CitiBank Card Numbers and PINs Stolen in Server Breach

By Space Rogue

Many years ago (like ten or more) there was a major US bank (BoA, CitiBank, I don’t remember) that had a major security breach. I don’t remember all the details, and Google has been less than helpful, but the bank in question was very forthcoming: they announced the incident, released a press release, and detailed what happened. They then spent millions to revamp their entire security posture to prevent it from happening again. That bank lost millions of dollars of business afterwards, despite the fact that after the breach it was probably the most secure bank in the country at that time.

Looks like banks have learned their lesson and now are keeping as quiet as possible about any and all compromises in their security.

Kevin Poulsen has written an excellent article over at Wired detailing the recent breach of ATM card numbers and their PINs. Seems that someone broke into a server that controlled CitiBank-branded ATMs in various 7-11s across the country and then used the card numbers and PINs to create fake cards and drain bank accounts. There are a lot of unanswered questions about this case, such as who was actually responsible for this server. Citibank is pointing the finger at a third-party transaction processing company, and that company seems to be denying any involvement. No one is being very forthcoming with the details, probably afraid of bad publicity and the loss of business that may result from it.

Consumers, of course, are protected by law from actual monetary losses, but the hassle of having to get a new card number can’t be fun. Unfortunately there isn’t much the consumer can do to protect themselves against this sort of attack. You can try to avoid those stand-alone ATM kiosks like those found in convenience stores and rely solely on ATMs at actual banks, but in many cases that is just not practical. So keep a close eye on those statements, verify every line item, and call your bank at the first sign of anything weird.

UPDATE: Thanks to NR for sending me a link to the CitiBank breach from 1995 that I referenced above.

1 Comment


Jun 6, 2008, 12:06 am

The main guy who was responsible for handling the Citibank case, Bob Ayers (he was head of computing and telecoms security at the DoD for most of the early 90s, lives in England now), was on a “hackers panel” in London. He brought this up, and he said much the same as you did: the bank would never (and should never) go public again because it gave their competitors the chance to say “they got hacked, don’t trade with them, trade with us, we’re secure” – which cost them an insane amount of money in comparison to what was (to Citibank) a trivial sum of money that was stolen.