Insight

High-tech Stickup

Bank robbers no longer need masks and guns to stick up the corner bank branch. Citibank found that out the hard way earlier this year when hackers broke into the network behind its ATMs inside 7-11 stores and stole customer PIN codes in a scam that netted the thieves millions of dollars. Worse than the monetary loss was the knowledge that the PINs – numeric passwords that banks treat as a closely guarded security feature – were stolen through computer attacks on the payment infrastructure itself, not by tampering with the machines.

A PIN is issued with every ATM card to verify the cardholder's identity. For the purposes of this discussion an ATM has three relevant components: the cash dispenser, the controller that talks to the bank's network, and the PIN pad, which encrypts the PIN as it is keyed in. When a card is inserted, the ATM reads the card number, takes the encrypted PIN from the pad and sends both to the central ATM server (the host). The host verifies the PIN and approves or declines the requested transaction.

To prevent an attacker from grabbing the PIN in transit, it never travels in the clear: the PIN pad combines it with the card number into a PIN block and encrypts that block, conventionally with Triple DES, under a key shared with the host. Some systems go further and split sensitive material, such as those keys, into components held separately, so that no single server or person holds the whole secret. So how did hackers get at Citibank's PINs? By targeting the system's infrastructure – walking in through the technological back door. An encrypted PIN block has to be decrypted and re-encrypted each time it passes from one network's key to another, and if a processor does that translation in ordinary software rather than inside a hardware security module, the cleartext PIN is present on that host, however strong the encryption on the wire. As more of this infrastructure becomes reachable remotely, PINs leak from the systems that sit between the ATMs and the computers that process the transactions, not from the links in between.
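How a PIN actually crosses this path, and why encryption in transit stops protecting it the moment a host decrypts it, is easier to see in code. The following is an added example written for this article, not code from Citibank, its processor or the original piece: it builds an ISO 9564 format 0 PIN block, encrypts it with Triple DES under an acquirer zone key, and then performs the zone translation a processor does, in software, so that the cleartext PIN is recoverable on the translating host. The PIN, the test PAN and both keys are constructed sample values.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample data (not real): a PIN, a Visa test PAN and two 24-byte Triple DES
// zone keys standing in for the ATM-to-acquirer key and the processor-to-issuer key.
const samplePIN, samplePAN = "1234", "4012888888881881"

var acquirerZoneKey, _ = hex.DecodeString("0123456789abcdeffedcba9876543210a1b2c3d4e5f60718")
var issuerZoneKey, _ = hex.DecodeString("133457799bbcdff10f1571c947d9e8595c9a2f38b4d6e017")

// panField is the ISO 9564 account field: four zero nibbles, then the rightmost
// twelve PAN digits with the check digit excluded.
func panField(pan string) ([]byte, error) {
	if _, e := strconv.ParseUint(pan, 10, 64); e != nil || len(pan) < 13 {
		return nil, errors.New("PAN must be 13 to 19 digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// FormatPINBlock builds an ISO 9564-1 format 0 PIN block: the PIN field (control
// nibble 0, length nibble, PIN digits, F padding) XORed with the account field.
func FormatPINBlock(pin, pan string) ([8]byte, error) {
	var block [8]byte
	if _, e := strconv.ParseUint(pin, 10, 64); e != nil || len(pin) < 4 || len(pin) > 12 {
		return block, errors.New("PIN must be 4 to 12 digits")
	}
	acct, err := panField(pan)
	if err != nil {
		return block, err
	}
	pinField, _ := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), pin) + strings.Repeat("F", 14-len(pin)))
	for i := range block {
		block[i] = pinField[i] ^ acct[i]
	}
	return block, nil
}

// ExtractPIN reverses FormatPINBlock on a cleartext block.
func ExtractPIN(block [8]byte, pan string) (string, error) {
	acct, err := panField(pan)
	if err != nil {
		return "", err
	}
	var pinField [8]byte
	for i := range pinField {
		pinField[i] = block[i] ^ acct[i]
	}
	digits := strings.ToUpper(hex.EncodeToString(pinField[:]))
	n := int(pinField[0] & 0x0f)
	if digits[0] != '0' || n < 4 || n > 12 {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return digits[2 : 2+n], nil
}

// TripleDES encrypts, or with decrypt set decrypts, one 8-byte PIN block under a
// 24-byte zone key; this is all the protection the block has in transit.
func TripleDES(key []byte, in [8]byte, decrypt bool) ([8]byte, error) {
	var out [8]byte
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return out, err
	}
	if decrypt {
		c.Decrypt(out[:], in[:])
	} else {
		c.Encrypt(out[:], in[:])
	}
	return out, nil
}

// TranslateInSoftware models a processor re-keying a PIN block from the acquirer zone
// to the issuer zone on an ordinary host instead of inside an HSM. Between the decrypt
// and the re-encrypt the cleartext block, and so the PIN, sits in this process's
// memory; it is returned here to make that exposure visible.
func TranslateInSoftware(fromKey, toKey []byte, epb [8]byte, pan string) (out [8]byte, pin string, err error) {
	plain, err := TripleDES(fromKey, epb, true)
	if err == nil {
		pin, err = ExtractPIN(plain, pan) // what an intruder on the translating host can read
	}
	if err == nil {
		out, err = TripleDES(toKey, plain, false)
	}
	return
}

func main() {
	block, _ := FormatPINBlock(samplePIN, samplePAN)
	epb, _ := TripleDES(acquirerZoneKey, block, false)
	_, leaked, _ := TranslateInSoftware(acquirerZoneKey, issuerZoneKey, epb, samplePAN)
	fmt.Printf("clear block %x, encrypted %x, PIN seen by translating host: %s\n", block[:], epb[:], leaked)
}
```

Run as is, it prints the clear block, the encrypted block and the PIN recovered on the translating host. The standard control is to confine the work TranslateInSoftware does to a hardware security module, so the decrypt and re-encrypt happen in tamper-resistant hardware and the host only ever handles ciphertext; that is the back-end protection, beyond encryption on the wire, that the rest of this article argues for.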

In Citibank's case, the thieves got into the ATM network through a third-party processor. Nearly 6,000 ATMs were targeted in an attack that ran for roughly six months, from October 2007 to March 2008. Exactly how the network was compromised has not been disclosed; experts say it could have been done through administrative access to the machines, a flaw in the network, malicious software, or simply stolen or guessed passwords.

Whatever the method, the breach shows that data needs protection in the back end even after it has been encrypted: encryption in transit does nothing once a host decrypts the data to process it. Administrative privileges must be tightly controlled and monitored as well. Give users who have direct access to any financial system the bare minimum of authority needed for the task at hand, and scrutinize anyone who can reach sensitive customer information such as PINs. Every administrative account is a standing vulnerability, and a single compromised one can expose the organization to enormous loss.

The Connors Group provides IT staffing for financial services organizations. Contact Vinay Singh, Director of Financial Services Staffing at The Connors Group, at vinay@theconnorsgroup.com or 201-537-0032.

The Connors Group - Your Success is Who We Know