Citibank Replaces Some ATM Cards After Online PIN Heist
Following up on my story Wednesday about the purported hacking of a Citibank ATM server, and the subsequent arrest of two cash-rich Brooklyn men, a New York Citibank customer says he received two notices this month from Citibank warning about breaches of a "third party" ATM processing system.
"These security breaches could have resulted in unauthorized access to your Citibank Banking Card number and associated Personal Identification Number (PIN)," the first notice, e-mailed on June 3, warned.
The warning went to off-duty journalist Ryan Naraine, who blogs for ZDNet and teaches computer security through Kaspersky Lab. (Thanks Ryan!) He got a replacement card in the mail, then received a second notice from the bank Tuesday.
Subject: Data Compromise-Card Replaced
Dear Valued Client,
On May 28, 2008, Citibank mailed a letter to you with a replacement Citibank Banking Card in response to an identified data compromise involving the credit and debit card payment system used by a third party ATM network where you may recently have used your card.
To protect your account from risk of unauthorized access, Citibank will deactivate your existing Citibank Banking Card on June 24, 2008.
If you have not yet activated your replacement card, please do so immediately.
Citibank declined to state Friday how many customers are being issued new ATM cards. But it reiterated that its servers weren't hacked, despite FBI and federal prosecutors' claims to the contrary.
"Earlier this year Citibank received notice from a third-party transaction processor for the ATM industry that the processor's systems were potentially compromised in late 2007," spokesman Robert Julavits said in an e-mailed statement. "As a preventative measure we notified and reissued new debit cards to those customers whom we believed may have been exposed to increased risk. We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts."
With Citibank and the feds withholding crucial details, it's hard to assess the scope of the breach, or whether the point source in the PIN leak was Citibank (as the feds claim), an independent third-party (as the bank claims), or something in between.
But there's anecdotal evidence that the Brooklyn arrests haven't stopped the fraud. A San Diego customer told Threat Level that someone pulled $3,000 from his Citibank accounts last Sunday, using a Citibank ATM in Newbury Park, about 150 miles away.
"I spent the entire day Tuesday making five or six phone calls," says Rahul Kumar, a consultant. "I spent hours on the phone, calling an attorney, calling the police."
The cash was taken in a rapid series of withdrawals Sunday afternoon, in which the thief first pulled $800 from a checking account, then $200, then repeated the process for Kumar's second checking account and his overdraft protection account. Kumar's ATM card was safely in his wallet at the time.
Kumar says Citibank canceled his card and issued him a new one when he reported the incident, but did not offer an explanation for the theft. The bank credited him back the $3,000 Thursday.
Though Citibank blames an unnamed "third party" processor for the PIN leak, the bank's representatives warned the FBI on February 1 that "a Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached," according to an FBI affidavit.
That FBI affidavit was filed in a criminal case against two Brooklyn men accused of stealing at least $750,000 from Citibank ATMs in February. When federal agents raided the home of one of the men, 32-year-old Yuriy Ryabinin, they found $800,000 in cash, including $690,000 in garbage bags, shopping bags and boxes stashed in the bedroom closet.
Brian Krebs, at the Washington Post's SecurityFix blog, wonders if the New York prosecution is connected to Citibank's recently-announced plans to replace 2,200 proprietary ATM machines around the county. Spokesman Robert Julavits says there's no connection.
The Citi-branded ATMs at 7-Eleven stores are not part of the replacement. In a branding deal announced in 2006, all 5,600 ATMs at 7-Eleven stores across the country have the Citibank name, and are free of transaction fees for Citibank customers. But those machines are owned and operated by Cardtronics, the largest non-bank operator of cash machines in the United States. That company didn't immediately return a phone call Saturday.
If you've received a notice from Citibank (or any other bank) about your ATM card being compromised, or have observed fraudulent cash withdrawals from your checking or savings account, I'd like to hear from you.
Photo: Keisuke Omi/Flickr