Following up on my story Wednesday about the purported hacking of a Citibank ATM server, and the subsequent arrest of two cash-rich Brooklyn men, a New York Citibank customer says he received two notices this month from Citibank warning about breaches of a "third party" ATM processing system.
"These security breaches could have resulted in unauthorized access to your Citibank Banking Card number and associated Personal Identification Number (PIN)," the first notice, e-mailed on June 3, warned.
The warning went to off-duty journalist Ryan Naraine, who blogs for ZDNet and teaches computer security through Kaspersky Lab. (Thanks Ryan!) He got a replacement card in the mail, then received a second notice from the bank Tuesday.
Citibank declined to state Friday how many customers are being issued new ATM cards. But it reiterated that its servers weren't hacked, despite FBI and federal prosecutors' claims to the contrary.
Citibank ATM fraud suspect Yuriy Ryabinin in a 2003 photo taken at a ham radio convention.
"Earlier this year Citibank received notice from a third-party transaction processor for the ATM industry that the processor's systems were potentially compromised in late 2007," spokesman Robert Julavits said in an e-mailed statement. "As a preventative measure we notified and reissued new debit cards to those customers whom we believed may have been exposed to increased risk. We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts."
With Citibank and the feds withholding crucial details, it's hard to assess the scope of the breach, or whether the point source in the PIN leak was Citibank (as the feds claim), an independent third party (as the bank claims), or something in between.
But there's anecdotal evidence that the Brooklyn arrests haven't stopped the fraud. A San Diego customer told Threat Level that someone pulled $3,000 from his Citibank accounts last Sunday, using a Citibank ATM in Newbury Park, about 150 miles away.
"I spent the entire day Tuesday making five or six phone calls," says Rahul Kumar, a consultant. "I spent hours on the phone, calling an attorney, calling the police."
The cash was taken in a rapid series of withdrawals Sunday afternoon, in which the thief first pulled $800 from a checking account, then $200, then repeated the process for Kumar's second checking account and his overdraft protection account. Kumar's ATM card was safely in his wallet at the time.
Kumar says Citibank canceled his card and issued him a new one when he reported the incident, but did not offer an explanation for the theft. The bank credited him back the $3,000 Thursday.
Though Citibank blames an unnamed "third party" processor for the PIN leak, the bank's representatives warned the FBI on February 1 that "a Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached," according to an FBI affidavit.
That FBI affidavit was filed in a criminal case against two Brooklyn men accused of stealing at least $750,000 from Citibank ATMs in February. When federal agents raided the home of one of the men, 32-year-old Yuriy Ryabinin, they found $800,000 in cash, including $690,000 in garbage bags, shopping bags and boxes stashed in the bedroom closet.
Brian Krebs, at the Washington Post's SecurityFix blog, wonders if the New York prosecution is connected to Citibank's recently announced plans to replace 2,200 proprietary ATM machines around the country. Spokesman Robert Julavits says there's no connection.
The Citi-branded ATMs at 7-Eleven stores are not part of the replacement.
In a branding deal announced in 2006, all 5,600 ATMs at 7-Eleven stores across the country have the Citibank name, and are free of transaction fees for Citibank customers. But those machines are owned and operated by Cardtronics, the largest non-bank operator of cash machines in the United States. That company didn't immediately return a phone call Saturday.
If you've received a notice from Citibank (or any other bank) about your ATM card being compromised, or have observed fraudulent cash withdrawals from your checking or savings account, I'd like to hear from you.
Update:
According to Cardtronics' SEC filings, the 7-Eleven ATM transactions are processed by a Wisconsin-based Fortune 500 company called Fiserv. In a little-noticed report, Fiserv admitted to a breach in April, after customers of First Federal Bank of California got letters warning that their private account information had been leaked. From the Orange County Register:
Fiserv describes itself, not inaccurately, as the "world’s largest service provider to banks, credit unions, lending institutions, and investment advisers."
Reached by phone Friday night, Tolley told Threat Level that she couldn't confirm that Fiserv was breached (though she confirmed it in April, when customers of only one bank in California were known to be impacted). She said she'd have to look into whether or not the ongoing issues at Citibank are a result of a Fiserv intrusion.
"It seems to me as though, if the FBI and those types of agencies are involved, it probably is not in our best interests to discuss, because criminal activity shouldn't be helped, but stopped."
More on Monday.
Update: Fiserv is innocent.
ATM Photo: Keisuke Omi/Flickr