Citibank ATM thieves broke PIN security

You will be surprised (frightened) at how much data is logged to the disk of an ATM - and never deleted. It would not surprise me if they were stupid enough to also log the PIN

from what i read on the internet, its not too hard. theres a whitepaper that was published a while back about extracting the pin out of credit cards.

PINs are encrypted using either DES or Triple-DES. PCI compliance (and other things) asks for Triple-DES. http://www.bankersonline.com/vendor_guru/diebold/diebold-pin.html The PIN shouldn't be stored anywhere but the back end. The ATM is supposed to just send it off and forget it. It is possible that the back end was storing the PINs directly and not a hash. Or the hash could have been trivially brute forced. Until (when, if) they release the details, other financial institutions may be at risk the the same attack. Of course, it could be as simple as social engineering an insider and have nothing to do with the technology.

a "mole" so to speak mentioned to me that when these atm's are installed into a shop (the ones that typically rip you off for £2 a pop now), they have to setup the user account password etc locally. otherwise, anyone who knows the details for that atm can do alot stuff on it, such as get user details, previous withdraws etc etc. I actually had these details ages ago for getting into these things, thank god i never used them, looks like this may be the missing link? if i remember correctly, it could be done in a minute or two gaining access, and then after that i have no idea.

Most likely the crack was to do with non random initial pin generation for the cards. Most people do not change the pins that are supplied with the card and it is quite possible that the coders working on the pin generation code were not too careful about entropy etc. resulting in there being a small corpus of possible pin combinations. e.g. it could easily be that there was only 1 pin given out for all cards on a specific start date, highly unlikely, but the bank would not know and the customers would only know if they told each other their pins (there are only 10000 possible pins and in the US there were 984 million bank-issued Visa and MasterCard credit and debit card accounts created in 2006!). This is only a problem if someone figures it out. Then all it takes is to clone a few cards and even if you have a 1% sucess you will still net a great deal of money. I would have thought you would be able to withdraw about 500GBP per day per card (that works) and most people will not notice till their statment comes in / bank notices, so that would give you maybe a 3-5 day opporunity, so you are talking a minimum of say 1500GBP per card that works so about 15GBP per card that is skimmed, easy money!.

The solutions challenge is not in going faster than the world's new demands - it's in out-accelerating them. I urge every business person and IT person, management or staff, to get hold of a copy of "I.T. Wars: Managing the Business-Technology Weave in the New Millennium." Our CEO has read it. Our project managers are on their second reading. Our vendors are required to read it (they can borrow our copies if they don't want to purchase it). Any agencies that wish to partner with us: We ask that they read it. Do yourself a favor and read this book - then ask your boss to read it - then ask your staff and co-workers to read it. Some fresh and original thinking from the author of "I.T. Wars" - http://www.businessforum.com/DScott_02.html