The hacking of Citibank ATM networks, as well as exposing cardholder account numbers and personal identification numbers (PINs,) has given financial institutions new security worries and prompted them to review their security methods.
In a technology arms race between banks and thieves, financial institutions continually harden their networks in an attempt to thwart new attacks by crooks.
"These guys are trying to make a living as fraudsters and we're trying to stop them for a living," said Doug Johnson, vice president of risk management policy for the American Bankers Association (ABA).
The Citibank case
On Feb. 1, 2008, Citibank reported to the FBI that account and PINs had been pilfered from a server that handled transactions from Citibank-branded ATMs at 7-Eleven convenience stores. According to the FBI, the suspects, who are in custody, created new ATM cards encoded with the stolen account numbers and, with the PINs, withdrew cash from ATMs. Other court documents indicate the accused may have stolen as much as $3.6 million in various ATM fraud schemes.
The Microsoft effect
Experts say that the reason the Citibank accounts were hit follow the same logic behind Windows operating systems attacks -- they're both ubiquitous. Citibank is a global financial services enterprise with a vast IT infrastructure and 20,000 automated teller machines, while Microsoft's Windows runs on more than 90% of the world's personal computers and close to 70% of its servers. Increasingly, ATM networks are running on Microsoft's Windows operating system, which security experts say makes them more vulnerable than if they were run on a proprietary platform that would be harder for hackers to figure out. However, neither Citibank nor Microsoft would say whether Citibank's ATM network is Windows-based.
"You get more bang for the buck if you, as a hacker, invest in compromising Citibank's network because there's more of a network to attack, just like Windows," said Avivah Litan, an analyst at Stamford, Conn.-based Gartner, Inc.
Although Citibank wouldn't identify the processing firm, there are two companies that maintain the ATMs at 7-Eleven stores: Cardtronics, a Houston-based company that owns 5,500 ATMs in 7-Eleven stores and Fiserv Inc., of Brookfield Wis. Cardtronics maintains only 2,000 of the 5,500 ATMs it owns; Fiserv maintains the other 3,500. The publicly traded Cardtronics acquired the ATMs from 7-Eleven Financial Services, a division of the convenience store chain, in late 2007, according to an SEC filing.
Fiserv said through a spokeswoman that its servers were not hacked in the Citibank case. Cardtronics declined to comment for this story. In a July 2 news release it stated, "Cardtronics is not involved in this criminal prosecution and therefore does not anticipate that it will issue any statements with respect to this case."
PCI compliant ≠ secure
But Cardtronics added that all of its ATMs have encrypted PIN pads, triple data encryption and that its processing platform complies with the Payment Card Industry (PCI) data security standards.
However, being PCI compliant doesn't mean an ATM network is hacker-proof. "You can't say 'I'm PCI compliant,' and then wipe your hands and walk away," said Mike Urban, senior director of fraud solutions at Fair Isaac Corp., a provider of enterprise decision management automation in Minneapolis. "This is an ongoing security concern and should always be an ongoing concern."
Too many network administrators deploy only enough security to win PCI compliance, although that is changing, said Jim Pflaging, CEO of San Francisco-based SenSage, a provider of enterprise data warehousing tools.
Previously, some companies only met the minimum security standard. "They just want the [PCI] auditor to get out of their office," he said. Increasingly, though, others regard security as a form of risk management that is strategic to their business and go beyond the PCI standard.
ATM security evolving
Recently, ATM vendors have teamed up with security firms in order to develop new technology that will keep up with evolving hacker attacks. For instance, Wincor Nixdorf, a German ATM maker, partnered with Cisco Systems to develop the PC/E Platform Security Agent, which prevents software from being installed or modified without authorization. One theory behind the Citibank breach is that the hackers installed malicious software onto the servers to access the account numbers and PINs.
In another partnership, Diebold, Inc. is working with Agilis Software LLC. to secure its Opteva ATM line with anti-skimming technology. Skimming involves placing a fake ATM card slot over the real one in order to read card numbers and PINs as they go in.
But such point products don't provide a comprehensive security net, SenSage's Pflaging argued. However, data warehousing technology, which records every event on a network, can help identify patterns or connections between incidents that indicate potential thievery. For example, if an ATM card is used in Chicago and, moments later, in Moscow, that's a sign of trouble, Pflaging said. If a bank employee accesses the network and, soon after, moves a large file off the network, the action deserves closer scrutiny.
"You put your Inspector Clouseau hat on and you can start to look for all of these very unusual cases," Pflaging said, adding that it's possible criminals in the Citibank case could have been aided by someone inside Citibank "or someone who has somehow obtained the credentials of one of your trusted insiders."
Despite all these security breakthroughs, Windows-based ATM networks are a popular choice amongst financial institutions. According to Pflaging, Windows makes sense as an operating system because it's low cost and is easy for banks to manage, especially on global networks that span different countries, said Pflaging. "But, Windows is just an outright, big invitation to security hackers."
Even though Windows makes a big target, it can be secured, countered Gartner's Litan. "If you keep Windows locked down and you keep your network locked down, then it's no worse or better than any other system. It's just a question of locking it down and not allowing anyone to get in."
About the author:
Robert Mullins is a reporter covering the technology industry from Silicon Valley. He writes about servers, storage, security, open source software and other topics.