Wednesday, July 02, 2008

Citibank has major ATM breach, very sensitive in nature

News media widely report a serious deliberate compromise of Citibank’s ATM machines inside 7-11 stores. Identifying information and PINs were taken, and three people are indicted in New York.

The breach seems to have occurred deep within Microsoft’s infrastructure, designed to allow remote repair of machines.

Citibank has apparently refunded or promised to refund any lost money from accounts. In various other kinds of breaches reported in the media in the past few years, refunds have not always occurred.

A typical story is by Jordan Robertson of the AP and appears today. The original AP link (July 1) is here. The story characterizes the “most sensitive part” of the bank’s computerized files and infrastructure as compromised.

It’s interesting to compare this with a recent story that indicates that credit card companies, but not original customers, have sometimes been notified of breaches by other databanks.

Other media briefs indicate that Visa allows customers to make small purchases on debit cards without entering PINs. This could work both ways from a security viewpoint.
