ATM PIN Numbers And Accounts Hacked
For many years proponents of electronic voting, vendors, election officials, and their paid PR shills, have been touting the use of ATMs as analog evidence of the security attainable with electronic networks and to claim electronic voting machines had the same level of security and deserved the same trust.
It hasn't seemed to penetrate with duped clerks and these flacks for election fraud that:
- No matter how many times General/Diebold/Premier changed their name to try and hide the scandals the voters still don't trust their voting machines.
- Regardless of the fact that HAVA's author, Ohio Republican Congressman Bob Ney, and Diebold's lobbyist, Jack Abramoff, have been convicted and imprisoned this is still bad law and the voters still don't trust electronic voting.
- It does matter when computer scientists examine electronic voting equipment and find them wanting in the most fundamental aspects; citizens believe the experts.
- Regardless of the number of voters purged from statewide voter registration databases by dubious means the public trust in their election officials is not enhanced.
- No matter how many times Secretaries of State in several states decertified and recertified the voting equipment the public still did not believe the vote counts produced by electronic voting machines were transparent, accurate, and secure.
- The number of "glitches," finger pointing, and blaming everything but the electronic voting machines for the hundreds of documented disasters and catastrophes using these machines has exceeded the bounds of credibility for even the most trusting citizen.
- The only people who doubted the integrity and security of electronic voting were not just "kooks, weirdos, and scared spitless computer geeks," as the New York Times put it.
- The widely advertised problems with Microsoft Windows security and the quarter million or so known viruses, trojan horses, etc. for that operating system are nothing to worry about has been anything but convincing to concerned citizens, and they are not simply computerphobes.
- Or, as Mary Mancini puts it,
"OK, let's just say, for arguments sake, that there was no malicious intent behind the myriad of electronic voting machines problems. OK, I know. Stop laughing! I am trying to prove a point here.Let's just say the vote flipping problems are caused by 'buggy' software created by inept programmers and the malfunctioning printers are because of cheaply made, bottom-line-only conscious hardware manufacturers. Let's just say that the companies that made these machines won government contracts, took our hard-earned tax dollars, and delivered, in the words of Doug Kellner,Co-Chair of the New York State Board of Elections, 'crap.' I'm just saying, let's just say. So if that's that case, wouldn't it be prudent for state governments to decertify these machines, stop using them, and throw the companies, a.k.a. crooks and liars, in the pile of non-responsible vendors they refuse to do business with? I mean, if the machines are crap than how can we rely on their results, right?OK, you can stop stifling your giggles now."
- It doesn't matter that after promising to deliver Ohio for Bush in 2004 using Diebold machines that their CEO, Wally O'Dell, resigned, the public still doesn't trust their equipment despite the claim that their ATM machines are impenetrable. Or are they?
After all these years of claiming electronic voting is as secure as the friendly ATM machine at your local bank, lo and behold, what do we find out? And note also that the ATM PIN numbers were hacked without physical access.
Chuck Corry
_____________________________________________________________________________
Citibank ATM Breach Reveals PIN Security Problems by Jordon Robertson
© 2008 by Jordan Robertson, AP Technology Writer
Reproduced under the Fair Use exception of 17 USC § 107 for noncommercial, nonprofit, and educational use.
ATM breach highlights security problems with the most sensitive part of a banking record
July 1, 2008 (AP) - Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.
The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs - the numeric passwords that theoretically are among the most closely guarded elements of banking transactions - by attacking the back-end computers responsible for approving the cash withdrawals.
The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.
Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption - which means encoding them to cloak them to outsiders - some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.
"PINs were supposed be sacrosanct - what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with the Gartner research firm. "The banks need much better fraud detection systems and much better authentication."
The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs - the numeric passwords that theoretically are among the most closely guarded elements of banking transactions - by attacking the back-end computers responsible for approving the cash withdrawals.
The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.
Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption - which means encoding them to cloak them to outsiders - some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.
"PINs were supposed be sacrosanct - what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with the Gartner research firm. "The banks need much better fraud detection systems and much better authentication."
It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by technology news Web site Wired.com. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it doesn't own or operate any of them.
That responsibility falls on two companies: Houston-based Cardtronics Inc., which owns all the machines but only operates some, and Brookfield, Wisconsin-based Fiserv Inc., which operates the others.
That responsibility falls on two companies: Houston-based Cardtronics Inc., which owns all the machines but only operates some, and Brookfield, Wisconsin-based Fiserv Inc., which operates the others.
A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly. [Sounds like the many questions about electronic voting equipment problems.]
All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.
All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.
They could have gained administrative access to the machines - which means they had carte blanche to grab information - through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through. [Surely no one would think of doing this with electronic voting equipment. After all there are only billions at stake in elections.]
What that means for consumers is that their PINs were stolen from machines that showed no signs of tampering they could detect. In previous PIN thefts, thieves generally took steps that might draw notice - sending "phishing" e-mails, for example, or installing false-front keypads or even tiny cameras on ATMs. [Voting machine vendors claim no fraud has ever been detected. Might one think they are living in this same other world?]
Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.
Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.
Don Jackson, director of threat intelligence for SecureWorks Inc., said he has seen an "alarming" spike in the number of attacks on back-end computers for ATM networks over the past year.
"This was fairly large, but I don't think it's anything out of the ordinary - these kinds of scams go on every day," Jackson said. "What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed. But there are a whole lot of other ATM and PIN compromises going on that aren't reported." [And might we presume the same is true of electronic voting equipment and databases?]
The alleged plot is outlined in court papers supporting the prosecution of three people - Yuriy Rakushchynets, Ivan Biltse, and Angelina Kitaeva. They were indicted in March on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2 million in illegal profits. [And how much might a hack of electronic voting machines be worth?]
Defense lawyers for all three people did not return calls for comment, and it was not clear where they had been living. The main defendant, Rakushchynets, was described as having Michigan and Florida's driver licenses in a February FBI affidavit for an arrest warrant.
Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers' accounts were compromised. It said it notified affected customers and issued them new debit cards.
Defense lawyers for all three people did not return calls for comment, and it was not clear where they had been living. The main defendant, Rakushchynets, was described as having Michigan and Florida's driver licenses in a February FBI affidavit for an arrest warrant.
Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers' accounts were compromised. It said it notified affected customers and issued them new debit cards.
"We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts," the bank said in a statement. [But who is responsible for correcting elections that have been hacked?]
Cardtronics said it is cooperating with authorities but otherwise declined to comment. Fiserv spokeswoman Melanie Tolley said the intrusion didn't happen on Fiserv's servers.
Cardtronics said it is cooperating with authorities but otherwise declined to comment. Fiserv spokeswoman Melanie Tolley said the intrusion didn't happen on Fiserv's servers.
"Fiserv," she said, "is confident in the integrity and security of our system." [Sounds exactly like what voting equipment vendors say about their machines.]
___________________________________
DISCLAIMER
NOTE: If you would like to be removed from our mailing list please respond to this message with REMOVE in the subject line. Comments or criticisms of our policies or Web sites should be addressed to mailto:comments@ejfi.org.
You are receiving this message because (1) you asked to be added to our mailing list; (2) you sent the EJF an e-mail or requested help from us; (3) you are known to work on issues related to human rights; (4) you are known to be interested in civil liberties and equal justice; (5) your name and address appeared as an addressee on email sent to us; or (6) you are a member of or contribute to the Equal Justice Foundation.
_____________________________________________________________________________
_____________________________________________________________________________
Issues of interest to the Equal Justice Foundation http://www.ejfi.org/ are:
Civilization click here
Courts and Civil Liberties http://www.ejfi.org/Courts/Courts.htm
Domestic Violence http://www.ejfi.org/DV/dv.htm
Domestic Violence Against Men in Colorado http://www.dvmen.org/
Emerson case http://www.ejfi.org/emerson.htm
Families and Marriage http://www.ejfi.org/family/family.htm
Prohibitions and the War On Drugs click here
Vote Fraud and Election Issues
