Citibank Linked to ATM Breaches

Credit EligibleAs a BankInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info

Two men have been charged with making hundreds of fraudulent withdrawals from New York City automatic teller machines earlier this year, taking more than $750,000 in cash.

In a federal indictment filed in the U.S. Southern District of New York (Citibank Indictment) Yuriy Ryabinin, a 32-year-old Ukranian immigrant and Ivan Biltse, 30, are charged with access device fraud, using stolen information from a computer intrusion into a Citibank server that processes ATM withdrawals. The indictment says Ryabinin and Biltse allegedly "received over-the-internet information related to Citibank customers, which information had previously been stolen from Citibank." They are not being charged with the computer intrusions.

In a related affidavit filed in the same case, the Ukranian immigrant is also accused of taking part in an attack against four iWire prepaid MasterCard accounts in a two-day period last fall. The iWire accounts, issued from First Bank, St. Louis MO, recorded more than 9,000 withdrawals (both actual and attempted) from ATM machines located "around the world" from September 30 to October 1. According to the affidavit, First Bank officials contacted the United States Secret Service on October 3 about the withdrawals. The affidavit (Citibank Complaint), from FBI cyber-crime investigator Albert Murray states the total taken in the caper was $5 million. Ryabinin is charged with taking more than $100,000 of the iWire cash from Brooklyn, NY cash machines. The iWire company contracts with employers that need to pay employees without bank accounts via prepaid cards.

Click to Get Updates on the Latest Information Security News

Company* Title* Email* Subscription Type: HTML Text Healthcare Enews General Healthcare Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Government Enews General Government Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Banking Enews General Banking Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Credit Union Enews General Credit Union Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Need Help?

Citibank denies the indictment and affidavit's charge that their server had been breached. "The facts alleged in the indictment about Citibank's systems are not correct. Citibank's servers were not compromised," says Rob Julavits, a Citibank spokesperson. Julavits explains that, earlier this year, Citibank received notice from a third-party transaction processor for the ATM industry that the processor's systems were potentially compromised in late 2007. "As a preventative measure, we notified and reissued new debit cards to those customers whom we believed may have been exposed to increased risk," Julavits says.

The two men were arrested on February 29 and March 5 and await trial. An arrest warrant was also issued on March 5 for Ryabinin's, wife who is also charged in the indictment.

For more on fraud, see: Credit/Debit Card Fraud: New Trends, Incidents