Citibank’s ‘Gone in Sixty Seconds’ Heist Should Serve as a Wake Up Call

Citibank's 'Gone in Sixty Seconds' Heist Should Serve as a Wake Up Call

The Federal Bureau of Investigation announced that fourteen suspects have been charged with stealing more than one million dollars in funds by exploiting a flaw in Citibank's transaction security protocols which allowed for large, simultaneous withdrawals on the same accounts from multiple locations. The heist should serve as a wake up call to banks who may be in serious need of a systems security review.

The scheme entailed the defendants setting up several checking accounts at the bank in which “seed money” was deposited in amounts of less than $10,000 to avoid federal transaction reporting mandates. The suspects then went to several casinos in California and Nevada and synchronized withdrawals from the accounts so that they all occurred within a one minute time period, capitalizing on a lapse in Citibank's security which failed to detect the concurrent transactions that allowed the defendants to make off with funds in excess of the initial deposits.

“While advancements in technology have created a world of accessibility to users and a convenience for consumers, they have also left room for criminals to exploit even the smallest of loopholes,” FBI Special Agent Daphne Hearn said.

But is it a fair assessment to categorize a sixty-second gap in transaction security as being the “smallest of loopholes” for systems that are designed to handle millions of requests to move large amounts of funds all over the world on a daily basis? Network security specialist Scot Terban thinks not, and believes the heist could have been avoided with the implementation of some fairly simple preventative measures.

“It seems to me that there are two issues at hand with regard to the vulnerability in the Citibank system that lead to the 'Gone in 60 Seconds' hack. Firstly, if the end users account isn't a 'credit' account, then the system should be able to check the balance within fairly easily. If the user does not have enough money in the account, and it is not under some sort of overdraft protection plan, then it should cut that action off immediately and disallow the transaction,” said Terban.

“This also should apply for any transactions whether or not they take place within 60 seconds. A second mitigation protocol should have been in place to stop this kind of transaction programmatically within the 60 second time span,” Terban continued.

Terban also believes the relative success of the scheme may be an indication that similar transaction security flaws may exist at other institutions, and that this event could also be evidence that other systems that banks employ within their networks may be vulnerable to exploitation.

“If the systems cannot keep up with transactions on one account, I suspect then we have a serious issue with the nature of our cash machines and accounts in other banks systems as well. Since many of these systems are made by only a few companies and have been shown in the past on numerous occasions to be deeply flawed where OS security is involved, I think the banks in general should look to this event and re-evaluate their own systems,” Terban said.

While the initial heist was successful in pilfering funds, the operation was ultimately thwarted by law enforcement and the bank. The defendants – thirteen of whom are now in custody – can expect to be arraigned on a number of charges, including several counts of bank fraud, each punishable by up to 30 years in prison and a $1,000,000 fine. Yet the arrests are no indication that the vulnerability has been addressed by Citibank or any of its competitors.