A story today on Silicon reports that a Citibank ATM network breach in Canada, Russia and the UK could have been prevented if the bank's US customers had chip and PIN technology on their cards.
Citibank has admitted that hundreds of its US customers had been affected when hackers broke into the ATM network through a retail store server and stole a "block" of PINs and the keys to decrypt them.
Avivah Litan, a research director for Gartner, told silicon.com: "You won’t have the same problem with a chip card. They are hard to duplicate but it's pretty easy to copy a magnetic stripe."
In PIN-block fraud, hackers break into retailer servers and steal a chunk of PINs, then create counterfeit cards that enable them to withdraw cash at ATMs. Litan wrote that in this case the thieves probably stole magnetic-stripe data found on the back of ATM cards.
She said: "What's really exposed are the retail systems that use the ATM system. It could have been an insider – it's very hard to know. It was someone who had access to the [encryption] keys data. They were very skilled."
The analyst said the crime reflects the largest PIN theft to date and that the financial industry will be hit by more PIN-block fraud in the future.
She said: "Phishing was last year but banks have wised up to that, so now it's the PIN block fraud. Certainly this is a pot of gold for them.
"What's better – going for cards or going for the details? This is the simplest way – breaking into the bank using the ATM system. With the UK it was because Americans go there and use the magnetic stripe [on their cards]."
Citibank confirmed only US customers had been affected by the theft. It is now reissuing cards to customers whose accounts were blocked after the fraud was discovered.