Many More ATM Attacks Forthcoming

“The banking industry is less than halfway through this latest scam, which will continue to affect large numbers of cardholders.”

That’s from a brief posted on March 8th by by Avivah Litan (pictured) of Gartner Research, the only person who’s talking and knows jack-all about the PIN block scam. She confirms what we’ve suspected; that the debit card accounts and PIN codes are not only being stolen, they’re being counterfeited– and then used for fraudulent ATM withdrawals. Read her short report, after the jump.

But first, here’s a thought. Why haven’t they caught the crooks yet? They should know which ATMs were compromised and at what times… isn’t there security tape footage we should be seeing?


“Fraudulent ATM Withdrawals Reflect a Widespread Threat”
8 March 2006

by Avivah Litan

Recent automated teller machine (ATM) fraud involving Citibank and other banks points to a new wave of “personal identification number (PIN) block” schemes.

Event

On 6 and 7 March 2006, Citibank issued statements in response to consumer complaints that they were unable use their ATM cards to make cash withdrawals in certain countries (Canada, Russia and the United Kingdom). Citibank said that accounts that were “possibly compromised in previous retailer breaches in the U.S.” in 2005 were being monitored for fraud.

Analysis

Citibank’s actions follow similar measures taken by other U.S. banks, which have reissued ATM cards after customers’ cards were compromised, allegedly through a retailer security breach. Gartner believes that these combined bank actions reflect the largest PIN theft to date
and point to a new wave of “PIN block” card fraud. Gartner believes the banking industry is less than halfway through this latest scam, which will continue to affect large numbers of cardholders.

In “PIN block” schemes, hackers break into retailer servers and steal PIN blocks that represent encrypted PIN data (which, along with card numbers, is sent to processors that execute PIN debit transactions). The thieves also steal terminal keys used to encrypt PINs. These keys are typically stored on retailers’ terminal controllers. Armed with the PIN block and terminal encryption key, the thieves can determine a cardholder’s PIN, then create counterfeit cards that enable them to withdraw cash at ATM machines. In this particular scam, the thieves probably also stole (likely from a retailer) magnetic-stripe data found on the back of ATM cards, which large banks typically validate.

Recommendations

  • Card issuers: Ensure that the Payment Card Industry (PCI) Data Security standard prohibits the storage of PIN blocks and covers terminal operations.

  • Enterprises: Never store PIN blocks or magnetic stripe card data. Never store encryption keys along with encrypted data, and keep the encryption keys in high-security environments, such as hardware storage modules available from Safenet, Thales and other providers.
  • Payment vendors: Modify your software to make the storage of PINs, PIN blocks and cards’ magnetic-stripe data impossible.
  • Banks: Validate magnetic-stripe card data at terminals to make the use of counterfeit cards that do not have this data impossible.
  • Regulators: Modify Regulation E, which governs consumers’ rights with regard to unauthorized bank account withdrawals, loosening the consumer notification timing requirements so that consumers can get their money bank more easily.

Analytical Source: Avivah Litan, Gartner Research

[via garnter.com (click Litan, then Latest Research, then "Fraudulent ATM Withdrawals Reflect a Widespread Threat"]

Comments

Edit Your Comment

  1. Danilo says:

    Maybe I’m way off here, but if they’re counterfeiting ATM cards, they can’t be too far off from counterfeiting Visa-branded, hologrammed check cards, right?

    “Hello. Please to be buyink these thrree iPods. Yes. I use my debit carrd. Look, it havink my picture on it and everything. “

    Pretty chilling stuff. My debit card has my photo on it. Never, ever get asked for secondary ID. The cost to procure equipment and produce pretty counterfeits would be nothing as compared to potential cash thieves could make.

  2. Hawkins says:

    The issue, I believe, is that when you do crimes with bogus credit cards, you end up with stuff. Like iPods. Which is nice. But when you do crimes with ATM cards, you end up with cash.

    The reason that debit cards are such a good idea, and why they never ask for ID, is that they offer two-factor security: something that you have (the card), plus something that you know (the PIN). At least, they used to be a good idea, until some merchants (processors?) decided that they should keep a copy of your PIN, along with the data on your card. Which makes no sense unless they were planning to rob you.

  3. RowdyRoddyPiper says:

    Yeah, it kind of shocks me that the data that is needed to complete the transaction is being stored after the transaction is completed. I naively thought that it blew up, inspector gadget style, 5 seconds or so after the deal was done. It’s amazing that people trusted with our money have very little idea how to secure it.