Many More ATM Attacks Forthcoming

“The banking industry is less than halfway through this latest scam, which will continue to affect large numbers of cardholders.”

That’s from a brief posted on March 8th by by Avivah Litan (pictured) of Gartner Research, the only person who’s talking and knows jack-all about the PIN block scam. She confirms what we’ve suspected; that the debit card accounts and PIN codes are not only being stolen, they’re being counterfeited– and then used for fraudulent ATM withdrawals. Read her short report, after the jump.

But first, here’s a thought. Why haven’t they caught the crooks yet? They should know which ATMs were compromised and at what times… isn’t there security tape footage we should be seeing?


“Fraudulent ATM Withdrawals Reflect a Widespread Threat”
8 March 2006

by Avivah Litan

Recent automated teller machine (ATM) fraud involving Citibank and other banks points to a new wave of “personal identification number (PIN) block” schemes.

Event

On 6 and 7 March 2006, Citibank issued statements in response to consumer complaints that they were unable use their ATM cards to make cash withdrawals in certain countries (Canada, Russia and the United Kingdom). Citibank said that accounts that were “possibly compromised in previous retailer breaches in the U.S.” in 2005 were being monitored for fraud.

Analysis

Citibank’s actions follow similar measures taken by other U.S. banks, which have reissued ATM cards after customers’ cards were compromised, allegedly through a retailer security breach. Gartner believes that these combined bank actions reflect the largest PIN theft to date
and point to a new wave of “PIN block” card fraud. Gartner believes the banking industry is less than halfway through this latest scam, which will continue to affect large numbers of cardholders.

In “PIN block” schemes, hackers break into retailer servers and steal PIN blocks that represent encrypted PIN data (which, along with card numbers, is sent to processors that execute PIN debit transactions). The thieves also steal terminal keys used to encrypt PINs. These keys are typically stored on retailers’ terminal controllers. Armed with the PIN block and terminal encryption key, the thieves can determine a cardholder’s PIN, then create counterfeit cards that enable them to withdraw cash at ATM machines. In this particular scam, the thieves probably also stole (likely from a retailer) magnetic-stripe data found on the back of ATM cards, which large banks typically validate.

Recommendations

  • Card issuers: Ensure that the Payment Card Industry (PCI) Data Security standard prohibits the storage of PIN blocks and covers terminal operations.

  • Enterprises: Never store PIN blocks or magnetic stripe card data. Never store encryption keys along with encrypted data, and keep the encryption keys in high-security environments, such as hardware storage modules available from Safenet, Thales and other providers.
  • Payment vendors: Modify your software to make the storage of PINs, PIN blocks and cards’ magnetic-stripe data impossible.
  • Banks: Validate magnetic-stripe card data at terminals to make the use of counterfeit cards that do not have this data impossible.
  • Regulators: Modify Regulation E, which governs consumers’ rights with regard to unauthorized bank account withdrawals, loosening the consumer notification timing requirements so that consumers can get their money bank more easily.

Analytical Source: Avivah Litan, Gartner Research

[via garnter.com (click Litan, then Latest Research, then “Fraudulent ATM Withdrawals Reflect a Widespread Threat”]