Friday, March 10, 2006

ATM PIN security breach--Citibank, Bank of America, etc.

Back on March 4, the story broke from an American traveling in Canada that something had gone wrong at Citibank, causing it to shut off access from the ATM networks of Canada, Russia, and the UK. Bruce Schneier picked it up on March 6, and now it's hit the mainstream media with more details, with some attributing the problem to OfficeMax.

The symptoms from a bank customer's perspective are debit cards being replaced by the banks (which Citibank, Bank of America, and Washington Mutual have been doing since at least last month) and an inability to make withdrawals with current cards from ATMs in Canada, Russia, or the UK. At least some of the banks have now admitted to ATM fraud occurring, with Citibank admitting to "several hundred transactions" in three countries, while some western Massachusetts institutions have seen fraud in Spain, Pakistan, and Romania. The attribution to OfficeMax comes from investigations in Massachusetts.

Tech Web News' report is the most detailed to date:
The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs "the worst consumer scam to date."

Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.

But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam -- and scandal -- has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.

"This is the worst hack ever," Litan maintained. "It's significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things."


Litan's sources in the financial industry have told her that thieves hacked into a as-yet-unknown system, and made off with data stored on debit cards' magnetic stripes, the associated "PIN blocks," or encrypted PIN data, and the key for that encrypted data.

No comments: