The UK daily newspapers and newswires are today picking up on an ongoing case in the US involving system breaches, thousands of stolen PIN numbers, card cloning and money laundering. We've been following this on The Wired Blog Network for a few weeks now - most recent post here.
The main case involves Citibank branded ATMs in 7-11 convenience stores managed by Cardtronics with some processing handled by Fiserv.
Most of the reporting is based on a few court documents in the public domain, as well as a lot of commentary. Different articles have different takes on how the criminals got the PINs in the first place. Some have said that PINs were intercepted on the network between the ATM and processing hub.
This article implies that this is possible because the ATMs run on Windows.
I'm not certain, but I don't think this is likely. TripleDES encryption has been mandatory since 2002 if the ATM connects in any way to the Visa or Mastercard network, and it encrypts the PIN within the PIN pad itself - there's no raw transmission even to another circuit within the ATM body and certainly not to any OS accessible layer.
A more likely scenario is the system breach at the processing end. An FBI affidavit says this is what happened, and the breach was of a Citi server. Citi denies this and points to the third party operators/processors who run their branded ATMs.
This would leave Fiserv and Cardtronics, the largest non-bank ATM operator in the US, as the possible breach points. Fiserv have made statements about their innocence, while according to Wired, Cardtronics are maintaining their silence.
It would be interesting to see how the PINs were obtained (I suspect an insider job), and also how they managed to access unencrypted PINs and account details.
But looking at the big picture I can't help feeling that the US banking industry as a whole (including Mastercard and Visa in the US) might be to blame for the situation. By not getting involved with the global EMV chip card standard and sticking with easily clonable magnetic stripe cards, the US makes itself an easy target for organised criminals.
'Card present' fraud - getting easy access to cash with cloned cards - is better for the criminals than 'card not present' fraud, which usually takes the form of buying goods online that then have to be delivered and converted to cash - an extra, inconvenient
Countries that have adopted the EMV chip card standard, which among other things makes it much, much harder to clone cards, have all seen a reduction in card present fraud. Admittedly some of this fraud has migrated to the card not present variety. But as organised crime is a global business, a lot of it has just moved to other countries that present a softer target, and this case certainly demonstrates that the US falls into this category.