In one report, RBS admitted that a hacker penetrated a server at its payment-processing unit. No one has really provided the details of how the wise-guys got hold of the PIN codes.
My theory is that RBS kept authorization message data that enabled the wise-guys to get the customer PINs. Assuming, of course, that RBS did not store the clear-text value of the PIN codes entered, one guess is that the PIN blocks and offsets (since cards in the US are PIN-configurable) were logged and stored by RBS. This is called 'PIN block' hacking.
Although the PIN block value is the result of a transformation and encryption, keeping this data on a server compromises the customer's PIN. What if the hacker also ran 'his own' card through and extracted the resulting PIN block from his own transaction?
Or what if the wise-guy tapped a couple of PIN codes from specific ATMs or POS terminals that use RBS as a processor and extracted the corresponding PIN blocks stored by RBS? That would be a way to get at the AWK (acquirer working key). And if the hacker already had the AWK, then the customer PINs can be obtained programmatically from the PIN blocks. There are other simple ways to determine the customer PINs, depending on whether the ATM is owned by the issuing bank itself and, where the payment processor is not the issuing bank, by using the offset value.
And whether or not RBS stored these PIN blocks, RBS needed to receive them, decrypt them, encrypt them again and send them on to the issuing banks, especially if RBS was not acting as a stand-in for the issuing banks (in a compliant deployment that translation happens inside an HSM, so the clear PIN block never sits in host memory or in a log). The transmission of PIN blocks from the ATM or POS to RBS, and then from RBS to the issuing banks, are all points where PIN blocks can be compromised. One report actually stated that it was network tapping and not server hacking.
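The PIN-block handling described above, as an added worked example that is not code from the original post, from RBS or from any processor: ISO 9564 format 0 PIN block construction and decoding, a single TDES block operation under a working key using Go's standard crypto/des, the translation a processor performs between the acquirer working key (AWK) and the issuer's zone PIN key (ZPK), and what a log of PAN plus PIN-block-as-received gives to someone who also holds the AWK. The keys, PANs and PINs are constructed, the function names are mine, and neither the IBM 3624 offset method the post mentions nor the HSM that would normally hold the keys is modelled.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

func xor8(a, b []byte) []byte {
	out := make([]byte, 8)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// panField: four zero nibbles, then the rightmost 12 PAN digits excluding the
// Luhn check digit (ISO 9564 format 0).
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 decimal digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// BuildISO0PINBlock is the "transformation": 0 | PIN length | PIN | F padding,
// XORed with the PAN field. Anyone holding the PAN can reverse it.
func BuildISO0PINBlock(pin, pan string) ([]byte, error) {
	pa, err := panField(pan)
	if err != nil || len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("need a valid PAN and a 4- to 12-digit PIN")
	}
	pf, _ := hex.DecodeString(fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))))
	return xor8(pf, pa), nil
}

// ExtractPINFromISO0 undoes it; the PAN travels in the same authorisation
// message, so a clear (or decryptable) block plus the message is the PIN.
func ExtractPINFromISO0(block []byte, pan string) (string, error) {
	pa, err := panField(pan)
	if err != nil || len(block) != 8 {
		return "", errors.New("need a valid PAN and an 8-byte block")
	}
	h := strings.ToUpper(hex.EncodeToString(xor8(block, pa)))
	n := int(block[0]^pa[0]) & 0x0F
	if h[0] != '0' || n < 4 || n > 12 || strings.Trim(h[2+n:], "F") != "" || strings.Trim(h[2:2+n], "0123456789") != "" {
		return "", errors.New("not a well-formed format 0 PIN block")
	}
	return h[2 : 2+n], nil
}

// TDESPINBlock applies one TDES block operation; a 16-byte double-length key,
// the usual size for working and zone keys, is expanded to K1||K2||K1.
func TDESPINBlock(in, key []byte, decrypt bool) ([]byte, error) {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil || len(in) != 8 {
		return nil, errors.New("need a 16- or 24-byte key and an 8-byte block")
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// TranslatePINBlock is the processor's step: decrypt under the AWK, re-encrypt
// under the ZPK. The clear block exists between the two calls, which is why
// this lives in an HSM and why nothing from it belongs in a log.
func TranslatePINBlock(enc, awk, zpk []byte) ([]byte, error) {
	clear, err := TDESPINBlock(enc, awk, true)
	if err != nil {
		return nil, err
	}
	return TDESPINBlock(clear, zpk, false)
}

// RecoverPINs is the exposure the post describes: a log of PAN -> PIN block as
// received under the AWK, together with the AWK, yields every PIN in it.
func RecoverPINs(stored map[string][]byte, awk []byte) (map[string]string, error) {
	pins := make(map[string]string, len(stored))
	for pan, enc := range stored {
		clear, err := TDESPINBlock(enc, awk, true)
		if err != nil {
			return nil, err
		}
		if pins[pan], err = ExtractPINFromISO0(clear, pan); err != nil {
			return nil, err
		}
	}
	return pins, nil
}

func main() {
	awk, zpk := []byte("0123456789ABCDEF"), []byte("FEDCBA9876543210") // constructed keys, not real ones
	clear, _ := BuildISO0PINBlock("1234", "4111111111111111")       // constructed test PAN and PIN
	enc, _ := TDESPINBlock(clear, awk, false)
	toIssuer, _ := TranslatePINBlock(enc, awk, zpk)
	pins, _ := RecoverPINs(map[string][]byte{"4111111111111111": enc}, awk)
	fmt.Printf("clear %X, under AWK %X, under ZPK %X, recovered from log %v\n", clear, enc, toIssuer, pins)
}
```

Two things worth noticing: ExtractPINFromISO0 needs the PAN, which sits in the same authorisation record as the block, so a stored clear block costs nothing to reverse, and a wrong PAN produces a malformed block rather than a plausible PIN. The example does not attempt key recovery from plaintext/ciphertext pairs; with TDES the practical exposures are the stored clear value, a key that leaks from the host or HSM, or a translation host that logs what passes through it.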
So now that we can reasonably assume that PIN blocks were compromised, the next question is how they could possibly have gotten away with $9 million by cloning 100 cards and using them in 49 cities in about 30 minutes. That is $90,000 per card account.
Well, they did say 100 cards were cloned, but this does not tell us how many times each card account was replicated. One report also says that the hacker was able to remove the daily withdrawal limits of the cloned cards. The person or persons who did this had knowledge of ISO 7813 (the magnetic-track data format), of the issuing banks' daily-limit check processing, or both. Either they picked cards that had no restrictions, or they were smart enough to change the service codes and some data in track 3 to remove the daily withdrawal limits and the geographical zone usage restriction while encoding the cloned mag-stripes with these slight modifications. Other parameters (which I would rather not describe in detail) can also be changed.
In addition, some reports say that fake deposits were used to 'load' the balance on these payroll cards. Well, this is another loophole that has more to do with the acceptance and clearance of deposits and the checking of daily limits by the issuing bank's authorization system. This is where user limits (or customizable controls set by the bank's risk-management team with direct input from cardholders) could have prevented such a payout to the fraudsters.
Is the magnetic stripe the culprit? I am of the opinion that you can actually use a non-chip card (with just a mag-stripe) and secure it strongly with one-time PINs that are validated by the issuing bank's server. No matter how many times the mag-stripe is copied or cloned, the card account cannot be used without the input of a valid one-time PIN that has a limited life and is not replayable. Making it easy to manage and customize card account features (limits and prohibitions) such as daily withdrawal limits at the issuing bank's authorization level (even better with input from the actual cardholder) can prevent a $9-million-in-30-minutes heist. The resulting damage could have been a mere fraction of this if the limits and prohibitions had been properly set at the issuing banks' level and tested on a real-time basis. Perhaps RBS and Heartland can respectfully point this out on their way to the gallows.
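One way to implement the issuer-side controls argued for above, as an added example and not code from the post or from any bank: a one-time PIN issued by the issuer's server, valid for a single authorization within a short lifetime, plus a daily cash-withdrawal limit enforced in the authorization decision rather than carried on the card. The account number, the limit, the 6-digit code format and all type and function names are assumptions; the out-of-band delivery of the code to the cardholder is not modelled.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrUnknownAccount = errors.New("unknown account")
	ErrOTPInvalid     = errors.New("one-time PIN missing or wrong")
	ErrOTPReplayed    = errors.New("one-time PIN already used")
	ErrOTPExpired     = errors.New("one-time PIN expired")
	ErrBadAmount      = errors.New("amount must be positive")
	ErrDailyLimit     = errors.New("daily cash withdrawal limit exceeded")
)

// oneTimePIN lives only on the issuer's server: nothing on the stripe encodes
// it, so a cloned stripe carries no usable credential.
type oneTimePIN struct {
	code    string
	expires time.Time
	used    bool
}

// Account carries the issuer-side controls: a daily cash limit the bank (or
// the cardholder) can adjust and that is enforced at authorization time.
type Account struct {
	PAN            string
	DailyCashLimit int64 // in minor units (cents)
	withdrawnToday int64
	day            string // UTC date the counter refers to
	otp            *oneTimePIN
}

type Issuer struct{ accounts map[string]*Account }

func NewIssuer() *Issuer { return &Issuer{accounts: map[string]*Account{}} }

func (iss *Issuer) AddAccount(pan string, dailyCashLimit int64) {
	iss.accounts[pan] = &Account{PAN: pan, DailyCashLimit: dailyCashLimit}
}

// IssueOTP hands the cardholder a fresh 6-digit code (out of band in real life),
// valid for one authorization within ttl; any earlier outstanding code is voided.
func (iss *Issuer) IssueOTP(pan string, now time.Time, ttl time.Duration) (string, error) {
	acct, ok := iss.accounts[pan]
	if !ok {
		return "", ErrUnknownAccount
	}
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	acct.otp = &oneTimePIN{code: code, expires: now.Add(ttl)}
	return code, nil
}

// AuthorizeWithdrawal is the issuer's decision for one ATM cash withdrawal.
// The code is consumed on first presentation even if a later check fails, so
// a captured code cannot be retried; the limit is tracked per UTC day.
func (iss *Issuer) AuthorizeWithdrawal(pan, code string, amount int64, now time.Time) error {
	acct, ok := iss.accounts[pan]
	if !ok {
		return ErrUnknownAccount
	}
	o := acct.otp
	if o == nil || code == "" || subtle.ConstantTimeCompare([]byte(o.code), []byte(code)) != 1 {
		return ErrOTPInvalid
	}
	if o.used {
		return ErrOTPReplayed
	}
	o.used = true
	if now.After(o.expires) {
		return ErrOTPExpired
	}
	if amount <= 0 {
		return ErrBadAmount
	}
	if d := now.UTC().Format("2006-01-02"); d != acct.day {
		acct.day, acct.withdrawnToday = d, 0
	}
	if acct.withdrawnToday+amount > acct.DailyCashLimit {
		return ErrDailyLimit
	}
	acct.withdrawnToday += amount
	return nil
}

func main() {
	iss := NewIssuer()
	pan := "4111111111111111" // constructed account with a $300 daily cash limit
	iss.AddAccount(pan, 30000)
	now := time.Date(2009, 2, 9, 12, 0, 0, 0, time.UTC)
	code, _ := iss.IssueOTP(pan, now, 2*time.Minute)
	fmt.Println("withdraw $200 with a fresh code:", iss.AuthorizeWithdrawal(pan, code, 20000, now))
	fmt.Println("replay the same code:           ", iss.AuthorizeWithdrawal(pan, code, 20000, now))
	fmt.Println("cloned stripe, no code at all:  ", iss.AuthorizeWithdrawal(pan, "", 20000, now))
}
```

The order of checks is deliberate: the code is burned on first presentation, so a replayed or shoulder-surfed code fails even when the first attempt was itself rejected on the limit, and because the limit lives in the issuer's account record instead of in track data, rewriting the stripe changes nothing about the decision.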
Is EMV the solution to this problem? The answer is simply no, as long as there are POS terminals or ATMs that still accept mag-stripes. That is also assuming that the chip cannot be cloned or tampered with. But just as SDA was subverted, which prompted French issuers to upgrade to DDA, cloning or tampering with the chip is not impossible. As with any project, it all depends on how much profit one can get out of a project that results in the successful cloning or tampering of the chip.
At this time, there are enough mag-stripes, readers and other loopholes that the fraudsters can use. I suspect that work is already underway to successfully duplicate or tamper with the chip.
It is difficult for Europeans to understand the seemingly obstinate Americans who prefer to sign for their card payments. One would have to have lived there to understand the many reasons why this is so. But here are some of the reasons for mag-stripe and signature.
* In the U.S., federal banking regulations do not require banks to offer the same protection on debit-card (PIN-based) theft as they do on credit-card (signature-based) theft. Consumers are advised to avoid using the PIN and instead to use the debit card as a credit card (which is signed).
* In the U.S., a consumer has 9 cards on average. Imagine 9 different PINs for 9 cards!
* One personal observation relates to T&E card transactions. For example, restaurant bills in the U.S. are not totaled and require signatures. The tip is always added to the bill and the cardholder can enter any tip amount he wants to give to the server, then sign. I might add that in the U.S., tips MUST be added! How can you possibly do this with a hand-held terminal of the kind a server in Europe carries around?
* With the lack of PINs, fraudsters would have to not only clone the mag-stripes but go well beyond white-plastic fraud. In addition to creating authentic-looking cards (with the bank logo, embossed card number and name), fraudsters must also come up with an official-looking ID card to match the name on the fake card.
* Without a PIN, the card is useless to fraudsters who want to make cash withdrawals.
* You might say that Americans still need to withdraw cash from ATMs. Well, the funny thing is that in the U.S., card schemes explicitly prohibit merchants from requiring minimum credit card charges. Now that I think of it, I hardly had any cash with me while I lived in the Bay Area. Anyway, enough of them Americans…