PINs hacked from ATM transaction processing software
by Teresa von Fuchs on July 3, 2008

According to a report by the Associated Press, hackers were able to break into Citibank ATMs located in 7-Elevens and mine users’ PINs. The fraud ring is alleged to have stolen more than $2 million between October and March. While there are strict industry standards for protecting customers’ PINs, it appears that not all ATM operators are putting enough protections in place. The report said that the perpetrators were able to nab PINs while the ATM was communicating with the backend system that processes transactions.

Though the 7-Eleven ATMs are Citibank branded, the bank doesn’t own any of them; the machines were purchased from Cardtronics. In late 2006 Cardtronics launched its own in-house transaction processing service, but more than half of the 7-Eleven/Citibank ATM transactions are still processed by yet another company, Fiserv.

While Wired, the first place to report the story, says the FBI blames a Citibank-owned server for the PIN breach, Citibank says a “third party” is responsible for processing 7-Eleven ATM transactions. Fiserv told Wired it was not responsible for the breach; Cardtronics has yet to respond to the story.

Comments

  • I’ve read several accounts of crackers discovering that the encryption modules on a disturbingly large number of ATMs are left at the default settings – they never change or update the key or passphrase, OR the management/superuser passphrase. This means that if you find out what one is, you can monitor the transactions of many, many others, let alone get into the administrator’s console on the machine itself. I don’t know for certain that’s what happened here, but I can say I’ve never trusted an ATM the same way again.

    Banks themselves realize the scrutiny they’re under, but the contract agencies or clearinghouses that participate in the flow of our personal banking information (from the bank, across a clearinghouse, over the internet, and to the ATM, rented by the 7-11 down the road, provided by the 3rd party ATM distributor) should be under equal protection, audit, and scrutiny. Most of what I’ve heard/read tells me that the people who set up the equipment and maintain/manage it are severely undertrained, and don’t take into account the high level of sensitivity that should be mandatory.
