Join the Community

22,077
Expert opinions
44,027
Total members
419
New members (last 30 days)
204
New opinions (last 30 days)
28,695
Total comments

Massive ATM fraud in the US - who is to blame?

  0 12 comments

The UK daily newspapers and newswires are today picking up on an ongoing case in the US involving system breaches, thousands of stolen PIN numbers, card cloning  and money laundering. We've been following this on The Wired Blog Network for a few weeks now - most recent post here.

The main case involves Citibank branded ATMs in 7-11 convenience stores managed by Cardtronics with some processing handled by Fiserv.

Most of the reporting is based on a few court documents in the public domain, as well as a lot of commentary. Different articles have different takes on how the criminals got the PINs in the first place. Some have said that PINs were intercepted on the network between the ATM and processing hub. This article implies that this is possible because the ATMs run on Windows.

I'm not certain, but I don't think this is likely. TripleDES encryption has been mandatory since 2002 if the ATM connects in any way to the Visa or Mastercard network, and it encrypts the PIN within the PIN pad itself - there's no raw transmission even to another circuit within the ATM body and certainly not to any OS accessible layer.

A more likely scenario is the system breach at the processing end. An FBI affadavit says this is what happened, and the breach was of a Citi server. Citi denies this and points to the third party operators/processors who run their branded ATMs.

This would leave Fiserv and Cardtronics, the largest non-bank ATM operator in the US, as the possible breach points. Fiserv have made statements about their innocence, while according to Wired, Cardtronics are maintaining their silence.

It would be interesting to see how the PINs were obtained (I suspect an insider job), and also how they managed to access unencrypted PINs and account details.

But looking at the big picture I can't help feeling that the US banking industry as a whole (including Mastercard and Visa in the US) might be to blame for the situation. By not getting involved with the global EMV chip card standard and sticking with easily clonable magnetic stripe cards, the US makes itself an easy target for organised criminals.

'Card present' fraud - getting easy access to cash with cloned cards - is better for the criminals than 'card not present' fraud, which usually takes the form of buying goods online that than have to be delivered and converted to cash - an extra, inconvenient step.

Countries that have adopted the EMV chip card standard, which among other things makes it much much harder to clone cards, have all seen a reduction in card present fraud. Admittedly some of this fraud has migrated to the card not present variety. But as organised crime is a global business, a lot of it has just moved to other countries that present a softer target, and this case certainly demonstrates that the US falls into this category.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Join the Community

22,077
Expert opinions
44,027
Total members
419
New members (last 30 days)
204
New opinions (last 30 days)
28,695
Total comments

Trending

Now Hiring