Community
The UK daily newspapers and newswires are today picking up on an ongoing case in the US involving system breaches, thousands of stolen PIN numbers, card cloning and money laundering. We've been following this on The Wired Blog Network for a few weeks now - most recent post here.
The main case involves Citibank branded ATMs in 7-11 convenience stores managed by Cardtronics with some processing handled by Fiserv.
Most of the reporting is based on a few court documents in the public domain, as well as a lot of commentary. Different articles have different takes on how the criminals got the PINs in the first place. Some have said that PINs were intercepted on the network between the ATM and processing hub. This article implies that this is possible because the ATMs run on Windows.
I'm not certain, but I don't think this is likely. TripleDES encryption has been mandatory since 2002 if the ATM connects in any way to the Visa or Mastercard network, and it encrypts the PIN within the PIN pad itself - there's no raw transmission even to another circuit within the ATM body and certainly not to any OS accessible layer.
A more likely scenario is the system breach at the processing end. An FBI affadavit says this is what happened, and the breach was of a Citi server. Citi denies this and points to the third party operators/processors who run their branded ATMs.
This would leave Fiserv and Cardtronics, the largest non-bank ATM operator in the US, as the possible breach points. Fiserv have made statements about their innocence, while according to Wired, Cardtronics are maintaining their silence.
It would be interesting to see how the PINs were obtained (I suspect an insider job), and also how they managed to access unencrypted PINs and account details.
But looking at the big picture I can't help feeling that the US banking industry as a whole (including Mastercard and Visa in the US) might be to blame for the situation. By not getting involved with the global EMV chip card standard and sticking with easily clonable magnetic stripe cards, the US makes itself an easy target for organised criminals.
'Card present' fraud - getting easy access to cash with cloned cards - is better for the criminals than 'card not present' fraud, which usually takes the form of buying goods online that than have to be delivered and converted to cash - an extra, inconvenient step.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Amr Adawi Co-Founder and Co-CEO at MetaWealth
25 November
Kathiravan Rajendran Associate Director of Marketing Operations at Macro Global
Vitaliy Shtyrkin Chief Product Officer at B2BINPAY
22 November
Kunal Jhunjhunwala Founder at airpay payment services
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.