ARCHIVE
ID Number: G00138479



This research is provided for historical perspective;
portions of this document may not reflect current conditions.






Fraudulent ATM Withdrawals Reflect a Widespread Threat
8 March 2006
 
Avivah Litan  

Recent automated teller machine (ATM) fraud involving Citibank and other banks points to a new wave of "personal identification number (PIN) block" schemes.























News Analysis

Event

On 6 and 7 March 2006, Citibank issued statements in response to consumer complaints that they were unable to use their ATM cards to make cash withdrawals in certain countries (Canada, Russia and the United Kingdom). Citibank said that accounts that were "possibly compromised in previous retailer breaches in the U.S." in 2005 were being monitored for fraud.

Analysis

Citibank's actions follow similar measures taken by other U.S. banks, which have reissued ATM cards after customers' cards were compromised, allegedly through a retailer security breach. Gartner believes that these combined bank actions reflect the largest PIN theft to date — and point to a new wave of "PIN block" card fraud. Gartner believes the banking industry is less than halfway through this latest scam, which will continue to affect large numbers of cardholders.

In "PIN block" schemes, hackers break into retailer servers and steal PIN blocks that represent encrypted PIN data (which, along with card numbers, is sent to processors that execute PIN debit transactions). The thieves also steal terminal keys used to encrypt PINs. These keys are typically stored on retailers' terminal controllers. Armed with the PIN block and terminal encryption key, the thieves can determine a cardholder's PIN, then create counterfeit cards that enable them to withdraw cash at ATMs. In this particular scam, the thieves probably also stole (likely from a retailer) magnetic-stripe data found on the back of ATM cards, which large banks typically validate.

Recommendations

  • Card issuers: Ensure that the Payment Card Industry (PCI) Data Security Standard prohibits the storage of PIN blocks and covers terminal operations.
  • Enterprises: Never store PIN blocks or magnetic stripe card data. Never store encryption keys along with encrypted data, and keep the encryption keys in high-security environments, such as hardware storage modules available from Safenet, Thales and other providers.
  • Payment vendors: Modify your software to make the storage of PINs, PIN blocks and cards' magnetic-stripe data impossible.
  • Banks: Validate magnetic-stripe card data at terminals to make the use of counterfeit cards that do not have this data impossible.
  • Regulators: Modify Regulation E, which governs consumers' rights with regard to unauthorized bank account withdrawals, loosening the consumer notification timing requirements so that consumers can get their money back more easily.
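
One way an enterprise could check the "never store magnetic stripe card data" recommendation is to scan stored logs for Track 2 records. The following is an added example, not part of the original Gartner note; the Track 2 layout (ISO/IEC 7813), the function names and the sample log lines are assumptions constructed for illustration, and the card numbers are public test values.

```python
import re

# Assumed Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data ?
TRACK2 = re.compile(r"(?<!\d);?(\d{12,19})=(\d{4})(\d{3})(\d*)\??")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum; discards digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first six and last four digits so the finding itself stores no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(lines):
    """Return (line_number, masked_pan) for every stored Track 2 record found."""
    hits = []
    for no, line in enumerate(lines, 1):
        for m in TRACK2.finditer(line):
            pan, expiry = m.group(1), m.group(2)
            month = int(expiry[2:])
            # Require a plausible expiry month and a valid Luhn digit to cut false positives.
            if 1 <= month <= 12 and luhn_ok(pan):
                hits.append((no, mask(pan)))
    return hits

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2006-03-01 10:02:11 txn=1001 status=approved amount=20.00",
    "2006-03-01 10:02:15 txn=1002 swipe=;4111111111111111=08121010000012345678? status=approved",
    "2006-03-01 10:02:19 txn=1003 swipe=;4111111111111112=08121010000012345678? status=declined",
    "2006-03-01 10:02:25 txn=1004 ref=5555555555554444=0813101 status=approved",
]

if __name__ == "__main__":
    for line_no, pan in find_track2(SAMPLE_LOG):
        print(f"line {line_no}: stored Track 2 data for PAN {pan}")
```

Encrypted PIN blocks are not covered by this check: they are opaque fixed-length values with no recognizable structure, so they have to be found by reviewing which fields the payment software writes.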

Analytical Source: Avivah Litan, Gartner Research





© 2006 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The conclusions, projections and recommendations represent Gartner's initial analysis. As a result, our positions are subject to refinements or major changes as Gartner analysts gather more information and perform further analysis. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.




Resource Id: 489835