On 6 and 7 March 2006, Citibank issued statements in response to consumer complaints that they were unable use their ATM cards to make cash withdrawals in certain countries (Canada, Russia and the United Kingdom). Citibank said that accounts that were "possibly compromised in previous retailer breaches in the U.S." in 2005 were being monitored for fraud.
Citibank's actions follow similar measures taken by other U.S. banks, which have reissued ATM cards after customers' cards were compromised, allegedly through a retailer security breach. Gartner believes that these combined bank actions reflect the largest PIN theft to date — and point to a new wave of "PIN block" card fraud. Gartner believes the banking industry is less than halfway through this latest scam, which will continue to affect large numbers of cardholders.
In "PIN block" schemes, hackers break into retailer servers and steal PIN blocks that represent encrypted PIN data (which, along with card numbers, is sent to processors that execute PIN debit transactions). The thieves also steal terminal keys used to encrypt PINs. These keys are typically stored on retailers' terminal controllers. Armed with the PIN block and terminal encryption key, the thieves can determine a cardholder's PIN, then create counterfeit cards that enable them to withdraw cash at ATM machines. In this particular scam, the thieves probably also stole (likely from a retailer) magnetic-stripe data found on the back of ATM cards, which large banks typically validate.
Analytical Source: Avivah Litan, Gartner Research
Recommended Reading and Related Research
(You may need to sign in or be a Gartner client to access the documents referenced in this First Take.)
|Resource Id: 489835|