PIN thefts show ATM security gaps
SAN JOSE — Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' personal identification numbers, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.
The scam netted millions of dollars. But more importantly, it indicates criminals were able to access PINs — the numeric passwords that theoretically are among the most closely guarded elements of banking transactions — by attacking the back-end computers responsible for approving the cash withdrawals.
The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.
Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption, some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.
"PINs were supposed be sacrosanct — what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with the Gartner research firm.
It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it doesn't own or operate any of them.



