Citibank card fraud - magnetic strip to blame?

A Citibank ATM network breach in Canada, Russia and the UK could have been prevented if the bank's US customers had chip and PIN technology on their cards, a leading analyst has said.

Citibank this week admitted that hundreds of its US customers had been affected when hackers broke into the ATM network through a retail store server and stole a "block" of PINs and the keys to decrypt them.

Avivah Litan, a research director for Gartner, told silicon.com: "You won’t have the same problem with a chip card. They are hard to duplicate but it's pretty easy to copy a magnetic stripe."

With a PIN-block, hackers break into retailer servers and steal a chunk of PINs, then create counterfeit cards that enable them to withdraw cash at ATM machines. Litan wrote that in this case the thieves probably stole magnetic-stripe data found on the back of ATM cards.

She said: "What's really exposed are the retail systems that use the ATM system. It could have been an insider – it's very hard to know. It was someone who had access to the [encryption] keys data. They were very skilled."

The analyst said the crime reflects the largest PIN theft to date and the financial industry will be hit by more PIN-block fraud in the future.

She said: "Phishing was last year but banks have wised up to that, so now it's the PIN block fraud. Certainly this is a pot of gold for them.

"What's better – going for cards or going for the details? This is the simplest way – breaking into the bank using the ATM system. With the UK it was because Americans go there and use the magnetic stripe [on their cards]."

Earlier this year, silicon.com reported that the major security weakness in bank cards is in the magnetic strip because it is easy to duplicate. The technique is known as skimming.

Martin McMillan, CEO of Level Four, a company that builds software and testing tools for ATMs, said: "If you were to have a chip-only card, skimming would disappear. As long as you have a magnetic strip on the back of the card it will be susceptible to skimming."

Citibank confirmed only US customers had been affected by the theft. It is now reissuing cards to customers whose accounts were blocked after the fraud was discovered.

A spokesman for Citibank told silicon.com: "All this occurred because of a breach at a company in the US. There was a small proportion of customers who were affected. We are not aware of customers affected outside the US."