By Dan Ilett, 10 March 2006 12:20
NEWS
A Citibank ATM network breach in Canada, Russia and the UK could have been prevented if the bank's US customers had chip and PIN technology on their cards, a leading analyst has said.
Citibank this week admitted that hundreds of its US customers had been affected when hackers broke into the ATM network through a retail store server and stole a "block" of PINs and the keys to decrypt them.
Avivah Litan, a research director for Gartner, told silicon.com: "You wont have the same problem with a chip card. They are hard to duplicate but it's pretty easy to copy a magnetic stripe."
With a PIN-block, hackers break into retailer servers and steal a chunk of PINs, then create counterfeit cards that enable them to withdraw cash at ATM machines. Litan wrote that in this case the thieves probably stole magnetic-stripe data found on the back of ATM cards.
She said: "What's really exposed are the retail systems that use the ATM system. It could have been an insider it's very hard to know. It was someone who had access to the [encryption] keys data. They were very skilled."
The analyst said the crime reflects the largest PIN theft to date and the financial industry will be hit by more PIN-block fraud in the future.
She said: "Phishing was last year but banks have wised up to that, so now it's the PIN block fraud. Certainly this is a pot of gold for them.
"What's better going for cards or going for the details? This is the simplest way breaking into the bank using the ATM system. With the UK it was because Americans go there and use the magnetic stripe [on their cards]."
Earlier this year, silicon.com reported that the major security weakness in bank cards is in the magnetic strip because it is easy to duplicate. The technique is known as skimming.
Martin McMillan, CEO of Level Four, a company that builds software and testing tools for ATMs, said: "If you were to have a chip-only card, skimming would disappear. As long as you have a magnetic strip on the back of the card it will be susceptible to skimming."
Citibank confirmed only US customers had been affected by the theft. It is now reissuing cards to customers whose accounts were blocked after the fraud was discovered.
A spokesman for Citibank told silicon.com: "All this occurred because of a breach at a company in the US. There was a small proportion of customers who were affected. We are not aware of customers affected outside the US."
Comments
There are 3 comments. Join the discussion
1. anonymous
The millions of UK issued Chip and PIN credit cards in circulation, which have retained magstrips look vulnerable. With so many differing types of PIN entry devices, ranging from park and swipe systems to hand-held wi-fi ones, it can't be much of a challenge to capture PINs and magstrip details without anyone noticing until it's too late.
Any of these cards cloned or stolen can be used with a PIN at almost any ATM anwhere in the world. No wonder crooks are attracted to ATMs. They can get hard cash at £200 to £500 a time without ever challenged.
From a credit card holders perspective it makes sense to opt for Chip and Signature Credit cards!
2. Nick Cole
And in a few years time skimming will use chip readers as well!
Hardware based security only works as long as the criminal base cannot access the hardware. And given the rate of improvement in performance brute force decyption gets 'easier' as time goes by anyway.
All that expense and aggravation developing chip and pin will be no better than existing mag strips in a shorter timescale! In fact probably worse as the chipped cards will have more personal information. Just think of the havoc once ID thieves get hold of chip readers.
We place too much reliance on circumventable technology.
3. CB
Fundamentally Chip and PIN passes the burden of proof for fraudulent transactions to the customer.
This means that any security breach of the 'banks' systems will results in the customer being penalised.
How can this possibly lead to safer more secure banking?
The banks need to take responsibility for the security of their systems.