Citibank ATM Breach Reveals PIN Security Problems
July 1, Associated Press – (National)
Hackers broke into Citibank’s network of ATMs inside 7-Eleven stores and stole customers’ PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record. The scam netted the alleged identity thieves millions of dollars. It also indicates criminals were able to access personal identification numbers (PINs) by attacking the back-end computers responsible for approving the cash withdrawals.

The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem. Hackers are targeting the ATM system’s infrastructure, which is increasingly built on Microsoft Corp.’s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet.

Despite industry standards that call for protecting PINs with strong encryption, some ATM operators apparently are not doing that properly. The PINs seem to be leaking while in transit between the ATMs and the computers that process the transactions. It is unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March 2008 and was first reported by www.Wired.com. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it does not own or operate any of them.
The Associated Press