SAN JOSE (CALIFORNIA) - BANK customers have a new security threat to worry about, after hackers managed to break into Citibank ATMs in the US and steal PIN codes.
According to recent court filings, the hackers hit Citibank automated teller machines in 7-Eleven stores, helping themselves to at least US$2 million (S$2.7 million).
The Times of London has described it as 'the most effective remote PIN code theft scam in US banking history' and said there are suggestions that the hackers could have transferred many millions more to Russia.
But more importantly for consumers, the criminals demonstrated an ability to remotely access PINs - theoretically among the most closely guarded elements of banking transactions - by attacking the back-end computers which approve cash withdrawals.
And that means that, unlike other bank fraud scams, there is nothing a customer can do to protect himself - short of ceasing to use ATMs - and no way he can know his PIN has been compromised until someone has cloned his card and taken his money.
The case against Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva in the United States District Court for the Southern District of New York highlights a significant problem.
Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft's Windows operating system and allows remote diagnosis and repair of machines over the Internet.
And despite industry standards that call for protecting PINs with strong encryption - which means encoding them to hide them from outsiders - some ATM operators apparently are failing to do that properly.
The PINs seem to be leaking while in transit between the ATMs and the computers that process the transactions.
'PINs were supposed to be sacrosanct - what this shows is that PINs aren't always encrypted like they're supposed to be,' said Ms Avivah Litan, a security analyst with the Gartner research firm.
It is unclear how many Citibank customers were affected by the breach, which was traced back to at least last October and was first reported by technology news website Wired.com. The trio were indicted in March this year.
Citibank has nearly 5,700 ATMs inside 7-Eleven stores throughout the US, although they are operated by other companies.
The hackers broke into the ATM network through a server at a third-party processor, which means they did not have to go anywhere near a 7-Eleven to pull off their heist. Exactly how they did it has not been revealed, but they may have gained administrative access to the machines - which means they had carte blanche to grab information - through a flaw in the network or by cracking those computers' passwords.
It is also possible that they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.
But what is disturbing for customers is that, however they did it, ATM users would have had their PINs stolen from machines which showed no signs of tampering.
And once the thieves had the PINs, they would be able to encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.
Mr Don Jackson, director of threat intelligence for SecureWorks Inc, said he has seen an 'alarming' spike in the number of attacks on back-end computers for ATM networks over the past year.
Citibank said it had notified affected customers and given them new cards, and the victims would not have to bear the financial loss.
But while Mr Jackson said the Citibank heist was 'fairly large', he suggested that it was just the tip of the iceberg.
'What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed. But there are a whole lot of other ATM and PIN compromises going on that aren't reported,' he said.