Hackers broke into a multinational bank's network of ATMs inside 7-Eleven stores and stole customers PIN codes, according to court filings that revealed a disturbing security hole in the most sensitive part of a banking record. The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access that theoretically are among the most closely guarded elements of banking transactions by attacking the back-end computers responsible for approving the cash withdrawals.
The case against three people in US District Court for the Southern District of New York high lights a significant problem.
Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp's Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption which means encoding them to cloak them to outsiders some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that processes the transactions.
It's unclear how many bank's customers were affected by the breach, which extended at least from October 2007 to March of 2008 and was first reported by technology news website Wired.com. The bank has nearly 5,700 ATMs inside 7-Eleven Inc.stores throughout the US, but it doesn't own or operate any of them.
A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly. All that known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.
They could have gained administrative access to the machines which means they had carte blanch (full authority) to grab information - through a flaw in the network or by figuring out those computers passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.
Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.
The bank has declined to comment on the technique or how many customers’ accounts were compromised. However, it notified affected customers and issued them new debit cards.
The case against three people in US District Court for the Southern District of New York high lights a significant problem.
Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp's Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption which means encoding them to cloak them to outsiders some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that processes the transactions.
It's unclear how many bank's customers were affected by the breach, which extended at least from October 2007 to March of 2008 and was first reported by technology news website Wired.com. The bank has nearly 5,700 ATMs inside 7-Eleven Inc.stores throughout the US, but it doesn't own or operate any of them.
A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly. All that known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.
They could have gained administrative access to the machines which means they had carte blanch (full authority) to grab information - through a flaw in the network or by figuring out those computers passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.
Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.
The bank has declined to comment on the technique or how many customers’ accounts were compromised. However, it notified affected customers and issued them new debit cards.