Hackers broke into Citibank's network of automated teller machines inside 7-Eleven stores and stole customers' personal identification numbers, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.
The scheme netted the alleged identity thieves millions of dollars. But more important for consumers, it indicates criminals were able to access PINs -- the numeric passwords that theoretically are among the most closely guarded elements of banking transactions -- by attacking the back-end computers responsible for approving the cash withdrawals.
The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.
Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet.
Industry standards call for PINs to be encrypted so that anyone intercepting them sees only scrambled data, but some ATM operators apparently aren't doing that properly. The PINs seem to be leaking while in transit between the ATMs and the computers that process the transactions. The weak point is easy to miss: a PIN is normally decrypted and re-encrypted under a new key each time it passes from one network to the next, and a processor that performs that step on an ordinary server rather than inside tamper-resistant cryptographic hardware exposes the PIN at that moment.
"PINs were supposed to be sacrosanct -- what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with the research firm Gartner.
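As an added illustration of what the standard calls for (this code is not from the article or from any of the companies named in it), the Go program below carries a PIN along the path the article describes: the ATM folds the PIN and the card number into an ISO 9564 format 0 PIN block and encrypts it under a Triple DES key it shares with the processor; the processor swaps that encryption for a key it shares with the card issuer; only the issuer recovers the digits. The card number, PIN and keys are constructed sample values. The translation step is written as ordinary host code here to make the exposure visible; in a compliant deployment it runs inside a hardware security module so the clear PIN block never exists in server memory.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

const digits = "0123456789"

// xorWithPAN applies the ISO 9564-1 format 0 mask ("0000" + rightmost 12 PAN
// digits, check digit excluded). XOR is its own inverse, so it also removes it.
func xorWithPAN(b []byte, pan string) ([]byte, error) {
	if len(b) != 8 || len(pan) < 13 || strings.Trim(pan, digits) != "" {
		return nil, errors.New("need an 8-byte block and a PAN of 13 or more digits")
	}
	mask, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	out := make([]byte, 8)
	for i := range out {
		out[i] = b[i] ^ mask[i]
	}
	return out, nil
}

// Format0PINBlock builds the clear block: nibble 0, PIN length, PIN digits, F padding
// to 16 nibbles, XORed with the PAN mask so one PIN gives a different block per card.
func Format0PINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, digits) != "" {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	field := fmt.Sprintf("0%X%s", len(pin), pin)
	block, _ := hex.DecodeString(field + strings.Repeat("F", 16-len(field)))
	return xorWithPAN(block, pan)
}

// ExtractPIN reverses Format0PINBlock. Only the issuer should need it, inside its
// HSM; any other party able to run it on live traffic has the PIN.
func ExtractPIN(block []byte, pan string) (string, error) {
	clear, err := xorWithPAN(block, pan)
	if err != nil {
		return "", err
	}
	field := strings.ToUpper(hex.EncodeToString(clear))
	n, err := strconv.ParseInt(field[1:2], 16, 0)
	if field[0] != '0' || err != nil || n < 4 || n > 12 {
		return "", errors.New("not a format 0 PIN block")
	}
	if strings.Trim(field[2:2+n], digits) != "" || strings.Trim(field[2+n:], "F") != "" {
		return "", errors.New("malformed PIN block")
	}
	return field[2 : 2+n], nil
}

// tdes runs one 8-byte block through Triple DES under a 24-byte key (single-block ECB).
func tdes(in, key []byte, encrypt bool) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil || len(in) != des.BlockSize {
		return nil, errors.New("need a 24-byte key and an 8-byte block")
	}
	out := make([]byte, des.BlockSize)
	if encrypt {
		c.Encrypt(out, in)
	} else {
		c.Decrypt(out, in)
	}
	return out, nil
}

func EncryptPINBlock(clear, key []byte) ([]byte, error) { return tdes(clear, key, true) }
func DecryptPINBlock(enc, key []byte) ([]byte, error)   { return tdes(enc, key, false) }

// TranslatePINBlock is the processor's hop: decrypt under the ATM's key, re-encrypt
// under the issuer's. As host code the clear block sits in process memory (and any
// debug log) between the two calls; compliant processors do this inside an HSM.
func TranslatePINBlock(enc, fromKey, toKey []byte) ([]byte, error) {
	clear, err := DecryptPINBlock(enc, fromKey)
	if err != nil {
		return nil, err
	}
	return EncryptPINBlock(clear, toKey)
}

func main() {
	// Constructed sample values, not a real card or real keys.
	pan, pin := "4000001234567899", "1234"
	tpk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA987654321089ABCDEF01234567") // ATM terminal PIN key
	zpk, _ := hex.DecodeString("1122334455667788AABBCCDDEEFF0011DEADBEEF00112233") // processor-issuer zone key
	clear, _ := Format0PINBlock(pin, pan)
	atmToProc, _ := EncryptPINBlock(clear, tpk)
	procToIssuer, _ := TranslatePINBlock(atmToProc, tpk, zpk)
	atIssuer, _ := DecryptPINBlock(procToIssuer, zpk)
	got, _ := ExtractPIN(atIssuer, pan)
	fmt.Printf("clear block (must never reach a host or a log): %X\n", clear)
	fmt.Printf("ATM->processor %X  processor->issuer %X  issuer recovers PIN %s\n", atmToProc, procToIssuer, got)
}
```

Running it prints the clear block once (the value that must never appear outside the cryptographic hardware), the two ciphertexts that actually cross the wire, and the PIN recovered at the issuer. Someone with access to the processor's server sees the same two ciphertexts a wiretap would; what decides whether PINs leak is whether the decrypted intermediate value is ever within reach of that server's software.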
It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by technology news website Wired.com. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it doesn't own or operate them.
That responsibility falls on two companies: Cardtronics Inc. of Houston, which owns all the machines but operates only some, and Fiserv Inc. of Brookfield, Wis., which operates the others.
A crucial issue in the investigation is how the hackers infiltrated the system, a question that hasn't been answered publicly. All that's known is that they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.
Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers' accounts were compromised.
It said it notified affected customers and issued them new debit cards.
Cardtronics said it was cooperating with authorities but otherwise declined to comment. Fiserv spokeswoman Melanie Tolley said the intrusion didn't happen on Fiserv's servers.