7-Eleven ATMs Compromised

Hackers break into Citibank's network of c-store cash machines

Published in CSP Daily News

SAN JOSE, Calif. -- Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings. The scam netted the alleged identity thieves millions of dollars. Criminals were able to access PINs by attacking the backend computers responsible for approving the cash withdrawals, reported the Associated Press.

The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem, the news agency said. Hackers are targeting the ATM system's infrastructure, which is increasingly [image-nocss] built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption—encoding them to cloak them to outsiders—some ATM operators apparently aren't properly doing that, AP speculated. The PINs, it said, appear to be leaking while in transit between the ATM and the computers that process the transactions.

It is unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by Wired.com.

The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. U.S. stores, but it doesn't own or operate any of them. That responsibility falls on two companies: Houston-based Cardtronics Inc., which owns all the machines, but only operates some, and Brookfield, Wis.-based Fiserv Inc., which operates the others.

A critical issue in the investigation is how the hackers infiltrated the system, a question that still has not been answered publicly, said the report. All that is known in this case is that they broke into the ATM network through a server at a third-party processor, which means they probably did not have to touch the ATMs at all to pull off the crime. They could have gained administrative access to the machines through a flaw in the network or by figuring out those computers' passwords, AP speculated. Or it is possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.

What that means for consumers is that their PINs were stolen from machines that showed no signs of tampering. In previous PIN thefts, thieves generally took steps that might draw notice—sending "phishing" e-mails, for example, or installing false-front keypads or even tiny cameras on ATMs.

Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts, the report said.

The alleged plot is outlined in court papers supporting the prosecution of three people—Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva. They were indicted in March on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2 million in illegal profits.

Citibank, part of Citigroup Inc., has declined to comment to AP on the technique or how many customers' accounts were compromised. It said it notified affected customers and issued them new debit cards. Fiserv spokesperson Melanie Tolley told the news agency that the intrusion did not happen on Fiserv's servers. "Fiserv," she said, "is confident in the integrity and security of our system."

Cardtronic said in a statement, "Recent press articles have mentioned Cardtronics in the context of a reported attack by hackers on ATM systems that is currently the subject of a criminal prosecution in the United States District Court in New York, New York. Cardtronics is not involved in this criminal prosecution and therefore does not anticipate that it will issue any statements with respect to this case or the alleged conduct of the defendants in this case. All ATMs owned or operated by Cardtronics have encrypted PIN pads, as well as triple data encryption (3DES) as required by the various electronic fund transfer networks. Additionally, Cardtronics' processing platform complies with the PIN Security Requirements established by the Payment Card Industry (PCI) and has successfully completed a PCI PIN security field review performed by one of the major networks."

In a statement provided toCSP Daily News, the retailer said, "7-Eleven Inc. is aware of the federal investigation in New York concerning ATM fraud that has apparently impacted Citi customers. It is 7-Eleven's policy not to comment on any aspects of this matter because it is an ongoing investigation. We understand that Citibank has already contacted any accountholders who may have been impacted or that needed to receive a replacement card; however, 7-Eleven is confident that its ATM provider, Cardtronics, has included the appropriate safeguards designed to prevent unauthorized access to our customers' personal data in the ATMs located in our stores today."In June 2007, Dallas-based 7-Eleven entered into an agreement with Cardtronics for the ATM operator to acquire the retailer's ATM operations in the United States. The agreement provided Cardtronics with a 10-year exclusive right to operate all ATMs and Vcom advanced-function financial self-service kiosks in U.S. 7-Eleven locations, including in any new 7-Eleven stores. The acquisition added more than 5,500 ATMs to the Cardtronics portfolio, expanding the size of Cardtronics' network to more than 30,000 machines. The deal's price tag was approximately $135 million. ( Click here to view CSP Daily News coverage of the deal.) Click hereto read CSP magazine's coverage about the potential multi-million-dollar cost of data breaches to the c-store industry.See also the related story, "ATM Mayhem,"in this issue of CSP Daily News.