17-03-06

ATM network compromised? Thousands of credit cards blocked in the US and UK

The news on the web is that thousands of cards are being blocked, and that this would be the result of the compromise of some retailers' online databases. But there is more to the story. This story is so big and its consequences are so enormous (even if everybody seems to be trying to sweep it under the carpet again) that the first article is published here. The follow-up will be done on http://scams.skynetblogs.be


"Gartner believes that these combined bank actions reflect the largest PIN theft to date — and point to a new wave of 'PIN block' card fraud," Litan writes. If hackers broke into retailer servers and stole PIN blocks that represent encrypted PIN data as well as terminal encryption keys (typically stored on retailers' terminal controllers), they might be able to determine a cardholder's PIN and create counterfeit cards that enable them to withdraw cash at ATM machines.
The Payment Card Industry (PCI) Data Security Standard https://sdp.mastercardintl.com/pdf/pcd_manual.pdf prohibits the storage of PIN blocks and covers terminal operations. Gartner advises card issuers to follow this guidance http://www.gartner.com/DisplayDocument?doc_cd=138479 but according to this specialist, this is not what really happened: the data is being sniffed (intercepted) over the LAN of the ATM, which means the ATM network of the banks is compromised. ATMs are moving away from their closed environments into the open network world.
http://www.signal15.com/articles/2006/03/09/atm-card-frau...

 

For smaller operations this could be done like this: they skim ATMs inside bank offices and send the information wirelessly to a car nearby.
http://www.utexas.edu/police/alerts/atm_scam/ 

Or they reproduce the cards and the system, as the French engineer Humpich did in the late 90s with an ATM and a card
http://digg.com/security/Debit_card_thieves_get_around_PI...
But maybe this is not that easy to do
http://digg.com/security/Debit_card_thieves_get_around_PI...

This may be the time for the industry (and the regulators) to wake up.

* Better cards would help
Martin McMillan, CEO of Level Four, a company that builds software and testing tools for ATMs, said: "If you were to have a chip-only card, skimming would disappear. As long as you have a magnetic strip on the back of the card it will be susceptible to skimming."
http://www.silicon.com/financialservices/0,3800010322,391...
http://www.silicon.com/financialservices/0,3800010322,391...

 

And as a user: sign your receipt instead of using your PIN code
http://digg.com/security/Debit_card_thieves_get_around_PI...

More info: http://scams.skynetblogs.be

18:18 Posted by technology changes fast not a lot
