Content

Gartner warns of ‘PIN block’ hacking scams

Recent automated teller machine (ATM) fraud cases involving Citibank and other banks points to a new wave of "personal identification number (PIN) block" schemes, Gartner has warned.

According to the analyst firm the growing problem was highlighted by the recent case when Citibank issued statements in response to consumer complaints that they were unable use their ATM cards to make cash withdrawals in certain countries (Canada, Russia and the United Kingdom). Citibank said that accounts that were "possibly compromised in previous retailer breaches in the U.S." in 2005 were being monitored for fraud.

Citibank's actions follow similar measures taken by other U.S. banks, which have reissued ATM cards after customers' cards were compromised, allegedly through a retailer security breach, Gartner stated.

"Gartner believes that these combined bank actions reflect the largest PIN theft to date - and point to a new wave of "PIN block" card fraud. Gartner believes the banking industry is less than halfway through this latest scam, which will continue to affect large numbers of cardholders," said Gartner research vice president, Avivah Litan.

She explained that, in "PIN block" schemes, hackers break into retailer servers and steal PIN blocks that represent encrypted PIN data (which, along with card numbers, is sent to processors that execute PIN debit transactions).

"The thieves also steal terminal keys used to encrypt PINs. These keys are typically stored on retailers' terminal controllers. Armed with the PIN block and terminal encryption key, the thieves can determine a cardholder's PIN, then create counterfeit cards that enable them to withdraw cash at ATM machines," Litan added.

In this particular scam, she believes that the thieves probably also stole (most probably from a retailer) magnetic-stripe data found on the back of ATM cards, which large banks typically validate.

Gartner advises that card issuers should ensure that the Payment Card Industry (PCI) Data Security standard prohibits the storage of PIN blocks and covers terminal operations.

For enterprises the analyst firm warns that they should ever store PIN blocks or magnetic stripe card data. Firms should also never store encryption keys along with encrypted data, and always keep the encryption keys in high-security environments.

Payment vendors are advised by Litan to modify their software to make the storage of PINs, PIN blocks and cards' magnetic-stripe data impossible. They should also validate magnetic-stripe card data at terminals to make the use of counterfeit cards that do not have this data impossible.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.