Gartner warns of ‘PIN block’ hacking scams

Recent automated teller machine (ATM) fraud cases involving Citibank and other banks points to a new wave of "personal identification number (PIN) block" schemes, Gartner has warned.

According to the analyst firm the growing problem was highlighted by the recent case when Citibank issued statements in response to consumer complaints that they were unable use their ATM cards to make cash withdrawals in certain countries (Canada, Russia and the United Kingdom). Citibank said that accounts that were "possibly compromised in previous retailer breaches in the U.S." in 2005 were being monitored for fraud.

Citibank's actions follow similar measures taken by other U.S. banks, which have reissued ATM cards after customers' cards were compromised, allegedly through a retailer security breach, Gartner stated.

"Gartner believes that these combined bank actions reflect the largest PIN theft to date - and point to a new wave of "PIN block" card fraud. Gartner believes the banking industry is less than halfway through this latest scam, which will continue to affect large numbers of cardholders," said Gartner research vice president, Avivah Litan.

She explained that, in "PIN block" schemes, hackers break into retailer servers and steal PIN blocks that represent encrypted PIN data (which, along with card numbers, is sent to processors that execute PIN debit transactions).

"The thieves also steal terminal keys used to encrypt PINs. These keys are typically stored on retailers' terminal controllers. Armed with the PIN block and terminal encryption key, the thieves can determine a cardholder's PIN, then create counterfeit cards that enable them to withdraw cash at ATM machines," Litan added.

In this particular scam, she believes that the thieves probably also stole (most probably from a retailer) magnetic-stripe data found on the back of ATM cards, which large banks typically validate.

Gartner advises that card issuers should ensure that the Payment Card Industry (PCI) Data Security standard prohibits the storage of PIN blocks and covers terminal operations.

For enterprises the analyst firm warns that they should ever store PIN blocks or magnetic stripe card data. Firms should also never store encryption keys along with encrypted data, and always keep the encryption keys in high-security environments.

Payment vendors are advised by Litan to modify their software to make the storage of PINs, PIN blocks and cards' magnetic-stripe data impossible. They should also validate magnetic-stripe card data at terminals to make the use of counterfeit cards that do not have this data impossible.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.