According to a report by the Associated Press hackers were able to break into Citibank ATMs located in 7-Elevens and mine users PINs. The fraud ring is alleged to have stolen more than $2 million between October and March. While there are strict industry standards for protecting customers’ PINs, it appears not all ATM operators are putting enough protections in place. The report said that the perpetrators were able to nab PINs while the ATM was communicating with the backend system that processes transactions.
Though the 7-Eleven ATMs are Citibank branded, the bank doesn’t own any of them, the machines were purchased from Cartronics. In late 2006 Cardtronics launched its own in-house transaction processing service, but more than half of the 7-Eleven/Citibank ATM transactions are still processed by yet another company Fiserv.
While Wired, the first place to report the story, says the FBI blames a Citibank-owned server for the PIN breach, Citibank says a “third party” is responsible for processing 7-Eleven ATM transactions. While Fiserv told Wired it was not responsible for the breach, Cartronics has yet to respond to the story.