This from silicon.com confirms the methodology of accessing Citi ATM’s through a merchant server (OfficeMax).
Citibank this week admitted that hundreds of its US customers had been affected when hackers broke into the ATM network through a retail store server and stole a “block” of PINs and the keys to decrypt them.
The article goes on to quote an expert, that Chip cards are better than mag stripe. This article makes me still think that its a mistake to offer Chip and mag stripe on the same card. As long as the stripe is there, the vulnerability is there. I think there could be a case for chip only cards, and then offer lower value mag stripe cards for travellers to countries that don’t have chip.
The analyst said the crime reflects the largest PIN theft to date
and the financial industry will be hit by more PIN-block fraud in the
future.She said: “Phishing was last year but banks have
wised up to that, so now it’s the PIN block fraud. Certainly this is a
pot of gold for them.“What’s better – going for cards or
going for the details? This is the simplest way – breaking into the
bank using the ATM system. With the UK it was because Americans go
there and use the magnetic stripe [on their cards].”
Bankwatch 