Could a hacker steal enough information from a store you've shopped at to print up fake debit cards in your name and withdraw cash from your checking account at an ATM? Even if you've never told a soul your PIN code?
In fact, said the Justice Department last week, it's already happened, possibly to millions of people.
Buried in last week's indictments of 11 alleged international computer hackers accused of stealing 40 million credit and debit account numbers from U.S. retailers was something far more unsettling: At at least one retail chain, the indictments accuse the group of swiping encrypted versions of debit card PINs, decrypting them, then using the information to print debit cards and get cash from ATMs.
If proven true, that could mean criminals have crossed a new threshold in the pursuit of plastic card fraud -- PIN hacking.
For decades, the only security layer standing between criminals and cash from stolen debit cards has been the secret PIN code, which has proven surprisingly robust. When hackers steal a large set of debit cards numbers, there is generally no way to obtain their corresponding PINs, limiting the value of the stolen data.
Criminals have stolen small numbers of PINs in old fashioned ways, such as installing tiny cameras on ATMs that record PINs while they are entered.
But uncovering a way to obtain PINs from a stolen batch of debit card account data would give hackers the ability to withdraw thousands of dollars at a time from any ATM in the world – a holy grail of sorts for card thieves. That's precisely what the U.S. government says some of the suspects did as part of their five-year scheme, detailed last week.
In the indictment of alleged ringleader Albert Gonzalez, the Department of Justice accuses him of:
• Downloading "tens of millions of credit and debit cards and PIN blocks associated with millions of debit cards."
• Obtaining "technical assistance from criminal associates in decrypting encrypted PIN numbers."
• Cashing out "by encoding the data on magnetic stripes of blank credit/debit cards and using these cards to obtain tens of thousands of dollars at a time from ATMs."
The Justice Department would not comment on the indictments or on the specific methods that might have been used to perform the decryption. A spokeswoman would only confirm that the agency is indeed accusing some of the suspects of decrypting PINs.
Speculation for years
Encrypted PIN codes are supposed to be impenetrable. After a consumer enters their code into a PIN pad at a store, or at an ATM, the data is immediately converted into an unintelligible string of text called a "PIN block." That block of text is then sent along the payment processing network, ultimately back to the cardholders' bank, where the PIN is verified.
There has been speculation for years that criminals had found some way around the PIN encryption. In 2006, after a spate of fraudulent ATM withdrawals, Citibank began cutting off ATM cash access to some overseas travelers. Consumers around the country reported phantom withdrawals from their checking accounts of $1,500 or more from far-flung places like Bulgaria.
At the time Citibank, Bank of America, Wells Fargo, and Washington Mutual all reissued some debit cards. There was conjecture that criminals might have stolen PIN information that was accidentally left "in the clear," or unencrypted, by a retailer.
Earlier this year, Wired News reported that a Citibank server that processes transactions initiated at 7-11 stores ATMs had been "breached," according to an affidavit filed by an FBI investigator. The affidavit claims a single suspect, who has now been arrested and charged with theft, stole $750,000 from ATMs in a single month during early 2008.
But last week's indictment accuses the criminals of taking everything they need to print fake debit cards and steal money directly from retailers. The specific case outlined in the indictments involved downloading PIN blocks from a Florida OfficeMax store in 2004 through a vulnerable wireless network, then later decrypting them. The indictments also accuse the group of downloading PIN blocks associated with millions of debit cards," hinting that the PIN problem might be even wider.
The scheme was apparently so successful that at several times the suspects allegedly sent boxes full of cash through express mail services to make payments to one another.
How it might have happened
PIN blocks are transmitted from retailers to credit card processors and are sometimes stored on computers along the way, where they would be available for the taking by criminals who knew how to decrypt the secret codes. This is sometimes called stealing data "at rest." Retailers have no need to keep PIN blocks in the stores, but poorly configured systems sometimes store this information anyway.
The hacking gang indicted last week also was capable of stealing data on the move, according to the indictments. The group is accused of using various methods to install "sniffer" programs that grabbed account numbers and PIN blocks as they flew by on computer networks. Initially the suspects sat in parking lots and used insecure wireless networks to gain unauthorized access, the government charges. For example, in July 2005, while sitting in a Miami TJ Maxx parking lot, the criminals are accused of worming their way into the firm's central credit card server in Framingham, Mass.
Later, some of the suspects brazenly walked into stores and physically installed sniffer software onto computers in other stores, the indictments say.
In May 2007, for example, they entered a Dave & Buster's restaurant in Islandia, N.Y., and installed sniffer software. Afterward they re-entered the store every month to empty the catch from their virtual net, eventually stealing 5,000 account numbers from that store alone and using those numbers to steal $600,000. In that case, they are accused of stealing only debit and credit card numbers.
Still, even with data stolen using such hands-on methods, stolen PIN blocks should be useless to criminals -- unless they can be unscrambled.
Encryption expert Ross Anderson, a professor at Cambridge University in England, has testified before about the possibility of "phantom withdrawals" involving PIN codes stolen from British banks. He says potential vulnerabilities in bank encryption software have been known by researchers for years. In 2003, a British court imposed a gag order on Anderson, preventing him from revealing some elements of his research.
He called this week's indictment "the first documented recent case" of PIN hacking, but added that it was "not surprising."
"The banks have encryption boxes that are claimed to be 'secure' but the claim is of course untrue," he said. "
Not so alarming
Mike Urban, who runs a debit card fraud-fighting service called CardAlert at Fair Isaac Corp., counters such talk by saying the most likely explanation for the crime is also the least alarming: Hackers didn't reverse engineer PINs; they simply managed to steal encryption keys from the same retailers where they stole the data, he said.
"I'm speculating here, but more than likely, to compromise that many PIN blocks they would have to have gotten the encryption keys somehow," he said. "More than likely there was a breakdown in management of keys wherever the keys were compromised. " Armed with the keys and a little know-how, he said, criminals could readily discern PIN codes from PIN blocks.
Urban said it would not be terribly alarming if the hackers obtained PINs that way, noting that retailers routinely secure keys carefully and that PIN compromises are "extremely rare." He also said that while the government's case against the hackers mentions theft of PIN blocks from several retailers, evidence of actual PIN-block decryption is offered in only one case – the one involving OfficeMax. He said he believed that could be an isolated incident.
"Fraud on PIN-based transactions is much lower than signature-based debit or credit transactions," he said.
Gonzalez, the alleged ringleader of the hacking ring, who also went by the moniker soupnazi -- apparently a reference to the "Seinfeld" character -- is being held in New York while awaiting trial. He faces life in prison if he is convicted of all charges. Only two other suspects out of the 11 indicted are in custody. Ukranian national Maksym Yastremskiy is being held in Turkey, and Aleksandr Suvorov is in Germany. Both are facing extradition.
RED TAPE WRESTLING TIPS
There's no need to panic over the possibility that hackers could steal PINs from places you shop. Consumers who are hit with fraud related to debit cards have strong legal protections. Losses reported within two days of discovery are limited to $50, and most banks give full refunds to consumers. Still, debit fraud can be a huge hassle, because consumers who are victims may find their bank accounts emptied and their ability to access cash severely limited until the money is replaced. The hassle factor is much higher than with standard credit card fraud.
But possible PIN theft is another incentive to use debit cards only to withdraw cash at ATMs – not for purchasing. There are already plenty of other good arguments for keeping your debit card in your wallet. We've written about the case for credit here; so has Consumer Reports.
If you really want to buy things with your debit card, perhaps as part of a monthly budgeting plan, consider signing the sales slip instead of entering your PIN, to keep your PIN a secret. And if you really want to enter your PIN, consider setting up a separate checking account, isolated from your standard account, for your purchases. That way, if your account is hacked, the criminals won't have access to all your money. But be sure to keep that fully stocked with cash; overdrawing your debit account can lead to costly overdraft fees.
Also, resist the urge to use the same PIN code for all your accounts.