Citibank ATMs at an assortment of 7-11 convenience stores were broken into by a trio of hackers this year, resulting in the theft of an untold number of PINs and an untold amount of cash, according to court documents obtained by the Associated Press.
Wired.com's Threat Level blog, which originally reported the story, says neither Citibank nor Cardtronics, the company that owns the machines but operates only some of them, has "come clean on the breach." Presently, it is not clear how many PINs were compromised or how much money was stolen.
Prosecutors allege that the accused—Yuriy Rakushchynets, Ivan Biltse, and Angelina Kitaeva—stole at least $2 million.
But how did they do it? As of yet, no one knows.
The AP reports:
All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.
They could have gained administrative access to the machines — which means they had carte blanche to grab information — through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.
What that means for consumers is that their PINs were stolen from machines that showed no signs of tampering they could detect. In previous PIN thefts, thieves generally took steps that might draw notice — sending "phishing" e-mails, for example, or installing false-front keypads or even tiny cameras on ATMs.
However the trio did it, their scam lasted from October 2007 until this March, reports C/NET.