US PIN Scam Reveals Security Failings

by Peter Wakeford
Posted by Hannah on 3 July 2008

Hackers are alleged to have remotely accessed customers' PIN details.

An astonishing PIN code scam has been uncovered by US authorities.
A case currently working its way through the New York court system - details of which have only recently been made public - alleges that three hackers of Russian origin were able to steal at least £1 million by using numbers entered at Citibank cash machines at the 7-Eleven convenience store chain.

While the exact methods used by the alleged fraudsters remain unclear, it is thought that they broke into the PIN system through a server at a third-party company which processed the numbers for 7-Eleven. This means that they were able to access the numbers without ever having to be physically present at a cash machine.

The case also marks a general evolution in PIN fraud, from the time in which the number could only conceivably be stolen by either intercepting letters containing the number or physically looking over a bank customer's shoulder as it was entered. However, with the development of a new PIN infrastructure running on Windows, cracks have emerged in security.

It is thought that, with the technological advances, some banks are inadvertently "leaking" the numbers by insufficiently encrypting them as they work through the system.

Commenting on the case to the Times, Avivah Litan, a security analyst with research firm Gartner, said: "PINs were supposed to be sacrosanct. What this shows is that PINs aren't always encrypted like they’re supposed to be. The banks need much better fraud detection systems and much better authentication."

Don Jackson at SecureWorks added: "What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed, but there are a whole lot of other and PIN compromises going on that aren’t reported."

Citibank has yet to comment on the case.