“Citibank's systems were not compromised in this incident, which ended in March,” Rob Julavits, spokesman for Citibank, told vnunet.com.
“This had to do with 7-11’s network. Earlier this year Citibank received notice from a third-party transaction processor for the ATM industry that the processor's systems were potentially compromised in late 2007.”
“By March we had notified and reissued cards to all customers whom we believed may have been exposed to increased risk.”
The precise details of the attack haven’t yet been released, as the trial of Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva has just begun in the U.S. District Court for the Southern District of New York. However, the fault may lie with the internet connections linking the ATMs to the payment processors or the servers that handle them.
The 7-11 network is run by two companies which operate the ATMs, Cardtronics and Fiserv Inc. Fiserv was unavailable for comment but is reportedly not involved with the case and Cardtronics has also denied involvement.
“Cardtronics is not involved in this criminal prosecution and therefore does not anticipate that it will issue any statements with respect to this case or the alleged conduct of the defendants in this case,” it said in a statement.
“All ATMs owned or operated by Cardtronics have encrypted PIN pads, as well as triple data encryption (3DES) as required by the various electronic fund transfer networks.”
Seven other people have been arrested over the case and they may have stolen over US$2 million by making clones of cards and then withdrawing the money from legitimate cash machines. On his arrest Biltse was reportedly found with $800,000 in cash at his home, so the final total may be much higher.
Early documents filed by the FBI report that the heist was managed by a leader in Russia, who supplied the information and took 70 per cent of the proceeds, with 25 per cent going to the people withdrawing the cash and five per cent covering expenses.