Millions of bank customers face a new threat to their money after it emerged yesterday that hackers had cracked PIN codes used in cash machines.

Citibank machines in 7-Eleven convenience stores across America were the target of the biggest and most effective remote PIN code theft scam in US banking history between last autumn and this spring when at least $2 million (£1 million) was stolen.

Details of the fraud have only now been made public, as the case makes its way through the US District Court for the Southern District of New York.

The alleged hackers — Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva — are accused of stealing at least $2 million through the PIN scam and have been indicted on two counts each of conspiracy and fraud. It is thought that a much larger sum of money might have already been transferred to Russian bank accounts — and there are suggestions that the actual hacking was performed by another party, with the defendants simply using second-hand information to make cash withdrawals. The wording of the indictment against them is vague.

Hackers crack ATM PIN codes to steal millions

Citibank machines in 7-Eleven stores are targeted in the most effective remote PIN code theft scam in US banking history

• Spammers poised to target BlackBerry and iPhone owners

• Schoolboy hacker Omar Khan who upped his grades faces 38 years in jail

• Banks let us down on fraud protection

Related Links

• Spammers set to target BlackBerry and iPhone

• Schoolboy hacker faces 38 years in jail

• Banks let us down on fraud protection

The ring-leader of the three suspects is Mr Rakushchynets, a 32-year-old Ukrainian and a regular contributor to underground online credit card fraud forums. When he was arrested by the FBI — he was already under investigation for his suspected role in a separate $5 million hacking scam — agents found $800,000 of cash at his Brooklyn home, most of it stuffed into rubbish bags.

PIN codes have always been the most closely guarded secrets in banking transactions, and the are supposed to be encrypted the very second they are tapped into a keypad. Until recently, it was virtually impossible to get at them without physically looking over someone’s shoulder as theypunched in their digits to withdraw money. Indeed, scams involving strategically placed mirrors or tiny video cameras have become something of a common threat for banks.

Other cash machine crime has involved fraudsters setting up fake keyboards to glean PINs — or, for less sophisticated criminals, simply crashing a car into the wall of a bank and hoping it breaks open the part of the cash machine where the banknotes are stored. PIN codes have also been obtained through so-called e-mail “phishing” scams.

But technology has changed over the past few years. The infrastructure is now built on Microsoft’s Windows operating system, and the cash machines themselves can be remotely diagnosed and repaired online. Unfortunately, this means that PIN codes have started to “leak” along the way — suggesting that industry guidelines on encryption are not always being followed.

“PINs were supposed be sacrosanct,” says Avivah Litan, a security analyst with the Gartner research firm. “What this shows is that PINs aren’t always encrypted like they’re supposed to be. The banks need much better fraud detection systems and much better authentication.”

So far it is not clear how many Citibank customers were affected by the hackers. The bank has nearly 5,700 Citibank-branded cash machines inside 7-Eleven stores, but it does not own or operate any of them. The maintenance of the machines is carried out by two companies: Cardtronics, based in Texas, and Fiserve, based in Wisconsin.

It remains unknown — or at least undisclosed — exactly how the hackers infiltrated the closely guarded computer network, although it has been confirmed that they broke in through a server at a third-party processing company, meaning they almost certainly did not have to go anywhere near a cash machine or a 7-Eleven store. Once they obtained the PIN codes, the hackers could then simply make blank cards and use them to withdraw funds from compromised accounts at virtually any cash machine in the country.

Don Jackson, director of threat intelligence for the computer security company SecureWorks, said he had seen an “alarming” spike in the number of attacks on back-end computers for cash machine networks over the past year.

“What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed,” he said. “But there are a whole lot of other and PIN compromises going on that aren’t reported.”

Citibank has declined to comment on the details of the case, saying only that it has notified affected customers and issued them with new debit cards. “We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts,” it said in a statement. Cardtronics has said it is co-operating with authorities, while Fiserv insists the intrusion did not happen on any of its servers.

“Fiserv is confident in the integrity and security of our system,” said a spokeswoman.