PIN Scandal 'Worst Hack Ever'
QuietLagoon writes "The evolving Citibank PIN scandal is getting worse with each passing day. Gregg Keizer of TechWeb News writes: 'The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs 'the worst consumer scam to date.' ... The problem...is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.'"
That's amazing! I have the same combination on my luggage!
I'll form my OWN solar system! With blackjack! And hookers!
Did everyone run to Citibank to close their accounts?
When we were assigning alarm codes at our new office, we realized that all 3 of us had the same ATM PIN, because we all tried to choose it for our alarm code but it errored because someone else had already claimed the code. It's a common 4-digit code among the tech community. =( All changed now.
At least it's not as bad as the "go into debt because you own too many credit cards" hack that most Americans have fallen victim to.
I'm not going to speculate on motives, or get into the politics, but 20 years as a computer scientist and software engineer tells me this is not an accident. Even the worst programmers do not make this sort of mistake.
Rather similar to the Diebold voting machine scandal, one can only wonder what forces are behind this. You can't call it negligence, not even by the greatest leap of imagination is it possible to make such a mistake, so it must be malice. That is to say someone deliberately wrote the spec this way for nefarious reasons. I do wonder though, who benefits? They should haul the systems analysts through the courts until they start to sing, and say "Yeah I was told to write it this way by xxxxxx"
I'm pretty sure that with the new chip and PIN cards that have recently been introduced in the UK, the PIN never leaves the card reader. The PIN is validated within the reader.
The point-of-sale system will have no access to this information and thus no chance of the creation of a database of PIN numbers.
The card issuer, however, will know the PIN.
I would still be happier with a photo on the credit/debit card. It's a little more difficult to steal my face.
slashnik
Half of me is laughing because I'm picturing the comic book guy saying "Worst Hack Ever" - the other half is genuinely a little frightened at the lack of security guarding my finances :(
LINUX ONLINE POKER: Linux Poker
Okay, take one system then multiply it across various similar systems. Soon, you get a repeatable pattern that folk just love to take advantage of. For example, the crackers. You have to love naivety!
Looking at space, radio, science and computing from a 'down-under' amateur enthusiast perspective.
... Change your fucking PIN right now. Don't be fooled by the Visa logo... Debit card fraud is not like credit card fraud, where the companies will almost always clear the charges at no (or minimal) cost to you. If a criminal steals your money through debit card theft you probably won't get it back.
I was the victim of debit card abuse (from a different bank), I believe (from talking to other people in my neighborhood) that a gas station was logging debit #s and PINs customers used at the pump, manufacturing cards and taking cash from ATMs. I was hit for about $2000 and it would have been more if I didn't catch it. The bank would not clear the charges, the police of course took a report but did nothing to follow up. I fought tooth and nail to get the bank to reimburse me, but they basically said it was my word against theirs. I demanded to see the ATM camera photos but they said they would only release them to the police, and of course the police refused to help with my request.
Your mileage may differ, of course. But take this seriously.
This brings up an issue with financial networks that I just don't understand.
The greatest security online would be to do away with a "pull" charge (where your details are given to the business and the money "pulled" from your account) and adopt a "push" system, where I make an order, get a receipt #, log into MY account with the bank (i.e. the SSL connection is between me and my bank) and then I send the money to them. I don't have any extra charges and don't send any money I don't want to. And they don't have my details to lose or get stolen.
But wait, that would mean people would have to do two steps, and people would use their OWN money more often, and not use credit.... can't have that can we. There are a zillion people out there who would sign up for this system, but it's not in the banks' interests. Freemarket capitalism (*cough* oligopoly *cough*) fails again.
In contrast, if you insert the card yourself, the system seems somewhat harder to defeat, although I don't actually know what information the store then has access to. Presumably less information, or they wouldn't want to swipe the card in the first place.
So what's to do? I think the only sensible thing is to refuse point blank to ever hand over a chip'n'pin debit card. If they don't like this, don't pay, and tell them why. And tell others. The stores don't need to swipe your card, but they'll only learn this if enough people object.
But not for this reason, my reason was it was too freaking easy to pop the plastic card in the wall and run up 20% interest on each withdrawal, plus the fee to pay the machine to do its job?
Sig Hansen?
3141, right?
The dangers of knowledge trigger emotional distress in human beings.
As soon as I got my bank card with the visa/mastercard logo three years ago, I called the bank and told them no thanks, send me a normal card. I hope that means I have no debit card capabilities on my account, but who knows for sure. In any case, I haven't gotten hit yet.
I really enjoyed how all the propaganda for debit cards talked about the convenience of debit over writing checks, when it's really for people who cannot get a credit card, and it seems to be more and more inferior to a credit card. I guess the banks really want only credit cards in the hands of people that will not pay the bill in full each month.
The only real identity theft security will come when more massive fraud occurs and the banks do the math on what the lack of trust and fixing the messes is costing them over real security.
I love how Congress passes laws like the DMCA but never passes a law banning unnecessary identity storage by all these corporations. At least pass a vague regulation like HIPAA or SOX for the credit agencies.
Citibank is handling this just like you'd expect a credit card company would, with horrid customer service.
If you're out of the country? Tough shit. Virtually all usage outside the USA will result in your card being automatically killed and the only way (apparently) for you to continue using your card is to have a new card shipped to your home address, activate the card from your home phone, and even then, their CSRs say that if you use it outside the USA, it may get automatically killed again.
See one such story here.
You know, if this was bigger, it could be a good thing for everyone. Maybe then people would start taking things seriously. And although I usually don't think that we need new legislation, maybe in this case, it would be a good idea.
I'd like to see criminal penalties applied against the directors of companies for losing customer information in the same way people can go to the pokey for screwing up under SOX.
Then again, this breach isn't the worst we've heard about this week. 17 million records (names, phone numbers, addresses, e-mail addresses, IP addresses, logins, passwords, credit-card types and purchase amounts - everything except credit-card numbers) were discovered floating around the net.
See here for details.
Oh, and if your card was used, good luck with trying to fix your credit.
The credit system could use an overhaul.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
Another data point in the saga of debit cards.
A different bank's ATM machine ate my debit card. I then continued on my way to lunch expecting to be able to call up the bank later that day and get my card from the nearest branch. You see, this wasn't the first time the machine on campus ate my ATM card and that was the established protocol.
This time, however, the person who got my ATM card out of the machine was the next person in line. They then took the card and proceeded to rampage around the local stores using my card to purchase clothes and shoes; lots of shoes.
Being a debit card, it was drawing the money directly from my checking account. At the time, I was a college student and was basically living paycheck to paycheck. I wasn't in debt and I paid all my bills on time, I just didn't make enough money to save anything.
The checks for my rent and all my bills had already been mailed, but not processed yet. By the time I called the bank about 3 hours after it ate my ATM card, I didn't have any cash left to pay the bills. I was a college student too, so they immediately accused me of being the one going around on this spending spree as some sort of scam against them. I was quite livid, to say the least.
The next 3 months were a nightmare. Purchases that hadn't posted yet at the time of the theft were being rejected and I was constantly being called and written by merchants trying to get their money back. Of course, everyone eventually did get paid because this was fraud and the bank gave me back most of my money. It still took me quite a while to get everything put back correctly on my credit.
It was amazing to me how many purchases waited to post to my account 3 or 4 or even 5 days after I made the purchase. I was being contacted by people that sold coffee, the grocery store, the campus book store and many more because this was all right at the start of classes.
To this DAY, 7 years later, I refuse to get a debit card and always insist on an ATM only card.
...the user.
Storing the pin data on the same machine as the decryption code is dumb. Storing the pin in the first place is dumb. Combine them and you get VERY dumb.
When do people realize that security isn't something you can simply brush off to your IT department? Security is the minimum of system security and user security. Compromise one, compromise the whole system!
It's time for some security awareness training. Especially in sensitive areas! I've been working for an auditing company, you'd be amazed (or frightened) to hear some of the security related stories that happened there. The outcry alone when I had the nerve of requiring passwords with at least 8 characters and at least capitals and numbers...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Something I've often wondered about. Why are ATM PINs only allowed to be 4 digits?!?!
If the retailers have been storing the PIN locally why would this just be a Citi issue. Wouldn't any debit card that went through their network be at risk?
What completely-out-of-his-mind moron decided this would be a good idea?
I'm sorry, but I refuse to get an account with a debit card. I will always insist on an ATM card and make sure the account in question cannot have a debit card issued against it.
Now, admittedly the particular case in TFA involves PINs, so ATM cards would ostensibly be susceptible to the same attack, but it beats not having anything at all protecting your account...
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
In Hong Kong a list of 20,000 people who had lodged complaints against police was found on a local website. The list included name, address, ID numbers; sufficient for identity theft, but also made many people nervous of retaliation for their complaints. Details of police complainants still on Net.
It appears there's a clause for debit cards used at ATMs... http://usa.visa.com/personal/security/visa_security_program/zero_liability.html
Extract from above Link:
The Zero Liability policy covers all Visa credit and debit card transactions processed over the Visa network--online or off. The only transactions not covered under the Zero Liability policy are commercial card, ATM, and non-Visa-branded PIN transactions.
ATMs don't read chips (yet?) - just stripes.
In the UK at least.
my password really is 'stinkypants'
Debit cards are extremely popular in Canada. In fact, I believe we have the highest per capita use of debit cards anywhere in the world (Australia is apparently not far behind). The system even has its own name, Interac, and is so ubiquitous that I never carry cash because every merchant, and do I mean every merchant, is supplied with Interac. It's been this way for so long (Interac really took off around 1994 or so) that no one accepts cheques and hardly anyone carries cash.
Therein lies the problem. If I pop in to a local convenience store 99 times out of 100 they'll have Interac, but you don't really know how trustworthy they are. In the last few years thieves have caught on that no one really carries cash and have come up with imaginative ways of skimming your card and stealing your PIN. There is a sense of relative safety and attractiveness in skimming debit cards instead of credit cards as they can then take a cloned card and PIN directly to a bank machine and receive cash. No fence, no signatures, no ID requirements, etc. The cost of equipment is relatively low: magnetic card reader/writer and a high quality digital video camera, the penalties almost laughable if you manage to get caught and the potential gain is just about limitless.
I read somewhere, and I am too lazy to Google it, that debit card fraud took in $44 million in 2003 from around 27,000 people. That's approximately $1600 per person. I can't afford to lose that much and the banks don't seem to care. If you kick up a fuss and manage to get the media's attention then they'll do something about it and reimburse you, but count yourself lucky. At an estimated cost of $500 million to switch Interac to something like the chip and PIN system in the UK they can afford to lose a few customers here and there.
I do technical support for point of sale systems and during our end of year discussions in the MIS department I learned that debit card use fell in terms of dollars spent for the first time in twelve years. Credit card use increased to make up the difference. I can only conclude that card skimming has become so prevalent, or at least the public perception has, that it has already seriously eroded confidence in the Interac system. I was really shocked to learn that. It's also possible that people didn't have as much money as in years past and moved to credit cards, but countering a twelve year trend seems too coincidental.
On the positive side, the Royal Bank does seem to be at least a little proactive in that they do monitor your account for unusually large cash withdrawals and have a system of daily transaction limits. I have been called twice by their security department in the last few years and told to report to the closest branch and have my card replaced. I was told simply that I used my card at a merchant where a suspected security breach (read: skimming operation) occurred. Inconvenient, but my savings are worth the inconvenience.
It's not just Citibank, my Wells Fargo cards won't do PIN transactions in the UK either. I've been informed that one can still withdraw cash on a Visa card by going into a bank and doing a cash advance. Ironically, most of the ID-anal-retentive UK banks require 2 forms of photo ID, one being a passport and one being a UK driving license, which doesn't help us foreigners. HSBC only needed a passport and any second form of photo ID. It has been difficult enough trying to do purchases on a non chip-n-pin card. Retailers seem to forget that if a card doesn't have a chip, like a foreign card, you can still swipe it.
Smart cards CAN be used for fully secured transactions over untrusted networks but unfortunately, aren't. Consider a smart card and a digital 'wallet' that is actually a simple terminal into the card. Your 'PIN' is actually just a password to log in to your own card.
To process a transaction, the POS terminal generates a transaction record requesting the payment amount, and signs it. Meanwhile, you log into your card and authorize a single transaction for the total amount. You then place your card in the POS terminal's reader. It passes the transaction record to the card. The card then signs the transaction (unless it is for more than you authorized). The card passes the signed record back to the POS. The POS then sends the record to your bank to cause the amount to transfer to the merchant's account.
The system can also be used offline so long as you're willing to give up the ability to validate the transaction immediately.
To bootstrap the system, the 'wallet' function can be available in the card reader at the POS terminal. Most people would use that and trust it the same way they now trust the card reader. It would be more trustworthy than the current system since the card would still be required to produce a transaction record (since the private key never leaves the card). Those who do not wish to trust the POS terminals at all can use their own wallet to authorize transactions. A USB interface on the wallet would allow for instant secure online payments. Since the PIN/password never leaves the wallet, it's safe to use at a public terminal (internet cafe for example).
In either scenario, skimming is prevented since again, the private key never leaves the chip on the card. People already generally understand the need to keep credit/debit cards in their possession.
A side benefit to the system is that you can pre-authorize a transaction amount and then allow a reasonably trusted person to use your card. Unlike current cards where you would have to trust the person with your PIN (and the total balance in your account + your credit limit), you need only trust them with the amount of the single transaction.
More advanced cards might be pre-authorized with a given amount which may be spent in multiple transactions. More advanced cards could have those transactions limited to payments to specific entities. That allows parents to give kids an allowance on a card, send the kids to the store, or emergency cab fare.
A lost card would just mean generating a new key pair and issuing a new card. No need to change account numbers. That means no need to do anything special about pre-authorized monthly billings. Meanwhile, merchants with sporadic connectivity (think vendor booths at fairs, etc.) could at least download a list of revoked keys onto a USB drive to limit fraud problems.
Finally, such a system would be its own non-repudiable audit trail. Your receipt is a transaction record signed by you, the other party, their bank and your bank. Nobody can deny knowledge of the transaction. You can easily store the transaction records of your purchases and your deposits. Even if the bank conveniently can't find a record of your deposit, YOU can provide the receipt signed by them and (for example) your employer. Each signature can include a datestamp so nobody can float the transaction.
It's amazing to me the vast difference between public perception and the truth about the security of transactions and banking in general. The fact is, nearly anyone, using nothing but the information found printed on your checks can create a fraudulent transaction. A signature means little since the cost of expert analysis is far more than the amount of most checks you write. The fact is that banking routinely relies on taking people's word for it. Nearly any transaction record can be forged (and so, repudiated).
Beyond that, banking depends on a pile of ancient mainframes, private networks (frame relay), 9600 baud modems, COBOL programs, and ancient proprietary record
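The authorization flow the post above describes, written out as an added Go example (not code from the original post): the terminal signs a nonce-bearing transaction record, the card, whose Ed25519 private key never leaves it, signs only if the holder pre-authorized at least that amount and only once per authorization, and the bank clears a record carrying both signatures and refuses replays. The Ed25519 choice, the record encoding, the type names and the sample PIN and amounts are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TxRecord is the payment request the POS terminal builds and signs.
type TxRecord struct {
	MerchantID string
	Amount     uint64 // cents
	Nonce      [16]byte
}

// bytes is the canonical encoding that terminal, card and bank all sign or verify.
func (r TxRecord) bytes() []byte {
	return append([]byte(fmt.Sprintf("%s\x00%d\x00", r.MerchantID, r.Amount)), r.Nonce[:]...)
}

// Terminal is the merchant's POS with its own signing key pair.
type Terminal struct {
	MerchantID string
	Pub        ed25519.PublicKey
	priv       ed25519.PrivateKey
}

func NewTerminal(id string) *Terminal {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Terminal{MerchantID: id, Pub: pub, priv: priv}
}

// Request builds a fresh, nonce-bearing record and signs it.
func (t *Terminal) Request(amount uint64) (TxRecord, []byte) {
	rec := TxRecord{MerchantID: t.MerchantID, Amount: amount}
	rand.Read(rec.Nonce[:])
	return rec, ed25519.Sign(t.priv, rec.bytes())
}

// Card keeps its private key inside; the PIN is only a login to the card.
type Card struct {
	Pub        ed25519.PublicKey
	priv       ed25519.PrivateKey
	pinHash    [32]byte
	authorized uint64 // amount the holder approved for the next transaction
	armed      bool   // true until that single authorization is consumed
}

func NewCard(pin string) *Card {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Card{Pub: pub, priv: priv, pinHash: sha256.Sum256([]byte(pin))}
}

// Authorize is the wallet step: the holder logs in and approves one amount.
func (c *Card) Authorize(pin string, amount uint64) error {
	if sha256.Sum256([]byte(pin)) != c.pinHash {
		return errors.New("card: bad PIN")
	}
	c.authorized, c.armed = amount, true
	return nil
}

// Sign runs in the reader: check the terminal's signature and the holder's limit, then sign once.
func (c *Card) Sign(rec TxRecord, posPub ed25519.PublicKey, posSig []byte) ([]byte, error) {
	if !ed25519.Verify(posPub, rec.bytes(), posSig) {
		return nil, errors.New("card: terminal signature invalid")
	}
	if !c.armed || rec.Amount > c.authorized {
		return nil, errors.New("card: amount not authorized by holder")
	}
	c.armed = false
	return ed25519.Sign(c.priv, rec.bytes()), nil
}

// Bank clears a record only when both parties signed it and the nonce is new.
type Bank struct{ cleared map[[16]byte]bool }

func NewBank() *Bank { return &Bank{cleared: map[[16]byte]bool{}} }

func (b *Bank) Clear(rec TxRecord, posPub, cardPub ed25519.PublicKey, posSig, cardSig []byte) error {
	msg := rec.bytes()
	if !ed25519.Verify(posPub, msg, posSig) || !ed25519.Verify(cardPub, msg, cardSig) {
		return errors.New("bank: missing or invalid signature")
	}
	if b.cleared[rec.Nonce] {
		return errors.New("bank: replayed transaction")
	}
	b.cleared[rec.Nonce] = true
	return nil
}

// Purchase is one sale end to end; note that the terminal never handles the PIN.
func Purchase(c *Card, t *Terminal, b *Bank, amount uint64) error {
	rec, posSig := t.Request(amount)
	cardSig, err := c.Sign(rec, t.Pub, posSig)
	if err != nil {
		return err
	}
	return b.Clear(rec, t.Pub, c.Pub, posSig, cardSig)
}
```

After one `Authorize("2580", 2000)` on a constructed card, `Purchase` for 1850 cents returns nil and a second `Purchase` returns an error, because the single authorization was consumed.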
You underestimate human laziness - 2 steps is twice as difficult as 1. People really like convenience, hence the popularity of debit over ATM/pin.
Have worked on building integrated debit/credit card systems for the grocery industry in Canada, for years I've built integrated solutions for every Canadian bank at one time or another. Having some low-level access to the system I've always felt it was well thought out and generally secure.
Then I worked on my first US banking integrated solution. I was astounded when I realized I'd actually be working with RAW PIN #s and have a customer's full Track-2 data from their debit card. With those two pieces of info I could duplicate their card and use it anywhere. All that's required is one unsavory developer in cahoots with one merchant. I am surprised it hasn't happened sooner.
In the Canadian Interac system the banks supply the pin pads that have built in software so that it deals with the magstripe and the PIN and ensures only the encrypted PIN # is available to the developer. Further, each pin pad has 3 encryption keys and with each transaction the response from the bank (which has to be decrypted by the pin pad) includes a new key to replace 1 of the 3 on the pinpad. It's quite common if there's communication errors for the keys to get out of sync and require a couple of transaction retries to get resynced but it's far far far better than the US system.
I lived in the US for a couple of years since those days developing debit interfaces and I've never swiped my bank card at ANY merchant vendor machine. But back in Canada debit is king and I use it daily and with confidence it's safe.
Note: As an aside, the behind the scenes processing required for a credit/debit card transaction in the US is incredible. It's essentially chaos! The only saving grace is that ignorance is bliss and most of the developers for the US system haven't seen the back end of the Canadian banking system, which is very structured, simple and reliable.
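A model of the bank-supplied PIN pad the post above describes, added here as an illustration and not Interac's actual protocol or anyone's production code: the merchant's software only ever receives an encrypted PIN block, the pad cycles through three keys, and each host response carries a replacement for the key just used, so a lost response leaves that one slot out of sync until it is replaced. AES-256-GCM, the round-robin slot choice, the response layout, the SHA-256 stand-in for the issuer's PIN check and the sample card number are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// gcm returns AES-256-GCM for a key; every key in this model is 32 bytes.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts under key with a fresh nonce prefixed to the ciphertext.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails unless key, tag and aad all match.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("open: short ciphertext")
}

// PinBlock is all the merchant's POS software ever handles: no clear PIN, no key.
// Slot says which of the pad's three keys sealed it; the PAN is bound in as AAD.
type PinBlock struct {
	Slot   int
	PAN    string
	Sealed []byte
}

// HostResponse: an approval byte plus a replacement key for the slot just used,
// sealed under that slot's current key so only the pad can read it.
type HostResponse struct{ Slot int; Sealed []byte }

// PinPad models the bank-supplied device; its keys never reach the POS code.
type PinPad struct{ keys [3][]byte; next int }

// Enter takes the swipe and keypad input and releases only a sealed block.
func (p *PinPad) Enter(pan, pin string) PinBlock {
	slot := p.next
	p.next = (p.next + 1) % 3 // the three keys are used round-robin
	return PinBlock{Slot: slot, PAN: pan, Sealed: seal(p.keys[slot], []byte(pin), []byte(pan))}
}

// ApplyResponse decrypts the reply, installs the new key and reports approval.
func (p *PinPad) ApplyResponse(r HostResponse) (bool, error) {
	plain, err := open(p.keys[r.Slot], r.Sealed, nil)
	if err != nil {
		return false, err // host rotated but the pad did not: this slot is out of sync
	}
	if len(plain) != 33 {
		return false, errors.New("pad: malformed response")
	}
	p.keys[r.Slot] = plain[1:]
	return plain[0] == 1, nil
}

// Host mirrors one pad's keys; pinHash stands in for the issuer's PIN check.
type Host struct{ keys [3][]byte; pinHash map[string][32]byte }

// Authorize opens the block, checks the PIN and mints a replacement key.
func (h *Host) Authorize(pb PinBlock) (HostResponse, error) {
	pin, err := open(h.keys[pb.Slot], pb.Sealed, []byte(pb.PAN))
	if err != nil {
		return HostResponse{}, err
	}
	approved := byte(0)
	if h.pinHash[pb.PAN] == sha256.Sum256(pin) {
		approved = 1
	}
	newKey := make([]byte, 32)
	rand.Read(newKey)
	r := HostResponse{Slot: pb.Slot, Sealed: seal(h.keys[pb.Slot], append([]byte{approved}, newKey...), nil)}
	h.keys[pb.Slot] = newKey // rotated before the pad confirms, so a lost reply desyncs the slot
	return r, nil
}

// Provision shares three fresh keys between a pad and its host and enrols one card.
func Provision(pan, pin string) (*PinPad, *Host) {
	var keys [3][]byte
	for i := range keys {
		keys[i] = make([]byte, 32)
		rand.Read(keys[i])
	}
	return &PinPad{keys: keys}, &Host{keys: keys, pinHash: map[string][32]byte{pan: sha256.Sum256([]byte(pin))}}
}

// Transact is the merchant-side path: it only forwards opaque blobs.
func Transact(p *PinPad, h *Host, pan, pin string) (bool, error) {
	r, err := h.Authorize(p.Enter(pan, pin))
	if err != nil {
		return false, err
	}
	return p.ApplyResponse(r)
}
```

Dropping one host reply and then transacting three more times reproduces the "keys out of sync" retry the post mentions: the two untouched slots keep working and the stale slot fails until the host replaces its key.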
for the mainstream population to embrace the debit card concept. Maybe I'm just paranoid, but if I'm going to be slinging plastic left and right, I want it to be somebody else's money until I get the statement and verify that all the charges to (insert 16 digits here) are, in fact, ones which I have authorized. It's just too easy to swipe a number and go to town.
Do you trust yourself (with a high credit limit) less than you trust someone making $5/hr, or some shady internet site with your bank account? Oh, sure, you can dispute that charge. But guess what - that money is gone from your account until they decide to credit you back that transaction. If you don't discover the error for a few days or *gasp* until the end of the month when your statement comes in, you could be writing rubber (e)checks for all your monthly expenses. I wouldn't want to bet a couple hundred dollars that the bank will reimburse you for your NSF fees and vendor NSF charges - especially since I've asked, and several managers have confirmed that they will not reimburse those charges.
I'm sure there's a small population out there who cannot get even a secured credit card. Okay, I'm fine with that - situations vary. But these things seem to be way too popular/numerous to be limited to those folks. To me, debit cards are the worst of both worlds - your money available on a card (nearly as bad as cash), but with the merchants and banks tracking your every purchase. *shakes head*
Disclaimer: I carry cash for most personal transactions. That's how I budget. I take out a fixed dollar amount each week, and when that's gone, I stop spending money for the week. If that cash gets lost or stolen, odds are good that I'm probably going to be out less than $50. Disappointing, but that's a pretty small sum, and it's never happened in my adult lifetime. Big purchases & net transactions go on credit card, the latter amount being subtracted from the next week's withdrawal. Since I keep 2-3 months of expenses in my checking account, a debit card is a liability I do not want.
Is it just my observation, or are there way too many stupid people in the world?
Dear Slashdot
Degnebbit! "Hacking" is a word for clever creative activities. "Cracking" is the correct word for breaking system security. Although in this case, plain old "fraud" would be better, as you can't "crack" what isn't there. Thank you for your attention in this matter, which clearly is a simple oversight. I'm sure you will be more diligent in the future.
I'll be checking in in another five years, but until then,
All your base &c.,
R. Van Winkle Esq.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
No, the problem is that the numbers are stored at all at the PIN entering end.
If your entire security is dependent solely on an operational directive (in this case: erase entered PIN immediately), then it will fail. ;^)
(Also, by Murphy's and others' laws: at the worst time
Great minds think alike; fools seldom differ.
"On the positive side, the Royal Bank does seem to be at least a little proactive in that they do monitor your account for unusually large cash withdrawals and have a system of daily transaction limits. I have been called twice by their security department in the last few years and told to report to the closest branch and have my card replaced. I was told simply that I used my card at a merchant where a suspected security breach (read: skimming operation) occurred. Inconvenient, but my savings are worth the inconvenience."
Compare and contrast the prevailing attitude towards monitoring in this story versus the other.
When I was called the Royal Bank was obviously as positive as possible about the potential security threat, but they called me nonetheless. It wasn't like there was this huge mystery when my card wouldn't work, they explained what happened and why my account was frozen.
As someone pointed out, freezing the account of the Texas couple due to concerns about terrorist financing failed because they were alerted to the problem. It would make a lot more sense if the bank accepted the payment, processed their account and then passed the information to DHS for them to monitor rather than stumbling around in some keystone cops attempt at thwarting terrorist financing.
Then go back to the station, and drop the flaming ZIPPO into the gas tank/storage tank and run like hell.
Enjoy the BBQ
Can anyone explain how the Cox Cable online bill payment system can detect my bank card with visa logo as an ATM card (based on the card number alone) then charge it as such without my PIN or expiration date off the card? They don't even give me an option to charge it only as a debit/credit card instead of ATM like Bellsouth does.
I have an ATM card from the largest non-government bank in Brazil (Bradesco), and I was required to come up with a PIN of six digits or more. This is the PIN I use for cash withdrawals or to authorize debit purchases at stores.
Interesting point: debit cards like the ones in the USA, the ones accepted as credit cards, but that "behind the scenes" just debit the money from the owner's account, do not appear to exist in Brazil. Here we have two different types of cards: credit cards and ATM (here called "debit") cards. The billing is different.
"It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
An implant in your hand or your head?
Dude, if only you knew of the stupid inner workings of Citibank... They pushed the concept of "matrix structure" too far, nobody is really accountable for any shit in there. The worst thing is that, given their structure, it is really hard to prove that xxxxxx told them to do so. In the end, the analysts get screwed over and managers sail along happily.
As have these
davecb5620@gmail.com
When will damages cost the account managers more than switching from plaintext permanent passwords to one-time pad pins? It's not that expensive to switch, but of course much cheaper. Even better is a OTP-encrypted message containing the senderID, recipientID, money amount, and expiration date.
But I guess insurance companies love paying the damages, which rarely accrue to the account manager - rather, to the account holder.
--
make install -not war
Even our luggage is given more security than our PIN numbers. It's ridiculous because out of all things we must secure in the war against terrorism, you'd think the bank accounts would be the single greatest priority. Bank security should be the number 1 priority, because if banks can be hacked we are in serious trouble.
Imagine if it had been your pin stolen, or imagine Bill Gates waking up and discovering someone stole his pin.
What is more important in the war against terrorism than financial security? Financial security is the most important kind of security that exists! If you cannot secure the money, what exactly is national security about?
If it is theft, theft by whom? What conspiracy theories are you talking about? I find it more likely that people could be tricked into giving their pin numbers to a high priest or marketing genius than to hear about some computer glitch or worse, a global conspiracy theory. Obviously something went wrong, but I think this goes beyond politics, this is money.
Can't we discuss this without bringing in partisan politics? Diebold is a company, companies don't hack banks. Rogues hack banks, in specific, hacker groups.
interesting.
Debit card PINs are encrypted with only single DES by most card companies. A few cards and a lot of computing might produce a key to make thieves' own PINs. Under 10 cards maybe?
seems to be hovering around zero - correct me if i'm wrong.
A quick search on the (UK newspaper) Independent revealed this story of Mar 07 (http://news.independent.co.uk/business/news/article349735.ece): "Debit and credit card fraud fell by almost a quarter during 2005 ... the launch of cards that require the holder to authorise transactions using a personal identification number (PIN), rather than by signing a receipt, had produced dramatic results."
yeah, very dramatic...
The card does not (in US) generally have PIN on it. It does often have difference between customer selected PIN and encrypted acct#/expdate on it. If you can watch what customer enters and read magnetic record, you get part of the encrypted stuff.
Problem with a one-time code as suggested is it could take a lot of digits to cover all that. You could do a hash, but many folks would have trouble entering long numbers. PINs can be up to 12 digits, but essentially nobody uses more than 4, for that reason. You'd have to input acct #, amount, expiration date, sender id and recipient id all into one place to compute such a hash. Gonna type all that in? Oh...just type in acct no. etc.? Could do something where everyone has compatible smartcard readers, maybe, as long as you can also count on private keys never leaving cards. They'd have to "sign" all that info. But for net/phone transactions it's a lot of typing.
Reminds me of our cards in Belgium. If I pay with it here in Belgium I've got to enter my PIN, but my card has "maestro" (like all cards you get here), and in some neighbouring countries you can use it to pay without a PIN code!
So if someone steals my card and takes it to France, he can just pay with it and never needs my PIN code... isn't that something great?
You've got it all wrong. The problem is not people like the guy you answered.
The problem is that (especially American) people are sheep and accept the insecure systems in use. There is nothing wrong with using debit cards, even using them for most day-to-day purchases. It is not the fault of the user if the system is badly designed. After all, it is possible to set up debit card systems where the security is high (e.g. by requiring PINs, certified vending equipment etc.) and the risk is low (e.g. by having clauses which restrict the damage to the customer, or by requiring the bank to prove case by case that the system was not abused by another person).
Many countries in fact do have such systems and only low fraud rates. In Germany, for example, nearly all people carry a debit card from their own bank. These debit cards are connected to the "Maestro" system and allow getting money at ATMs all over Europe (and more places in the world) and purchases in almost all shops that accept plastic (very often only debit cards are accepted, but no credit cards). The security of German cards was upgraded a few years ago (it is believed that the formerly used 56-bit DES private key was broken by criminals) and nowadays uses at least 3DES with a bank-specific key. As the vending equipment cannot recalculate or check the PIN (only the card-issuing bank can), the PIN entered is usually encrypted and checked with a vending service provider over a dial-up or leased line. Some cards, however, also have a chip integrated which can check the PIN by itself (but needs to get synced to the central bank computer regularly). While cases of fraud still occur, it is believed that they are due to card copying by skimming devices (card readers that are attached in front of the real card readers at ATMs). Most ATMs are now equipped with "anti-skimming devices" which make it impossible to attach an external card reader.
Some merchants, often depending on the value, also allow paying with a signature, without the PIN. In such cases, however, all the risk is on the side of the merchant and not on the side of the customer. If the signature was forged, tough luck for the merchant. As the banks by default do not see the signature for such transactions, they are considered to be transactions without "written consent of the account owner". Therefore it is very easy to get such transactions charged back: all you have to do is tell your bank that you are refuting a specific transaction and they will happily give you back your money (as required by law). It is then up to the merchant to get the money by other means.
So if all the American people would stand up against outdated and insecure systems, using debit cards wouldn't need to be a personal and security risk. Just act!
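The transit step the post above describes (the PIN is encrypted at the keypad and only the issuing bank can check it), as an added worked example in Go. This is example code written for this page, not the poster's and not any bank's: an ISO 9564 format-0 PIN block encrypted under a terminal 3DES key, with the issuer-side recovery that only a holder of that key can perform. The key name, the sample PAN and the sample PINs are constructed test values, and the single-block ECB use is what the format-0 block is designed for.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed demo values, not a real key or card. 24 bytes gives 3-key
// TDES; a real PIN pad keeps this key inside tamper-resistant hardware.
var TerminalKey = []byte("0123456789abcdefFEDCBA98")
const SamplePAN = "4111111111111111"

// pinField builds the ISO 9564 format-0 PIN field: control nibble 0, the
// PIN length, the PIN digits, then F nibbles up to 16.
func pinField(pin string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 decimal digits")
	}
	s := fmt.Sprintf("0%X%s", len(pin), pin)
	return hex.DecodeString(s + strings.Repeat("F", 16-len(s)))
}

// panField builds the PAN field: four zero nibbles, then the rightmost 12
// digits of the PAN with the Luhn check digit excluded.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 decimal digits")
	}
	body := pan[:len(pan)-1]
	return hex.DecodeString("0000" + body[len(body)-12:])
}

// EncryptPINBlock is the PIN pad side: XOR the two fields and encrypt the
// single 8-byte block under the terminal PIN key (one ECB block).
func EncryptPINBlock(pin, pan string, key []byte) ([]byte, error) {
	pf, err := pinField(pin)
	if err != nil {
		return nil, err
	}
	paf, err := panField(pan)
	if err != nil {
		return nil, err
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	for i := range pf {
		pf[i] ^= paf[i]
	}
	enc := make([]byte, 8)
	c.Encrypt(enc, pf)
	return enc, nil
}

// DecryptPINBlock is the issuer/HSM side: only a holder of the key turns the
// 8 opaque bytes back into a PIN, so blocks stored next to their key are plaintext.
func DecryptPINBlock(enc []byte, pan string, key []byte) (string, error) {
	paf, err := panField(pan)
	if err != nil {
		return "", err
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil || len(enc) != 8 {
		return "", errors.New("need a 24-byte key and an 8-byte block")
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, enc)
	for i := range clear {
		clear[i] ^= paf[i]
	}
	hx := strings.ToUpper(hex.EncodeToString(clear))
	n := strings.IndexByte("0123456789ABCDEF", hx[1])
	if hx[0] != '0' || n < 4 || n > 12 {
		return "", errors.New("not a format-0 block (wrong key?)")
	}
	pin, pad := hx[2:2+n], hx[2+n:]
	if strings.Trim(pin, "0123456789") != "" || strings.Trim(pad, "F") != "" {
		return "", errors.New("bad PIN digits or padding (wrong key?)")
	}
	return pin, nil
}

// IssuerVerify compares the recovered PIN with the reference on file.
func IssuerVerify(enc []byte, pan string, key []byte, reference string) bool {
	pin, err := DecryptPINBlock(enc, pan, key)
	return err == nil && pin == reference
}

func main() {
	enc, _ := EncryptPINBlock("1234", SamplePAN, TerminalKey)
	fmt.Printf("encrypted PIN block %X, issuer verify: %v\n",
		enc, IssuerVerify(enc, SamplePAN, TerminalKey, "1234"))
}
```

The PAN is mixed into the block so that the same PIN on two cards does not produce the same ciphertext; what a merchant's network ever sees is the 8-byte output, which is worthless without the key and, as the story at the top shows, fully readable with it.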
The Slashdot title is quoting the title from techweb.com. Redirect your complaints to the author of the article. I'm assuming you didn't RTFA though.
PINs should be larger. 4 digits 0-9 is way too small. There should be a max of at least 15 digits.
The problem is that the banks have no financial incentive to replace magstripe cards with smartcards. The cost of doing so is enormous, but if the banks had to absorb the loss due to fraud (skimming, etc.), the cost of the initial investment would be covered in about 2 years (for Canada). Unfortunately for us, the banks and credit card companies just pass the cost of fraud on to the consumer in the form of service charges and higher interest rates. As a result, there's no incentive for them to secure the system. Since banks and credit card companies have a lock on the market, the consumer is powerless to 'take their business elsewhere' in protest.
As Admiral Ackbar would say: It's a trap!
Given the way computers work, and the fact that ANY biometric data or any form, be it a PIN number or retina scan data, has to be processed and as such needs to be converted into a digital form for comparison/verification.
The best software design in the world won't negate the memory management or indeed the hardware memory design, in so far as that data is stored in memory that can potentially hold that data intact, even if encrypted, for longer than is needed. Whilst the original stored on a remote network will always be there for comparison, at the terminal end it only needs to be there for the duration of the transaction and no longer.
Now if the hardware had volatile memory which would lose its value after, say, even 5 seconds after the data is written (or a suitable value) and the scanned/input biometric data was only stored there, then no matter how bad the code the data wouldn't be perpetually vulnerable.
Whilst this approach is not perfect, it is a viable and doable approach to what is a common problem in many applications or user interactions in the society we live in.
Maybe if the CPU had a small area of such memory, say sandwiched between a couple of processor layers, then even future memory X-ray reading technologies or the like would have problems extracting the data.
Security is a balance at the end of the day between YES and NO; alas, it is designed and used by humans who in reality believe in YES, NO and MAYBE it's out there.
but the intended target seems to be citibusinessonline.da-us.citibank.com.lawases.com
The lawases.com page does some strange JavaScript -- perhaps it does a JavaScript keylogger?
Free Software: Like love, it grows best when given away.
...the problem...is that retailers improperly store PIN numbers after they've been entered...
I bet they use PC computers too!
"Hello? Department of Redundancy Department please."
--Chemguru
Who types access codes? We used "trusted devices", even when that's an untrustworthy credit card. Even short PINs most people write down somewhere, trusting a slip of paper in their wallet, purse, desk or car. Trust a storage chip with a standard interface to "readers" like mobile phones or just dinky little interface dongles, or PC slots.
Smartcards are the easiest way to do this. "Recharged" from a large repository stored on a person's home network. I'd get more into the key distribution architecture, but I happen to be working under NDA on just such a system. Fancy signing, or even enclosing transaction details as I mentioned, are just leveraging the system towards optimal. Just offering a single onetime password per transaction is such an improvement against most attacks over the current plaintext userid that the minimum implementation is the big win.
--
make install -not war
Smart cards CAN be used for fully secured transactions over untrusted networks but unfortunately, aren't. Consider a smart card and a digital 'wallet' that is actually a simple terminal into the card. Your 'PIN' is actually just a password to log in to your own card.
They are being used in parts of Europe, and have been for some time.
From what I understand, the system is now mandatory in the UK.
In order to pass accreditation there were many, many security requirements, the most important of which is that the PIN never leaves the EMV hardware. There is a secure link between the little pad there and the swipe/park reader on the side of the PoS display. The PIN is hashed on the PIN pad and the hash sent to the reader. It does not go any further. Ever. All the till software I wrote gets is a (secure) result code for whether verification was successful.
The store does not get your PIN.
As for the rest, The store gets all the info from the stripe ANYWAY. The chip has all the same info encoded on it, and a lot more. They don't need to swipe your card (and I must admit it mystified me why they would for a while) precisely because they have that data from the chip!
The reason for the swipe is simple -
You appear to be worked up about very little.
If you have any more questions I'd be more than pleased to answer them.
However there is a code on there to say that it should be a chip card; the strip is still there in case the chip or the reader breaks. This is the only real exploit I know of (and I coded the Tesco system and I think my software runs Sainsbury's now too): that you can break (or cover in something like nail varnish) the chip, and then it is at the merchant's discretion as to whether they accept the transaction or not. In the case of fraud the liability is then with the merchant and not the card issuer/scheme.
Conceivably then, you could clone the stripe and put a dummy chip on a card and get away with it at some places, but not all. The chip itself cannot (at present) be cloned with anything other than an electron microscope, AFAICT.
The PIN pad generates a hash of the PIN you have entered using a pre-generated (during the transaction) key. This hash is then presented to the processor on the card for verification. The card merely replies yes or no.
And before anyone shouts "I'll just use a fake card that always says yes then!" let me inform you that there are cryptographic checks performed between the card and the PAD, the card and the issuer, the PAD and the issuer etc. etc., so that each piece of the puzzle (card, PoS, issuer) can verify the identity of the others whilst the transaction is in progress.
Staff training was it exactly, there is a chip reader below the swipe in a so called swipe and park reader, done so that all cards, chipped or chipless, can be processed the same way.
In separate PIN pad and reader systems there is a secure link between the two, otherwise the system would fail accreditation. The PIN hash that passes along these is unknown to the PoS or the rest of the system.
Visa Usa Notice. If Sams Club and OfficeMax are saving Citi Visa pins, they're saving other pins as well.
Hear that thumping? It's the hearts of a thousand excited product liability lawyers.
Any shop that takes Chip and PIN cards goes through extensive approval processes from their acquiring banks (who are in turn accredited by the card schemes) when they want to take a card type. This includes checks that the devices are properly accredited.
Now I guess it's possible (though IMHO unlikely) that a rogue employee could bring a dodgy device in and wire it up, but you're protected from fraud by the merchant and the card scheme anyway.
In 99% of online transactions there is simply a flag (and a few other bits of data) that say "The PIN verification performed by the card was successful". It could say it failed but then there would be no need for an online transaction as the card would be declined by that stage.
IF the card is configured to allow online PIN checking, and IF the terminal supports it, and IF the acquirer also supports it, and usually IF either the card or the terminal does not support offline PIN verification, then a one-way hash is sent to the issuer. This has two methods of defence: firstly, the hash is generated using the PIN and other transaction data and a random component, so it is different every time. Secondly, it's one-way, so there is no way to find the original PIN from it, even with a key. The remote system then verifies this hash rather than the PIN itself.
At least on EMV cards they can be up to 12. I doubt they'll ever get used above 4 though, as people have enough trouble remembering already.
Balance book ferchissakes? Haysus you must be fun to go out for a night with.
Debit cards mean I don't have to get cash, I don't have to think ahead for when I'm going to need money and I don't have to worry about paying it off at the end of the month either. It's like using cash, without the need to plan ahead. It's perfect. It also means that I withdraw the exact amount for what I need, not more to make up to what the machines will dispense.
If that makes me irresponsible then fine. But you sound a little too caught up in thinking about it.
I would still be happier with a photo on the credit/debit card. It's a little more difficult to steal my face.
Your face is irrelevant to the way the fraud is being perpetrated. The article states that the criminals are printing up fresh cards with the stolen information. If they insist, they could print up a picture of their own damn faces and use that on your stolen card information.
The only type of fraud the photo can help with is card fraud with your own stolen/lost card (the least common form of credit card fraud, accounting for under 15% of transactions). Assuming that you are as likely/as quick to call up the credit card company to cancel a stolen photo credit card as someone who has lost a non-photo credit card, the photograph is essentially irrelevant.
See my article here on this. Bottom line, I don't think it's necessarily a problem with retailers storing PINs, it's a fundamental implementation problem.
http://www.signal15.com/articles/2006/03/09/atm-card-fraud-and-bank-negligence
Need Free Juniper/NetScreen Support? JuniperForum
but of all things we must secure in the war against terrorism, you'd think the bank accounts would be the single greatest priority.
You don't need terrorists to steal bank accounts. Ordinary Americans will be glad to do it instead.
Not everything is linked to terrorism. A stolen bank account or 50 doesn't strike terror into my soul.
How did they buy stuff without your pin number? Don't you need to enter that when you make any purchase?
And no, you do not take any loss. The moment you contest a transaction with a credit card company or your bank they are required BY LAW to take your word as truth and refund the money pending an investigation. That is the law. Now that doesn't mean they won't try and weasel out of it or fob you off with blame, but if you remind them of their legal requirements they will usually cave.
Of course the new scheme makes it considerably less likely that this will happen. Basically there aren't many situations where a fraudulent chip and PIN transaction can go through:
- The bank screws up, as in this article, and you have your card stolen
- Someone fits a fraudulent device to an accredited Chip and PIN terminal, records your PIN and steals your card
- You give away your PIN and have your card stolen
The cards are cryptographically authenticated by the PoS and the acquiring/issuing bank. The PoS is cryptographically verified by the card and the acquiring/issuing bank. The acquiring/issuing bank is cryptographically verified by the card. You report the card is missing, you have no liability. There is no known way to clone the cards. There is no way to do a chip and PIN transaction without the card. This is why fraud is moving to customer-not-present and online transactions, which can be contested exactly as before. Chip and PIN gives very little opportunity for fraud. If you can think of a way to commit cardless Chip and PIN fraud then I'd be pleased to hear it (and talk to my contacts in VISA about it).
The preferred solution is to not have a problem.
Accepted everywhere. What's in YOUR cabinet?
Is she hot?
Seriously though, I don't think it's so much that geeky coolness is slipping into the mainstream as it is that society is becoming somewhat better at intermixing and tolerance instead of just "those are the nerds, we're the preps, we can't talk to them". After all, we all adapt to our surroundings. Hang out with the right group of people and you'll subconsciously pick up their lingo. You can get non-gamers saying "for the win", "woot" or whatever the phrase of the day is if they spend enough time with you and feel the right way about you. She probably just started hanging out with the slightly geeky gamer type in school and picked it up off him (or her).
Societal evolution is an interesting thing to follow.
Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
There must be more to it than that, since there are so few possible PINs that an attacker could just keep a list of the hashes for each of them.
You could hash it with a nonce but that still doesn't protect you from an eavesdropper or a corrupt merchant.
Are they maybe hashing the PIN and the card number together? Encrypting with shared secret keys?
If you get the PIN wrong a set number of times (usually three) the card locks itself. The hash is seeded with transaction-dependent data. Also, you don't get to see the hash: the link I told you about, between the PIN pad and the card reader, is a direct link and is encrypted itself (think SSL; I think they use certificates for authentication and then key exchange, then an encrypted link much like SSL, though I'm not sure of the details).
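The exchange the last few posts describe, as an added example in Go that is not part of any post and not a reproduction of EMV's own PIN commands: the card issues per-transaction data, the pad sends a keyed hash of the PIN, the card answers yes or no and blocks itself after three failures. HMAC-SHA256 as the hash and the 16-byte nonce are assumptions. It also demonstrates the eavesdropper point raised above: one captured (nonce, hash) pair lets an attacker test all 10,000 four-digit PINs offline, with no card and no try counter in the way, which is why the pad-to-reader link has to be encrypted as well and not just nonced.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

const maxTries = 3

// Card models the chip: it holds the reference PIN and a try counter and
// never releases the PIN, it only answers yes or no.
type Card struct {
	refPIN string
	tries  int    // remaining attempts; 0 means the card is blocked
	nonce  []byte // transaction data for the attempt in progress
}

func NewCard(pin string) *Card { return &Card{refPIN: pin, tries: maxTries} }

// Challenge issues fresh per-transaction data. A table of hashes built for
// one nonce is useless against the next transaction.
func (c *Card) Challenge() []byte {
	c.nonce = make([]byte, 16)
	if _, err := rand.Read(c.nonce); err != nil {
		panic(err)
	}
	return c.nonce
}

// pinHash is the model's keyed hash of the PIN under the transaction
// nonce (HMAC-SHA256 is an assumption; the posts only say "hash").
func pinHash(nonce []byte, pin string) []byte {
	m := hmac.New(sha256.New, nonce)
	m.Write([]byte(pin))
	return m.Sum(nil)
}

// PadEnterPIN is the PIN pad side: hash what was typed, forget the PIN.
func PadEnterPIN(nonce []byte, pin string) []byte { return pinHash(nonce, pin) }

// Verify is the card side: constant-time compare, one attempt per nonce,
// decrement on failure, refuse everything once blocked.
func (c *Card) Verify(h []byte) bool {
	if c.tries == 0 || c.nonce == nil {
		return false
	}
	ok := hmac.Equal(h, pinHash(c.nonce, c.refPIN))
	c.nonce = nil
	if !ok {
		c.tries--
	}
	return ok
}

func (c *Card) Blocked() bool { return c.tries == 0 }

// Eavesdrop is the attack the thread worries about: whoever sees one
// (nonce, hash) pair on the pad-to-reader link can test all 10,000
// four-digit PINs offline, with no card present, so the try counter never
// fires. That is why the link itself must be encrypted.
func Eavesdrop(nonce, captured []byte) (string, bool) {
	for i := 0; i < 10000; i++ {
		guess := fmt.Sprintf("%04d", i)
		if hmac.Equal(pinHash(nonce, guess), captured) {
			return guess, true
		}
	}
	return "", false
}

func main() {
	card := NewCard("4821")
	nonce := card.Challenge()
	h := PadEnterPIN(nonce, "4821")
	fmt.Println("card says:", card.Verify(h), "wire saw:", hex.EncodeToString(h)[:16]+"...")
	pin, _ := Eavesdrop(nonce, h)
	fmt.Println("eavesdropper recovered:", pin)
}
```

The nonce and the retry counter defend against two different things: the nonce kills precomputed tables and replays, the counter limits online guessing against the card. Neither helps once the hash is visible to a third party, because the guessing then happens against a copy, not against the card.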
Especially since others were victimized and the bank (if this was under US law) faces the specter of a class action suit.
1 - the swipe data alone is nowhere near enough to make a cloned card. You need a lot more data AND access to the master keys used by the card issuer.
2 - The link between the PIN Pad and the reader is direct and encrypted.
3 - With EMV (the UK scheme) no PIN is used in a magnetic transaction. Signature is used and the fraud liability is with the merchant. There is NO way to do a stripe'n'PIN transaction.
4 - The scenario would not be prevented if there was no strip because there is no scenario.
You can't call it negligence,
Right.. It's called incompetence... There is a difference.
Most software is fairly simple. Things like industrial automation, cash registers, CRM crap, etc don't require highly trained/advanced programmers. The general public thinks "software engineering" is rocket science, but it's really closer to manual labor/construction work.
Most software jobs don't require intricate knowledge of math or engineering. They just need someone to code up a simple application combined with a few customizations, or integrate package X with Y in application environment Z. These jobs aren't hot growth areas right now (compared to some other stuff in ECE/CS). Also consider that these positions are sometimes ones whose main requirement is "knowledge of Visual Basic".
Thus, I can foresee entire corporations of criminally stupid/incompetent people -- regardless of which industry they are in. So it doesn't surprise me that PIN pads might be insecure.
There are quack doctors, bad lawyers, and bad car mechanics... People somehow think that there won't be badly written software probably because the salaries are higher.
Given a choice between working on a cool new 3D video game and working on the next model of cash register, which would you pick? Why would anyone with a MS/PhD in CS/ECE want to work on cash registers? Yes these degrees are not needed for the work, but the people that get these degrees often [not always] have enough drive+knowledge+wisdom not to do really stupid stuff.
I'm not sure what the solution is. I doubt government regulation will improve things. Education is probably the answer...
The point is that you can derive the PIN for a card from the information on it plus an encryption key. So if you can derive the encryption key for thousands of cards from viewing the actual PINs plus coordinating with the actual magstripes, then you can just take any other magstripe and figure out the PIN. However this is not a crack or a hack: this is a cryptographic somewhat-brute-force attack. So maybe the only fault here is the storage of thousands of magstripes (as was previously mentioned).
From my point of view, it's the best hack ever.
Now to make this post appeal to the slashdot masses.... From my point of view, it's the best hack ever, you insensitive clod!
It takes an hour at best to learn to forge a signature convincingly -- that's an hour in which you can notice that your card is not about your person, and call the missing card hotline {number conveniently printed on your card
Chip and PIN is liked by Big Business because it removes the need for a human being {the checkout operator} to make a decision as to the validity of a signature. It "reduces fraud" by virtue of the simple fact that every transaction with a correct PIN is presumed to be valid. The cards are harder to clone right now; but where there's a will, there's always a way, and one would have to be extremely naïve to imagine that criminals are not working on the problem right now. When that happens, expect total and utter chaos; PINs will be obtained by shoulder-surfing [+], and cards will go missing only for as long as it takes to clone them. Even if the card is constructed so as to change state after each transaction, this is not perfect because it creates a classic race condition; if the clone card is used first, it will be the original card which is in the wrong state. If the cloning emulates the state machine logic perfectly, the clone card will even be good for more transactions.
[*] Having stolen your debit card and phone, and learned your PIN, the robber hands them to an accomplice who makes the purchase; all the while the robber stands guard over you, just in case you *ahem* mis-remembered your PIN and the accomplice has to phone the robber to prompt you.
[+] Chip-and-PIN keypads as I have seen so far use a static arrangement and usually are positioned at the best height and angle for reading the user's keystrokes from behind. It would be more secure, though highly counter-intuitive and error-prone, for the keypads to use a touch screen with a variable layout.
Je fume. Tu fumes. Nous fûmes!
I'm taking a guess here in that it's also entirely possible (and likely) in certain departments at Citi that plain text emails are being sent around the office with account numbers, unencrypted PINs, etc. It's even possible there are Excel sheets full of these sitting across shared folders on Windows.
Yikes.
And various transaction, time and card related data go to make a key which (IIRC) RSA encrypts the whole lot before hashing. I'm satisfied, personally.
Takes only a dozen or so - maybe less - cards. Single DES. Know the PIN, get the offset off the magstripe, giving ciphertext. Find a key that produces PINs correctly for O(10) cards and you can make up PINs thereafter for any cards the issuer used that same key for. Sometimes that can be huge numbers of cards.
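The attack sketched in this post and in the earlier "derive the PIN for a card from the information on it + an encryption key" post, as an added worked example in Go (not either poster's code, and not any issuer's real parameters). It implements the IBM 3624 PIN-offset method: the "natural" PIN is a decimalised single-DES encryption of PAN-derived validation data under the issuer's PIN generation key, and the magstripe carries only the offset between that and the PIN the customer chose. Given a few (PAN, offset, watched PIN) triples, every candidate key can be checked; the demo leaves only the last key byte unknown so it runs in milliseconds, since the real 2^56 search is dedicated-hardware work, but the per-candidate check is the real one. The key, PANs, PINs, validation-data layout and decimalisation table are all constructed assumptions.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed demo key, not a real one. DES ignores the low (parity) bit of
// each key byte, so 0x80 is the form of the last byte the search finds first.
var IssuerKey = []byte{0x1A, 0x2B, 0x3C, 0x4D, 0x5E, 0x6F, 0x70, 0x80}

// Card is one victim's data: PAN and offset from the stripe, PIN from the keypad.
type Card struct{ PAN, Offset, PIN string }

// Decimalisation table, hex digit -> decimal digit (assumed default).
const decTable = "0123456789012345"

// NaturalPIN single-DES-encrypts the validation data (here the rightmost 16
// PAN digits read as hex; real layouts vary) and decimalises n hex digits.
func NaturalPIN(key []byte, pan string, n int) (string, error) {
	d := strings.Repeat("0", 16) + pan
	vd, err := hex.DecodeString(d[len(d)-16:])
	if err != nil {
		return "", err
	}
	c, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, 8)
	c.Encrypt(out, vd)
	hx := strings.ToUpper(hex.EncodeToString(out))
	nat := make([]byte, n)
	for i := range nat {
		nat[i] = decTable[strings.IndexByte("0123456789ABCDEF", hx[i])]
	}
	return string(nat), nil
}

// digitAdd returns (a + sign*b) mod 10, digit by digit.
func digitAdd(a, b string, sign int) string {
	r := make([]byte, len(a))
	for i := range r {
		r[i] = byte((int(a[i]-'0')+sign*int(b[i]-'0')+10)%10) + '0'
	}
	return string(r)
}

// Offset is what the issuer writes to the stripe so a customer can keep a
// chosen PIN; PINFromOffset is the inverse every ATM host computes.
func Offset(natural, pin string) string           { return digitAdd(pin, natural, -1) }
func PINFromOffset(natural, offset string) string { return digitAdd(natural, offset, 1) }

// KeyFits is the attacker's per-candidate check: does this key reproduce every watched PIN?
func KeyFits(key []byte, cards []Card) bool {
	for _, c := range cards {
		nat, err := NaturalPIN(key, c.PAN, len(c.PIN))
		if err != nil || PINFromOffset(nat, c.Offset) != c.PIN {
			return false
		}
	}
	return true
}

// RecoverKey searches the key space. For the demo only the last byte is
// unknown (256 candidates); the real job is 2^56 candidates of single DES.
func RecoverKey(knownPrefix []byte, cards []Card) ([]byte, bool) {
	for b := 0; b < 256; b++ {
		cand := append(append([]byte{}, knownPrefix...), byte(b))
		if KeyFits(cand, cards) {
			return cand, true
		}
	}
	return nil, false
}

// DemoCards personalises four constructed cards under IssuerKey. The attacker
// watches the first three PINs being typed; the fourth ("5555") is never seen.
func DemoCards() []Card {
	pans := []string{"4111111111111111", "5555555555554444", "4012888888881881", "6011111111111117"}
	pins := []string{"1234", "9876", "0000", "5555"}
	cards := make([]Card, len(pans))
	for i, pan := range pans {
		nat, _ := NaturalPIN(IssuerKey, pan, 4)
		cards[i] = Card{PAN: pan, Offset: Offset(nat, pins[i]), PIN: pins[i]}
	}
	return cards
}

func main() {
	cards := DemoCards()
	key, _ := RecoverKey(IssuerKey[:7], cards[:3]) // only the watched cards
	nat, _ := NaturalPIN(key, cards[3].PAN, 4)    // stripe data of the unwatched one
	fmt.Printf("recovered key %X; unwatched card's PIN from its stripe: %s\n",
		key, PINFromOffset(nat, cards[3].Offset))
}
```

The payoff is the last two lines of main: once the key is known, stripe data alone gives the PIN of every card the issuer personalised under that key, which is the "huge numbers of cards" the post refers to. A wrong candidate passes three 4-digit checks by chance with probability about 10^-12, so a handful of watched cards is indeed enough to identify the key.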
the money stolen is *yours*, not the credit card company's money.
use credit and pay it off. i don't even own a debit card and will *never* own one.
of course, the banks want you to own one... they want to offload risk onto *you*.
in the credit card industry on both sides of the atlantic, let me just tell you, the US systems are primitive by comparison.
Me thinks that Citi is not being entirely forthright about the true extent of what's going on.
I'm almost 100% sure that this is not limited to the UK, Canada, and Russia, or to customers of Sam's Club or Office Max. I'm in the U.S., and have never used my ATM/debit card for purchases at either of those retailers. It could just be coincidence, but my Citibank account had unauthorized transactions made at an ATM in California just last week. Since I don't go around sharing my PIN, and was in possession of my ATM card, it's obvious that someone somehow got my PIN (which I am now going to be changing at least monthly) and duped my card.
If you have a Citibank ATM card, I encourage you at a minimum to get yourself over to your local branch as soon as possible (I imagine that for most that will now have to be Monday) and change your PIN right away. I'd also strongly consider closing your account and moving to a more secure bank, but honestly I'm not sure at what other bank the situation is really any better.
Understanding is a three edged sword. - Ambassador Kosh Naranek, Babylon 5
I want to see pictures of your 14-year-old daughter.
Why are all of the models in that link mutants? All the people I know have nipples.
This sort of system is widely in use, at least here in Finland, in e-commerce... I use it all the time, both as a buyer and a seller. The banks give out "payment buttons" to websites that send the billing details in an HTML form to the bank, where you do your stuff over SSL _with the bank_, and once you're done, the bank redirects you back to the store, pulling a predefined URL on the store's server that informs the business logic that the payment has been completed. It's a really simple system, and having buttons for the three biggest banks covers most of your customer base. The implementation is a no-brainer (no J2EE or anything like that required), and the three banks differ only in minor details.
They don't get any of my details they don't need to ship me the goods, and there's no need to mess around with credit cards... good for the business as well, as payment has always been made with certainty.
I want to play Free Market with a drowning Libertarian.
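The button flow the post above describes, as an added example in Go (not the poster's code and not any Finnish bank's protocol, whose real field names the post does not give): the shop builds the form that sends the customer to the bank, and the shop's return URL marks the order paid only after checks. The shared-secret MAC over the parameters, the amount comparison and the replay check are assumptions about what such a return URL needs; without them, anyone who can guess the return URL could mark their own order paid. The bank side is stood in for by a function that builds the call a bank would make.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Constructed shop-side state (assumptions): a secret shared with the bank
// and the orders the shop created, with the amount it expects for each.
var bankSecret = []byte("demo-shop-secret-registered-with-bank")

type Order struct {
	Amount string
	Paid   bool
}

var orders = map[string]*Order{}

// mac signs every parameter except "mac" itself, in sorted order, so that
// neither the values nor their order can be changed in transit.
func mac(params url.Values) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		if k != "mac" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	var sb strings.Builder
	for _, k := range keys {
		sb.WriteString(k + "=" + url.QueryEscape(params.Get(k)) + "&")
	}
	m := hmac.New(sha256.New, bankSecret)
	m.Write([]byte(sb.String()))
	return hex.EncodeToString(m.Sum(nil))
}

// PaymentButton is what the shop renders: the form the browser posts to the
// bank, signed so the bank can tell the amount was not edited on the way.
func PaymentButton(orderID, amount, returnURL string) url.Values {
	orders[orderID] = &Order{Amount: amount}
	v := url.Values{}
	v.Set("order", orderID)
	v.Set("amount", amount)
	v.Set("return", returnURL)
	v.Set("mac", mac(v))
	return v
}

// BankReturn stands in for the bank: after the customer paid over SSL it
// calls the return URL with the order, amount, its own reference and a MAC.
func BankReturn(orderID, amount, bankRef string) url.Values {
	v := url.Values{}
	v.Set("order", orderID)
	v.Set("amount", amount)
	v.Set("ref", bankRef)
	v.Set("mac", mac(v))
	return v
}

// HandleReturn is the shop's return URL. The order is marked paid only if
// the MAC is genuine, the order exists, the amount is the one the shop
// asked for, and the order was not already paid (a replayed valid call).
func HandleReturn(query string) error {
	params, err := url.ParseQuery(query)
	if err != nil {
		return err
	}
	if !hmac.Equal([]byte(params.Get("mac")), []byte(mac(params))) {
		return errors.New("bad MAC: not from the bank")
	}
	o, ok := orders[params.Get("order")]
	if !ok {
		return errors.New("unknown order")
	}
	if o.Amount != params.Get("amount") {
		return errors.New("amount differs from what the shop asked for")
	}
	if o.Paid {
		return errors.New("already paid: replayed return call")
	}
	o.Paid = true
	return nil
}

// IsPaid is what the shop's business logic consults before shipping.
func IsPaid(orderID string) bool {
	o, ok := orders[orderID]
	return ok && o.Paid
}

func main() {
	PaymentButton("A100", "19.90", "https://shop.example/return")
	fmt.Println("genuine return:", HandleReturn(BankReturn("A100", "19.90", "BANK-77").Encode()))
	fmt.Println("replayed return:", HandleReturn(BankReturn("A100", "19.90", "BANK-77").Encode()))
}
```

The amount check matters as much as the MAC: a bank call that is genuine but for a smaller amount (because the customer changed the form before posting it) would otherwise release the goods.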
Geez... how hard can it be people? Just make it a point to change your PIN every few weeks or so. I change mine on a regular basis. This makes any stored data related to my PIN basically worthless.
A debit card will only work if you enter a PIN. It works the same at an ATM as it does an a merchant. A credit card is what it sounds like you had, since those will take either cash-advance via PIN in an ATM, or signature verification at point of sale (with no PIN required).
The US banking system continues to be its own worst enemy.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
The PIN itself is stored in a memory location on the card's microprocessor inaccessible to the outside world.
My housemate did a fair amount of work into breaking UK chip and pin. His tutor group were set it as a research project by their tutor (who I now have as a lecturer).
They concluded that to get the PIN from the card, one would have to disassemble the card and physically access the ROM. This is all well and good, but the card is designed in such a way that if it is taken apart, the internals are destroyed in the process.
Official threat to Homeland Security
University of Surrey - http://www.surrey.ac.uk
Usually they say "reasonable care". If you take reasonable care and report the card stolen in a timely fashion you should be covered. If you are not then I would challenge it legally. OTOH, I still think having a photograph of the holder on the back of the card is a good idea.
It's all about cost. At some point in the history of many of these breaches, there was a guy yelling his bloody fool head off that a giant security exposure exists. Management didn't understand the risks, didn't understand the technical issues that led to the risk, and did understand one and only one thing: how much does it cost to fix it? Then they just decide. Fix or not? Oftentimes, not. When the fool keeps yelling his bloody head off, he is eventually marginalized and his career is effectively over. That's why people who care about this stuff almost all eventually become consultants. Without immediate risk to your job, you can tell 'em what's broke. When they don't like it, you move on and tell somebody else.
If you mod me down, I shall become more powerful than you could possibly imagine.
Maybe a lot of people should read this article: http://www.theregister.co.uk/2003/02/21/how_to_get_an_atm/
Although it is an old article, it might enlighten something.
> There is NO way to do a stripe'n'PIN transaction.
Yes there is - although not in a shop that uses a chip.
ATMs fall back to the "strip" if the chip doesn't work for any reason.
And of course, the PIN will work with the strip.
So the nice criminal may not be able to go into Tesco and buy his weekly shopping, but he could go to a Tesco ATM (or Link, High Street etc.) and withdraw your daily limit, then use cash to buy his shopping (or more likely drugs).
try to make ends meet, you're a slave to money, then you die
This one major difference between debit cards and credit cards explains why I use the latter and never the former: With a debit card, the issuer ALREADY HAS YOUR MONEY. With a credit card, they don't, so you have the upper hand.
Check out emvco.com for the standards on EMV cards and terminals. Ask your bank about how they require merchants who use them to go through accreditation well beyond these standards.