Slashdot Mirror

← Back to Stories (view on slashdot.org)

PIN Scandal 'Worst Hack Ever'

Posted by ryuzaki0 on from the cue-comic-book-guy-voice dept.

QuietLagoon writes "The evolving Citibank PIN scandal is getting worse with each passing day. Gregg Keizer of TechWeb News writes: 'The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs 'the worst consumer scam to date.' ... The problem...is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.'"

4 of 365 comments (clear)

  1. If you are a Citibank customer... by Anonymous Coward · · Score: 5, Informative

    ... Change your fucking PIN right now. Don't be fooled by the Visa logo... Debit card fraud is not like credit card fraud, where the companies will almost always clear the charges at no (or minimal) cost to you. If a criminal steals your money through debit card theft you probably won't get it back.

    I was the victim of debit card abuse (from a different bank), I believe (from talking to other people in my neighborhood) that a gas station was logging debit #'s and PINs customers used at the pump, manufacturing cards and taking cash from ATM's. I was hit for about $2000 and it would have been more if I didn't catch it. The bank would not clear the charges, the police of course took a report but did nothing to follow up. I fought tooth and nail to get the bank to reimburse me, but they basically said it was my word against theirs. I demanded to see the ATM camera photos but they said they would only release them to the police, and of course the police refused to help with my request.

    Your mileage may differ, of course. But take this seriously.

    1. Re:If you are a Citibank customer... by jcr · · Score: 5, Informative

      I demanded to see the ATM camera photos but they said they would only release them to the police

      If you file suit, you can subpeona them.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
  2. And best of all... by loraksus · · Score: 5, Informative

    Citibank is handling this just like you'd expect a credit card company would, with horrid customer service.
    If you're out of the country? Tough shit. Virtually all usage outside the USA will result in your card being automatically killed and the only way (apparantly) for to continue using your card is to have a new card shipped to your home address, activate the card from your home phone, and even then, their CSRs say that if you use it outside the usa, it may get automatically killed again.
    See one such story here.

    You know, if this was bigger, it could be a good thing for everyone. Maybe then people would start taking things seriously. And although I usually don't think that we need new legislation, maybe in this case, it would be a good idea.
    I'd like to to see criminal penalties applied against the directors of companies for losing customer information in the same way people can go to the pokey for screwing up under SOX.

    Then again, this breach isn't the worst we've heard about this week. 17 million records (names, phone numbers, addresses, e-mail addresses, IP addresses, logins, passwords, credit-card types and purchase amounts - everything except credit-card numbers) were discovered floating around the net.
    See here for details.

    Oh, and if your card was used, good luck with trying to fix your credit
    The credit sytstem could use an overhaul.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  3. I coded Tesco's system by Nursie · · Score: 5, Informative
    Or at least I coded 50% of the chip and PIN software on Tesco's Point of Sale machines. You couldn't be more wrong.

    In order to pass accreditation there were many many security requirements, the most important of which is that the PIN never leaves the EMV hardware. There is a secure link between the little pad there and the swipe/park reader on the side of the PoS display. The PIN is hashed on the pin pad and the hash sent to the reader. It does not go any further. Ever. All the till software I wrote gets is a (secure) result code for whether verification was succesful.

    The sotre does not get your PIN.

    As for the rest, The store gets all the info from the stripe ANYWAY. The chip has all the same info encoded on it, and a lot more. They don't need to swipe your card (and I must admit it mystified me why they would for a while) precisely because they have that data from the chip!

    The reason for the swipe is simple -
    • The staff don't have to change their action dependant upon whether it's a chip card or not, they just swipe it, sit it in the endof the reader and the transaction processes
    • The staff don't have to change their action from Pre-Chip'n'PIN days, they just swipe it and away we go.

    You appear to be worked up about very little.

    If you have any more questions I'd be more than pleased to answer them.