PIN Scandal 'Worst Hack Ever'
QuietLagoon writes "The evolving Citibank PIN scandal is getting worse with each passing day. Gregg Keizer of TechWeb News writes: 'The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs 'the worst consumer scam to date.' ... The problem...is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.'"
This brings up an issue with financial networks that I just don't understand.
The greatest security online would be to do away with a "pull" charge (where your details are given to the business and the money "pulled" from your account) and adopt a "push" system - where I make an order, get a receipt #, log into MY account with the bank (i.e. the SSL connection is between me and my bank) and then I send the money to them. I don't have any extra charges and don't send any money I don't want to. And they don't have my details to lose or get stolen.
But wait, that would mean people would have to do two steps, and people would use their OWN money more often, and not use credit... can't have that, can we? There are a zillion people out there who would sign up for this system, but it's not in the banks' interests. Free-market capitalism (*cough* oligopoly *cough*) fails again.
In contrast, if you insert the card yourself, the system seems somewhat harder to defeat, although I don't actually know what information the store then has access to. Presumably less information, or they wouldn't want to swipe the card in the first place.
So what's to do? I think the only sensible thing is to refuse point blank to ever hand over a chip'n'pin debit card. If they don't like this, don't pay, and tell them why. And tell others. The stores don't need to swipe your card, but they'll only learn this if enough people object.
I tend to use the key number of a car I bought about twenty years ago. Four digits, not particularly easy to guess, but I'll never forget them.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Something I've often wondered about. Why are ATM PINs only allowed to be 4 digits?!?!
for the mainstream population to embrace the debit card concept. Maybe I'm just paranoid, but if I'm going to be slinging plastic left and right, I want it to be somebody else's money until I get the statement and verify that all the charges to (insert 16 digits here) are, in fact, ones which I have authorized. It's just too easy to swipe a number and go to town.
Do you trust yourself (with a high credit limit) less than you trust someone making $5/hr, or some shady internet site with your bank account? Oh, sure, you can dispute that charge. But guess what - that money is gone from your account until they decide to credit you back that transaction. If you don't discover the error for a few days or *gasp* until the end of the month when your statement comes in, you could be writing rubber (e)checks for all your monthly expenses. I wouldn't want to bet a couple hundred dollars that the bank will reimburse you for your NSF fees and vendor NSF charges - especially since I've asked, and several managers have confirmed that they will not reimburse those charges.
I'm sure there's a small population out there who cannot get even a secured credit card. Okay, I'm fine with that - situations vary. But these things seem to be way too popular/numerous to be limited to those folks. To me, debit cards are the worst of both worlds - your money available on a card (nearly as bad as cash), but with the merchants and banks tracking your every purchase. *shakes head*
Disclaimer: I carry cash for most personal transactions. That's how I budget. I take out a fixed dollar amount each week, and when that's gone, I stop spending money for the week. If that cash gets lost or stolen, odds are good that I'm probably going to be out less than $50. Disappointing, but that's a pretty small sum, and it's never happened in my adult lifetime. Big purchases & net transactions go on credit card, the latter amount being subtracted from the next week's withdrawal. Since I keep 2-3 months of expenses in my checking account, a debit card is a liability I do not want.
Is it just my observation, or are there way too many stupid people in the world?
I'm no conspiracy nut who thinks Diebold deliberately threw the election (if they actually got caught, it'd be the end of the company), but I do think that they're incompetent programmers who wouldn't know security best practices if you whacked them with a book full of them. And I think that this problem ("PINs left in temporary files") sounds very much like the same kind of slop that leads to some of their voting machine failures (recall "bits of voting records lying around temporary files").
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
Statistically speaking, it's no less secure than any other sequence. Especially at six digits, that actually makes it more secure from a brute force attack ...
This issue has absolutely nothing to do with the choice of PIN, it has to do with latent storage of the PIN. A.k.a. not the consumer's fault.
However, now that I think about it, having an "obvious" PIN also makes it easier for somebody to glean your PIN. That's not a big problem because it's not usually how PINs are gotten, but it does happen. Also, like another response to your post pointed out, if you were brute-forcing PINs you might try the "obvious" ones first (1234, all digits the same, first two digits the same as the last two, etc.).
but of all things we must secure in the war against terrorism, you'd think the bank accounts would be the single greatest priority.
You don't need terrorists to steal bank accounts. Ordinary Americans will be glad to do it instead.
Not everything is linked to terrorism. A stolen bank account or 50 doesn't strike terror into my soul.
VISA *might* number the cards differently or they might be able to find out directly (and automagically) from VISA. If VISA gives them the account and routing information for the bank, the bank will let them withdraw as much money as they want from the account until you scream "fraud". The fact that a business only needs rudimentary information off a single unsigned check to drain your checking account, and possibly your savings if the bank starts withdrawing from there, is one of the most glaring problems with a lot of US banks.