Slashdot Mirror
PIN Scandal 'Worst Hack Ever'
QuietLagoon writes "The evolving Citibank PIN scandal is getting worse with each passing day. Gregg Keizer of TechWeb News writes: 'The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs 'the worst consumer scam to date.' ... The problem...is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.'"
When we were assigning alarm codes at our new office, we realized that all 3 of us had the same ATM PIN, because we all tried to choose it for our alarm code but it errored because someone else had already claimed the code. It's a common 4-digit code among the tech community. =( All changed now.
At least it's not as bad as the "go into debt because you own too many credit cards" hack that most Americans have fallen victim to.
I'm not going to speculate on motives, or get into the politics, but 20 years as a computer scientist and software engineer tells me this is not an accident. Even the worst programmers do not make this sort of mistake.
Rather similar to the Diebold voting machine scandal, one can only wonder what forces are behind this. You can't call it negligence, not even by the greatest leap of imagination is it possible to make such a mistake, so it must be malice. That is to say someone deliberately wrote the spec this way for nefarious reasons. I do wonder though, who benefits? They should haul the sytems analysts through the courts until they start to sing, and say "Yeah I was told to write it this way by xxxxxx"
I'm pretty sure that with the new chip and PIN cards that have recently been introduced in the UK, the PIN never leaves the card reader. The PIN is validated within the reader.
The Point of sale system will have no access to this information and thus no chance of the creation of a database of PIN numbers.
The card issuer however will know the PIN
I would still be happier with a photo on the credit/debit card, Its a little more dificult to steal my face.
slashnik
Another data point in the saga of debit cards.
A different bank's ATM machine ate my debit card. I then continued on my way to lunch expecting to be able to call up the bank later that day and get my card from the nearest branch. You see, this wasn't the first time the machine on campus ate my ATM card and that was the established protocol.
This time, however, the person who got my ATM card out of the machine was the next person in line. They then took the card and proceeded to rampage around the local stores using my card to purchases clothes and shoes; lots of shoes.
Being a debit card, it was drawing the money directly from my checking account. At the time, I was a college student and was basically leaving paycheck to paycheck. I wasn't in debt and I paid all my bills on time, I just didn't make enough money to save anything.
The checks for my rent and all my bills had already been mailed, but not processsed yet. By the time I called the bank about 3 hours after it ate my ATM card, I didn't have any cash left to pay the bills. I was a college student too, so they immediately accuse me of being the one going around on this spending spree as some sort of scam against them. I was quite livid, to say the least.
The next 3 months was a nightmare. Purchases that hadn't posted yet at the time of the theft were being rejected and I was constantly being called and written by merchants trying to get their money back. Of course, everyone eventually did get paid because this was fraud and the bank gave me back most of money. It still took me quite a while to get everything put back correctly on my credit.
It was amazing to me how many purchases waited to post to my account 3 or 4 or even 5 days after I made the purchase. I was being contacted by people that sold coffee, the grocery store, the campus book store and many more because this was all right at the start of classes.
To this DAY, 7 years later, I refuse to get a debit card and always insist on an ATM only card.
the bank has more lawyers than he does (and $2000 isn't much when you're talking legal fees).
Which makes it quite likely that the bank will make the business decision to refund his money, since it will be cheaper than even the prep work for the bank to show up in court.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
If the retailers have been storing the Pin locally why would this just be a Citi issue. Wouldn't any debit card that went through their network be at risk?
Debit cards are extremely popular Canada. In fact, I believe we have the highest per capita use of debit cards anywhere in the world (Australia is apparently not far behind). The system even has its own name, Interac, and is so ubiquitous that I never carry cash because every merchant, and do I mean every merchant, is supplied with Interac. It's been this way for so long (Interac really took off around 1994 or so) that no one accepts cheques and hardly anyone carries cash.
Therein lies the problem. If I pop in to a local convenience store 99 times out of 100 they'll have Interac, but you don't really know how trustworthy they are. In the last few years thieves have caught on that no one really carries cash and have come up with imaginitve ways of skimming your card and stealing your PIN. There is a sense of relative safety and attractiveness in skimming debit cards instead of credit cards as they can then take a cloned card and PIN directly to a bank machine and receive cash. No fence, no signatures, no ID requirements, etc. The cost of equipment is relatively low: magnetic card reader/writer and a high quality digital video camera, the penalties almost laughable if you manage to get caught and the potential gain is just about limitless.
I read somehwere, and I am too lazy to Google it, that debit card fraud took in $44 million in 2003 from around 27,000 people. That's approximately $1600 per person. I can't afford to lose that much and the banks don't seem to care. If you kick up a fuss and manage to get the media's attention then they'll do something about it and reimburse you, but count yourself lucky. At an estimated cost of $500 million to switch Interac to something like the chip and PIN system in the UK they can afford to lose a few customers here and there.
I do technical support for point of sale systems and during our end of year discussions in the MIS department I learned that debit card use fell in terms of dollars spent for the first time in twelve years. Credit card use increased to make up the difference. I can only conclude that card skimming has become so prevalent, or at least the public perception has, that it has already seriously eroded confidence in the Interac system. I was really shocked to learn that. It's also possible that people didn't have as much money as in years past and moved to credit cards, but countering a twelve year trend seems too co-incidental.
On the positive side, the Royal Bank does seem to be at least a little proactive in that they do monitor your account for unusually large cash withdrawals and have a system of daily transaction limits. I have been called twice by their security department in that last few years and told to report to the closest branch and have my card replaced. I was told simply that I used my card at a merchant where a suspected security breach (read: skimming operation) occurred. Inconvenient, but my savings are worth the inconvenience.
Smart cards CAN be used for fully secured transactions over untrusted networks but unfortunately, aren't. Consider a smart card and a digital 'wallet' that is actually a simple terminal into the card. Your 'PIN' is actually just a password to log in to your own card.
To process a transaction, The POS terminal generates a transaction record requesting the payment amount, and signs it. Meanwhile, you log into your card and authorize a single transaction for the total amount. You then place your card in the POS terminal's reader. It passes the transaction record to the card. The card, then signs the transaction (unless it is for more than you authorized). The card passes the signed record back to the POS. The POS then sends the record to your bank to cause the amount to transfer to the merchant's account.
The system can also be used offline so long as you're willing to give up the ability to validate the transaction immediatly.
To bootstrap the system, the 'wallet' function can be available in the card reader at the POS terminal. Most people would use that and trust it the same way they now trust the card reader. It would be more trustworthy than the current system since the card would still be required to produce a transaction record (since the private key never leaves the card). Those who do not wish to trust the POS terminals at all can use their own wallet to authorize transactions. A USB interface on the wallet would allow for instant secure online payments. Since the PIN/password never leaves the wallet, it's safe to use at a public terminal (internet cafe for example).
In either scenerio, skimming is prevented since again, the private key never leaves the chip on the card. People already generally understand the need to keep credit/debit cards in their posession.
A side benefit to the system is that you can pre-authorize a transaction amount and then allow a reasonably trusted person to use your card. Unlike current cards where you would have to trust the person with your PIN (and the total balance in your account + your credit limit), you need only trust them with the amount of the single transaction.
More advanced cards might be pre-authorized with a given amount which may be spent in multiple transactions. More advanced cards could have those transactions limited to payments to specific entities. That allows parents to give kids an allowance on a card, send the kids to the store, or emergency cab fare.
A lost card would just mean generating a new key pair and issuing a new card. No need to change account numbers. That means no need to do anything special about pre-authorized monthly billings. Meanwhile, merchants with sporadic connectivity (think vendor booths at fairs, etc.) could at least download a list of revoked keys onto a USB drive to limit fraud problems.
Finally, such a system would be it's own non-repudiatable audit trail. Your reciept is a transaction record signed by you, the other party, their bank and your bank. Nobody can deny knowledge of the transaction. You can easily store the transaction records of your purchaces and your deposits. Even if the bank convieniantly can't find a record of your deposit, YOU can provide the reciept signed by them and (for example) your employer. Each signature can include a datestamp so nobody can float the transaction.
It's amazing to me the vast difference between public perception and the truth about the security of transactions and banking in general. The fact is, nearly anyone, using nothing but the information found printed on your checks can create a fraudulant transaction. A signature means little since the cost of expert analysis is far more than the amount of most checks you write. The fact is that banking routinely relies on taking people's word for it. Nearly any transaction record can be forged (and so, repudiated).
Beyond that, banking depends on a pile of ancient mainframes, private networks (frame relay), 9600 baud modems, COBOL programs, and ancient proprietary record
You still don't know whether that card reader into which you inserted the card yourself is legit. With so many different designs and appearances of readers out there, how can you know?
Formerly, equipment to build fake readers was hard to come by, but this is unfortunately no longer true.
Have worked on building integrated debit/credit card systems for the grocery industry in Canada, for years I've built integrated solutions for every Canadian bank at one time or another. Having some low-level access to the system I've always felt it was well thought out and generally secure.
Then I worked on my first US banking integrated solution. I was astounded when I realized I'd actually be working with RAW pin #'s and have a customer's full Track-2 data from thier debit card. With those two pieces of info I could duplicate thier card and use it anywhere. All that's required is one unsavory developer in cahoots with one merchant. I am surprised it's never happenend sooner.
In the Canadian interac system the banks supply the pin pads that have built in software so that it deals with the magstripe and the pin and insures only the encrypted PIN # is available to the developer. Further each pin pad has 3 encryption keys and with each transaction the response from the bank (which has to be decrypted by the pin pad) includes a new key to replace 1 of the 3 on the pinpad. It's quite common if there's communication errors for the keys to get out of sync and require a couple transaction retries to get resynced but it's far far far better then the US system.
I lived is the US for a couple years since those days developing debit interfaces and I've never swiped my bank card at ANY merchant vendor machine. But back in Canada debit is king and I use it daily and with confidence it's safe.
Note: As an aside the behind the scenes processing required for a credit/debit card transaction in the US is incredible. It's essentially chaos! The only savior is ignorance is bliss and most of the developers for the US system haven't since the back end of the Canadian banking system which is very structured, simple and reliable.
Well, since the chip's unlocking of the public-key signature can be used as an oracle to whether or not you got the PIN right, and you can exploit a bug to reset the counter in a fraction of a second (which you couldn't do with an ATM), and it takes just a few seconds to try all 10,000 combinations... ...not to mention the problems that could be caused by modified, fraudulent Chip&Pin terminals logging PINs and storing the chip and possibly swipe too. ...and also not to mention the plain-and-simple shoulder-surfing problem caused by a proliferation of places where you enter your PIN, such as a supermarket queue, where people are standing behind you or where they can effectively shoulder-surf you a lot of the time and aren't necessarily expected to be as far back as they would at an ATM, despite the fact that the shoulder-surfing danger is identical...
and they have to transfer the PIN from the keypad to the card via the terminal that has the mag stripe data.
No, the PIN will never leaves the PINpad. The PINpads must be type approved by EMVco http://www.emvco.com/ A hash of the PIN is passes from the terminal to the PINpad which validates the PIN supplied by the customer. A signal is passed back to the till which confirms the PIN was valid.
There are strict restrictions placed on the retailer as to how much of the card data can be saved or logged.
The card stripe is read as the card is inserted, then at the bottom of the swipe slot the card lodges in the chip reader. You then enter your PIN into the remote keypad. The keypad encrypts the PIN using triple-DES (keyed using a shared key) to transfer the PIN to the terminal. So, it's hard to eavesdrop the PIN in transit, but the PIN does end up in the same system as the swiped card data. Which means that (in principle at least) it's exactly as secure or insecure as the systems in the US that have been compromised.
Basically chip and pin is not there to protect the customers - it's there to protect the stores. But as no signature is involved, it's now harder for you to claim it wasn't you. And before, you couldn't give away your ATM PIN in UK stores, now you can.
The store I work at takes debit cards and while I don't go out of my way to check out peoples' PINs, I've definitely noticed somebody who has picked that PIN at least once. Another one I remember is somebody who picked 4444. Actually, now that I think about it, it may have even been a 6 digit PIN that was all fours. I mean, I guess it doesn't really matter what your PIN is, but I just can't imagine somebody deciding to make it all the same digit.
Dude, if only you knew of the stupid inner workings of Citibank... They pushed the concept of "matrix structure" too far, nobody is really accountable for any shit in there. The worst thing is that, given their strucutre, it is really hard to prove that xxxxxx told them to do so. In the end, the analysts get screwed over and managers sail along happily.
When will damages cost the account managers more than switching from plaintext permanent passwords to one-time pad pins? It's not that expensive to switch, but of course much cheaper. Even better is a OTP-encrypted message containing the senderID, recipientID, money amount, and expiration date.
But I guess insurance companies love paying the damages, which rarely accrue to the account manager - rather, to the account holder.
--
make install -not war
as a customer, how can you tell if the device itself is genuine?
By entering an incorrect pincode. When it is accepted, the device apparently is not validating the pincode.
Of course this does not work when the fraudulent device is in fact a real one with addition of a tap of client information, but the real devices are supposed to be designed in such a way that this is not easily possible.
The banks could be adding an extra confidence message to online devices, like displaying your date of birth after you have swiped the card and before entering the PIN. This makes it easier to confirm that the device is actually communicating with the bank and is not a standalone device (which you should avoid).
The point is that you can derive the PIN for a card from the information on it + an encryption key.
So if you can derive the encryption key for thousands of cards from viewing the actual PIN's plus
co-ordinating with the actual magstripes then you can just take any other magstripe
and figure out the PIN.
However this is not a crack or a Hack: this is an cryptographic somewhat-brute-force attack.
So maybe the only fault here is the storage of thousands of magstripes.
(as was previously mentioned)
I would like to see something along the lines of biometrics at ATMs (don't bother with the arguments against biometrics-i know. it's about raising the bar, not foolproofing.) or Secure ID tokens.