PIN Scandal 'Worst Hack Ever'
QuietLagoon writes "The evolving Citibank PIN scandal is getting worse with each passing day. Gregg Keizer of TechWeb News writes: 'The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs 'the worst consumer scam to date.' ... The problem...is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.'"
That's amazing! I have the same combination on my luggage!
I'll form my OWN solar system! With blackjack! And hookers!
When we were assigning alarm codes at our new office, we realized that all 3 of us had the same ATM PIN, because we all tried to choose it for our alarm code but it errored because someone else had already claimed the code. It's a common 4-digit code among the tech community. =( All changed now.
At least it's not as bad as the "go into debt because you own too many credit cards" hack that most Americans have fallen victim to.
I'm not going to speculate on motives, or get into the politics, but 20 years as a computer scientist and software engineer tells me this is not an accident. Even the worst programmers do not make this sort of mistake.
Rather similar to the Diebold voting machine scandal, one can only wonder what forces are behind this. You can't call it negligence, not even by the greatest leap of imagination is it possible to make such a mistake, so it must be malice. That is to say someone deliberately wrote the spec this way for nefarious reasons. I do wonder though, who benefits? They should haul the systems analysts through the courts until they start to sing, and say "Yeah I was told to write it this way by xxxxxx"
I'm pretty sure that with the new chip and PIN cards that have recently been introduced in the UK, the PIN never leaves the card reader. The PIN is validated within the reader.
The Point of sale system will have no access to this information and thus no chance of the creation of a database of PIN numbers.
The card issuer however will know the PIN
I would still be happier with a photo on the credit/debit card; it's a little more difficult to steal my face.
slashnik
Half of me is laughing because I'm picturing the comic book guy saying "Worst Hack Ever" - the other half is genuinely a little frightened at the lack of security guarding my finances :(
... Change your fucking PIN right now. Don't be fooled by the Visa logo... Debit card fraud is not like credit card fraud, where the companies will almost always clear the charges at no (or minimal) cost to you. If a criminal steals your money through debit card theft you probably won't get it back.
I was the victim of debit card abuse (from a different bank), I believe (from talking to other people in my neighborhood) that a gas station was logging debit #'s and PINs customers used at the pump, manufacturing cards and taking cash from ATM's. I was hit for about $2000 and it would have been more if I didn't catch it. The bank would not clear the charges, the police of course took a report but did nothing to follow up. I fought tooth and nail to get the bank to reimburse me, but they basically said it was my word against theirs. I demanded to see the ATM camera photos but they said they would only release them to the police, and of course the police refused to help with my request.
Your mileage may differ, of course. But take this seriously.
This brings up an issue with financial networks that I just don't understand.
The greatest security online would be to do away with a "pull" charge (where your details are given to the business and the money "pulled" from your account) and adopt a "push" system - where I make an order, get a receipt #, log into MY account with the bank (i.e. the SSL connection is between me and my bank) and then I send the money to them. I don't have any extra charges or don't send any money I don't want to. And they don't have my details to lose or get stolen.
But wait, that would mean people would have to do two steps, and people would use their OWN money more often, and not use credit.... can't have that can we. There are a zillion people out there who would sign up for this system, but it's not in the banks' interests. Freemarket capitalism (*cough* oligopoly *cough*) fails again.
In contrast, if you insert the card yourself, the system seems somewhat harder to defeat, although I don't actually know what information the store then has access to. Presumably less information, or they wouldn't want to swipe the card in the first place.
So what's to do? I think the only sensible thing is to refuse point blank to ever hand over a chip'n'pin debit card. If they don't like this, don't pay, and tell them why. And tell others. The stores don't need to swipe your card, but they'll only learn this if enough people object.
3141, right?
The dangers of knowledge trigger emotional distress in human beings.
Citibank is handling this just like you'd expect a credit card company would, with horrid customer service.
If you're out of the country? Tough shit. Virtually all usage outside the USA will result in your card being automatically killed and the only way (apparently) to continue using your card is to have a new card shipped to your home address, activate the card from your home phone, and even then, their CSRs say that if you use it outside the USA, it may get automatically killed again.
See one such story here.
You know, if this was bigger, it could be a good thing for everyone. Maybe then people would start taking things seriously. And although I usually don't think that we need new legislation, maybe in this case, it would be a good idea.
I'd like to see criminal penalties applied against the directors of companies for losing customer information in the same way people can go to the pokey for screwing up under SOX.
Then again, this breach isn't the worst we've heard about this week. 17 million records (names, phone numbers, addresses, e-mail addresses, IP addresses, logins, passwords, credit-card types and purchase amounts - everything except credit-card numbers) were discovered floating around the net.
See here for details.
Oh, and if your card was used, good luck with trying to fix your credit.
The credit system could use an overhaul.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
Another data point in the saga of debit cards.
A different bank's ATM machine ate my debit card. I then continued on my way to lunch expecting to be able to call up the bank later that day and get my card from the nearest branch. You see, this wasn't the first time the machine on campus ate my ATM card and that was the established protocol.
This time, however, the person who got my ATM card out of the machine was the next person in line. They then took the card and proceeded to rampage around the local stores using my card to purchase clothes and shoes; lots of shoes.
Being a debit card, it was drawing the money directly from my checking account. At the time, I was a college student and was basically living paycheck to paycheck. I wasn't in debt and I paid all my bills on time, I just didn't make enough money to save anything.
The checks for my rent and all my bills had already been mailed, but not processed yet. By the time I called the bank about 3 hours after it ate my ATM card, I didn't have any cash left to pay the bills. I was a college student too, so they immediately accused me of being the one going around on this spending spree as some sort of scam against them. I was quite livid, to say the least.
The next 3 months were a nightmare. Purchases that hadn't posted yet at the time of the theft were being rejected and I was constantly being called and written by merchants trying to get their money back. Of course, everyone eventually did get paid because this was fraud and the bank gave me back most of the money. It still took me quite a while to get everything put back correctly on my credit.
It was amazing to me how many purchases waited to post to my account 3 or 4 or even 5 days after I made the purchase. I was being contacted by people that sold coffee, the grocery store, the campus book store and many more because this was all right at the start of classes.
To this DAY, 7 years later, I refuse to get a debit card and always insist on an ATM only card.
Something I've often wondered about. Why are ATM PINs only allowed to be 4 digits?!?!
If the retailers have been storing the PIN locally, why would this just be a Citi issue? Wouldn't any debit card that went through their network be at risk?
It appears there's a clause for debit cards used at ATMs... http://usa.visa.com/personal/security/visa_security_program/zero_liability.html
Extract from above Link:
The Zero Liability policy covers all Visa credit and debit card transactions processed over the Visa network--online or off. The only transactions not covered under the Zero Liability policy are commercial card, ATM, and non-Visa-branded PIN transactions.
Debit cards are extremely popular in Canada. In fact, I believe we have the highest per capita use of debit cards anywhere in the world (Australia is apparently not far behind). The system even has its own name, Interac, and is so ubiquitous that I never carry cash because every merchant, and I do mean every merchant, is supplied with Interac. It's been this way for so long (Interac really took off around 1994 or so) that no one accepts cheques and hardly anyone carries cash.
Therein lies the problem. If I pop in to a local convenience store 99 times out of 100 they'll have Interac, but you don't really know how trustworthy they are. In the last few years thieves have caught on that no one really carries cash and have come up with imaginative ways of skimming your card and stealing your PIN. There is a sense of relative safety and attractiveness in skimming debit cards instead of credit cards as they can then take a cloned card and PIN directly to a bank machine and receive cash. No fence, no signatures, no ID requirements, etc. The cost of equipment is relatively low: magnetic card reader/writer and a high quality digital video camera, the penalties almost laughable if you manage to get caught and the potential gain is just about limitless.
I read somewhere, and I am too lazy to Google it, that debit card fraud took in $44 million in 2003 from around 27,000 people. That's approximately $1600 per person. I can't afford to lose that much and the banks don't seem to care. If you kick up a fuss and manage to get the media's attention then they'll do something about it and reimburse you, but count yourself lucky. At an estimated cost of $500 million to switch Interac to something like the chip and PIN system in the UK they can afford to lose a few customers here and there.
I do technical support for point of sale systems and during our end of year discussions in the MIS department I learned that debit card use fell in terms of dollars spent for the first time in twelve years. Credit card use increased to make up the difference. I can only conclude that card skimming has become so prevalent, or at least the public perception has, that it has already seriously eroded confidence in the Interac system. I was really shocked to learn that. It's also possible that people didn't have as much money as in years past and moved to credit cards, but countering a twelve year trend seems too co-incidental.
On the positive side, the Royal Bank does seem to be at least a little proactive in that they do monitor your account for unusually large cash withdrawals and have a system of daily transaction limits. I have been called twice by their security department in the last few years and told to report to the closest branch and have my card replaced. I was told simply that I used my card at a merchant where a suspected security breach (read: skimming operation) occurred. Inconvenient, but my savings are worth the inconvenience.
Smart cards CAN be used for fully secured transactions over untrusted networks but unfortunately, aren't. Consider a smart card and a digital 'wallet' that is actually a simple terminal into the card. Your 'PIN' is actually just a password to log in to your own card.
To process a transaction, the POS terminal generates a transaction record requesting the payment amount, and signs it. Meanwhile, you log into your card and authorize a single transaction for the total amount. You then place your card in the POS terminal's reader. It passes the transaction record to the card. The card then signs the transaction (unless it is for more than you authorized). The card passes the signed record back to the POS. The POS then sends the record to your bank to cause the amount to transfer to the merchant's account.
The system can also be used offline so long as you're willing to give up the ability to validate the transaction immediately.
To bootstrap the system, the 'wallet' function can be available in the card reader at the POS terminal. Most people would use that and trust it the same way they now trust the card reader. It would be more trustworthy than the current system since the card would still be required to produce a transaction record (since the private key never leaves the card). Those who do not wish to trust the POS terminals at all can use their own wallet to authorize transactions. A USB interface on the wallet would allow for instant secure online payments. Since the PIN/password never leaves the wallet, it's safe to use at a public terminal (internet cafe for example).
In either scenario, skimming is prevented since again, the private key never leaves the chip on the card. People already generally understand the need to keep credit/debit cards in their possession.
A side benefit to the system is that you can pre-authorize a transaction amount and then allow a reasonably trusted person to use your card. Unlike current cards where you would have to trust the person with your PIN (and the total balance in your account + your credit limit), you need only trust them with the amount of the single transaction.
More advanced cards might be pre-authorized with a given amount which may be spent in multiple transactions. More advanced cards could have those transactions limited to payments to specific entities. That allows parents to give kids an allowance on a card, send the kids to the store, or emergency cab fare.
A lost card would just mean generating a new key pair and issuing a new card. No need to change account numbers. That means no need to do anything special about pre-authorized monthly billings. Meanwhile, merchants with sporadic connectivity (think vendor booths at fairs, etc.) could at least download a list of revoked keys onto a USB drive to limit fraud problems.
Finally, such a system would be its own non-repudiatable audit trail. Your receipt is a transaction record signed by you, the other party, their bank and your bank. Nobody can deny knowledge of the transaction. You can easily store the transaction records of your purchases and your deposits. Even if the bank conveniently can't find a record of your deposit, YOU can provide the receipt signed by them and (for example) your employer. Each signature can include a datestamp so nobody can float the transaction.
It's amazing to me the vast difference between public perception and the truth about the security of transactions and banking in general. The fact is, nearly anyone, using nothing but the information found printed on your checks can create a fraudulent transaction. A signature means little since the cost of expert analysis is far more than the amount of most checks you write. The fact is that banking routinely relies on taking people's word for it. Nearly any transaction record can be forged (and so, repudiated).
Beyond that, banking depends on a pile of ancient mainframes, private networks (frame relay), 9600 baud modems, COBOL programs, and ancient proprietary record
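The flow proposed in the comment above (the POS signs the record, the card countersigns only up to a pre-authorized amount, the bank checks both signatures and a list of revoked card keys) is sketched below as an added example that is not part of the original thread. Ed25519, the record encoding and every type, function and sample value are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

type Txn struct { // record the POS terminal builds; field names are illustrative
	Merchant string
	Cents    uint64
}

func (t Txn) encode() []byte { // byte layout that both parties sign
	b := make([]byte, 8, 8+len(t.Merchant))
	binary.BigEndian.PutUint64(b, t.Cents)
	return append(b, t.Merchant...)
}

type Card struct {
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey // never leaves the card: no exported accessor
	pin   string
	limit uint64 // amount unlocked for one transaction; 0 means locked
}

func NewCard(pin string) *Card {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &Card{Pub: pub, priv: priv, pin: pin}
}

// Authorize is the wallet step: log in to the card and unlock one amount.
func (c *Card) Authorize(pin string, cents uint64) error {
	if pin != c.pin {
		return fmt.Errorf("card: wrong PIN")
	}
	c.limit = cents
	return nil
}

// Sign countersigns the POS-signed record unless it exceeds the unlocked amount.
func (c *Card) Sign(t Txn, posSig []byte) ([]byte, error) {
	if c.limit == 0 || t.Cents > c.limit {
		return nil, fmt.Errorf("card: amount not authorized")
	}
	c.limit = 0 // the authorization is single-use
	return ed25519.Sign(c.priv, append(t.encode(), posSig...)), nil
}

// BankVerify checks the revocation list and both signatures before paying out.
func BankVerify(t Txn, posPub, cardPub ed25519.PublicKey, posSig, cardSig []byte, revoked map[string]bool) error {
	if revoked[string(cardPub)] {
		return fmt.Errorf("bank: card key revoked")
	}
	if !ed25519.Verify(posPub, t.encode(), posSig) {
		return fmt.Errorf("bank: bad merchant signature")
	}
	if !ed25519.Verify(cardPub, append(t.encode(), posSig...), cardSig) {
		return fmt.Errorf("bank: bad card signature")
	}
	return nil
}

func main() {
	posPub, posPriv, _ := ed25519.GenerateKey(nil)
	card, t := NewCard("4821"), Txn{Merchant: "example-grocer", Cents: 2599} // constructed values
	posSig := ed25519.Sign(posPriv, t.encode())
	_ = card.Authorize("4821", 3000)
	cardSig, _ := card.Sign(t, posSig)
	fmt.Println("bank accepts:", BankVerify(t, posPub, card.Pub, posSig, cardSig, nil) == nil)
}
```

The record here carries no datestamp or nonce, so a real scheme would have to add one to stop a signed record from being presented twice.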
for the mainstream population to embrace the debit card concept. Maybe I'm just paranoid, but if I'm going to be slinging plastic left and right, I want it to be somebody else's money until I get the statement and verify that all the charges to (insert 16 digits here) are, in fact, ones which I have authorized. It's just too easy to swipe a number and go to town.
Do you trust yourself (with a high credit limit) less than you trust someone making $5/hr, or some shady internet site with your bank account? Oh, sure, you can dispute that charge. But guess what - that money is gone from your account until they decide to credit you back that transaction. If you don't discover the error for a few days or *gasp* until the end of the month when your statement comes in, you could be writing rubber (e)checks for all your monthly expenses. I wouldn't want to bet a couple hundred dollars that the bank will reimburse you for your NSF fees and vendor NSF charges - especially since I've asked, and several managers have confirmed that they will not reimburse those charges.
I'm sure there's a small population out there who cannot get even a secured credit card. Okay, I'm fine with that - situations vary. But these things seem to be way too popular/numerous to be limited to those folks. To me, debit cards are the worst of both worlds - your money available on a card (nearly as bad as cash), but with the merchants and banks tracking your every purchase. *shakes head*
Disclaimer: I carry cash for most personal transactions. That's how I budget. I take out a fixed dollar amount each week, and when that's gone, I stop spending money for the week. If that cash gets lost or stolen, odds are good that I'm probably going to be out less than $50. Disappointing, but that's a pretty small sum, and it's never happened in my adult lifetime. Big purchases & net transactions go on credit card, the latter amount being subtracted from the next week's withdrawal. Since I keep 2-3 months of expenses in my checking account, a debit card is a liability I do not want.
Is it just my observation, or are there way too many stupid people in the world?
What worries me is the new crop of stand-alone ATMs. These units are operated by companies other than banks, and exist solely to collect $1.50 - $2.50 per transaction as a service fee.
I guess that the cryptographic engine that communicates to the Interac network must be supplied and approved by whatever payment provider the merchant chooses (GlobalPayments, etc.), but the pin pad keys themselves are usually integrated into the design of the front panel. I, therefore, have no assurance that the interface I'm entering my pin into is directly connected to the cryptographic system, without any sort of eavesdropping in the middle.
We had a problem with this a few years back here in Ontario, I can only assume that it will crop up elsewhere.
At least when I'm at a grocery store and I use a VeriFone SC500 (or whatever brand that store uses) with its seals intact, I can be reasonably confident that the device hasn't been modified to steal my pin. (Not 100% sure, of course, but the design of an ATM makes it much easier to subvert the electronics than a vendor-supplied pin pad does.) Of course, when the clerk swipes my card into their POS system rather than swiping it directly into the pad, I still have to be alert for cameras, shoulder-surfers, etc.
I found my debit card suddenly non-functional one day, and shortly thereafter got a call from the bank. Any card that had been used at a certain prominent gas station here in Hamilton had been hotlisted by the Interac folks, due to some sort of pin-harvesting scheme. Inconvenient, yes, but nice to know the banks at least try to stay on top of this sort of stuff.
When will damages cost the account managers more than switching from plaintext permanent passwords to one-time pad pins? It's not that expensive to switch, but of course much cheaper. Even better is a OTP-encrypted message containing the senderID, recipientID, money amount, and expiration date.
But I guess insurance companies love paying the damages, which rarely accrue to the account manager - rather, to the account holder.
--
make install -not war
In order to pass accreditation there were many many security requirements, the most important of which is that the PIN never leaves the EMV hardware. There is a secure link between the little pad there and the swipe/park reader on the side of the PoS display. The PIN is hashed on the pin pad and the hash sent to the reader. It does not go any further. Ever. All the till software I wrote gets is a (secure) result code for whether verification was successful.
The store does not get your PIN.
As for the rest, the store gets all the info from the stripe ANYWAY. The chip has all the same info encoded on it, and a lot more. They don't need to swipe your card (and I must admit it mystified me why they would for a while) precisely because they have that data from the chip!
The reason for the swipe is simple -
You appear to be worked up about very little.
If you have any more questions I'd be more than pleased to answer them.
However there is a code on there to say that it should be a chip card, however the strip is still there in case the chip or the reader breaks. This is the only real exploit I know of (and I coded the Tesco system and I think my software runs Sainsbury's now too), that you can break (or cover in something like nail varnish) the chip and then it is at the merchant's discretion as to whether they accept the transaction or not. In the case of fraud the liability is then with the merchant and not the card issuer/scheme.
Conceivably then, you could clone the stripe and put a dummy chip on a card and get away with it at some places, but not all. The chip itself cannot (at present) be cloned with anything other than an electron microscope, AFAICT.
Visa Usa Notice. If Sams Club and OfficeMax are saving Citi Visa pins, they're saving other pins as well.
Hear that thumping? It's the hearts of a thousand excited product liability lawyers.
See my article here on this. Bottom line, I don't think it's necessarily a problem with retailers storing PINs, it's a fundamental implementation problem.
http://www.signal15.com/articles/2006/03/09/atm-card-fraud-and-bank-negligence
but of all things we must secure in the war against terrorism, you'd think the bank accounts would be the single greatest priority.
You don't need terrorists to steal bank accounts. Ordinary Americans will be glad to do it instead.
Not everything is linked to terrorism. A stolen bank account or 50 doesn't strike terror into my soul.
The preferred solution is to not have a problem.
If you get the PIN wrong a set number of times (usually three) the card locks itself. The hash is seeded with transaction dependent data. Also, you don't get to see the hash, the link I told you about, between the PIN Pad and the card reader is a direct link and is encrypted itself (think SSL, I think they use certificates for authentication and then key exchange, then an encrypted link much like SSL though I'm not sure of the details.)
1 - the swipe data alone is nowhere near enough to make a cloned card. You need a lot more data AND access to the master keys used by the card issuer.
2 - The link between the PIN Pad and the reader is direct and encrypted.
3 - With EMV (the UK scheme) no PIN is used in a magnetic transaction. Signature is used and the fraud liability is with the merchant. There is NO way to do a stripe'n'PIN transaction.
4 - The scenario would not be prevented if there was no strip because there is no scenario.
VISA *might* number the cards differently or they might be able to find out directly (and automagically) from VISA. If VISA gives them the account and routing information for the bank, the bank will let them withdraw as much money as they want from the account until you scream "fraud". The fact that a business only needs rudimentary information off a single unsigned check to drain your checking account and possibly your savings if the bank starts withdrawing from there is one of the most glaring problems with a lot of US banks.