Slashdot Mirror


PIN Scandal 'Worst Hack Ever'

QuietLagoon writes "The evolving Citibank PIN scandal is getting worse with each passing day. Gregg Keizer of TechWeb News writes: 'The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs 'the worst consumer scam to date.' ... The problem...is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.'"
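
What the summary calls a "PIN block" and a "key to read it" is concrete enough to show. The following is an added example, not part of the story or of any comment: it builds an ISO 9564 format 0 PIN block (PIN field XOR PAN field), encrypts it with TDES under a PIN encryption key (PEK) the way a PIN pad does, and then plays the attacker who finds that encrypted block and the PEK on the same retailer network. The key, PAN and PIN are constructed demo values; the function names are mine.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

func allDigits(s string) bool {
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// pinField builds the ISO 9564 format 0 PIN field: control nibble 0, PIN
// length nibble, the PIN digits, then F padding out to 16 hex digits.
func pinField(pin string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	s := fmt.Sprintf("0%X%s", len(pin), pin)
	return hex.DecodeString(s + strings.Repeat("F", 16-len(s)))
}

// panField is 0000 followed by the rightmost 12 PAN digits, check digit excluded.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !allDigits(pan) {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	body := pan[:len(pan)-1]
	return hex.DecodeString("0000" + body[len(body)-12:])
}

// ClearPINBlock XORs the two fields. That is formatting, not protection:
// anyone holding the PAN (it is in the same transaction record) undoes it.
func ClearPINBlock(pin, pan string) ([]byte, error) {
	pf, err := pinField(pin)
	if err != nil {
		return nil, err
	}
	pa, err := panField(pan)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	for i := range out {
		out[i] = pf[i] ^ pa[i]
	}
	return out, nil
}

// tdes accepts a double-length (16-byte, K1 reused as K3) or triple-length PEK.
func tdes(pek []byte) (cipher.Block, error) {
	if len(pek) == 16 {
		pek = append(append([]byte{}, pek...), pek[:8]...)
	}
	return des.NewTripleDESCipher(pek)
}

// EncryptPINBlock is what the PIN pad does before anything leaves it: one TDES
// block under the PEK. This ciphertext is the "PIN block" a retailer should
// never be holding after authorization.
func EncryptPINBlock(pek []byte, pin, pan string) ([]byte, error) {
	clear, err := ClearPINBlock(pin, pan)
	if err != nil {
		return nil, err
	}
	c, err := tdes(pek)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, clear)
	return out, nil
}

// RecoverPIN is the attacker's side: with the PEK lifted from the same network
// as the stored blocks and the PAN from the transaction record, the PIN comes
// back in one call. Format checks reject output from a wrong key or PAN.
func RecoverPIN(pek, encBlock []byte, pan string) (string, error) {
	if len(encBlock) != 8 {
		return "", errors.New("PIN block must be 8 bytes")
	}
	c, err := tdes(pek)
	if err != nil {
		return "", err
	}
	pa, err := panField(pan)
	if err != nil {
		return "", err
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, encBlock)
	for i := range clear {
		clear[i] ^= pa[i]
	}
	h := strings.ToUpper(hex.EncodeToString(clear))
	n64, perr := strconv.ParseInt(h[1:2], 16, 0)
	n := int(n64)
	if h[0] != '0' || perr != nil || n < 4 || n > 12 ||
		!allDigits(h[2:2+n]) || strings.Trim(h[2+n:], "F") != "" {
		return "", errors.New("not a format 0 PIN block under this key and PAN")
	}
	return h[2 : 2+n], nil
}

func main() {
	// Constructed demo values: a test PEK and a made-up PAN, not real card data.
	pek, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	pan := "4532015112830366"
	enc, err := EncryptPINBlock(pek, "1234", pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored PIN block: %X\n", enc)
	pin, err := RecoverPIN(pek, enc, pan)
	fmt.Printf("attacker with PEK and PAN recovers: %q (err=%v)\n", pin, err)
}
```

The point the analyst is making falls out of the last function: TDES is doing all the work, so a PEK sitting on the same file share as the stored blocks reduces the whole scheme to a PAN lookup. This is why PCI DSS requirement 3.2 forbids storing the PIN block at all after authorization and why PIN encryption keys are meant to live only inside PIN pads and hardware security modules.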

36 of 365 comments

  1. 1, 2, 3, 4, 5? by Quaoar · · Score: 4, Funny

    That's amazing! I have the same combination on my luggage!

    --
    I'll form my OWN solar system! With blackjack! And hookers!
  2. PIN Collisions by michaelhood · · Score: 4, Interesting

    When we were assigning alarm codes at our new office, we realized that all 3 of us had the same ATM PIN, because we all tried to choose it for our alarm code but it errored because someone else had already claimed the code. It's a common 4-digit code among the tech community. =( All changed now.

    1. Re:PIN Collisions by ziggamon2.0 · · Score: 5, Funny

      Right... And you figured no one else would be 'leet' enough to figure it out? ;-)

    2. Re:PIN Collisions by Dance_Dance_Karnov · · Score: 4, Funny

      admit it, it was 1337 wasn't it.

    3. Re:PIN Collisions by ambrosen · · Score: 5, Interesting
      Not because the bank only issued 3 different PINs, then.

      A truly shocking story.

    4. Re:PIN Collisions by Peaceful_Patriot · · Score: 4, Funny

      My 14 year old daughter got xxx-1337 as her cell phone number. Unfortunately, she has little appreciation for the geekier things in life and is unimpressed by this honor.

      However, I have noticed the word 'WOOT' entering her vocabulary. Maybe some geeky-coolness is slipping into the mainstream after all.

      --
      There is nothing so powerful as an idea whose time has come.
  3. still... by LandownEyes · · Score: 5, Interesting

    At least it's not as bad as the "go into debt because you own too many credit cards" hack that most Americans have fallen victim to.

    1. Re:still... by LandownEyes · · Score: 3, Informative

      Not always though... I've got a good friend who works in the collections department for A Big City(i) credit card company. What she's seen happen over and over is someone who has never been late on their payment will pay their card off but keep it open for future use; because they have a $0 balance, when the statement comes they'll just throw it away without looking at it (yes, a mistake on the customer's part). So what happens is, the Big City(i) credit card company sometimes adds on an "opt-out card protection" plan that costs a few dollars a month, and the customer, thinking they have a $0 balance because they haven't made any purchases lately, doesn't look at the statement. When the few-dollar cost of the protection plan doesn't get paid the customer is hit with a $30+ late fee and their interest rate shoots up.

      Now, here is where it gets really good. Because the customer has never been late before, the Big City(i) credit card company won't call them about the late payment until the third month the account is behind. So for each of the next two months the customer gets another card protection charge and a $30+ late fee, plus interest (at the new higher rate) on the previous balance. When the customer finally does get a call, they owe $150+ to the Big City(i) credit card company and are on the verge of having their credit score affected. If you complain about it or try to have it resolved, the person doing the collecting doesn't have the authority to credit the charges, so they have to contact the crediting department, who will almost always either flat refuse it, or pass you on to another person (or back to collections). Reminds me a bit of the insurance company in The Rainmaker: no one has the power (or desire) to fix anything, and even someone who may want to fix the problem AND works for the Big City(i) credit card company (such as my friend in collections) is at a loss as to how to resolve the situation.

      Now, you can always try and contact the BBB or your attorney general (which some people rightly do), but really, for $150 who wants to spend all that time? So yes, the customer made a mistake by not looking at their statements, but it's just an example of how credit cards (even unused) can spin out of control in a hurry.

      Just as an addendum, you'd be surprised to see how many people are working at the Big City(i) credit card company and putting a huge portion of their paycheck towards paying off credit card debt. Now, that's really living under the Umbrella. (http://www.citigroup.com/citigroup/domain/image/h_cg.gif)

  4. Chip & Pin by slashnik · · Score: 4, Interesting

    I'm pretty sure that with the new chip and PIN cards that have recently been introduced in the UK, the PIN never leaves the card reader. The PIN is validated within the reader.
    The Point of sale system will have no access to this information and thus no chance of the creation of a database of PIN numbers.

    The card issuer however will know the PIN

    I would still be happier with a photo on the credit/debit card. It's a little more difficult to steal my face.

    slashnik

    1. Re:Chip & Pin by duffel · · Score: 5, Funny
      It's a little more difficult to steal my face.

      Albeit somewhat more painful.
    2. Re:Chip & Pin by sparckzero · · Score: 3, Informative

      I work in a small local convenience store in the UK, and as such our machine for doing debit/credit cards is completely separate from the EPoS system. The PIN never leaves the terminal that the customers use to enter the PIN, and is wiped after it has been entered. There is physically no way for us to retrieve the PIN. We used to be able to override PIN entry with a supervisor card, before it became mandatory to use Chip and PIN. Now we can't do that anymore.

  5. Damn... by matr0x_x · · Score: 3, Funny

    Half of me is laughing because I'm picturing the comic book guy saying "Worst Hack Ever" - the other half is genuinely a little frightened at the lack of security guarding my finances :(

    --
    LINUX ONLINE POKER: Linux Poker
  6. If you are a Citibank customer... by Anonymous Coward · · Score: 5, Informative

    ... Change your fucking PIN right now. Don't be fooled by the Visa logo... Debit card fraud is not like credit card fraud, where the companies will almost always clear the charges at no (or minimal) cost to you. If a criminal steals your money through debit card theft you probably won't get it back.

    I was the victim of debit card abuse (from a different bank). I believe (from talking to other people in my neighborhood) that a gas station was logging debit card numbers and PINs customers used at the pump, manufacturing cards and taking cash from ATMs. I was hit for about $2000 and it would have been more if I didn't catch it. The bank would not clear the charges, the police of course took a report but did nothing to follow up. I fought tooth and nail to get the bank to reimburse me, but they basically said it was my word against theirs. I demanded to see the ATM camera photos but they said they would only release them to the police, and of course the police refused to help with my request.

    Your mileage may differ, of course. But take this seriously.

    1. Re:If you are a Citibank customer... by jcr · · Score: 5, Informative

      I demanded to see the ATM camera photos but they said they would only release them to the police

      If you file suit, you can subpoena them.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    2. Re:If you are a Citibank customer... by jcr · · Score: 4, Interesting

      the bank has more lawyers than he does (and $2000 isn't much when you're talking legal fees).

      Which makes it quite likely that the bank will make the business decision to refund his money, since it will be cheaper than even the prep work for the bank to show up in court.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
  7. Re:Someone has been watching too much Simpsons... by Anonymous Coward · · Score: 4, Insightful

    This brings up an issue with financial networks that I just don't understand.

    The greatest security online would be to do away with a "pull" charge (where your details are given to the business and the money "pulled" from your account) and adopt a "push" system - where I make an order, get a receipt #, log into MY account with the bank (i.e. the SSL connection is between me and my bank) and then I send the money to them. I don't have any extra charges or don't send any money I don't want to. And they don't have my details to lose or get stolen.

    But wait, that would mean people would have to do two steps, and people would use their OWN money more often, and not use credit.... can't have that can we. There are a zillion people out there who would sign up for this system, but it's not in the banks' interests. Free-market capitalism (*cough* oligopoly *cough*) fails again.

  8. Supermarkets Defeating Chip & Pin by Fzz · · Score: 4, Insightful
    Unfortunately, increasingly we're seeing supermarkets insist on swiping your chip'n'pin card, rather than relying on you entering the card into the terminal yourself. Tesco and Sainsburys do this, perhaps others do. From the customer's point of view, this completely defeats the security provided by chip'n'pin. The supermarket now has all the information from the mag stripe, and also has your PIN. Anyone obtaining this information can reproduce your ATM card, and drain your account.

    In contrast, if you insert the card yourself, the system seems somewhat harder to defeat, although I don't actually know what information the store then has access to. Presumably less information, or they wouldn't want to swipe the card in the first place.

    So what's to do? I think the only sensible thing is to refuse point blank to ever hand over a chip'n'pin debit card. If they don't like this, don't pay, and tell them why. And tell others. The stores don't need to swipe your card, but they'll only learn this if enough people object.

    1. Re:Supermarkets Defeating Chip & Pin by Freexe · · Score: 4, Informative

      It all changed over on Feb 14th here in London with the "I <3 my PIN" campaign. You can't not use the PIN anywhere now.

      --
      "In a time of universal deceit - telling the truth is a revolutionary act." - George Orwell
    2. Re:Supermarkets Defeating Chip & Pin by ArsenneLupin · · Score: 4, Interesting
      In contrast, if you insert the card yourself, the system seems somewhat harder to defeat

      You still don't know whether that card reader into which you inserted the card yourself is legit. With so many different designs and appearances of readers out there, how can you know?

      Formerly, equipment to build fake readers was hard to come by, but this is unfortunately no longer true.

    3. Re:Supermarkets Defeating Chip & Pin by slashnik · · Score: 5, Interesting

      and they have to transfer the PIN from the keypad to the card via the terminal that has the mag stripe data.

      No, the PIN never leaves the PINpad. The PINpads must be type approved by EMVco http://www.emvco.com/ A hash of the PIN is passed from the terminal to the PINpad, which validates the PIN supplied by the customer. A signal is passed back to the till which confirms the PIN was valid.

      There are strict restrictions placed on the retailer as to how much of the card data can be saved or logged.

  9. Re:It's intentional by wfberg · · Score: 5, Interesting

    You can't call it negligence, not even by the greatest leap of imagination is it possible to make such a mistake, so it must be malice.

    On the contrary, it is negligence. Negligence in replacing outdated systems with newer, more secure ones.

    The system where PINs are (potentially) stored is from an older, kinder time. In fact, a time where most places weren't hooked up to data networks permanently. The idea being that you could store transactions, and encrypted PINs, for a while, then connect and upload the data, and get your money. Obviously this is more suited to credit card transactions.

    The system was never designed by, well, competent people, and it was also not designed with modern networks in mind. Today, it would be a no-brainer to use some sort of challenge-response or public key algorithm. Like in "chip&pin" (where the PIN unlocks a public key signing-function on the chip card). But this is a remnant of the 70s.

    Every once in a while, a story crops up where it's found out that ancient protocols are still being used when a customer with a card from bank A withdraws money from an ATM from bank B (usually across borders, since at a national level (speaking about Europe here) electronic funds transfers are standardized pretty well). Only a few years ago, for example, it was found out it was possible to carry out a transaction in France with a card from the Netherlands without the actual PIN!

    This is basically the sort of thing that audits are supposed to catch, because to a lay person the fact that something "just works" is good enough. You only know it's insecure once something bad happens, or if you happen to have a degree in cryptography. In an audit, if you can't answer the question "so, you're sure it uses the latest XYZ123 standard and isn't misconfigured?", then you know you're in trouble. Guilty until proven innocent; rather than Management by Exception..

    --
    SCO employee? Check out the bounty
  10. Re:It's intentional by ozmanjusri · · Score: 4, Informative
    Rather similar to the Diebold voting machine scandal, one can only wonder what forces are behind this.

    Well, since Diebold probably made the ATMs which were hacked, you could probably look in the same place. Interestingly, the story was broken by a blog. http://www.boingboing.net/2006/03/05/citibank_under_fraud.html

    --
    "I've got more toys than Teruhisa Kitahara."
  11. And best of all... by loraksus · · Score: 5, Informative

    Citibank is handling this just like you'd expect a credit card company would, with horrid customer service.
    If you're out of the country? Tough shit. Virtually all usage outside the USA will result in your card being automatically killed and the only way (apparently) for you to continue using your card is to have a new card shipped to your home address, activate the card from your home phone, and even then, their CSRs say that if you use it outside the USA, it may get automatically killed again.
    See one such story here.

    You know, if this was bigger, it could be a good thing for everyone. Maybe then people would start taking things seriously. And although I usually don't think that we need new legislation, maybe in this case, it would be a good idea.
    I'd like to see criminal penalties applied against the directors of companies for losing customer information in the same way people can go to the pokey for screwing up under SOX.

    Then again, this breach isn't the worst we've heard about this week. 17 million records (names, phone numbers, addresses, e-mail addresses, IP addresses, logins, passwords, credit-card types and purchase amounts - everything except credit-card numbers) were discovered floating around the net.
    See here for details.

    Oh, and if your card was used, good luck with trying to fix your credit
    The credit system could use an overhaul.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  12. ATM ate my debit card by morkeld · · Score: 5, Interesting

    Another data point in the saga of debit cards.

    A different bank's ATM machine ate my debit card. I then continued on my way to lunch expecting to be able to call up the bank later that day and get my card from the nearest branch. You see, this wasn't the first time the machine on campus ate my ATM card and that was the established protocol.

    This time, however, the person who got my ATM card out of the machine was the next person in line. They then took the card and proceeded to rampage around the local stores using my card to purchases clothes and shoes; lots of shoes.

    Being a debit card, it was drawing the money directly from my checking account. At the time, I was a college student and was basically living paycheck to paycheck. I wasn't in debt and I paid all my bills on time, I just didn't make enough money to save anything.

    The checks for my rent and all my bills had already been mailed, but not processed yet. By the time I called the bank about 3 hours after it ate my ATM card, I didn't have any cash left to pay the bills. I was a college student too, so they immediately accused me of being the one going around on this spending spree as some sort of scam against them. I was quite livid, to say the least.

    The next 3 months were a nightmare. Purchases that hadn't posted yet at the time of the theft were being rejected and I was constantly being called and written by merchants trying to get their money back. Of course, everyone eventually did get paid because this was fraud and the bank gave me back most of my money. It still took me quite a while to get everything put back correctly on my credit.

    It was amazing to me how many purchases waited to post to my account 3 or 4 or even 5 days after I made the purchase. I was being contacted by people that sold coffee, the grocery store, the campus book store and many more because this was all right at the start of classes.

    To this DAY, 7 years later, I refuse to get a debit card and always insist on an ATM only card.

  13. Re:It's intentional by MichaelSmith · · Score: 4, Interesting
    On the contrary, it is negligence. Negligence in replacing outdated systems with newer, more secure ones.

    I remember that in the early days here in .au the banks ran batch processing late at night and the ATM's often couldn't connect to verify account balances. The fallback position was that the ATM would just give out the money and the account would eventually go into debt.

    I financed a (small) holiday by exploiting that bug.

    But the ATM card I use today is exactly like the card I used 20 years ago. And the phone card I carry is probably more secure. It has a value of $5.

  14. Why only 4 digits? by matth · · Score: 3, Insightful

    Something I've often wondered about. Why are ATM PINs only allowed to be 4 digits?!?!

    1. Re:Why only 4 digits? by cimmer · · Score: 5, Insightful

      I couldn't tell you, but I wouldn't feel much safer with a longer PIN code. If someone gets your card number, what's the chance they'll guess the right one out of 10,000 before the bank shuts the card down? If someone steals a bunch of PIN numbers from a computer system, it doesn't really matter if they are 4 digits or 9 digits - the end result is the same. The one advantage I can see with longer PIN numbers is that they'd be harder to shoulder surf, but like I said, that wouldn't make me feel much safer. I think a better question is when ATMs will start using two-factor authentication.

    2. Re:Why only 4 digits? by Anonymous Coward · · Score: 3, Interesting

      Well, since the chip's unlocking of the public-key signature can be used as an oracle to whether or not you got the PIN right, and you can exploit a bug to reset the counter in a fraction of a second (which you couldn't do with an ATM), and it takes just a few seconds to try all 10,000 combinations... ...not to mention the problems that could be caused by modified, fraudulent Chip&Pin terminals logging PINs and storing the chip and possibly swipe too. ...and also not to mention the plain-and-simple shoulder-surfing problem caused by a proliferation of places where you enter your PIN, such as a supermarket queue, where people are standing behind you or where they can effectively shoulder-surf you a lot of the time and aren't necessarily expected to be as far back as they would at an ATM, despite the fact that the shoulder-surfing danger is identical...

  15. Is it just Citi? by jmichaelg · · Score: 4, Interesting

    If the retailers have been storing the PIN locally, why would this just be a Citi issue? Wouldn't any debit card that went through their network be at risk?

  16. What about Visa's $0 Liability by bobt1956 · · Score: 3, Informative

    It appears there's a clause for debit cards used at ATMs... http://usa.visa.com/personal/security/visa_security_program/zero_liability.html
    Extract from above link: "The Zero Liability policy covers all Visa credit and debit card transactions processed over the Visa network--online or off. The only transactions not covered under the Zero Liability policy are commercial card, ATM, and non-Visa-branded PIN transactions."

  17. Skimming a huge problem in Canada... by Hamster+Lover · · Score: 4, Interesting

    Debit cards are extremely popular in Canada. In fact, I believe we have the highest per capita use of debit cards anywhere in the world (Australia is apparently not far behind). The system even has its own name, Interac, and is so ubiquitous that I never carry cash because every merchant, and I do mean every merchant, is supplied with Interac. It's been this way for so long (Interac really took off around 1994 or so) that no one accepts cheques and hardly anyone carries cash.

    Therein lies the problem. If I pop in to a local convenience store 99 times out of 100 they'll have Interac, but you don't really know how trustworthy they are. In the last few years thieves have caught on that no one really carries cash and have come up with imaginative ways of skimming your card and stealing your PIN. There is a sense of relative safety and attractiveness in skimming debit cards instead of credit cards as they can then take a cloned card and PIN directly to a bank machine and receive cash. No fence, no signatures, no ID requirements, etc. The cost of equipment is relatively low: magnetic card reader/writer and a high quality digital video camera; the penalties are almost laughable if you manage to get caught and the potential gain is just about limitless.

    I read somewhere, and I am too lazy to Google it, that debit card fraud took in $44 million in 2003 from around 27,000 people. That's approximately $1600 per person. I can't afford to lose that much and the banks don't seem to care. If you kick up a fuss and manage to get the media's attention then they'll do something about it and reimburse you, but count yourself lucky. At an estimated cost of $500 million to switch Interac to something like the chip and PIN system in the UK they can afford to lose a few customers here and there.

    I do technical support for point of sale systems and during our end of year discussions in the MIS department I learned that debit card use fell in terms of dollars spent for the first time in twelve years. Credit card use increased to make up the difference. I can only conclude that card skimming has become so prevalent, or at least the public perception has, that it has already seriously eroded confidence in the Interac system. I was really shocked to learn that. It's also possible that people didn't have as much money as in years past and moved to credit cards, but countering a twelve year trend seems too co-incidental.

    On the positive side, the Royal Bank does seem to be at least a little proactive in that they do monitor your account for unusually large cash withdrawals and have a system of daily transaction limits. I have been called twice by their security department in the last few years and told to report to the closest branch and have my card replaced. I was told simply that I used my card at a merchant where a suspected security breach (read: skimming operation) occurred. Inconvenient, but my savings are worth the inconvenience.

  18. Re:Someone has been watching too much Simpsons... by sjames · · Score: 5, Interesting

    Smart cards CAN be used for fully secured transactions over untrusted networks but unfortunately, aren't. Consider a smart card and a digital 'wallet' that is actually a simple terminal into the card. Your 'PIN' is actually just a password to log in to your own card.

    To process a transaction, The POS terminal generates a transaction record requesting the payment amount, and signs it. Meanwhile, you log into your card and authorize a single transaction for the total amount. You then place your card in the POS terminal's reader. It passes the transaction record to the card. The card, then signs the transaction (unless it is for more than you authorized). The card passes the signed record back to the POS. The POS then sends the record to your bank to cause the amount to transfer to the merchant's account.

    The system can also be used offline so long as you're willing to give up the ability to validate the transaction immediately.

    To bootstrap the system, the 'wallet' function can be available in the card reader at the POS terminal. Most people would use that and trust it the same way they now trust the card reader. It would be more trustworthy than the current system since the card would still be required to produce a transaction record (since the private key never leaves the card). Those who do not wish to trust the POS terminals at all can use their own wallet to authorize transactions. A USB interface on the wallet would allow for instant secure online payments. Since the PIN/password never leaves the wallet, it's safe to use at a public terminal (internet cafe for example).

    In either scenario, skimming is prevented since again, the private key never leaves the chip on the card. People already generally understand the need to keep credit/debit cards in their possession.

    A side benefit to the system is that you can pre-authorize a transaction amount and then allow a reasonably trusted person to use your card. Unlike current cards where you would have to trust the person with your PIN (and the total balance in your account + your credit limit), you need only trust them with the amount of the single transaction.

    More advanced cards might be pre-authorized with a given amount which may be spent in multiple transactions. More advanced cards could have those transactions limited to payments to specific entities. That allows parents to give kids an allowance on a card, send the kids to the store, or emergency cab fare.

    A lost card would just mean generating a new key pair and issuing a new card. No need to change account numbers. That means no need to do anything special about pre-authorized monthly billings. Meanwhile, merchants with sporadic connectivity (think vendor booths at fairs, etc.) could at least download a list of revoked keys onto a USB drive to limit fraud problems.

    Finally, such a system would be its own non-repudiable audit trail. Your receipt is a transaction record signed by you, the other party, their bank and your bank. Nobody can deny knowledge of the transaction. You can easily store the transaction records of your purchases and your deposits. Even if the bank conveniently can't find a record of your deposit, YOU can provide the receipt signed by them and (for example) your employer. Each signature can include a datestamp so nobody can float the transaction.

    It's amazing to me the vast difference between public perception and the truth about the security of transactions and banking in general. The fact is, nearly anyone, using nothing but the information found printed on your checks, can create a fraudulent transaction. A signature means little since the cost of expert analysis is far more than the amount of most checks you write. The fact is that banking routinely relies on taking people's word for it. Nearly any transaction record can be forged (and so, repudiated).

    Beyond that, banking depends on a pile of ancient mainframes, private networks (frame relay), 9600 baud modems, COBOL programs, and ancient proprietary record
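
The protocol sjames sketches above (POS signs a request, the card holder pre-authorizes a single amount through a wallet, the card signs only if the request fits, the bank checks both signatures) is concrete enough to run. This is an added example written for this page, not code from the commenter: it uses Ed25519 from the Go standard library as the signature scheme, JSON for the transaction record, and a registered card public key on the bank side. All type, function and field names are my own assumptions; the PIN, amount and reference are constructed demo values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Request is what the POS terminal builds: who gets paid, how much, and a reference.
type Request struct {
	MerchantPub []byte `json:"merchant"`
	Amount      int64  `json:"amount"` // minor units (cents)
	Ref         string `json:"ref"`
}

// SignedTx is the record that goes to the bank: the request, the merchant's
// signature over it, and the card's signature over both.
type SignedTx struct {
	Req, MerchantSig, CardSig []byte
}

// Card keeps its private key inside the chip; only signatures ever leave.
type Card struct {
	priv       ed25519.PrivateKey
	Pub        ed25519.PublicKey
	pin        string
	unlocked   bool
	authorized int64 // amount approved for exactly one transaction; 0 means none
}

func NewCard(pin string) *Card {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Card{priv: priv, Pub: pub, pin: pin}
}

// Login is the wallet step: the PIN only unlocks the card and is never transmitted.
func (c *Card) Login(pin string) bool {
	c.unlocked = pin == c.pin
	return c.unlocked
}

// Authorize approves a single transaction up to amount; needs a logged-in card.
func (c *Card) Authorize(amount int64) error {
	if !c.unlocked || amount <= 0 {
		return errors.New("card locked or bad amount")
	}
	c.authorized = amount
	return nil
}

// MerchantRequest: the POS builds the request and signs it with the merchant key.
func MerchantRequest(merchant ed25519.PrivateKey, amount int64, ref string) (req, sig []byte) {
	pub := merchant.Public().(ed25519.PublicKey)
	req, _ = json.Marshal(Request{MerchantPub: pub, Amount: amount, Ref: ref})
	return req, ed25519.Sign(merchant, req)
}

// verify guards the key length so a malformed record cannot panic the checker.
func verify(pub, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(pub), msg, sig)
}

// SignTx is the card's side: check the merchant's signature, refuse anything
// above the pre-authorized amount, sign request||merchantSig, and consume the
// authorization so the same record cannot be signed twice.
func (c *Card) SignTx(req, merchantSig []byte) (*SignedTx, error) {
	var r Request
	if err := json.Unmarshal(req, &r); err != nil {
		return nil, err
	}
	if !verify(r.MerchantPub, req, merchantSig) {
		return nil, errors.New("merchant signature invalid")
	}
	if c.authorized == 0 || r.Amount > c.authorized {
		return nil, fmt.Errorf("amount %d not covered by authorization %d", r.Amount, c.authorized)
	}
	c.authorized, c.unlocked = 0, false
	msg := append(append([]byte{}, req...), merchantSig...)
	return &SignedTx{Req: req, MerchantSig: merchantSig, CardSig: ed25519.Sign(c.priv, msg)}, nil
}

// BankVerify is the issuer's check against the card key registered to the
// account: both signatures must hold over the same bytes, so neither party
// can alter the amount after the fact.
func BankVerify(tx *SignedTx, registeredCard ed25519.PublicKey) error {
	var r Request
	if err := json.Unmarshal(tx.Req, &r); err != nil {
		return err
	}
	if !verify(r.MerchantPub, tx.Req, tx.MerchantSig) {
		return errors.New("merchant signature invalid")
	}
	msg := append(append([]byte{}, tx.Req...), tx.MerchantSig...)
	if !verify(registeredCard, msg, tx.CardSig) {
		return errors.New("card signature invalid")
	}
	return nil
}

func main() {
	_, merchantKey, _ := ed25519.GenerateKey(rand.Reader)
	card := NewCard("1234") // constructed demo PIN
	req, sig := MerchantRequest(merchantKey, 1999, "order-42")
	card.Login("1234")
	card.Authorize(2000)
	tx, err := card.SignTx(req, sig)
	fmt.Println("card signed:", err == nil, "bank accepts:", BankVerify(tx, card.Pub) == nil)
}
```

Two properties of the post's design show up directly: the PIN is consumed by Login and never appears in any message, and the bank refuses a record whose amount was changed after either signature, which is the non-repudiation the post is after. What this toy omits is key registration and revocation (the "list of revoked keys" the post mentions), which in practice is the hard part.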

  19. One-Time PIN by Doc+Ruby · · Score: 3, Interesting

    When will damages cost the account managers more than switching from plaintext permanent passwords to one-time pad pins? It's not that expensive to switch, but of course much cheaper. Even better is a OTP-encrypted message containing the senderID, recipientID, money amount, and expiration date.

    But I guess insurance companies love paying the damages, which rarely accrue to the account manager - rather, to the account holder.

    --
    make install -not war

  20. I coded Tesco's system by Nursie · · Score: 5, Informative
    Or at least I coded 50% of the chip and PIN software on Tesco's Point of Sale machines. You couldn't be more wrong.

    In order to pass accreditation there were many, many security requirements, the most important of which is that the PIN never leaves the EMV hardware. There is a secure link between the little pad there and the swipe/park reader on the side of the PoS display. The PIN is hashed on the PIN pad and the hash sent to the reader. It does not go any further. Ever. All the till software I wrote gets is a (secure) result code for whether verification was successful.

    The store does not get your PIN.

    As for the rest, The store gets all the info from the stripe ANYWAY. The chip has all the same info encoded on it, and a lot more. They don't need to swipe your card (and I must admit it mystified me why they would for a while) precisely because they have that data from the chip!

    The reason for the swipe is simple -
    • The staff don't have to change their action dependent upon whether it's a chip card or not, they just swipe it, sit it in the end of the reader and the transaction processes
    • The staff don't have to change their action from Pre-Chip'n'PIN days, they just swipe it and away we go.

    You appear to be worked up about very little.

    If you have any more questions I'd be more than pleased to answer them.
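
Several posts above (slashnik and Nursie on the PIN pad talking to the card and handing the till only a result code; cimmer and the Anonymous Coward on what a 4-digit PIN is worth with and without a working try counter) describe the same mechanism from different sides. Here it is as one runnable model, added for this page and not taken from any commenter or from the Tesco software. It follows EMV offline plaintext PIN verification: the pad builds an ISO 9564 format 2 PIN block and issues VERIFY (CLA 00 INS 20 P1 00 P2 80) to the card, which compares, maintains the PIN try counter, and answers with a status word (9000 correct, 63Cx wrong with x tries left, 6983 blocked). The counter-reset flaw in BruteForce is purely hypothetical, included only to show what the counter is worth; the PIN and names are constructed.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

const pinTryLimit = 3

// Card models the chip side: the reference PIN and the try counter live here
// and nowhere else.
type Card struct {
	pin       string
	triesLeft int
}

func NewCard(pin string) *Card { return &Card{pin: pin, triesLeft: pinTryLimit} }

// ResetTries stands in for the hypothetical counter-reset flaw the thread
// speculates about. A sound card exposes nothing like it.
func (c *Card) ResetTries() { c.triesLeft = pinTryLimit }

func allDigits(s string) bool {
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// Format2PINBlock is the 8-byte plaintext block the PIN pad puts in the VERIFY
// data field (ISO 9564 format 2): control nibble 2, PIN length, digits, F padding.
func Format2PINBlock(pin string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	s := fmt.Sprintf("2%X%s", len(pin), pin)
	return hex.DecodeString(s + strings.Repeat("F", 16-len(s)))
}

func parseFormat2(block []byte) (string, error) {
	h := strings.ToUpper(hex.EncodeToString(block))
	n64, err := strconv.ParseInt(h[1:2], 16, 0)
	n := int(n64)
	if h[0] != '2' || err != nil || n < 4 || n > 12 ||
		!allDigits(h[2:2+n]) || strings.Trim(h[2+n:], "F") != "" {
		return "", errors.New("not a format 2 PIN block")
	}
	return h[2 : 2+n], nil
}

// Verify handles VERIFY and returns the status word: 9000 PIN correct (counter
// restored), 63Cx PIN wrong with x tries remaining, 6983 PIN blocked,
// 6700 wrong length, 6A80 malformed data.
func (c *Card) Verify(data []byte) uint16 {
	if len(data) != 8 {
		return 0x6700
	}
	if c.triesLeft == 0 {
		return 0x6983
	}
	pin, err := parseFormat2(data)
	if err != nil {
		return 0x6A80
	}
	if pin == c.pin {
		c.triesLeft = pinTryLimit
		return 0x9000
	}
	c.triesLeft--
	return 0x63C0 | uint16(c.triesLeft)
}

// PINPad is the approved pad: it takes the keyed digits, talks to the card,
// and hands the till nothing but a result string. The digits stop here.
func PINPad(c *Card, keyed string) string {
	blk, err := Format2PINBlock(keyed)
	if err != nil {
		return "PIN ENTRY INVALID"
	}
	switch sw := c.Verify(blk); {
	case sw == 0x9000:
		return "PIN OK"
	case sw == 0x6983:
		return "PIN BLOCKED"
	case sw&0xFFF0 == 0x63C0:
		return fmt.Sprintf("PIN WRONG (%d tries left)", sw&0xF)
	default:
		return fmt.Sprintf("ERROR %04X", sw)
	}
}

// BruteForce walks all 10,000 four-digit PINs. With the try counter honoured
// the card blocks after three misses; if the attacker can reset the counter
// between guesses, the whole space falls in seconds.
func BruteForce(c *Card, resetBetweenTries bool) (found string, attempts int) {
	for i := 0; i < 10000; i++ {
		blk, _ := Format2PINBlock(fmt.Sprintf("%04d", i))
		attempts++
		switch c.Verify(blk) {
		case 0x9000:
			return fmt.Sprintf("%04d", i), attempts
		case 0x6983:
			return "", attempts
		}
		if resetBetweenTries {
			c.ResetTries()
		}
	}
	return "", attempts
}

func main() {
	fmt.Println(PINPad(NewCard("1337"), "1234")) // constructed demo PIN
	pin, n := BruteForce(NewCard("1337"), false)
	fmt.Printf("counter enforced: found=%q after %d attempts\n", pin, n)
	pin, n = BruteForce(NewCard("1337"), true)
	fmt.Printf("counter reset bug: found=%q after %d attempts\n", pin, n)
}
```

Two things the thread argues about are visible here. First, the till never sees the PIN: PINPad returns a result string and nothing else, which is the "result code" Nursie describes. Second, the 10,000-combination keyspace is only as good as the counter: with it enforced the attacker gets three guesses and a blocked card; with a reset between guesses the PIN is found on, at worst, the ten-thousandth attempt.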
  21. Boing Boing Link by jmichaelg · · Score: 3, Informative
    Here's a link to Boing Boing that suggests Citi may indeed be the tip of the iceberg
    Visa Usa Notice. If Sams Club and OfficeMax are saving Citi Visa pins, they're saving other pins as well.

    Hear that thumping? It's the hearts of a thousand excited product liability lawyers.

  22. Terrorism? by LordEd · · Score: 4, Insightful

    but of all things we must secure in the war against terrorism, you'd think the bank accounts would be the single greatest priority.

    You don't need terrorists to steal bank accounts. Ordinary Americans will be glad to do it instead.

    Not everything is linked to terrorism. A stolen bank account or 50 doesn't strike terror into my soul.