Slashdot Mirror


PIN Scandal 'Worst Hack Ever'

QuietLagoon writes "The evolving Citibank PIN scandal is getting worse with each passing day. Gregg Keizer of TechWeb News writes: 'The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs 'the worst consumer scam to date.' ... The problem...is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.'"

13 of 365 comments

  1. still... by LandownEyes · Score: 5, Interesting

    At least it's not as bad as the "go into debt because you own too many credit cards" hack that most Americans have fallen victim to.

  2. Re:PIN Collisions by ziggamon2.0 · Score: 5, Funny

    Right... And you figured no one else would be 'leet' enough to figure it out? ;-)

  3. Re:Chip & Pin by duffel · Score: 5, Funny

    It's a little more difficult to steal my face.

    Albeit somewhat more painful.

  4. If you are a Citibank customer... by Anonymous Coward · Score: 5, Informative

    ... Change your fucking PIN right now. Don't be fooled by the Visa logo... Debit card fraud is not like credit card fraud, where the companies will almost always clear the charges at no (or minimal) cost to you. If a criminal steals your money through debit card theft you probably won't get it back.

    I was the victim of debit card abuse (from a different bank). I believe (from talking to other people in my neighborhood) that a gas station was logging debit #'s and PINs customers used at the pump, manufacturing cards and taking cash from ATMs. I was hit for about $2000 and it would have been more if I didn't catch it. The bank would not clear the charges; the police of course took a report but did nothing to follow up. I fought tooth and nail to get the bank to reimburse me, but they basically said it was my word against theirs. I demanded to see the ATM camera photos but they said they would only release them to the police, and of course the police refused to help with my request.

    Your mileage may differ, of course. But take this seriously.

    1. Re:If you are a Citibank customer... by jcr · Score: 5, Informative

      I demanded to see the ATM camera photos but they said they would only release them to the police

      If you file suit, you can subpoena them.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."

  5. Re:It's intentional by wfberg · Score: 5, Interesting

    You can't call it negligence, not even by the greatest leap of imagination is it possible to make such a mistake, so it must be malice.

    On the contrary, it is negligence. Negligence in replacing outdated systems with newer, more secure ones.

    The system where PINs are (potentially) stored is from an older, kinder time. In fact, a time where most places weren't hooked up to data networks permanently. The idea being that you could store transactions, and encrypted PINs, for a while, then connect and upload the data, and get your money. Obviously this is more suited to credit card transactions.

    The system was never designed by, well, competent people, and it was also not designed with modern networks in mind. Today, it would be a no-brainer to use some sort of challenge-response or public key algorithm. Like in "chip&pin" (where the PIN unlocks a public key signing-function on the chip card). But this is a remnant of the 70s.

    Every once in a while, a story crops up where it's found out that ancient protocols are still being used when a customer with a card from bank A withdraws money from an ATM from bank B (usually across borders, since at a national level (speaking about Europe here) electronic funds transfers are standardized pretty well). Only a few years ago, for example, it was found out it was possible to carry out a transaction in France with a card from the Netherlands without the actual PIN!

    This is basically the sort of thing that audits are supposed to catch, because to a lay person the fact that something "just works" is good enough. You only know it's insecure once something bad happens, or if you happen to have a degree in cryptography. In an audit, if you can't answer the question "so, you're sure it uses the latest XYZ123 standard and isn't misconfigured?", then you know you're in trouble. Guilty until proven innocent, rather than Management by Exception.

    --
    SCO employee? Check out the bounty

  6. Re:PIN Collisions by ambrosen · Score: 5, Interesting

    Not because the bank only issued 3 different PINs, then.

    A truly shocking story.

  7. And best of all... by loraksus · Score: 5, Informative

    Citibank is handling this just like you'd expect a credit card company would, with horrid customer service.
    If you're out of the country? Tough shit. Virtually all usage outside the USA will result in your card being automatically killed and the only way (apparently) for you to continue using your card is to have a new card shipped to your home address, activate the card from your home phone, and even then, their CSRs say that if you use it outside the USA, it may get automatically killed again.
    See one such story here.

    You know, if this was bigger, it could be a good thing for everyone. Maybe then people would start taking things seriously. And although I usually don't think that we need new legislation, maybe in this case, it would be a good idea.
    I'd like to see criminal penalties applied against the directors of companies for losing customer information in the same way people can go to the pokey for screwing up under SOX.

    Then again, this breach isn't the worst we've heard about this week. 17 million records (names, phone numbers, addresses, e-mail addresses, IP addresses, logins, passwords, credit-card types and purchase amounts - everything except credit-card numbers) were discovered floating around the net.
    See here for details.

    Oh, and if your card was used, good luck with trying to fix your credit.
    The credit system could use an overhaul.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/

  8. ATM ate my debit card by morkeld · Score: 5, Interesting

    Another data point in the saga of debit cards.

    A different bank's ATM machine ate my debit card. I then continued on my way to lunch expecting to be able to call up the bank later that day and get my card from the nearest branch. You see, this wasn't the first time the machine on campus ate my ATM card and that was the established protocol.

    This time, however, the person who got my ATM card out of the machine was the next person in line. They then took the card and proceeded to rampage around the local stores using my card to purchase clothes and shoes; lots of shoes.

    Being a debit card, it was drawing the money directly from my checking account. At the time, I was a college student and was basically living paycheck to paycheck. I wasn't in debt and I paid all my bills on time, I just didn't make enough money to save anything.

    The checks for my rent and all my bills had already been mailed, but not processed yet. By the time I called the bank about 3 hours after it ate my ATM card, I didn't have any cash left to pay the bills. I was a college student too, so they immediately accused me of being the one going around on this spending spree as some sort of scam against them. I was quite livid, to say the least.

    The next 3 months were a nightmare. Purchases that hadn't posted yet at the time of the theft were being rejected and I was constantly being called and written by merchants trying to get their money back. Of course, everyone eventually did get paid because this was fraud and the bank gave me back most of my money. It still took me quite a while to get everything put back correctly on my credit.

    It was amazing to me how many purchases waited to post to my account 3 or 4 or even 5 days after I made the purchase. I was being contacted by people that sold coffee, the grocery store, the campus book store and many more because this was all right at the start of classes.

    To this DAY, 7 years later, I refuse to get a debit card and always insist on an ATM only card.

  9. Re:Why only 4 digits? by cimmer · Score: 5, Insightful

    I couldn't tell you, but I wouldn't feel much safer with a longer pin code. If someone gets your card number, what's the chance they'll guess the right one out of 10,000 before the bank shuts the card down? If someone steals a bunch of pin numbers from a computer system, it doesn't really matter if they are 4 digits or 9 digits - the end result is the same. The one advantage I can see with longer pin numbers is that they'd be harder to shoulder surf, but like I said, that wouldn't make me feel much safer. I think a better question is when ATMs will start using two factor authentication.

  10. Re:Someone has been watching too much Simpsons... by sjames · Score: 5, Interesting

    Smart cards CAN be used for fully secured transactions over untrusted networks but unfortunately, aren't. Consider a smart card and a digital 'wallet' that is actually a simple terminal into the card. Your 'PIN' is actually just a password to log in to your own card.

    To process a transaction, the POS terminal generates a transaction record requesting the payment amount, and signs it. Meanwhile, you log into your card and authorize a single transaction for the total amount. You then place your card in the POS terminal's reader. It passes the transaction record to the card. The card then signs the transaction (unless it is for more than you authorized). The card passes the signed record back to the POS. The POS then sends the record to your bank to cause the amount to transfer to the merchant's account.

    The system can also be used offline so long as you're willing to give up the ability to validate the transaction immediately.

    To bootstrap the system, the 'wallet' function can be available in the card reader at the POS terminal. Most people would use that and trust it the same way they now trust the card reader. It would be more trustworthy than the current system since the card would still be required to produce a transaction record (since the private key never leaves the card). Those who do not wish to trust the POS terminals at all can use their own wallet to authorize transactions. A USB interface on the wallet would allow for instant secure online payments. Since the PIN/password never leaves the wallet, it's safe to use at a public terminal (internet cafe for example).

    In either scenario, skimming is prevented since again, the private key never leaves the chip on the card. People already generally understand the need to keep credit/debit cards in their possession.

    A side benefit to the system is that you can pre-authorize a transaction amount and then allow a reasonably trusted person to use your card. Unlike current cards where you would have to trust the person with your PIN (and the total balance in your account + your credit limit), you need only trust them with the amount of the single transaction.

    More advanced cards might be pre-authorized with a given amount which may be spent in multiple transactions. More advanced cards could have those transactions limited to payments to specific entities. That allows parents to give kids an allowance on a card, send the kids to the store, or emergency cab fare.

    A lost card would just mean generating a new key pair and issuing a new card. No need to change account numbers. That means no need to do anything special about pre-authorized monthly billings. Meanwhile, merchants with sporadic connectivity (think vendor booths at fairs, etc.) could at least download a list of revoked keys onto a USB drive to limit fraud problems.

    Finally, such a system would be its own non-repudiable audit trail. Your receipt is a transaction record signed by you, the other party, their bank and your bank. Nobody can deny knowledge of the transaction. You can easily store the transaction records of your purchases and your deposits. Even if the bank conveniently can't find a record of your deposit, YOU can provide the receipt signed by them and (for example) your employer. Each signature can include a datestamp so nobody can float the transaction.

    It's amazing to me the vast difference between public perception and the truth about the security of transactions and banking in general. The fact is, nearly anyone, using nothing but the information found printed on your checks, can create a fraudulent transaction. A signature means little since the cost of expert analysis is far more than the amount of most checks you write. The fact is that banking routinely relies on taking people's word for it. Nearly any transaction record can be forged (and so, repudiated).

    Beyond that, banking depends on a pile of ancient mainframes, private networks (frame relay), 9600 baud modems, COBOL programs, and ancient proprietary record
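    The signed-record flow sjames sketches above, worked through as an added example that is not part of the original thread: the POS signs its request, the owner's wallet pre-authorizes one amount on the card, the card countersigns only within that limit (and only once), and the bank checks both signatures with public keys alone. Ed25519 as the signature scheme, the record format, the nonce and every name here are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// TxRecord is the merchant's payment request (constructed format, not a real scheme).
type TxRecord struct {
	Merchant string
	Amount   uint64  // cents
	Nonce    [8]byte // fresh per request, so a copied record cannot be replayed
}
func (t TxRecord) Bytes() []byte { // canonical form that both POS and card sign
	return []byte(fmt.Sprintf("%s|%d|%x", t.Merchant, t.Amount, t.Nonce))
}
type Card struct {
	priv       ed25519.PrivateKey // never leaves the card: no method returns it
	authorized uint64             // one-shot spending limit set from the wallet
}
// Authorize is the "log into your card" step: it only sets the limit.
func (c *Card) Authorize(amount uint64) { c.authorized = amount }
// Sign checks the POS signature, enforces and consumes the limit, then
// countersigns record+POS signature so neither can be swapped later.
func (c *Card) Sign(rec TxRecord, posSig []byte, posPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(posPub, rec.Bytes(), posSig) {
		return nil, fmt.Errorf("POS signature invalid")
	}
	if rec.Amount > c.authorized {
		return nil, fmt.Errorf("amount %d exceeds authorization %d", rec.Amount, c.authorized)
	}
	c.authorized = 0
	return ed25519.Sign(c.priv, append(rec.Bytes(), posSig...)), nil
}
// BankVerify needs only public keys: there is no PIN or secret key to skim.
func BankVerify(rec TxRecord, posSig, cardSig []byte, posPub, cardPub ed25519.PublicKey) bool {
	return ed25519.Verify(posPub, rec.Bytes(), posSig) &&
		ed25519.Verify(cardPub, append(rec.Bytes(), posSig...), cardSig)
}
func main() {
	posPub, posPriv, _ := ed25519.GenerateKey(rand.Reader)
	cardPub, cardPriv, _ := ed25519.GenerateKey(rand.Reader)
	rec := TxRecord{Merchant: "grocer", Amount: 1999}
	rand.Read(rec.Nonce[:])
	posSig := ed25519.Sign(posPriv, rec.Bytes()) // step 1: POS signs its request
	card := &Card{priv: cardPriv}
	card.Authorize(2000) // step 2: owner pre-authorizes up to $20.00 from the wallet
	cardSig, err := card.Sign(rec, posSig, posPub) // step 3: card countersigns
	fmt.Println("card signed:", err == nil, "bank accepts:", BankVerify(rec, posSig, cardSig, posPub, cardPub))
}
```

    Because the card zeroes its limit after signing, a second record presented with the same authorization is refused, and a record whose amount was altered after signing fails at the bank.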

  11. Re:Supermarkets Defeating Chip & Pin by slashnik · Score: 5, Interesting

    and they have to transfer the PIN from the keypad to the card via the terminal that has the mag stripe data.

    No, the PIN never leaves the PINpad. The PINpads must be type approved by EMVco http://www.emvco.com/ A hash of the PIN is passed from the terminal to the PINpad which validates the PIN supplied by the customer. A signal is passed back to the till which confirms the PIN was valid.

    There are strict restrictions placed on the retailer as to how much of the card data can be saved or logged.

  12. I coded Tesco's system by Nursie · Score: 5, Informative

    Or at least I coded 50% of the chip and PIN software on Tesco's Point of Sale machines. You couldn't be more wrong.

    In order to pass accreditation there were many many security requirements, the most important of which is that the PIN never leaves the EMV hardware. There is a secure link between the little pad there and the swipe/park reader on the side of the PoS display. The PIN is hashed on the pin pad and the hash sent to the reader. It does not go any further. Ever. All the till software I wrote gets is a (secure) result code for whether verification was successful.

    The store does not get your PIN.

    As for the rest, the store gets all the info from the stripe ANYWAY. The chip has all the same info encoded on it, and a lot more. They don't need to swipe your card (and I must admit it mystified me why they would for a while) precisely because they have that data from the chip!

    The reason for the swipe is simple -
    • The staff don't have to change their action dependent upon whether it's a chip card or not, they just swipe it, sit it in the end of the reader and the transaction processes
    • The staff don't have to change their action from Pre-Chip'n'PIN days, they just swipe it and away we go.

    You appear to be worked up about very little.

    If you have any more questions I'd be more than pleased to answer them.