Citi Hackers Got Away With $2.7 Million

angry tapir writes "Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges. Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn't get into Citi's main credit card processing system, but were reportedly able to obtain the numbers, along with the customers' names and contact information, by logging into the Citi Account Online website and guessing account numbers."

Amateur

Let's not forget that the account numbers were passed with no security in the URL. I think I'll be canceling my Citi card (when I pay it off...).

Re:Amateur

[rbarreira]

I think I'll be canceling my Citi card (when I pay it off...).

You should do that even if it wasn't for this security breach. Big banks like Citi have been defrauding everyone including sucking money off the taxpayer teat courtesy of its puppet politicians.

Why anyone knowing that would want to continue being their customer is beyond me. Use a local credit union instead.

Re:Amateur

[rubycodez]

the banking cartel does the defrauding, and why do you imagine your credit union is independent of it?

Re:Amateur

[dgatwood]

Two words: cash back. Also, I've never seen a credit union that offered true credit cards. Debit cards, sure, but I'm not comfortable using a debit card anywhere unless I've been shopping there for years, because all it takes is one sleazy employee cloning your stripe, and somebody can then guess your PIN numbers and clear out your account without actually stealing your card. And because it is a debit card, your liability when this happens is unlimited.

Re:Amateur

[rbarreira]

Read my post again, I wasn't criticizing credit cards.

Re:Amateur

[chill]

Credit Unions are non-profit organizations, with totally different goals. It is possible, and not uncommon, to have smaller credit unions that are just a few dozen to a few hundred people.

They are much, much more transparent than banks and frequently totally transparent in both their books and operations.

For example, I found that my place of work has a credit union. Its sole purpose is basically to make affordable car loans to employees. There is no online banking, no ATMs, and just one office open 3 hours a day, 4 days a week. Almost no one has a "checking" account there, because they offer only the barest minimum of service.

What they do offer is savings accounts and auto loans and very reasonable rates. No, they don't offer mortgages.

They're chartered, insured and totally transparent to members -- 95% of which see each other on an almost daily basis.

Re:Amateur

[MacGyver2210]

Yeah, but if all their customers leave it will just lead to another bailout by the government.

Look at the airlines: many of them lost their asses when air travel became so much of a hassle and fee-minefield that people stopped flying and started driving/riding the train/bus. Of course, the government was like "No! We're a rich successful country, and we can't let a big industry fail even if they're morons! That makes our country look weak. Cash! Throw it at them hard and quick!"

Welcome to the 21st century, when a company is no longer allowed to fail because of its own shitty service.

Re:Amateur

[pongo000]

Credit Unions are non-profit organizations, with totally different goals. It is possible, and not uncommon, to have smaller credit unions that are just a few dozen to a few hundred people.

They are much, much more transparent than banks and frequently totally transparent in both their books and operations.

Apparently, Texans CU didn't get the memo:

http://www.cutimes.com/2009/12/23/management-shakeup-lawsuits-cuso-bankruptcy-plagued-texans-cu
http://www.cutimes.com/2011/04/27/credit-union-industry-reacts-to-failure-of-big-tex

Funny thing is that members were *never* notified that Texans had its board removed. So much for credit union transparency.

Re:Amateur

[chill]

Yes. Right now, I take size into account when I consider the trustworthiness of a credit union. Texans, with their 16 physical locations in over a dozen different cities and even more ATMs, would be "too big" in my estimation.

Smaller isn't always better, because it is quite possible to be "too small". I can't give you a hard number, but and more than 5 branches and I'd be thinking of them as a normal "bank".

Re:Amateur

I encourage you to check again? I've only ever...used...three credit unions since the late 90's...and all of them offered real credit cards (in addition to debit).

Now-- 2/3 of them, their credit cards were locally branded VISA which were actually owned by the same 'branding company'. They had shoddy integration with their website, and the support number would immediately transfer you to some mega-conglomerate... But it was nonetheless a credit card.

Re:Amateur

[rrohbeck]

Citibank is the worst. They needed to be bailed out after taking on too much risk every few decades. Read up on their history.

Re:Amateur

[frank_adrian314159]

Small regional banks are pretty good, too. Just watch for signs of being overextended and/or being gobbled up by one of the big boys.

Re:Amateur

From my credit union I have both a Visa debit card and an ordinary Visa credit card. The debit card has all the normal protection when used as credit; they even advised me to just not set a PIN and always use it as credit.

Re:Amateur

[jroysdon]

You can cancel your account while still paying it off. It's actually a good thing to do, as it will keep you from charging any more (and prevent fraud charges).

Just make sure you switch to paper statements first, as once you cancel/close your account, you can't access statements online anymore.

I had my CitiBank card compromised twice in one month. The first time I called and told them, and they canceled the account number and overnighted me a replacement card. It sat in the overnight envelope on my coffee table for 3 weeks until I activated it, and within a week I had more fraud charges.

As I never take the physical CitiBank card from home, and only used their Virtual credit card (where you generate a new number each time to use for online purchases), I knew there was something fishy going on. They wouldn't/couldn't tell me which place I'd used my card at had been compromised. I was very clear with them that this was unacceptable, and if I didn't get answers, I was going close my account (which I've had for most of my credit history). They couldn't do anything, and wanted to send me another card. I told them what is the point because in a week, before I even use it, it'll be compromised again. I closed my account after this in April, 2011. Now we find all this out a month or so later.

As much as I don't like BankAmerica, I have switched back to them for their Shop Safe virtual credit cards for all my online purchases. Again, my BankAmerica card never leaves my physical filing cabinet and is never used online. The BofA Shop Safe is a great system in that you can not only set the card to expire in 2 months (minimum requirement), but you can set a limit. I just round up to the nearest dollar, so each purchase "maxes out" the amount available for each Shop Safe virtual card.

I wish more places offered this sort of virtual card (even some method for your physical card to generate a virtual card so a skimmer can be traced and also limited). I wish all banks and credit cards had to offer two-channel authentication for purchases over a customer-set limit (see ING.nl's TAN codes via mobile phone). I wish I could set some cards to not be allowed without physically being present (in other words, block some cards from being able to be used over the phone or online, and require it to be in person and require ID checking), and some cards only allowed to be used online with temporary/virtual card numbers (and never allow the real/physical account number to be used).

These security protections seem so basic, and so easy to implement, and they'd totally knock out the majority of fraud.

The best card companies offer now is an email/SMS message when a purchase over a limit I set is done. That's fine for a credit card, as I'm not liable if I report it as fraud, but it's a pain for a Debit Card as I'm out that money. For that reason I canceled my Debit Cards and have ATM-only cards.

Re:Amateur

Yes, use a local credit union. My local credit union outsourced their Visa card 2 years ago. The new company handling Visa service for the credit union (who I have been with for 30+ years) does not accept electronic payments. Which means the credit union has to actually cut a check and mail it to pay their own credit card. Not only that, the time to process a payment has increased from 6-8 days to 12-14 days.

Re:Amateur

[brokeninside]

You can cancel before you pay off.

Either phone them and tell them that you want to close the account or next time they try to change the terms, send them a letter that you don't accept. In either case, the account will be closed with regards to new transactions but you'll be able to continue to pay off the balance at the current rate.

Re:Amateur

[unkiereamus]

A credit union that I used to belong to offers true credit cards: https://www.sccfcu.org/asp/products/product_2_3.asp

Re:Amateur

[bryan1945]

So, basically you're saying you have a very specialized CU for a small number of people that basically does nothing in general? Great, go sign rubycodez up right now! Except that would be just stupid.

Re:Amateur

[Phoghat]

What's in your wallet ?

Re:Amateur

[SolusSD]

What is 'Insightful' about this post? This is your standard 'fuck the man!" BS post with no substance.

Re:Amateur

[tehcyder]

Use a local credit union instead.

You only really get those in the US, plus why would I trust a small organisation with limited capital to look after my money? Are deposits guaranteed as with proper banks?

Re:Amateur

[tehcyder]

So the point of your post is that credit unions don't offer a full banking service, in which case isn't it pretty fucking obvious why people use banks?

Re:Amateur

[chill]

No, the point of my post is that credit unions can offer a variety of services, ranging from the very specialized to full-service banking. This makes it easier to find something that is a more comfortable fit for you individually.

However, their model is different from for-profit banks. In a credit union, the shareholders of the company are the depositors on record. "Maximizing shareholder value" has a totally different meaning than it does for banking corporations. For instance, cramming as many fees and service charges to make the institution a boatload more money doesn't happen.

Re:Amateur

[dgatwood]

I've never had a bank or credit union that didn't pre-assign an initial PIN. Odds are, yours did, too. And just to be cynical, the bad guys probably know what it is already, even if you don't.

2.7million USD

Citigroup suffered about US$2.7 million in losses

- dollars?

Nothing of value was lost.

Re:2.7million USD

[Opportunist]

I guess when you're used to getting billions in bailouts, millions don't really register as an amount anymore.

Re:2.7million USD

[interval1066]

Why was this comment modded down? Its the most enlightened comment in the lot.

Re:2.7million USD

[arunce]

this is funny. really, mod this up.

Ooooh, a couple mill

[GrumblyStuff]

Call me when there's news of the billions in cash that mysteriously was lost in Iraq.

Re:Ooooh, a couple mill

[shentino]

I got a slice of it after receiving an offer in my email yesterday.

Re:Ooooh, a couple mill

Suddenly Paraguay has a lot of assets for infrastructure and modernization. They say it's from a boost in ranching profits and soybean production. (But notice that many other areas in the world with similar production don't see that kind of available funding.)

Guess who has a nice big ranch there?

Anyone notice more than half of the big banks there are also foreign owned? Why such interesting timing in the investment there?

I think the money trail in that country and some other areas of South America need further investigation, as that's where almost everyone involved in the big rip-off is bugging out to.

Re:Ooooh, a couple mill

[MacGyver2210]

All you have to do is send a blank check to this Nigerian prince...

Re:Ooooh, a couple mill

[Nov8tr]

He's not a Prince silly. He's a attorney for a client who died. pfffftttt

Re:Ooooh, a couple mill

[dkf]

All you have to do is send a blank check to this Nigerian prince...

When you do send it, don't forget to sign it "Bernie Madoff".

PCI compliant?

[Virtucon]

I find this funny and sad at the same time. Their PCI certification needs to be revoked. Besides it has been done before to Citi. http://redmondmag.com/articles/2008/07/02/citibank-hack-shines-light-on-pci-compliance.aspx . if a bank can't be compliant then the PCI needs to be abolished because it appears to mean nothing to large financial institutions.

Re:PCI compliant?

[shentino]

Any regulation that depends on enforcement from someone whose congressional superiors you can simply bribe away with campaign contributions will fail.

Re:PCI compliant?

[Opportunist]

Compliance auditing is a circle jerk business. It's like peer review, just worse, insofar that there are no "honest" people in the game that could debunk the scheme. They're all in for the money.

One thing you learn quickly as a young, aspiring and motivated auditor is that your job is not to test whether the company you audit is compliant. Your job is to make sure they are. Why? Because we want to be rehired for the checkup in a year, DUH! And because your first audit in a company is your foot in the door for other audits, and especially with BIG companies, there's a lot of things you can audit and certify, and all means moolah. Being "stubborn" means that your company will not be rehired and you will be fired.

Quick question for 100 (or, in auditor's terms, 5 minutes of work): What's your goal when auditing?

So I don't fear for their PCI cert. They will certainly be audited, this hole will be sealed, a lot of checkboxes will be ticked off (btw, transfer security is a very minor point in PCI-DSS compliance. Don't ask me why, I didn't make the cert requirements, I just have to endure them) and they will pass.

Re:PCI compliant?

Scrap the law instead of fining those who violate the law, sounds like a plan.

Re:PCI compliant?

[Hazel+Bergeron]

I say we return to VLB. When the central processors and the peripheries are forced to work at the same pace, there is less opportunity for corruption. Sure, it might mean the former needs to slow down a bit, but that's essential in dealing with any sleight of hand issues.

Re:PCI compliant?

[dgatwood]

What's needed here is strict liability. If your company performs an audit and declares that a company is in compliance and it is later determined that they were not at the time of your audit, your auditing firm and its employees should be held liable for any damages.

That one small change to the legal code would end the practices you describe in a heartbeat.

Re:PCI compliant?

[the+eric+conspiracy]

What's needed here is strict liability. If your company performs an audit and declares that a company is in compliance and it is later determined that they were not at the time of your audit, your auditing firm and its corporate officers should be held liable for any damages.

FTFY.

For all you know the people performing the audit are contractors or employees under orders from their management to certify the audit no matter what they actually find.

Re:PCI compliant?

[Opportunist]

Aside from this not happening, it's also not feasible. And, bluntly, it wouldn't increase security one bit.

I gave it in detail in a similar topic, compliance with security laws has nothing to do with security as the average IT person sees it. Consider this: It takes months (sometimes years) from detecting a security problem, formulating a law/compliance test around it, implement the test, implement the checkbox-ticker-form, get companies compliant and finally tack a "audited and passed" sticker to it. ISO27001 is currently current in the 2005 version. 2005. I think nobody here would consider himself secure if he is secure against everything known by 2005.

To counter this, the requirements to pass the test are usually very broadly defined and in a quite unspecific way. There's a lot of talk about "reasonable security" and "state of the art/best practice", as well as securing "against current threats". There is a lot of talk about what has to be done, leaving the how completely open. Or, to give an example, you have to have a firewall that protects against current threats. It says nowhere what this may be. Or how "current" is defined. And here's where the whole mess starts to hit the fan.

What is a "current threat"? What is "reasonably well secured"? What is "state of the art"? And most of all, what would happen if you make us circle jerks liable for our blunders? Well, we'd define what a current threat is, what reasonably good security is and also what's state of the art is. Who else could? The (snicker) government? If that's the case, I have no worries that I'll ALWAYS be auditing by best practice standards, they'd probably be from 1980something. And rest assured that we'll always cover our respective backs when it comes to the question whether one of us audited perfectly. You don't piss off the people you work with in this trade, it comes back so terribly quickly, and there ain't that many companies that can actually do an ITSEC audit, so there is no heated competition. Hell, we hire each other to reaudit our own certs, take a wild guess how much we hate each other...

The solution is much simpler. First of all, get rid of all those fancy security stickers that get so much credibility but actually mean jack when it comes to security. Second, make companies care about security, and tack a fine on it that actually HURTS. As a neat side effect, it might reduce the data hunger some companies started to develop, since every bit they store might come back to bite them in their ass. In today's economy, it might actually already be sufficient to say that a company that can't get its act together is banned from bailouts. The rest will fall into place by itself.

Re:PCI compliant?

[Bengie]

They need a way to fine the auditor to the point of bankrupting them for effectively "lying"

Re:PCI compliant?

[shoehornjob]

About 5 years ago I worked for a compliance unit in the brokerage section of Citi. Prior to the creation of this unit managers in different departmets were responsible for making sure their employees were in compliance. When I started there we found that the firewall guys were granting access to whole segments of ip addresses instead of just the 7 or 8 that were needed. We also found the Unix guys were not deleting access to highly sensative databases after employees left the company. Something tells me that the culture of ignorance in that place isn't going to stop any time soon. About 2 years after our group was formed they sent our jobs over to India. We were only there to develop the process and iron out the kinks. They gave the crew in India a month to learn our process manual and 8-9 months later they still didn't get it. Lets add greed to a culture of incompetance. BTW that's where the name shoehornjob comes from. For a while there the manager would come to us and shoehorn in new processes without review or vetting them.

Re:PCI compliant?

[1s44c]

PCI isn't security. No set of rules mandated by people that don't understand IT could be. PCI, SOx, and all the other government mandated rules are just well intentioned attempts to tell people how to get security. It can't cover every aspect needed so it's doomed to failure.

Re:PCI compliant?

[Opportunist]

The employee of the auditing corp? Be reasonable, he was probably facing the decision of signing a cert or being fired.

That won't change jack. Now, if his CEO would have to face personal responsibility... but then, could you see a mere auditor holding the CEO of a huge international auditing co at his balls? Be nice or I sign this bogus cert?

Give companies an incentive to be secure besides getting useless certificates that certify nothing and you'll see change. Nothing else will.

Re:PCI compliant?

[Firehed]

PCI needs to be clarified and enforced properly. If you've read the spec (I have), you'd realize how utterly vague parts of it are, and pointless other parts are. There are some perfectly valid things in there that should be second nature to anyone but never hurts to have on a checklist (run firewalls, do not use default passwords on your software, etc.), some things that are good to have (unless there's a business requirement to do so such as in an admin panel, do not display more than bin+last4 of card), and other parts that are so unclear as to be completely pointless - namely almost everything regarding actual data storage.

Obviously Citi screwed up here, since even the PCI non-spec around access controls covers altering the querystring to get different account info and performing no checks based on the authenticated user's ability to view that card data.

The real issue is that even the spirit (never mind the letter) of the PCI spec is almost pointless. It's something that's part of working with the credit card networks, not any sort of federal mandate. Basically if you're out of spec, it gives Visa and Mastercard valid grounds to cut off your ability to issue and/or process payments over their network. So if Citi fails an audit, it just means they must take a badge off their site. There's no requirement that they get shut off, and given the amount of volume they do it's a certainty that they would not.

Re:PCI compliant?

[Virtucon]

Well I also wonder if Visa and MC would actually fine Citibank considering how much revenue they derive from their card holders. PCI was supposed to help reduce the amount of fraud by enforcing minimum security standards on people accepting payments and dealing in the transaction stream. It remains to be seen if now a large financial institution will be held accountable by the PCI consortium for these actions. I definitely know the FTC would be involved but again, they'll get a slap on the wrist because that's what happens. It's all very sad and hypocritical for one of the biggest banks in the world to be guilty of letting this kind of information get out of their control. Yes, their liability in this would probably not even show up on the RADAR and would probably just be a footnote in the quarterly earnings reports but still, how can you hold retailers accountable when the banks aren't even doing the right thing?

Re:PCI compliant?

[jroysdon]

Right, so management needs to be financially and criminally held liable for this sort of thing. If it affects their pocket book and they might face jail time for not following the rules, perhaps they'll be something done differently?

Re:PCI compliant?

[jroysdon]

This is where whistle-blower laws need to be improved. Should a CEO or management do this, they should be financially penalized and face jail time, and the whistle blower should be financially well taken care of.

Basically, and auditor should be untouchable. They should be able to follow the rules, and if not, huge fines should face the management and a large portion of that should go to the auditor.

Auditor's personal financial records need to be an open book, otherwise this would set them up to be able to be black mailers and/or accept bribes.

Re:PCI compliant?

[Bert64]

You make some good points, and it's not just PCI, but various government security standards too...

You have a list of "approved products", a list which is very expensive and time consuming to get on to. As a result, the approved products tend to be several releases behind and often have known vulnerabilities.. You also ensure that only a few vendors will bother to go through the process thus creating a cartel and forcing smaller players or open source out of the market. Few of those vendors will bother certifying all versions of their products either.

As for what the certification entails, the process is as expected, utterly flawed... The vendor supplies a list of features and an auditor verifies that those features exist.... No checking is done as to the actual security of the product, no audit is done of the source code, no check is done to see if those features are easily circumvented etc... For instance, various versions of Windows got through some of these evaluation criteria, despite gaping security holes such as effectively storing user passwords in plain text.

As for bailouts, there is a simple answer to that... If a company is "too big to fail" then that company is simply "too big"... The government should investigate any company of substantial size and determine the potential economic impact should they collapse... If that impact is too damaging, then the company should be split up into smaller competing parts. This would also break up monopolies and increase competition, a big win for everyone else.
The idea of bailouts is ridiculous, since it effectively eliminates any risk... These companies are now free to take any gamble they want, safe in the knowledge that the government will bail them out if they fail, while letting them keep the profits if they win.

Re:PCI compliant?

Getting your PCI certification has nothing to do with being secure. PCI is a great start but not the end all to security nirvana.We all know that security is a full time job and it's 24x7. people need to be reveiwing logs by the minute if you are in any business that takes in credit card numbers.
So we need to ask the question

1. Who was reveiwing the logs?
2. Who is monitoring the network 24x7?

From what I understand someone was doing multiple login's using different CC number's. Why didn't that raise a flag with network security. i.e. multiple log-ins from the same IP with different credit card numbers?

What I see here is programmers not utilizing OWASP standards, and this is the case 99% of the time, whenver I call this out programmers get defensive, I don't blame them but if you don't call it out when does it become a priority that programmers need to take security into consideration when setting up these portals.
Also third party companies hire outside contractors and all they care about is getting the project done and on time. Security is not even on the forefront.
But then security is a technical escalation of exploits so what passes vulnerability assesment today may not pass tomorrow.

Re:PCI compliant?

[John3]

I wish I still had mod points to bump up your comment. The whole PCI compliance scam is a pet peeve of mine. I own a hardware store and we're fully compliant, but it cost a bunch and is a real pain considering that we're trying to protect credit cards and a system that is essentially poorly secured in the first place. There are thousands and thousands of independent business owners that are not anywhere near compliant, and they have no clue how to get in compliance. They are just scared that when a breach happens they will lose their merchant privileges and maybe be held liable for the losses. Meanwhile, Citi and other large targets get broken into regularly for millions and millions in losses.

I certainly don't think that small merchants can be lax in their security procedures, but I think the bankcard industry needs to subsidize the security updates and do a much better job of educating and assisting the retail store owners. These are restaurant owners, deli owners, clothing stores, hardware stores, and other businesses where the owner is not real tech or security savvy. They know how to cook a meal, slice ham on a machine, measure an inseam, or cut a key. These folks take credit cards (and pay the insane fees) because the must to stay in business. They are saddled with bankcards that are inherently insecure (seriously, check the signature on the back of the card?).

Sorry, I'm ranting...but I still wish I had the mod points I had yesterday.

Re:PCI compliant?

[Opportunist]

Heh, while I like the idea of being untouchable, I doubt it's a good idea either. You could easily hold whole corporations ransom or, in case you don't like them, keep failing them. There needn't be even any monetary incentives to do so if the auditor in question has a personal grunge against a certain company.

In other words, don't send me to audit Sony.

The whole process needs an overhaul. And I don't think creating overly complicated rules or regulations is going to do it, neither is sending CEOs to prison. It can be summed up simply with one statement: Give companies a good reason to WANT to be secure. Create stiff fines for the loss of data and if someone wants to store financial or personal data, he gets audited by a government mandated audit. No checkboxes, no spreadsheets, no tick-this-off-to-pass test. A bunch of auditors get sent into the company with one order: Hack 'em. No rules of engagement (aside of "no deliberate damage") and pay them on a per-incident base, you get 20% of the fine they'll have to pay.

Rest assured, all sides will be VERY well motivated to perform at peak levels!

Re:PCI compliant?

[snowgirl]

Compliance auditing is a circle jerk business. It's like peer review, just worse...

God, this reminds me of code reviews. I would send them out, and get back a "Looks good!" email... to which I would note that in the time between me sending them the code review and me receiving their "looks good!" I found two bugs and one of them was a flagrant syntax error.

I tried to reform the process, but imagine how well that went over? If you said that I got the response "looks good!" and then it was never touched again, you'd be right.

Re:PCI compliant?

[sgt+scrub]

Ah the beauty of just providing the tools for the people doing the "tests". I feel for you. The part where a client gets pwnd and you were the one confirming their compliance rocks. I've had more than one call that start, "I'm the new guy" because of it. Anyway, money. Sure wish I was the guy with lots of it.

Re:PCI compliant?

[Opportunist]

At first, I was worried when a company that I audited got pwned. Then I was bothered. Now I just open a new window and read Dilbert, and 5 seconds later I forgot about it.

In all seriousness. First I was worried that I might be liable. I'm not. If I ticked down the checkboxes correctly, I'm not. Then I was bothered that they simply ignored my recommendations because they didn't give half a shit about their own security after they got the signature on the all-holy toilet paper called certificate. Now I guess I'm jaded enough to just realized that I shouldn't care. I mean, it's like your doc worrying about your insanely unhealthy lifestyle when you yourself don't care that you're one heartbeat away from a stroke.

Re:PCI compliant?

Hell, try figuring out proper signage for a magazine (explosives storage building) per ATF regulations. The building has to be well marked with danger signs to make sure people clearly understand the danger, but the signs can't be in a direct line with the building, because people shoot signs and a bullet continuing on into your building full of explosives would apparently be bad. Also, you can't tell people that there are explosives in the building, because that would make it a theft target (and nowadays possible a terrorism target). The ATF puts all these requirements (and more) on the signage - they won't spell out what signs are acceptable, they just give you a series of contradictory rules the signs must follow. Rules often made up by bureaucrats who have no experience in the industry they are trying to regulate.

The more they make the regulations impossible to follow, the more they can say after the fact "but he wasn't really in compliance, we just discovered," after the fact. They aren't trying to fix anything, just look good to outsiders while playing CYA.

Re:PCI compliant?

[Opportunist]

Code reviews don't mean that someone reads your code. Don't be deluded into thinking that I'd have the time to read thousands of lines of source code, find out what the coder actually wants to do with it and painstakingly follow every variable through its lifetime, and make sure that all mem leaks are sealed. That's none of my business. I don't debug your code, I check it for security holes.

Say we're looking at the review of a PHP created webpage. Do I care whether you display the results correctly? Probably not, unless it is explicitly part of the review. I'll look for the lines that deal with database access, cookies and XSS vulnerabilities. Whether your results are correct or whether it looks like a monkey tried to write HTML is usually not the scope of a security code review.

Re:PCI compliant?

[Opportunist]

So the freedom of the CEO of a auditing company hinges on his auditors ability to do their job? I somehow don't think that's a good idea, a disgruntled employee might abuse that power fairly quickly.

If we're talking about the company that actually drops the ball and leaks data, we can talk. If the CEO neglects security to the point where he cannot show that he has done what is reasonably possible (educate his staff, hire security auditors that don't just check off boxes but actually audit the shit out of his boxes...), he should hang.

But humans make errors. Even the best audited companies could be subject to 0days. But I'm sure we can work out something reasonable that gives CEOs an incentive to secure the customer data they so love to get their hands at.

Re:PCI compliant?

[snowgirl]

Code reviews don't mean that someone reads your code. Don't be deluded into thinking that I'd have the time to read thousands of lines of source code, find out what the coder actually wants to do with it and painstakingly follow every variable through its lifetime, and make sure that all mem leaks are sealed. That's none of my business. I don't debug your code, I check it for security holes.

Say we're looking at the review of a PHP created webpage. Do I care whether you display the results correctly? Probably not, unless it is explicitly part of the review. I'll look for the lines that deal with database access, cookies and XSS vulnerabilities. Whether your results are correct or whether it looks like a monkey tried to write HTML is usually not the scope of a security code review.

And all of the same bugs were skipped and missed in the code reviews I've seen.

And how do you check all that stuff without reading the code for real? And if you don't have time to sit down and read-through and understand everything I wrote, why aren't there people whose job it is to do precisely that. Journalism and publishers have editors whose job is explicitly to read and understand and provide feedback. If we're relying upon other writers to do the exact same thing, when they're too busy to read anything, then we're simply already condemning ourselves to failure.

I honestly find your response to be arrogant and idiotic. Our jobs are to program code and produce good code, not only our own, but those of our co-workers that ask for our help as well. What the fuck is a code-review for if not to catch bugs, and errors.

Re:PCI compliant?

[Opportunist]

There are still editors? I thought they went down the road of the dodo along with the typesetters and the layouters.

Code reviews are not there to find bugs. Code reviews are there to get a signature on certificate. And I'm not arrogant, just jaded.and disillusioned.

Re:PCI compliant?

[jroysdon]

Somehow you've missed what I'm saying. This is not about leaking data. I'm not even talking about inept auditors. This is about an auditor finding problems, and management telling them to ignore them, not report them, and/or minimize them.

Perhaps you've never had to deal with management with this sort of thing? It happens all the time, but if you want to keep your job you just document it in your private files and leave it at that.

Re:PCI compliant?

[Opportunist]

I have, and what am I going to do? Send the incriminating order (which I'd have to gain with illegal means, since recording people without their consent is not legal in my country and you may rest assured that you'll NEVER get an order like that by mail) to Wikileaks? My next job would include the phrase "want fries with that".

The main problem is that everyone involved has a vested interest in not performing at peak level. Hell, what do you think is easier, to ignore security holes (and pretend I just missed them) or record all of them? What's easier for the company, to close them or to badger to "miss" it? What's easier for my CEO, to report it and maybe having to justify not granting the cert or just to grant it, knowing nobody would bother to check?

Give people an incentive to perform.

Re:PCI compliant?

[snowgirl]

There are still editors? I thought they went down the road of the dodo along with the typesetters and the layouters.

Code reviews are not there to find bugs. Code reviews are there to get a signature on certificate. And I'm not arrogant, just jaded.and disillusioned.

I think we're running into an is/ought problem... I'm saying the purpose of code reviews ought be to find bugs, and help correct them. You're saying that code reviews regardless of what they ought be, are in fact actually just signatures on a form in order to permit a check-in, and thus get degraded down to the most minimal aspect... no review, just a sign off.

I can't hardly argue with you about what reality actually is, as it's pretty much what I'm complaining about. And since you declare yourself to be jaded and disillusioned, it's highly likely that you agree with me as well that it's a horrible state of affairs that code reviews are simply another check-box hurdle that people avoid as much as possible, and you are simply providing satirical comment.

Perhaps we actually have an understanding now?

Re:PCI compliant?

[Opportunist]

Ok, you're right. From the is/ought to be point of view, of course a code review should be more than a checkbox-ticking chore. The problem is that nobody in the game WANTS it to be more than that.

The auditor doesn't want to, because while getting paid by the hour, no customer would agree to you spending about as much time reading code than the programmer spent writing it, just at about the triple (or more, hey, I'm actually cheap...) hourly rate. Plus, bluntly, reading the n-th php code dealing with database interaction is already boring enough.

The customer (i.e. the CEO of the company) doesn't want it because he'd have to pay more and the auditor might even find bugs and refuse to sign the all-holy toilet paper before they're fixed, resulting in delays and cost.

And finally the programmer's zeal to head back to ancient code he probably didn't even write himself but has to maintain now, didn't ever bother to read it in detail and has already enough workload on his head that he's working constant overtime isn't too high either.

So, who do you think would complain?

Re:PCI compliant?

[Opportunist]

And lemme guess: There's nobody actually overseeing those rules, unless they want your company to have troubles?

Our jobs ain't so different.

Re:PCI compliant?

[snowgirl]

So, who do you think would complain?

That pedantic bitch that everyone doesn't like, because she makes them do real code reviews, rather than just checking off boxes? You know, because if she's going to do something, she's going to do it right...

My ex-boss also didn't like me doing root-cause analysis and figuring out what really caused XY bug/error/failure. He just wanted it fixed, and for me to move on.

Re:PCI compliant?

[Opportunist]

That bitch gets fired before she's done complaining. She's keeping the company from getting certified, she's working against the interests of the company, she needs to leave. That's the sad truth, despite her being the only person in the whole process that shows responsibility, and would probably actually save the company a lot of money in the long run when (not if) a bug causes damage.

Re:PCI compliant?

[snowgirl]

That bitch gets fired before she's done complaining. She's keeping the company from getting certified, she's working against the interests of the company, she needs to leave. That's the sad truth, despite her being the only person in the whole process that shows responsibility, and would probably actually save the company a lot of money in the long run when (not if) a bug causes damage.

Except she's the best programmer in the group... thus, you direct her outrage at code reviews in order to implement a reform of the code reviews, she wastes months and months on the reform, then once it is complete, you don't implement it, and then you start working on firing her... (you don't fire her immediately, because you have your HR department to CYA so she doesn't sue for discrimination, you know, given that women comprise some 10% of computer programmers in many organisations.)

Sounds like you know the game better than I do... lol

Can you see the dialogue happen at citi?

[Opportunist]

CSO: Sir, we had a security breach! Credit card data was stolen and we lost money. We should up our security budget and improve our security standards!
CEO: This ... is bad, right? But ... no, I'll just tell finance to add the damage to our next bailout request. How much is it?
CSO: 2.7 millions.
CEO (enraged): 2.7 millions? You waste my time for that? Get the hell out of my office and come back when something serious happens!

Re:Can you see the dialogue happen at citi?

[Nidi62]

CSO: Sir, we had a security breach! Credit card data was stolen and we lost money. We should up our security budget and improve our security standards!

CEO: This ... is bad, right? But ... no, I'll just tell finance to add the damage to our next bailout request. How much is it?

CSO: 2.7 millions.

CEO (enraged): 2.7 millions? You waste my time for that? I make more than that in bonuses every year, even when we lose money. Get the hell out of my office and come back when something serious happens!

Fixed that for you

Re:Can you see the dialogue happen at citi?

[Opportunist]

I doubt the CEO would tell the CSO that he makes more in bonuses than what the CSO thinks is money. He might get a wee bit pissed at the CEO, and you do NOT want a pissed off CSO as a CEO. He can make your life pretty miserable if he doesn't care about his own.

Re:Can you see the dialogue happen at citi?

The CSO is probably making 2.7M in bonuses himself.

Re:Can you see the dialogue happen at citi?

[Opportunist]

In this case, are they hiring?

I'm not for sale, but nobody said anything about renting. ;)

Re:Can you see the dialogue happen at citi?

[phantomfive]

He won't care as long as he's getting paid a lot too.

Bad year for Bin Laden Group...

:)

This problem just cannot be solved

[osgeek]

If only there was a way to have credit card owners approve each charge through the entering of some kind of a pin.

If only credit card numbers weren't special since what really mattered was signed transactions.

If only every consumer had a personal device capable of signing transactions in his pocket at almost all times.

Call me a dreamer, but someday in the next hundred years, I think that all those "huge" technological problems could be solved and we could end this problem of having our credit card and social security numbers being exposed.

Re:This problem just cannot be solved

[gweihir]

Wrong. The simple, easy and obvious solutions is known to anybody that knows the first thing web application security:

DO NOT KEEP CRITICAL STATE CLIENT_SIDE.

I do not know what cretins designed this solutions. But the violated very basic principles. If it took the attackers longer than half a day to find this vulnerability, then they are also exceedingly incompetent. It is one of the first things checked in a security evaluation (or hacking attempt).

Re:This problem just cannot be solved

[kamukwam]

If only there was a way to have credit card owners approve each charge through the entering of some kind of a pin.

In Europe it is often already required to enter a PIN when paying something with a credit card. I am wondering why they didn't introduce it in the USA yet...

Re:This problem just cannot be solved

[Hazel+Bergeron]

Because the merchant is liable for fraudulent transactions when no PIN is entered. Liable plus a fine on chargeback. Liable plus a fine plus a threat of increased discount percentage.

Small businesses are the backbone of modern America: if you want to conquer America you have to break its backbone.

Re:This problem just cannot be solved

[kamukwam]

Well, then they should simply make it impossible to pay without a PIN. Actually it should've been like that from the start and there wouldn't have been so much problems with stolen credit card numbers.

Re:This problem just cannot be solved

[NJRoadfan]

Actually its simple, banks in the US are cheap. Chip and PIN costs money to implement. American Express rolled out chips in their first issue Blue credit card, but later phased it out... cost more then a regular credit card and nobody used the feature (lack of infrastructure in the US, hardly anyone has a chip and PIN terminal here). Same goes for things like implementing two factor authentication for online banking. Its likely the only way a US based bank will improve security is if they are forced to through legislation.

Re:This problem just cannot be solved

[Hazel+Bergeron]

You mean the government, right? The bank has little incentive because it profits from the fraudulent transaction (as long as there's not so much fraud that the banks actually get negative publicity and lose customers to all the great alternatives for online payment).

Re:This problem just cannot be solved

One of the local fast food chains started offering those locally. Except they are broken most of the time (I've seen it work once in the last year). Not something to build confidence in the public here.

Re:This problem just cannot be solved

[Hazel+Bergeron]

Makes sense. FWIW I have a UK Amex Blue card, all recent issues of which have been chip/PIN. It was launched with the simple benefit of straight cashback on all purchases, which is far too generous and lacking in leeching middle men, so I don't think it's offered any more to new customers. Now Amex UK is all "Nectar points" and "BA miles" and other such barrel-scraping bullshit.

Re:This problem just cannot be solved

[misexistentialist]

The cost of the terminal would be paid by the retailers, and they are cheap too. If the card companies and retailers who take the losses don't care why should the government? Europeans like chip-and-pin because they like living in a locked-down society.

Re:This problem just cannot be solved

[gl4ss]

if they had done the system like that, no pin would help them. the cc number itself was a 'pin' in this context, their billing address being another pin. sms confimations? yeah, that would have helped a bit.

Re:This problem just cannot be solved

In Europe it is often already required to enter a PIN when paying something with a credit card.

This is also a bad design. You have to trust the hardware you're entering your pin into.

The GP's idea would authenticate the merchant's device, and provide a way to ensure you're authorizing that specific vendor for that specific item, and only for that specific amount.

For example, when the person brings out the "enter your PIN" device, it would instead just broadcast something to your phone which has their PKI-signed merchant ID and the amount they're requesting (maybe even include information on the item/service you're paying for). Your phone would prompt for a password to unlock a certificate which is then used to sign the response.

At no point do you have to trust the vendor, nor does the vendor have to trust you.

Re:This problem just cannot be solved

[shoehornjob]

The credit card companies would have to overhaul the entire infrastructure and that would cost money. The goverment could stop giving them tax writeoff's for business losses. That might jump start the process a bit.

Re:This problem just cannot be solved

[NJRoadfan]

The only place I have seen a chip and PIN terminal here is at one local CVS. Its likely a universal model because it has RFID for contactless card transactions too. Those RFID terminals are catching on, but only really at retailers that have their own branded credit card with a big bank like Chase. Its part of their agreement with the bank to install the RFID terminals because all the cards they issue have the chips.

Re:This problem just cannot be solved

That's the solution to this particular incident, and we've all acknowledged that Citi was beyond incompetent in this case. But the poster was referring to the problem of credit card numbers in general and was likely referring to the situation in other countries where credit cards are smart cards that enable real cryptography in credit card transactions which would make the credit card number alone almost worthless.

Re:This problem just cannot be solved

[Hazel+Bergeron]

So now my mobile 'phone is the device which gets cracked and keylogged for access to the signing certificates which approve dozens of credit card transactions?

I understand your proposal but I hear it as, "Now, rather than only keeping it in your head and typing it on dedicated terminals, you enter your PIN-substitute on a computer you use for general Internet access etc."

Re:This problem just cannot be solved

If only there was a way to have credit card owners approve each charge through the entering of some kind of a pin.

If only credit card numbers weren't special since what really mattered was signed transactions.

If only every consumer had a personal device capable of signing transactions in his pocket at almost all times.

http://www.google.com/wallet/

Re:This problem just cannot be solved

[Nick+Ives]

This is beyond silly. The reason Chip & Pin happened in Europe is because payment card operators in Europe got together and decided to do it. They told retailers they didn't have to use it if they didn't want to, but they would be more liable for fraudulent transactions if they didn't.

Given that the increased liability would cost more than the chip & pin terminals, everyone moved over.

Re:This problem just cannot be solved

It'd be better with a dedicated device sure... but who would want to carry an additional pager-sized device as well as another service contract?

Of course, I guess my view of mobile phone security has been skewed by my selection of Blackberry.
Sure they're outdated compared to other smartphones, but they do take security seriously :)
(and believe me, that's the only think keeping me with this horribly outdated platform)

Could have been stopped and will be in the future

Banks across the US are weak in a lot of online security, but I know for a fact that most of them are actively engaged in making it better and are spending a lot of money to do so. Even this problem with Citi would have been easily caught and mitigated if they had Silver Tail Systems installed, for example. Most of the large banks in the US are moving in this direction of behavioral analytics instead of purely transactional.

Hacking

I do my hacking with a machete. Hack into a bank and cause problems for 360k people, you had better fear my hack.

Most insecure ebanking ever.

[gweihir]

Several things went wrong here:

- "Developers" without a clue about web-application kept critical state client-side. An absolute Noob-mistake. They must not have had any clue what they were doing.

- The security evaluation was either done by people without basic knowledge of web application security as well, or not done at all. This is one of the first things anybody with at least a bit of knowledge (as in understanding web-mechanisms and having researched on the web for, say, 1/2 day about web application security).

- Incompetent and greedy management selected / signed off on the development team and the evaluation team (or did without evaluation), without any regard for their actual skills.

The developers and evaluators should be forbidden to work in IT for the rest of their lives or until they demonstrate strong skills. The managers responsible, however should go to prison, pay for the damage out of their own pockets and should be banned for life from working in management or any other place where they have the power to make decisions for an organization.

Re:Most insecure ebanking ever.

[MacGyver2210]

The managers responsible, however should go to prison, pay for the damage out of their own pockets and should be banned for life from working in management or any other place where they have the power to make decisions for an organization.

This. For everyone on Wall Street with a title of VP or higher. Now.

Re:Most insecure ebanking ever.

The developers and evaluators should be forbidden to work. The managers responsible, however should go to prison, pay for the damage out of their own pockets and should be banned for life from working in any place where they have the power to make decisions of any kind.

There, fixed that for you.

Can you tell I'm a web developer that's fed up with guys like these making me look bad just because I happen to be in the same field? End users can't tell the difference between my code and there's because when mine doesn't do this, there's no way for them to understand it couldn't do this (encrypt, and even then don't trust client information). Most end users don't understand anything about this problem, no matter how it is described to them. They just see some overpaid programmer who screwed up.

Re:Most insecure ebanking ever.

Developer skills? What are you talking about? I'm sure the low bidder won the contract to develop the site, then outsourced it to someone even cheaper so they could get a cut, and the CxO overseeing this sewage system got a nice, fat bonus for coming in under budget. Developer skills were never part of the equation.

Re:Most insecure ebanking ever.

[gweihir]

The developers and evaluators should be forbidden to work. The managers responsible, however should go to prison, pay for the damage out of their own pockets and should be banned for life from working in any place where they have the power to make decisions of any kind.

There, fixed that for you.

Well, a bit harsh, but I cannot say I fundamentally disagree.

Can you tell I'm a web developer that's fed up with guys like these making me look bad just because I happen to be in the same field? End users can't tell the difference between my code and there's because when mine doesn't do this, there's no way for them to understand it couldn't do this (encrypt, and even then don't trust client information). Most end users don't understand anything about this problem, no matter how it is described to them. They just see some overpaid programmer who screwed up.

That is why you need to have competent (and preferably outside) evaluation for anything that has security functionality. Of course, that is expensive and does not add to the functionality. Even worse, if the security folks say, "this is not secure", or even worse, "no way can this be made secure, you project failed" the manager in question is exposed as incompetent (as he/she should be). So the people that would need to get the security evaluation done have the most to lose. On the other hand, that is possibly the only way to weed out the elCheapo developers that have no clue. Meaningful certifications do not exist. Creating something like a "licensed software security engineer" or "licensed security programmer" may help a bit, but that would cause high demand for these people and you might have to treat and pay them well. Which is something the management layer definitely does not want to do. Also, there is a high risk of these certifications being meaningless.

The only option I see is to a) make it a legal requirement to have a high security level on anything storing customer data and connected to the web and b) if things like security evaluation are not done competently or not done at all, make the managers responsible personally liable.

Re:Most insecure ebanking ever.

[nomadic]

Developer skills were never part of the equation.

They never are on Slashdot, where all programmers are brilliant, handsome, and competent.

Re:Most insecure ebanking ever.

[gweihir]

Developer skills? What are you talking about? I'm sure the low bidder won the contract to develop the site, then outsourced it to someone even cheaper so they could get a cut, and the CxO overseeing this sewage system got a nice, fat bonus for coming in under budget. Developer skills were never part of the equation.

Unfortunately, you are perfectly right. I have seen this several times now. The way to deal with it is make the people getting the bonus personally liable (civilly and criminally) if it goes wrong.

Re:Most insecure ebanking ever.

Get real, the development was outsourced to someone in a foreign country that doesn't give a crap.

Re:Most insecure ebanking ever.

This is about incompetent techies. You can blame the company if you want, but it was the techies that did it. Period.

The tech world gets off on blaming management a lot and never takes any responsibility themselves.

Yes, I'm a techie. I don't expect a manager to know technical issues. That's my job.

Re:Most insecure ebanking ever.

[Adambomb]

Many companies refuse to approve implementing costly security, and will fire techies who raise concerns about that too often and then hire incompetent techies who don't think to question the lack of security.

Who is really at fault in this case, the fool or the fool who hired him.

Re:Most insecure ebanking ever.

[gmhowell]

Developer skills were never part of the equation.

They never are on Slashdot, where all programmers are brilliant, handsome, and competent.

Slashdot HQ is in Lake Woebegone?

Re:Most insecure ebanking ever.

[Jedi+Alec]

And his job is to make sure you are competent and delivering the product the company is paying you for.

If he doesn't understand technical issues himself that's fine, but in that case he still requires a method to determine whether or not you are doing a good job.

Oh the irony...

[ilguido]

-2006: Citigroup and M$ Develop a New Digital Identity Solution

-2008: Citi's Market Montage Solution Supports 200,000 Updates per Second with SQL Server 2005

- june 2011: Citigroup hacker attack affected more customers than first thought

-a week later, in the neighborhood of Redmont (about the PSN outage): "As a company, you can look back 8, 9 years ago, when Bill Gates wrote his Trustworthy Computing Memo that basically said, 'We need to change the way we architect our products and it has to be designed into the way we architect our products and services.' So it’s in our DNA, across the company. This is not just an IEB thing. So this has really been a multi-year effort for us as a company and it’ll continue to be one because this future, which we think is very much about services and very much cloud based - whether it be entertainment consumption or productivity - in order to do that, you have to have a secure environment. So we’re going to continue to do that and we don’t want to see any of our competitors hurt along the way. We think that’s bad for consumers."

Re:Oh the irony...

lulz, i guess you missed the article about how their system was hacked. It was not because of SQL but due to how they built their system. Also, during that magic timeline you posted I bet Citi put more of their services online which exposed them more. I would first question their ability to build secure software. From what i have heard their goals in getting things done do not always match up to getting things done the way it should be done.

sigh!

[kyuubi1]

.. and yes, my money is safe under the pillow than in a electrified, triple encrypted, titanium vault.

They did it using URL stuffing

As in running a perl script that generated a randomly changing URL string and WGETing on it - such sophistication - must be the Chinese again .. :)

"Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges. Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn't get into Citi's main credit card processing system, but were reportedly able to obtain the numbers, along with the customers' names and contact information, by logging into the Citi Account Online website and guessing account numbers."

what PCI compliant means

All PCI compliance means is the finance house filling in a bunch of forms and posting them back to some authority with a big cheque :)

this is the fault of ...

Visa and MasterCard, which allow middle-man entities to process charges without requiring tertiary security information

That's all?

[hamburgler007]

If only 2.7 million was lost, something seriously fucked up is going on. They should be spending more than that just for a 3rd party to audit their security.

Re:That's all?

[tom229]

That's kinda what I was thinking. Smells a little conspiracy...ey.. to me. We're seeing so much of this lately it almost seems like it's a reason being engineered to squash net neutrality/freedom.

Wisconsin Pensions

[hackus]

Maybe we could use the same technique and recover all of the pension funds looted by Wall Street for the State of Wisconsin?

-Hack

being not-for-profit...

[brokeninside]

... while it means that they don't have the goal of maximizing shareholder's equity, doesn't meant that they don't exhibit profit-seeking behavior. It just means that the profit isn't paid out in the form of dividends. It could, as one example, be paid out in the form of executive compensation.

Moreover, many credit unions are for-profit concerns. But the dividends go to account holders rather than third-party investors that don't deposit money into the credit union. And the money that is deposited is used by members rather than non-members. Rather than your deposits going towards providing the backing for third-parties to get loans, etc., they go towards loans, etc., for members of the credit union. This distinction starts to break down, however, when the credit union decides to invest the money in instruments to increase dividends to the members.

Missing the point.

You're focussing on the incredibly weak security of their web site. Even if it was a lot, lot better, there would still no doubt be exploitable vulnerabilities. Parent is making the point that if the information stored in the web site did not need to be secret in the first place - because you can't do anything with it - then who cares about the security of the web application.

I've just been employed to design products which encrypt cardholder data at rest and in transit... and none of this would be necessary if the U.S. just started using EMV like everyone else in the world. No mag stripe, chips on the cards which can sign transactions, etc. The cardholder number should not need to be secret in the first place.

Re:Missing the point.

[gweihir]

Agreed. I think the two options here are EMV and old-fashioned paper for credit cards. In the later case they may ask for an ID on larger sums. Have not seem mag-stripe for a long time.

Couldn't happen to nicer people.

My finances are a mess. Entirely my own fault. But there's only one financial organization I've ever regretted getting involved with. Given the option, I'd pay them back in nickels, after I'd rubbed every one of those nickels on my balls.

Numbers

[G4Cube]

For 10 years when you lost a # to fraud the next card was different by only the last 4 numbers.

Asking for it

[Hyperhaplo]

Here in Aus they have implemented a new system whereby you do not need to enter a pin or sign if it is a "small" amount (less than $100 at MacD's and less than $35 at Coles / Kmart stores) - Paypass / paywave.

It's been in for a couple of months, and is gradually gaining acceptance. There's a few problems though; one being the marketing material which clearly states that '.. there is no risk..'.

Let's see here. If I get mugged, said mugger can use my CC to their heart's content - so long as it is less than $100 at Macd's or less than $35 at a Coles (chain of stores et al).

The information provided states that any money lost on a stolen card will be refunded *after* the card is reported stolen. So, this opens up two new avenues:

1) Get mugged, and have your credit card joy ridden for a couple of hours

2) Get mugged, and have your credit card chip cloned

or even better, let's go for option
3) Your card information is recorded, and 'mysterious' $35 amounts keep appearing on your bills.. until you cancel the card..

I have asked, repeatedly, as to how to have this functionality disabled. Yes, I am security conscious enough that I want the 'hassle' of putting my pin in Every Single Time. Yes, even for 'small' purchases. Apparently, it can't be done - short of shredding your credit card.

Mainly, I am now concerned with young thugs trying to mug me. The "Zero Liability: If your card is ever lost or stolen, youâ(TM)re protected with Zero Liability for unauthorized purchases." ( Reference: http://usa.visa.com/personal/cards/paywave/index.html ) will *not* help with a broken arm or missing teeth.

Find them and put them in charge

[IHateEverybody]

They seem to have stolen less than the bankers themselves.