Dan
03-12-2006, 09:05
I've always use my check card as a credit card and not a debit card. Two reasons...
1. I get charged for a debit transaction at most place, while using it as a credit card the retailer has to pay any charges.
2. I've always wondered about if retailers stored pins ...retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad...
Anyway on to the PIN Scandal...
PIN Scandal 'Worst Hack Ever'; Citibank Only The Start
The scam has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, all of which have re-issued debit cards in recent weeks, says a Gartner research vice president.
By Gregg Keizer
TechWeb News
Mar 9, 2006 04:35 PM
The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs "the worst consumer scam to date."
Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.
But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam -- and scandal -- has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.
"This is the worst hack ever," Litan maintained. "It's significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things."
Unlike credit cards, debit cards offer an additional level of security: the password-like Personal Identification Number, or PIN.
"That's the irony, the PIN was supposed to make debit cards secure," Litan said. "Up until this breach, everyone thought ATMS and PINs could never be compromised."
Litan's sources in the financial industry have told her that thieves hacked into a as-yet-unknown system, and made off with data stored on debit cards' magnetic stripes, the associated "PIN blocks," or encrypted PIN data, and the key for that encrypted data.
The problem, she continued, is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.
In this case, Litan said, the thieves used the information to crank out counterfeit debit cards, then emptied accounts at ATMs. She estimated that they absconded with "at least a couple of thousand records, maybe more" and have cashed out to the tune of "millions already."
The victim of the hack attack isn't yet known, although some banks have pointed fingers at OfficeMax, which has denied that its system was penetrated.
Litan believes it much more likely that a third-party processor or terminal supplier was involved; the silence about the victim could point to a processor, she said, because they have the most to lose by the negative publicity.
Last summer, credit card processor CardSystems was hit with a massive breach that involved millions of accounts; CardSystems essentially sank under the publicity, and was later bought by Pay By Touch. In February 2006, the FTC reached a settlement with CardSystems that require it to adopt more stringent security measures, but the company remains open to consumer lawsuits that could mean millions in payouts.
No matter who is to blame, the bank industry is only about halfway through cleaning up the breach, said Litan. And more of the same is on the way.
"This will become a trend with criminals," she bet. "Hackers will do this as much as they can" because it's far easier to empty checking accounts at ATMs than to buy goods with purloined credit cards, then sell the goods to generate cash.
So what's a consumer to do?
"Security is tight at the ATM, but point-of-sale is a whole other story," said Litan. "Look at your [debit card] account on a regular basis, and don't use a PIN-based debit card at point-of-sale," she recommended. "I never do."
International Citibank Customers Shaken By Data Breach
Bank halts PIN-based transactions in three countries after customer data is compromised at a third-party company.
By Larry Greenemeier
InformationWeek
Mar 8, 2006 04:00 PM
Citibank, the consumer and corporate banking arm of Citigroup Inc., confirmed Wednesday that the bank and its customers were the victims of a third-party company information breach that has forced the bank to block PIN-based transactions for customers in Canada, Russia, and the U.K.
The bank did not disclose when the breach occurred. Once alerted to the breach, the company "began enhanced monitoring of the affected accounts for fraud" and in mid-February detected several hundred fraudulent cash withdrawals in the three countries, the company said in a statement. Citibank proceeded to block all transactions in those countries that rely on PIN authentication.
"We are in the process of contacting affected customers individually and issuing new cards," the company's statement said. "We can provide new cards to customers affected by this third-party breach anywhere in the world they may be traveling."
Citibank would not name the third-party business whose systems were breached. The bank also did not specify how or when its affected customers were notified that they could no longer make PIN-based transactions. Some Citibank customers have used blogs to relate their experiences dealing with the bank. One Canadian, through a blog entry dated March 5, noted that he found out about the problem after an ATM transaction was denied, rather than through official notification from his bank.
This is not Citigroup's first brush with data insecurity. In June, the bank revealed that a box of unencrypted tapes containing information on 3.9 million customers was lost in transit. Citigroup shipped the box May 2 via UPS Inc., but it never arrived at its destination, an Experian credit bureau in Texas. The tapes contained names, Social Security numbers, account numbers, and payment histories of CitiFinancial customers.
Citigroup is by no means alone in its inability to protect customer data. In fact, the list is extensive, and growing. Ameriprise Financial in January revealed that unencrypted data, including Social Security numbers of 226,000 customers and employees, was stolen from a laptop. Some H&R Block customers rang in the New Year by finding out that their Social Security numbers were included in the tracking number used to mail them packages containing the company's TaxCut software. Kaiser Permanente last year was fined $200,000 for a data breach that affected 150 customers.
These highly publicized embarrassments are beginning to have some affect on how companies handle customer data. In February, Citigroup, Bank of America Corp., Bank of New York Co., J.P. Morgan Chase & Co., U.S. Bancorp, and Wells Fargo & Co., plus major auditors and service providers, released a common methodology that financial services companies could use to assess service-provider security. BITS, a consortium backed by the financial-services industry, developed the methodology after studying service providers including Acxiom, First Data, IBM, Viewpointe Archive Services, and Yodlee. The goal is to give service providers consistent demands and make them live up to them. Banks are cooperating because they know the alternative: fines, lawsuits, and a tarnished image that can't be easily fixed.
1. I get charged for a debit transaction at most place, while using it as a credit card the retailer has to pay any charges.
2. I've always wondered about if retailers stored pins ...retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad...
Anyway on to the PIN Scandal...
PIN Scandal 'Worst Hack Ever'; Citibank Only The Start
The scam has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, all of which have re-issued debit cards in recent weeks, says a Gartner research vice president.
By Gregg Keizer
TechWeb News
Mar 9, 2006 04:35 PM
The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs "the worst consumer scam to date."
Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.
But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam -- and scandal -- has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.
"This is the worst hack ever," Litan maintained. "It's significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things."
Unlike credit cards, debit cards offer an additional level of security: the password-like Personal Identification Number, or PIN.
"That's the irony, the PIN was supposed to make debit cards secure," Litan said. "Up until this breach, everyone thought ATMS and PINs could never be compromised."
Litan's sources in the financial industry have told her that thieves hacked into a as-yet-unknown system, and made off with data stored on debit cards' magnetic stripes, the associated "PIN blocks," or encrypted PIN data, and the key for that encrypted data.
The problem, she continued, is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.
In this case, Litan said, the thieves used the information to crank out counterfeit debit cards, then emptied accounts at ATMs. She estimated that they absconded with "at least a couple of thousand records, maybe more" and have cashed out to the tune of "millions already."
The victim of the hack attack isn't yet known, although some banks have pointed fingers at OfficeMax, which has denied that its system was penetrated.
Litan believes it much more likely that a third-party processor or terminal supplier was involved; the silence about the victim could point to a processor, she said, because they have the most to lose by the negative publicity.
Last summer, credit card processor CardSystems was hit with a massive breach that involved millions of accounts; CardSystems essentially sank under the publicity, and was later bought by Pay By Touch. In February 2006, the FTC reached a settlement with CardSystems that require it to adopt more stringent security measures, but the company remains open to consumer lawsuits that could mean millions in payouts.
No matter who is to blame, the bank industry is only about halfway through cleaning up the breach, said Litan. And more of the same is on the way.
"This will become a trend with criminals," she bet. "Hackers will do this as much as they can" because it's far easier to empty checking accounts at ATMs than to buy goods with purloined credit cards, then sell the goods to generate cash.
So what's a consumer to do?
"Security is tight at the ATM, but point-of-sale is a whole other story," said Litan. "Look at your [debit card] account on a regular basis, and don't use a PIN-based debit card at point-of-sale," she recommended. "I never do."
International Citibank Customers Shaken By Data Breach
Bank halts PIN-based transactions in three countries after customer data is compromised at a third-party company.
By Larry Greenemeier
InformationWeek
Mar 8, 2006 04:00 PM
Citibank, the consumer and corporate banking arm of Citigroup Inc., confirmed Wednesday that the bank and its customers were the victims of a third-party company information breach that has forced the bank to block PIN-based transactions for customers in Canada, Russia, and the U.K.
The bank did not disclose when the breach occurred. Once alerted to the breach, the company "began enhanced monitoring of the affected accounts for fraud" and in mid-February detected several hundred fraudulent cash withdrawals in the three countries, the company said in a statement. Citibank proceeded to block all transactions in those countries that rely on PIN authentication.
"We are in the process of contacting affected customers individually and issuing new cards," the company's statement said. "We can provide new cards to customers affected by this third-party breach anywhere in the world they may be traveling."
Citibank would not name the third-party business whose systems were breached. The bank also did not specify how or when its affected customers were notified that they could no longer make PIN-based transactions. Some Citibank customers have used blogs to relate their experiences dealing with the bank. One Canadian, through a blog entry dated March 5, noted that he found out about the problem after an ATM transaction was denied, rather than through official notification from his bank.
This is not Citigroup's first brush with data insecurity. In June, the bank revealed that a box of unencrypted tapes containing information on 3.9 million customers was lost in transit. Citigroup shipped the box May 2 via UPS Inc., but it never arrived at its destination, an Experian credit bureau in Texas. The tapes contained names, Social Security numbers, account numbers, and payment histories of CitiFinancial customers.
Citigroup is by no means alone in its inability to protect customer data. In fact, the list is extensive, and growing. Ameriprise Financial in January revealed that unencrypted data, including Social Security numbers of 226,000 customers and employees, was stolen from a laptop. Some H&R Block customers rang in the New Year by finding out that their Social Security numbers were included in the tracking number used to mail them packages containing the company's TaxCut software. Kaiser Permanente last year was fined $200,000 for a data breach that affected 150 customers.
These highly publicized embarrassments are beginning to have some affect on how companies handle customer data. In February, Citigroup, Bank of America Corp., Bank of New York Co., J.P. Morgan Chase & Co., U.S. Bancorp, and Wells Fargo & Co., plus major auditors and service providers, released a common methodology that financial services companies could use to assess service-provider security. BITS, a consortium backed by the financial-services industry, developed the methodology after studying service providers including Acxiom, First Data, IBM, Viewpointe Archive Services, and Yodlee. The goal is to give service providers consistent demands and make them live up to them. Banks are cooperating because they know the alternative: fines, lawsuits, and a tarnished image that can't be easily fixed.