PIN Scandal 'Worst Hack Ever'
QuietLagoon writes "The evolving Citibank PIN scandal is getting worse with each passing day. Gregg Keizer of TechWeb News writes: 'The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs 'the worst consumer scam to date.' ... The problem...is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.'"
If you are a Citibank customer... (Score:5, Informative)
I was the victim of debit card abuse (from a different bank). I believe (from talking to other people in my neighborhood) that a gas station was logging debit #'s and PINs customers used at the pump, manufacturing cards and taking cash from ATMs. I was hit for about $2000 and it would have been more if I didn't catch it. The bank would not clear the charges, the police of course took a report but did nothing to follow up. I fought tooth and nail to get the bank to reimburse me, but they basically said it was my word against theirs. I demanded to see the ATM camera photos but they said they would only release them to the police, and of course the police refused to help with my request.
Your mileage may differ, of course. But take this seriously.
Re:It's intentional (Score:5, Informative)
Well, since Diebold probably made the ATMs which were hacked, you could probably look in the same place. Interestingly, the story was broken by a blog. http://www.boingboing.net/2006/03/05/citibank_under_fraud.html [boingboing.net]
Re:It's intentional (Score:2, Informative)
The quiz was for a job application where someone smart enough to look at the html source would be qualified enough for the job, but still.
And best of all... (Score:5, Informative)
If you're out of the country? Tough shit. Virtually all usage outside the USA will result in your card being automatically killed and the only way (apparently) to continue using your card is to have a new card shipped to your home address, activate the card from your home phone, and even then, their CSRs say that if you use it outside the USA, it may get automatically killed again.
See one such story here [boingboing.net].
You know, if this was bigger, it could be a good thing for everyone. Maybe then people would start taking things seriously. And although I usually don't think that we need new legislation, maybe in this case, it would be a good idea.
I'd like to see criminal penalties applied against the directors of companies for losing customer information in the same way people can go to the pokey for screwing up under SOX.
Then again, this breach isn't the worst we've heard about this week. 17 million records (names, phone numbers, addresses, e-mail addresses, IP addresses, logins, passwords, credit-card types and purchase amounts - everything except credit-card numbers) were discovered floating around the net.
See here for details [wired.com].
Oh, and if your card was used, good luck with trying to fix your credit
The credit system could use an overhaul.
Re:Debit cards are the STUPIDEST idea... (Score:1, Informative)
Here in the Netherlands, getting a credit card isn't even considered 'normal', and 99% of stores only accept debit cards -- where YOU swipe the card, and YOU enter the pin.
And of course, stores can't accept debit cards without the official tamper-resistant hardware provided by the banks (who have all agreed on a common system for transferring money).
There was a card-cloning scam a few years ago, and all ATMs have been retrofitted with special 'things' in front of the card slot to prevent cloning devices being put on them (and people have been told to not give away their cards to anyone).
It can be done properly, it's just that the proper way isn't always the cheapest way..
Re:Supermarkets Defeating Chip & Pin (Score:3, Informative)
I don't think that the supermarket has your PIN, more like the one-way encrypted PIN information is passed from the point of sale terminal to the PIN pad. The PIN pad checks that the PIN entered is valid then the till will request authorisation from the acquirer.
The full system is validated by the acquirers, if the retailer was found to be holding PIN information or modifying the certified PINpad hardware the retailer would be stopped from using the credit card authorisation facility.
Re:Why only 4 digits? (Score:3, Informative)
ATMs are already using two-factor: something you have (ATM card) and something you know (PIN). What is it that you want them to be doing instead?
I coded Tesco's system (Score:5, Informative)
In order to pass accreditation there were many many security requirements, the most important of which is that the PIN never leaves the EMV hardware. There is a secure link between the little pad there and the swipe/park reader on the side of the PoS display. The PIN is hashed on the PIN pad and the hash sent to the reader. It does not go any further. Ever. All the till software I wrote gets is a (secure) result code for whether verification was successful.
The store does not get your PIN.
As for the rest, The store gets all the info from the stripe ANYWAY. The chip has all the same info encoded on it, and a lot more. They don't need to swipe your card (and I must admit it mystified me why they would for a while) precisely because they have that data from the chip!
The reason for the swipe is simple -
You appear to be worked up about very little.
If you have any more questions I'd be more than pleased to answer them.
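The split the commenter describes (PIN and key stay inside the pad, the till only ever receives a result code) is the design property that the summary's "keys stored on the same network as the PIN blocks" problem violates. The following is an added, simplified Python model written to illustrate that boundary; it is not the commenter's code, not Tesco's system and not EMV's actual offline PIN verification. Its assumptions are a pad-internal HMAC key, an in-pad reference table standing in for issuer verification data, and a dict-based till log; the card number is a constructed placeholder.

```python
"""Toy model of a tamper-resistant PIN pad beside a point-of-sale till.
Assumption (not from the page): verification happens inside the pad with a
keyed digest; real EMV terminals verify against the card or the issuer."""
import hashlib
import hmac
import secrets


class PinPad:
    """The key, the reference digests and the PIN buffer exist only here."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never exported to the till
        self._reference = {}                 # card_id -> keyed digest (constructed stand-in)
        self._entered = None                 # PIN buffer, erased after every verification

    def _digest(self, card_id, pin):
        return hmac.new(self._key, f"{card_id}:{pin}".encode(), hashlib.sha256).digest()

    def enrol(self, card_id, pin):
        # Constructed: stands in for issuer-side verification data held only in the pad.
        self._reference[card_id] = self._digest(card_id, pin)

    def keypress(self, pin):
        # The customer types on the pad; the till is not on this path.
        self._entered = pin

    def verify(self, card_id):
        """Return a result code only; the PIN itself never crosses this interface."""
        try:
            ref = self._reference.get(card_id)
            if self._entered is None or ref is None:
                return "PIN_NOT_VERIFIED"
            ok = hmac.compare_digest(ref, self._digest(card_id, self._entered))
            return "PIN_OK" if ok else "PIN_BAD"
        finally:
            self._entered = None  # erase at the pad, whatever the outcome


class Till:
    """Point-of-sale software: asks the pad for a result and logs only that."""

    def __init__(self, pad):
        self._pad = pad
        self.log = []

    def checkout(self, card_id, amount):
        result = self._pad.verify(card_id)
        self.log.append({"card": card_id, "amount": amount, "result": result})
        return result


def log_fields(till):
    """Field names an attacker copying the till's storage would find: no PIN, no key."""
    return sorted({k for entry in till.log for k in entry})


def demo():
    card = "4000-CONSTRUCTED-0001"  # placeholder card number
    pad = PinPad()
    pad.enrol(card, "1234")
    till = Till(pad)
    pad.keypress("1234")
    first = till.checkout(card, 19.99)     # correct PIN
    pad.keypress("9999")
    second = till.checkout(card, 5.00)     # wrong PIN
    third = till.checkout(card, 1.00)      # no keypress: buffer already erased
    return first, second, third, log_fields(till)


if __name__ == "__main__":
    print(demo())
```

The point of the `finally` clause and the `log_fields` check is the one the article makes: if the pad erases the PIN after each verification and the till only ever stores result codes, there is no PIN block and no key anywhere on the retailer's side for a single network compromise to collect.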
Cards still have a mag stripe (Score:3, Informative)
Conceivably then, you could clone the stripe and put a dummy chip on a card and get away with it at some places, but not all. The chip itself cannot (at present) be cloned with anything other than an electron microscope, AFAICT.
Boing Boing Link (Score:4, Informative)
Visa USA Notice [boingboing.net]. If Sam's Club and OfficeMax are saving Citi Visa PINs, they're saving other PINs as well.
Hear that thumping? It's the hearts of a thousand excited product liability lawyers.
Re:still... (Score:3, Informative)
Just as an addendum, you'd be surprised to see how many people are working at the Big City(i) credit card company and putting a huge portion of their paycheck towards paying off credit card debt. Now, that's really living under the Umbrella. (http://www.citigroup.com/citigroup/domain/image/
No, no they couldn't (Score:3, Informative)
2 - The link between the PIN Pad and the reader is direct and encrypted.
3 - With EMV (the UK scheme) no PIN is used in a magnetic transaction. Signature is used and the fraud liability is with the merchant. There is NO way to do a stripe'n'PIN transaction.
4 - The scenario would not be prevented if there was no strip because there is no scenario.
Re:If you are a Citibank customer... (Score:3, Informative)
"He'll have to pay court fees and spend hours, if not days, on this and when he gets them, the police won't do a damn thing."
I always get the police to act even if they don't want to act. All I do is ask the officer(s) if the police department is abdicating its responsibility in the matter, and if so, to put it in writing. If they abdicate then the responsibility falls on me, and then I tell them to stay out of my way, and not interfere with me in pursuit and resolution of the matter. So far, I've had no takers, and the police do their job.
"If, by some small miracle, the police catch the perp, there is virtually no chance of getting any money from the perp and the bank has more lawyers than he does (and $2000 isn't much when you're talking legal fees)."
By doing nothing you do two things. You tell the criminal that it's ok to steal money from others, and you tell the other criminal (the bank) that it's ok to allow your money to be stolen.