PIN Scandal 'Worst Hack Ever'

QuietLagoon writes "The evolving Citibank PIN scandal is getting worse with each passing day. Gregg Keizer of TechWeb News writes: 'The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs 'the worst consumer scam to date.' ... The problem...is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.'"
  • by Anonymous Coward on Saturday March 11, 2006 @07:05AM (#14897443)
    ... Change your fucking PIN right now. Don't be fooled by the Visa logo... Debit card fraud is not like credit card fraud, where the companies will almost always clear the charges at no (or minimal) cost to you. If a criminal steals your money through debit card theft you probably won't get it back.

    I was the victim of debit card abuse (from a different bank), I believe (from talking to other people in my neighborhood) that a gas station was logging debit #'s and PINs customers used at the pump, manufacturing cards and taking cash from ATM's. I was hit for about $2000 and it would have been more if I didn't catch it. The bank would not clear the charges, the police of course took a report but did nothing to follow up. I fought tooth and nail to get the bank to reimburse me, but they basically said it was my word against theirs. I demanded to see the ATM camera photos but they said they would only release them to the police, and of course the police refused to help with my request.

    Your mileage may differ, of course. But take this seriously.

  • Re:It's intentional (Score:5, Informative)

    by ozmanjusri ( 601766 ) <aussie_bob.hotmail@com> on Saturday March 11, 2006 @07:19AM (#14897463) Journal
    Rather similar to the Diebold voting machine scandal, one can only wonder what forces are behind this.

    Well, since Diebold probably made the ATMs which were hacked, you could probably look in the same place. Interestingly, the story was broken by a blog. http://www.boingboing.net/2006/03/05/citibank_under_fraud.html [boingboing.net]

  • Re:It's intentional (Score:2, Informative)

    by ComaVN ( 325750 ) on Saturday March 11, 2006 @07:20AM (#14897465)
    Yes. Yes, they really do make that kind of mistake. I've seen people make quiz-type webpages with just a client-side javascript that checked the answers (which were, of course, plain-text in the html source). Granted, that was not as important as PIN numbers, but a lot of mediocre programmers just don't step back to reflect on what they've written. As far as they're concerned, it works, and they don't even contemplate ways how malicious users might try to break it.

    The quiz was for a job application where someone smart enough to look at the html source would be qualified enough for the job, but still.
  • And best of all... (Score:5, Informative)

    by loraksus ( 171574 ) on Saturday March 11, 2006 @07:42AM (#14897517) Homepage
    Citibank is handling this just like you'd expect a credit card company would, with horrid customer service.
    If you're out of the country? Tough shit. Virtually all usage outside the USA will result in your card being automatically killed and the only way (apparently) for you to continue using your card is to have a new card shipped to your home address, activate the card from your home phone, and even then, their CSRs say that if you use it outside the USA, it may get automatically killed again.
    See one such story here [boingboing.net].

    You know, if this was bigger, it could be a good thing for everyone. Maybe then people would start taking things seriously. And although I usually don't think that we need new legislation, maybe in this case, it would be a good idea.
    I'd like to to see criminal penalties applied against the directors of companies for losing customer information in the same way people can go to the pokey for screwing up under SOX.

    Then again, this breach isn't the worst we've heard about this week. 17 million records (names, phone numbers, addresses, e-mail addresses, IP addresses, logins, passwords, credit-card types and purchase amounts - everything except credit-card numbers) were discovered floating around the net.
    See here for details [wired.com].

    Oh, and if your card was used, good luck with trying to fix your credit
    The credit system could use an overhaul.
  • by Freexe ( 717562 ) * <serrkr@tznvy.pbz> on Saturday March 11, 2006 @07:47AM (#14897522) Homepage
    It all changed over on Feb 14th here in London with the "I ♥ my PIN" campaign. You can't not use the PIN anywhere now.
  • Re:Chip & Pin (Score:3, Informative)

    by sparckzero ( 960394 ) on Saturday March 11, 2006 @07:58AM (#14897547)
    I work in a small local convenience store in the UK, and as such our machine for doing debit/credit cards is completely separate to the EPoS system. The PIN never leaves the terminal that the customers use to enter the PIN, and is wiped after it has been entered. There is physically no way for us to retrieve the PIN. We used to be able to over-ride PIN entry with a supervisor card, before it became mandatory to use Chip and PIN. Now we can't do that anymore.
  • by bobt1956 ( 945961 ) on Saturday March 11, 2006 @08:23AM (#14897595)
    It appears there's a clause for debit cards used at ATMs... http://usa.visa.com/personal/security/visa_security_program/zero_liability.html [visa.com] Extract from above link: The Zero Liability policy covers all Visa credit and debit card transactions processed over the Visa network--online or off. The only transactions not covered under the Zero Liability policy are commercial card, ATM, and non-Visa-branded PIN transactions.
  • by Anonymous Coward on Saturday March 11, 2006 @08:26AM (#14897604)
    How American.

    Here in the Netherlands, getting a credit card isn't even considered 'normal', and 99% of stores only accept debit cards -- where YOU swipe the card, and YOU enter the pin.

    And of course, stores can't accept debit cards without the official tamper-resistant hardware provided by the banks (who have all agreed on a common system for transferring money).

    There was a card-cloning scam a few years ago, and all ATMs have been retrofitted with special 'things' in front of the card slot to prevent cloning devices being put on them (and people have been told to not give away their cards to anyone).

    It can be done properly, it's just that the proper way isn't always the cheapest way..
  • by slashnik ( 181800 ) on Saturday March 11, 2006 @08:27AM (#14897608)
    The supermarket now has all the information from the mag stripe, and also has your PIN.


    I don't think that the supermarket has your PIN, more like the one-way encrypted PIN information is passed from the point of sale terminal to the PIN pad. The PIN pad checks that the PIN entered is valid, then the till will request authorisation from the acquirer.

    The full system is validated by the acquirers, if the retailer was found to be holding PIN information or modifying the certified PINpad hardware the retailer would be stopped from using the credit card authorisation facility.
  • by spood ( 256582 ) on Saturday March 11, 2006 @11:49AM (#14898256) Homepage Journal
    I think a better question is when ATMs will start using two factor authentication.

    ATMs are already using two-factor: something you have (ATM card) and something you know (PIN). What is it that you want them to be doing instead?
  • by Nursie ( 632944 ) on Saturday March 11, 2006 @12:09PM (#14898334)
    Or at least I coded 50% of the chip and PIN software on Tesco's Point of Sale machines. You couldn't be more wrong.

    In order to pass accreditation there were many, many security requirements, the most important of which is that the PIN never leaves the EMV hardware. There is a secure link between the little pad there and the swipe/park reader on the side of the PoS display. The PIN is hashed on the PIN pad and the hash sent to the reader. It does not go any further. Ever. All the till software I wrote gets is a (secure) result code for whether verification was successful.

    The store does not get your PIN.

    As for the rest, The store gets all the info from the stripe ANYWAY. The chip has all the same info encoded on it, and a lot more. They don't need to swipe your card (and I must admit it mystified me why they would for a while) precisely because they have that data from the chip!

    The reason for the swipe is simple -
    • The staff don't have to change their action dependent upon whether it's a chip card or not, they just swipe it, sit it in the end of the reader and the transaction processes
    • The staff don't have to change their action from Pre-Chip'n'PIN days, they just swipe it and away we go.

    You appear to be worked up about very little.

    If you have any more questions I'd be more than pleased to answer them.
  • by Nursie ( 632944 ) on Saturday March 11, 2006 @12:15PM (#14898361)
    However there is a code on there to say that it should be a chip card, however the strip is still there in case the chip or the reader breaks. This is the only real exploit I know of (and I coded the tesco system and I think my software runs sainsbury's now too), that you can break (or cover in something like nail varnish) the chip and then it is at the merchant's discretion as to whether they accept the transaction or not. In the case of fraud the liability is then with the merchant and not the card issuer/scheme.

    Conceivably then, you could clone the stripe and put a dummy chip on a card and get away with it at some places, but not all. The chip itself cannot (at present) be cloned with anything other than an electron microscope, AFAICT.
  • Boing Boing Link (Score:4, Informative)

    by jmichaelg ( 148257 ) on Saturday March 11, 2006 @12:24PM (#14898397) Journal
    Here's a link to Boing Boing that suggests Citi may indeed be the tip of the iceberg
    Visa USA Notice [boingboing.net]. If Sam's Club and OfficeMax are saving Citi Visa PINs, they're saving other PINs as well.

    Hear that thumping? It's the hearts of a thousand excited product liability lawyers.

  • by Ritchie70 ( 860516 ) on Saturday March 11, 2006 @01:56PM (#14898749) Journal
    I think it's probably an acquirer-processor who was compromised rather than a retailer. I think this because:
    1. It can't possibly be difficult to spot the common retailer or processor for the compromised cards. The investigators know what company was compromised by now.
    2. The company that was compromised hasn't been announced. If a retailer, all the banks and A/P's would be throwing that retailer out for sacrifice. The A/P has a lot more to lose - probably go out of business entirely.
    3. At least at the retailer I work for, we don't even HAVE the key to decode the encrypted PIN block. In our POS, the PIN is encrypted in the card reader, in a module of the card reader that I understand to be separate from the parts that can be easily programmed. The key is managed with the DUKPT standard (Derived Unique Key Per Transfer) based on a super-secret seed that's only known to the card reader manufacturer and the AP. That key is used for either DES or DES3 encryption (I'm not sure which) of the PIN, into the "encrypted PIN block" which is transmitted thru our system intact to the AP, who passes it (or the decrypted PIN, I'm not sure) to the issuing bank for validation. Even if you try to take the card reader apart to extract the DUKPT seed it's unlikely you can - removing a case screw, or even dropping the unit too hard, will wipe the seed.
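Added example, not from the story or any commenter: a worked version of the "encrypted PIN block" that the summary and the comment above both describe, showing why a store that keeps PIN blocks next to the decryption key has effectively kept the PINs. The block format is the real ISO 9564-1 format 0 (PIN field XORed with the rightmost twelve PAN digits, excluding the check digit), encrypted with two-key triple DES from Go's standard library. DUKPT (the acronym is Derived Unique Key Per Transaction) would derive a fresh key from the seed and a key serial number for every transaction; this example stands in a fixed constructed key for that derived key so it runs offline. The PAN, PIN and key are constructed sample values, and `EncryptPinBlock`/`RecoverPin` are names chosen here, not any vendor's API.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample values for this example only; not real card data.
const (
	samplePAN = "4000123456789010"
	samplePIN = "1234"
)

// sampleKey is a constructed double-length (16-byte) TDES PIN-encryption key,
// standing in for the per-transaction key a DUKPT device would derive.
// In a compliant PIN pad it exists only inside the tamper-responsive module.
var sampleKey = []byte{
	0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
	0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
}

// panField returns the ISO 9564-1 format 0 PAN field: four zero nibbles
// followed by the 12 rightmost PAN digits, excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN too short for a format 0 block")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// clearPinBlock builds the format 0 PIN block: the PIN field (control nibble
// 0, PIN-length nibble, PIN digits, F padding) XORed with the PAN field, so
// the same PIN produces a different block for every card.
func clearPinBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 decimal digits")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	pf, err := hex.DecodeString(pinField)
	if err != nil {
		return nil, err
	}
	pa, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = pf[i] ^ pa[i]
	}
	return block, nil
}

// tdesCipher expands K1||K2 to K1||K2||K1, the 24-byte form crypto/des
// expects for two-key triple DES.
func tdesCipher(key []byte) (cipher.Block, error) {
	if len(key) != 16 {
		return nil, errors.New("need a 16-byte double-length key")
	}
	return des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
}

// EncryptPinBlock is the only PIN-related output a PIN pad should emit:
// the 8-byte encrypted PIN block. The clear PIN never leaves this function.
func EncryptPinBlock(pin, pan string, key []byte) ([]byte, error) {
	clear, err := clearPinBlock(pin, pan)
	if err != nil {
		return nil, err
	}
	c, err := tdesCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, clear)
	return out, nil
}

// RecoverPin is the reverse transform: given the encrypted block, the PAN
// (already in the stripe data the store holds) and the key, the PIN falls out.
// The issuer's HSM does this legitimately; an attacker who finds a retailer's
// stored PIN blocks beside the key does exactly the same thing.
func RecoverPin(encBlock []byte, pan string, key []byte) (string, error) {
	c, err := tdesCipher(key)
	if err != nil || len(encBlock) != 8 {
		return "", errors.New("bad key or PIN block length")
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, encBlock)
	pa, err := panField(pan)
	if err != nil {
		return "", err
	}
	pf := make([]byte, 8)
	for i := range pf {
		pf[i] = clear[i] ^ pa[i]
	}
	h := hex.EncodeToString(pf)
	n := int(pf[0] & 0x0F)
	if h[0] != '0' || n < 4 || n > 12 || strings.Trim(h[2:2+n], "0123456789") != "" {
		return "", errors.New("not a well-formed format 0 PIN block (wrong key?)")
	}
	return h[2 : 2+n], nil
}

func main() {
	enc, _ := EncryptPinBlock(samplePIN, samplePAN, sampleKey)
	fmt.Printf("encrypted PIN block the POS forwards: %X\n", enc)
	pin, err := RecoverPin(enc, samplePAN, sampleKey)
	fmt.Printf("with key and PAN the PIN is recovered: %s (err=%v)\n", pin, err)
}
```

The check a practitioner wants is the one `RecoverPin` makes concrete: the encrypted block alone is useless, but the block plus the PAN from the track data plus the key is the PIN. A retailer's journal that logs the encrypted PIN block is therefore only as safe as the place the key is kept, which is the summary's point about keys sitting on the same network as the blocks.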
  • Re:still... (Score:3, Informative)

    by LandownEyes ( 838725 ) on Saturday March 11, 2006 @02:26PM (#14898858)
    Not always though...I've got a good friend who works in the collections department for A Big City(i) credit card company, what she's seen happen over and over is someone who has never been late on their payment will pay their card off but keep it open for future use, because they have a $0 balance when the statement comes they'll just throw it away without looking at it (yes, a mistake on the customer's part). So what happens is, the Big City(i) credit card company sometimes adds on an "opt-out card protection" plan that costs a few dollars a month and the customer thinking they have a $0 balance because they haven't made any purchases lately doesn't look at the statement. When the few dollar cost of the protection plan doesn't get paid the customer is hit with a $30+ late fee and their interest rate shoots up. Now, here is where it gets really good. Because the customer has never been late before, the Big City(i) credit card company won't call them about the late payment until the third month the account is behind. So for each of the next two months the customer gets another card protection charge and a $30+ late fee, plus interest (at the new higher rate) on the previous balance. When the customer finally does get a call, they owe $150+ to the Big City(i) credit card company and are on the verge of having their credit score affected. If you complain about it or try to have it resolved, the person doing the collecting doesn't have the authority to credit the charges, so they have to contact the crediting department, who will almost always either flat refuse it, or pass you on to another person (or back to collections). Reminds me a bit of the insurance company in The Rainmaker, no one has the power (or desire) to fix anything, and even someone who may want to fix the problem, AND works for the Big City(i) credit card company (such as my friend in collections) is at a loss as to how to resolve the situation.
    Now, you can always try and contact the BBB or your attorney general (which some people rightly do) but really, for $150 who wants to spend all that time? So yes, the customer made a mistake by not looking at their statements, but it's just an example of how credit cards (even unused) can spin out of control in a hurry.

    Just as an addendum, you'd be surprised to see how many people are working at the Big City(i) credit card company and putting a huge portion of their paycheck towards paying off credit card debt. Now, that's really living under the Umbrella. (http://www.citigroup.com/citigroup/domain/image/h_cg.gif [citigroup.com])
  • by Nursie ( 632944 ) on Saturday March 11, 2006 @02:28PM (#14898862)
    If you get the PIN wrong a set number of times (usually three) the card locks itself. The hash is seeded with transaction-dependent data. Also, you don't get to see the hash; the link I told you about, between the PIN pad and the card reader, is a direct link and is encrypted itself (think SSL, I think they use certificates for authentication and then key exchange, then an encrypted link much like SSL though I'm not sure of the details.)
  • No, no they couldn't (Score:3, Informative)

    by Nursie ( 632944 ) on Saturday March 11, 2006 @02:55PM (#14898970)
    1 - the swipe data alone is nowhere near enough to make a cloned card. You need a lot more data AND access to the master keys used by the card issuer.
    2 - The link between the PIN Pad and the reader is direct and encrypted.
    3 - With EMV (the UK scheme) no PIN is used in a magnetic transaction. Signature is used and the fraud liability is with the merchant. There is NO way to do a stripe'n'PIN transaction.
    4 - The scenario would not be prevented if there was no strip because there is no scenario.
  • by SpacePunk ( 17960 ) on Saturday March 11, 2006 @03:13PM (#14899031) Homepage
    Small claims court can be used. A subpoena is good from any court.

    "He'll have to pay court fees and spend hours, if not days, on this and when he gets them, the police won't do a damn thing."

    I always get the police to act even if they don't want to act. All I do is ask the officer(s) if the police department is abdicating its responsibility in the matter, and if so, to put it in writing. If they abdicate then the responsibility falls on me, and then I tell them to stay out of my way, and not interfere with me in pursuit and resolution of the matter. So far, I've had no takers, and the police do their job.

    "If, by some small miracle, the police catch the perp, there is virtually no chance of getting any money from the perp and the bank has more lawyers than he does (and $2000 isn't much when you're talking legal fees)."

    By doing nothing you do two things. You tell the criminal that it's ok to steal money from others, and you tell the other criminal (the bank) that it's ok to allow your money to be stolen.
