PIN Scandal 'Worst Hack Ever'
QuietLagoon writes "The evolving Citibank PIN scandal is getting worse with each passing day. Gregg Keizer of TechWeb News writes: 'The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs 'the worst consumer scam to date.' ... The problem...is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.'"
PIN Collisions (Score:5, Interesting)
still... (Score:5, Interesting)
It's intentional (Score:2, Interesting)
Rather similar to the Diebold voting machine scandal, one can only wonder what forces are behind this. You can't call it negligence, not even by the greatest leap of imagination is it possible to make such a mistake, so it must be malice. That is to say someone deliberately wrote the spec this way for nefarious reasons. I do wonder though, who benefits? They should haul the systems analysts through the courts until they start to sing, and say "Yeah I was told to write it this way by xxxxxx"
Chip & Pin (Score:5, Interesting)
The Point of sale system will have no access to this information and thus no chance of the creation of a database of PIN numbers.
The card issuer, however, will know the PIN.
I would still be happier with a photo on the credit/debit card. It's a little more difficult to steal my face.
slashnik
Re:It's intentional (Score:5, Interesting)
On the contrary, it is negligence. Negligence in replacing outdated systems with newer, more secure ones.
The system where PINs are (potentially) stored is from an older, kinder time. In fact, a time where most places weren't hooked up to data networks permanently. The idea being that you could store transactions, and encrypted PINs, for a while, then connect and upload the data, and get your money. Obviously this is more suited to credit card transactions.
The system was never designed by, well, competent people, and it was also not designed with modern networks in mind. Today, it would be a no-brainer to use some sort of challenge-response or public key algorithm. Like in "chip&pin" (where the PIN unlocks a public key signing-function on the chip card). But this is a remnant of the 70s.
Every once in a while, a story crops up where it's found out that ancient protocols are still being used when a customer with a card from bank A withdraws money from an ATM of bank B (usually across borders, since at a national level (speaking about Europe here) electronic funds transfers are standardized pretty well). Only a few years ago, for example, it was found out it was possible to carry out a transaction in France with a card from the Netherlands without the actual PIN!
This is basically the sort of thing that audits are supposed to catch, because to a lay person the fact that something "just works" is good enough. You only know it's insecure once something bad happens, or if you happen to have a degree in cryptography. In an audit, if you can't answer the question "so, you're sure it uses the latest XYZ123 standard and isn't misconfigured?", then you know you're in trouble. Guilty until proven innocent, rather than Management by Exception.
Re:PIN Collisions (Score:5, Interesting)
A truly shocking story.
ATM ate my debit card (Score:5, Interesting)
A different bank's ATM machine ate my debit card. I then continued on my way to lunch expecting to be able to call up the bank later that day and get my card from the nearest branch. You see, this wasn't the first time the machine on campus ate my ATM card and that was the established protocol.
This time, however, the person who got my ATM card out of the machine was the next person in line. They then took the card and proceeded to rampage around the local stores using my card to purchase clothes and shoes; lots of shoes.
Being a debit card, it was drawing the money directly from my checking account. At the time, I was a college student and was basically living paycheck to paycheck. I wasn't in debt and I paid all my bills on time, I just didn't make enough money to save anything.
The checks for my rent and all my bills had already been mailed, but not processed yet. By the time I called the bank about 3 hours after it ate my ATM card, I didn't have any cash left to pay the bills. I was a college student too, so they immediately accused me of being the one going around on this spending spree as some sort of scam against them. I was quite livid, to say the least.
The next 3 months were a nightmare. Purchases that hadn't posted yet at the time of the theft were being rejected and I was constantly being called and written by merchants trying to get their money back. Of course, everyone eventually did get paid because this was fraud and the bank gave me back most of my money. It still took me quite a while to get everything put back correctly on my credit.
It was amazing to me how many purchases waited to post to my account 3 or 4 or even 5 days after I made the purchase. I was being contacted by people that sold coffee, the grocery store, the campus book store and many more because this was all right at the start of classes.
To this DAY, 7 years later, I refuse to get a debit card and always insist on an ATM only card.
Re:It's intentional (Score:5, Interesting)
I remember that in the early days here in .au the banks ran batch processing late at night and the ATMs often couldn't connect to verify account balances. The fallback position was that the ATM would just give out the money and the account would eventually go into debt.
I financed a (small) holiday by exploiting that bug.
But the ATM card I use today is exactly like the card I used 20 years ago. And the phone card I carry is probably more secure. It has a value of $5.
Is it just Citi? (Score:5, Interesting)
Re:It's intentional (Score:2, Interesting)
Allow me to feed your suspicions further.
It's a fear tactic. It's a way to force people to warm up to the idea of mass-implementation of biometric ID. Then when you sign up, not only does the company get a copy of your information, but also the government.
Re:It's intentional (Score:1, Interesting)
But something like you are speculating about happened before at least once.
Read How ATM fraud nearly brought down British banking [theregister.co.uk]. And for once the Register wasn't overstating the story in the headline. A bunch of programmers figured it would be cool if they rigged the random PIN number generator to only choose one from a set of three numbers... Which coincidentally is also how many times you can try a number before losing the card. In a while everyone with a card from this bank had one of the three numbers.
I am not convinced the current case is "the worst hack ever". I guess the author just already knows all about stories that are kept secret for years.
Skimming a huge problem in Canada... (Score:5, Interesting)
Therein lies the problem. If I pop in to a local convenience store 99 times out of 100 they'll have Interac, but you don't really know how trustworthy they are. In the last few years thieves have caught on that no one really carries cash and have come up with imaginative ways of skimming your card and stealing your PIN. There is a sense of relative safety and attractiveness in skimming debit cards instead of credit cards as they can then take a cloned card and PIN directly to a bank machine and receive cash. No fence, no signatures, no ID requirements, etc. The cost of equipment is relatively low: magnetic card reader/writer and a high quality digital video camera, the penalties almost laughable if you manage to get caught and the potential gain is just about limitless.
I read somewhere, and I am too lazy to Google it, that debit card fraud took in $44 million in 2003 from around 27,000 people. That's approximately $1600 per person. I can't afford to lose that much and the banks don't seem to care. If you kick up a fuss and manage to get the media's attention then they'll do something about it and reimburse you, but count yourself lucky. At an estimated cost of $500 million to switch Interac to something like the chip and PIN system in the UK they can afford to lose a few customers here and there.
I do technical support for point of sale systems and during our end of year discussions in the MIS department I learned that debit card use fell in terms of dollars spent for the first time in twelve years. Credit card use increased to make up the difference. I can only conclude that card skimming has become so prevalent, or at least the public perception has, that it has already seriously eroded confidence in the Interac system. I was really shocked to learn that. It's also possible that people didn't have as much money as in years past and moved to credit cards, but countering a twelve year trend seems too coincidental.
On the positive side, the Royal Bank does seem to be at least a little proactive in that they do monitor your account for unusually large cash withdrawals and have a system of daily transaction limits. I have been called twice by their security department in the last few years and told to report to the closest branch and have my card replaced. I was told simply that I used my card at a merchant where a suspected security breach (read: skimming operation) occurred. Inconvenient, but my savings are worth the inconvenience.
Re:Someone has been watching too much Simpsons... (Score:5, Interesting)
Smart cards CAN be used for fully secured transactions over untrusted networks but unfortunately, aren't. Consider a smart card and a digital 'wallet' that is actually a simple terminal into the card. Your 'PIN' is actually just a password to log in to your own card.
To process a transaction, the POS terminal generates a transaction record requesting the payment amount, and signs it. Meanwhile, you log into your card and authorize a single transaction for the total amount. You then place your card in the POS terminal's reader. It passes the transaction record to the card. The card then signs the transaction (unless it is for more than you authorized). The card passes the signed record back to the POS. The POS then sends the record to your bank to cause the amount to transfer to the merchant's account.
The system can also be used offline so long as you're willing to give up the ability to validate the transaction immediately.
To bootstrap the system, the 'wallet' function can be available in the card reader at the POS terminal. Most people would use that and trust it the same way they now trust the card reader. It would be more trustworthy than the current system since the card would still be required to produce a transaction record (since the private key never leaves the card). Those who do not wish to trust the POS terminals at all can use their own wallet to authorize transactions. A USB interface on the wallet would allow for instant secure online payments. Since the PIN/password never leaves the wallet, it's safe to use at a public terminal (internet cafe for example).
In either scenario, skimming is prevented since again, the private key never leaves the chip on the card. People already generally understand the need to keep credit/debit cards in their possession.
A side benefit to the system is that you can pre-authorize a transaction amount and then allow a reasonably trusted person to use your card. Unlike current cards where you would have to trust the person with your PIN (and the total balance in your account + your credit limit), you need only trust them with the amount of the single transaction.
More advanced cards might be pre-authorized with a given amount which may be spent in multiple transactions. More advanced cards could have those transactions limited to payments to specific entities. That allows parents to give kids an allowance on a card, send the kids to the store, or emergency cab fare.
A lost card would just mean generating a new key pair and issuing a new card. No need to change account numbers. That means no need to do anything special about pre-authorized monthly billings. Meanwhile, merchants with sporadic connectivity (think vendor booths at fairs, etc.) could at least download a list of revoked keys onto a USB drive to limit fraud problems.
Finally, such a system would be its own non-repudiable audit trail. Your receipt is a transaction record signed by you, the other party, their bank and your bank. Nobody can deny knowledge of the transaction. You can easily store the transaction records of your purchases and your deposits. Even if the bank conveniently can't find a record of your deposit, YOU can provide the receipt signed by them and (for example) your employer. Each signature can include a datestamp so nobody can float the transaction.
It's amazing to me the vast difference between public perception and the truth about the security of transactions and banking in general. The fact is, nearly anyone, using nothing but the information found printed on your checks can create a fraudulent transaction. A signature means little since the cost of expert analysis is far more than the amount of most checks you write. The fact is that banking routinely relies on taking people's word for it. Nearly any transaction record can be forged (and so, repudiated).
Beyond that, banking depends on a pile of ancient mainframes, private networks (frame relay), 9600 baud modems, COBOL programs, and ancient proprietary record
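The transaction flow sketched in the comment above, worked through as an added example (this is not code from the original post): the holder pre-authorises one payment up to a limit, the merchant's terminal signs a request, the card countersigns only if the request is within the limit, and the bank verifies both signatures against keys it issued before adding its own. Lamport one-time signatures built from SHA-256 stand in for whatever public-key scheme a real chip card would use; the PIN, merchant name, timestamp and amounts are constructed for the demo.

```python
"""Added illustration of the pre-authorised, card-signed transaction the
comment above describes (not code from the original post).  Lamport
one-time signatures built from SHA-256 stand in for whatever public-key
scheme a real chip card would use; every party here signs at most once."""
import hashlib
import json
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport key pair: 256 pairs of random secrets; the public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes):
    """Reveal, for each bit of SHA-256(msg), the secret matching that bit."""
    bits = int.from_bytes(sha256(msg), "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]


def verify(pk, msg: bytes, sig) -> bool:
    bits = int.from_bytes(sha256(msg), "big")
    return all(sha256(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))


def fingerprint(pk) -> str:
    """Short key identifier used as the payer id in records and on revocation lists."""
    return sha256(b"".join(a + b for a, b in pk)).hex()[:16]


def canonical(record: dict) -> bytes:
    """Stable byte encoding so every party signs exactly the same record."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class Card:
    """The chip: the private key never leaves this object."""

    def __init__(self, pin: str):
        self._sk, self.pk = keygen()
        self._pin = pin                  # constructed demo PIN
        self._authorized_cents = None    # set by the wallet for one payment

    def authorize(self, pin: str, max_cents: int) -> bool:
        """Wallet step: log in with the PIN and approve one payment up to max_cents."""
        if pin != self._pin:
            return False
        self._authorized_cents = max_cents
        return True

    def sign_transaction(self, record: dict, pos_sig, pos_pk):
        """POS step: countersign the merchant's request only if it fits the authorisation."""
        if not verify(pos_pk, canonical(record), pos_sig):
            return None
        if self._authorized_cents is None or record["amount_cents"] > self._authorized_cents:
            return None
        self._authorized_cents = None    # the authorisation is single-use
        return sign(self._sk, canonical(record))


class Pos:
    def __init__(self, merchant: str):
        self._sk, self.pk = keygen()
        self.merchant = merchant

    def request(self, amount_cents: int, payer: str):
        record = {"merchant": self.merchant, "amount_cents": amount_cents,
                  "payer": payer, "ts": "2006-03-10T12:00:00Z"}   # constructed timestamp
        return record, sign(self._sk, canonical(record))


class Bank:
    """Checks both signatures against keys it issued, then adds its own."""

    def __init__(self):
        self._sk, self.pk = keygen()
        self.cards = {}        # fingerprint -> public key of each issued card
        self.revoked = set()   # fingerprints of lost cards (the list a merchant could download)

    def settle(self, record, pos_sig, pos_pk, card_sig):
        payer = record["payer"]
        if payer in self.revoked or payer not in self.cards or card_sig is None:
            return None
        msg = canonical(record)
        if not verify(pos_pk, msg, pos_sig) or not verify(self.cards[payer], msg, card_sig):
            return None
        return sign(self._sk, msg)     # the bank's signature completes the receipt


def run_demo() -> dict:
    bank, pos, card = Bank(), Pos("Corner Shop"), Card(pin="4321")
    payer = fingerprint(card.pk)
    bank.cards[payer] = card.pk

    card.authorize("4321", 2500)                  # holder approves one payment up to $25.00
    record, pos_sig = pos.request(2000, payer)
    card_sig = card.sign_transaction(record, pos_sig, pos.pk)
    receipt = bank.settle(record, pos_sig, pos.pk, card_sig)

    record2, pos_sig2 = pos.request(500, payer)   # no fresh authorisation: the card refuses
    repeat = card.sign_transaction(record2, pos_sig2, pos.pk)

    card.authorize("4321", 1000)                  # request above the approved amount
    record3, pos_sig3 = pos.request(1500, payer)
    over = card.sign_transaction(record3, pos_sig3, pos.pk)

    bank.revoked.add(payer)                       # card reported lost: its key is revoked
    after_revoke = bank.settle(record, pos_sig, pos.pk, card_sig)
    return {"receipt_valid": receipt is not None and verify(bank.pk, canonical(record), receipt),
            "repeat_refused": repeat is None, "over_limit_refused": over is None,
            "revoked_rejected": after_revoke is None}
```

Two design choices carry the comment's argument: the card only ever emits a signature over a record it has checked against the holder's own authorisation, so a terminal that sees the card cannot produce a second transaction, and the bank's decision depends on a key registry it controls, so a lost card is handled by revoking one fingerprint rather than changing the account number.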
Re:Supermarkets Defeating Chip & Pin (Score:5, Interesting)
You still don't know whether that card reader into which you inserted the card yourself is legit. With so many different designs and appearances of readers out there, how can you know?
Formerly, equipment to build fake readers was hard to come by, but this is unfortunately no longer true.
I've been expecting this for years (Score:1, Interesting)
Then I worked on my first US banking integrated solution. I was astounded when I realized I'd actually be working with RAW pin #'s and have a customer's full Track-2 data from their debit card. With those two pieces of info I could duplicate their card and use it anywhere. All that's required is one unsavory developer in cahoots with one merchant. I am surprised it's never happened sooner.
In the Canadian Interac system the banks supply the pin pads that have built in software so that it deals with the magstripe and the pin and ensures only the encrypted PIN # is available to the developer. Further, each pin pad has 3 encryption keys and with each transaction the response from the bank (which has to be decrypted by the pin pad) includes a new key to replace 1 of the 3 on the pinpad. It's quite common if there's communication errors for the keys to get out of sync and require a couple transaction retries to get resynced, but it's far far far better than the US system.
I lived in the US for a couple years since those days developing debit interfaces and I've never swiped my bank card at ANY merchant vendor machine. But back in Canada debit is king and I use it daily and with confidence it's safe.
Note: As an aside, the behind the scenes processing required for a credit/debit card transaction in the US is incredible. It's essentially chaos! The only saviour is that ignorance is bliss, and most of the developers for the US system haven't seen the back end of the Canadian banking system, which is very structured, simple and reliable.
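A model of the three-slot key rotation the comment above describes, added here as an example (not code from the original post or from Interac): the pad encrypts the PIN before the merchant's software ever sees it, every bank response carries a replacement key for the slot just used, and a response lost to a communication error leaves the pad and the bank out of step until a later transaction on that slot. A SHA-256 keystream with an HMAC tag stands in for the pad's real cipher, the PAN and PIN are constructed, and the resync rule (the bank keeps one previous key per slot and falls back to it) is this example's own assumption about how the retries the comment mentions could succeed.

```python
"""Added model (not code from the original post) of the Interac-style key
rotation the comment above describes: a PIN pad holds three key slots, the
bank's response to every transaction carries a replacement for the slot just
used, and a lost response leaves pad and bank out of step until a retry.
SHA-256 keystream + HMAC stands in for the pad's real cipher, and the resync
rule (the bank keeps one previous key per slot) is this example's assumption."""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for counter in range(n // 32 + 1):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag lets the receiver notice a wrong key."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None                      # wrong key (or tampering): refuse
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class PinPad:
    """Bank-supplied pad: the clear PIN exists only in here."""

    def __init__(self, keys):
        self._keys = list(keys)          # three injected key slots
        self._turn = 0

    def build_request(self, pan: str, pin: str) -> dict:
        slot = self._turn % 3
        self._turn += 1
        # Only the protected PIN block is handed to the merchant's software.
        return {"pan": pan, "slot": slot, "pin_block": encrypt(self._keys[slot], pin.encode())}

    def apply_response(self, response: dict) -> bool:
        if response["key_update"] is None:
            return False
        new_key = decrypt(self._keys[response["slot"]], response["key_update"])
        if new_key is None:
            return False
        self._keys[response["slot"]] = new_key
        return True


class Bank:
    def __init__(self, keys, pins):
        self._keys = list(keys)
        self._prev = [None] * 3          # assumption: last key per slot kept for resync
        self._pins = pins                # constructed PAN -> PIN lookup for the demo

    def handle(self, request: dict) -> dict:
        slot, resynced = request["slot"], False
        key_used = self._keys[slot]
        pin = decrypt(key_used, request["pin_block"])
        if pin is None and self._prev[slot] is not None:
            key_used, resynced = self._prev[slot], True   # pad missed the last update
            pin = decrypt(key_used, request["pin_block"])
        if pin is None:
            return {"approved": False, "slot": slot, "key_update": None, "resynced": False}
        approved = pin.decode() == self._pins.get(request["pan"])
        new_key = os.urandom(32)
        self._prev[slot], self._keys[slot] = key_used, new_key
        return {"approved": approved, "slot": slot, "resynced": resynced,
                "key_update": encrypt(key_used, new_key)}


def run_demo():
    """Returns (approved, resynced) per transaction for the scripted scenario."""
    keys = [os.urandom(32) for _ in range(3)]
    pan, pin = "4111111111111111", "4321"       # constructed test card
    pad, bank = PinPad(keys), Bank(keys, {pan: pin})
    log = []

    def transact(entered_pin, deliver_response=True):
        response = bank.handle(pad.build_request(pan, entered_pin))
        if deliver_response:
            pad.apply_response(response)        # otherwise the key update is lost in transit
        log.append((response["approved"], response["resynced"]))

    transact(pin)                               # slot 0: normal
    transact(pin, deliver_response=False)       # slot 1: comms error, pad keeps its old key
    transact("0000")                            # slot 2: wrong PIN declined, keys still rotate
    transact(pin)                               # slot 0: normal
    transact(pin)                               # slot 1 again: bank falls back, resyncs
    transact(pin)                               # slot 2: normal
    transact(pin)                               # slot 0: normal
    transact(pin)                               # slot 1: fully back in step
    return log
```

The part worth noticing is what the merchant's software handles: the request dict carries only the PAN, a slot number and an opaque PIN block, and the only place the clear PIN ever exists is inside the pad. The out-of-sync case shows up as one transaction on the affected slot that the bank can only read with its previous key, after which both sides agree again.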
Re:Why only 4 digits? (Score:3, Interesting)
Re:Supermarkets Defeating Chip & Pin (Score:5, Interesting)
No, the PIN never leaves the PINpad. The PINpads must be type approved by EMVco http://www.emvco.com/ [emvco.com]. A hash of the PIN is passed from the terminal to the PINpad which validates the PIN supplied by the customer. A signal is passed back to the till which confirms the PIN was valid.
There are strict restrictions placed on the retailer as to how much of the card data can be saved or logged.
Re:I've been expecting this for years (Score:3, Interesting)
I guess that the cryptographic engine that communicates to the Interac network must be supplied and approved by whatever payment provider the merchant chooses (GlobalPayments, etc.), but the pin pad keys themselves are usually integrated into the design of the front panel. I, therefore, have no assurance that the interface I'm entering my pin into is directly connected to the cryptographic system, without any sort of eavesdropping in the middle.
We had a problem with this a few years back here in Ontario, I can only assume that it will crop up elsewhere.
At least when I'm at a grocery store and I use a VeriFone SC500 (or whatever brand that store uses) with its seals intact, I can be reasonably confident that the device hasn't been modified to steal my pin. (Not 100% sure, of course, but the design of an ATM makes it much easier to subvert the electronics than a vendor-supplied pin pad does.) Of course, when the clerk swipes my card into their POS system rather than swiping it directly into the pad, I still have to be alert for cameras, shoulder-surfers, etc.
I found my debit card suddenly non-functional one day, and shortly thereafter got a call from the bank. Any card that had been used at a certain prominent gas station here in Hamilton had been hotlisted by the Interac folks, due to some sort of pin-harvesting scheme. Inconvenient, yes, but nice to know the banks at least try to stay on top of this sort of stuff.
Re:Supermarkets Defeating Chip & Pin (Score:3, Interesting)
The card stripe is read as the card is inserted, then at the bottom of the swipe slot the card lodges in the chip reader. You then enter your PIN into the remote keypad. The keypad encrypts the PIN [chipandpin.org] using triple-DES (keyed using a shared key) to transfer the PIN to the terminal. So, it's hard to eavesdrop the PIN in transit, but the PIN does end up in the same system as the swiped card data. Which means that (in principle at least) it's exactly as secure or insecure as the systems in the US that have been compromised.
Basically chip and pin is not there to protect the customers - it's there to protect the stores. But as no signature is involved, it's now harder for you to claim it wasn't you. And before, you couldn't give away your ATM PIN in UK stores, now you can.
Re:1, 2, 3, 4, 5? (Score:3, Interesting)
Citibank... Shittybank! (Score:1, Interesting)
Dude, if only you knew of the stupid inner workings of Citibank... They pushed the concept of "matrix structure" too far, nobody is really accountable for any shit in there. The worst thing is that, given their structure, it is really hard to prove that xxxxxx told them to do so. In the end, the analysts get screwed over and managers sail along happily.
One-Time PIN (Score:4, Interesting)
But I guess insurance companies love paying the damages, which rarely accrue to the account manager - rather, to the account holder.
Re:PIN Collisions (Score:3, Interesting)
I have accounts in 2 banks and they do things differently:
Desjardins (the local Quebec cooperative financial group... www.desjardins.com) uses 5-digit PIN numbers but you have to change the number at a counter...
NBC (National Bank of Canada, nbc.ca) uses 4-digit PIN numbers but you can change it at any NBC ATM.
My credit cards don't have any PIN numbers... everything is still done by signature...
Re:Supermarkets Defeating Chip & Pin (Score:3, Interesting)
By entering an incorrect pincode. When it is accepted, the device apparently is not validating the pincode.
Of course this does not work when the fraudulent device is in fact a real one with addition of a tap of client information, but the real devices are supposed to be designed in such a way that this is not easily possible.
The banks could be adding an extra confidence message to online devices, like displaying your date of birth after you have swiped the card and before entering the PIN. This makes it easier to confirm that the device is actually communicating with the bank and is not a standalone device (which you should avoid).
Re:This is FUD (unless Issuer coluding with Mercha (Score:1, Interesting)
So if you can derive the encryption key for thousands of cards from viewing the actual PINs plus co-ordinating with the actual magstripes, then you can just take any other magstripe and figure out the PIN.
However this is not a crack or a hack: this is a cryptographic somewhat-brute-force attack.
So maybe the only fault here is the storage of thousands of magstripes (as was previously mentioned).
Re:Why only 4 digits? (Score:2, Interesting)
I would like to see something along the lines of biometrics at ATMs (don't bother with the arguments against biometrics; I know. It's about raising the bar, not foolproofing.) or SecurID tokens.