
PIN Scandal 'Worst Hack Ever' 365

Posted by Zonk
from the cue-comic-book-guy-voice dept.
QuietLagoon writes "The evolving Citibank PIN scandal is getting worse with each passing day. Gregg Keizer of TechWeb News writes: 'The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs 'the worst consumer scam to date.' ... The problem...is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.'"
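The summary's point is that a stored PIN block is only as safe as the separation between it and whatever is needed to read it. The following is an added example, not code from the article, TechWeb or Citibank: it assumes the PIN blocks are ISO 9564-1 format 0 (the article does not name the format), models retailer records as constructed (terminal, PAN, 16-hex-digit block) tuples, and omits the 3DES step a real PIN pad applies. It shows that the format-0 XOR with the PAN is formatting, not secrecy, and scans a constructed log for blocks that give up a PIN using nothing but the PAN stored beside them.

```python
"""Added example (not code from the article, TechWeb, or Citibank): a compliance
scan for cleartext ISO 9564-1 format 0 PIN blocks retained in retailer records.

Assumptions: records are (terminal, PAN, 16-hex-digit PIN block); the block
format is format 0; the sample log below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEX = set("0123456789abcdefABCDEF")


def _pan_field(pan: str) -> int:
    """Format 0 PAN field: four zero nibbles, then the rightmost twelve PAN
    digits excluding the Luhn check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be a 13-19 digit number")
    return int("0000" + pan[:-1][-12:], 16)


def format0_block(pin: str, pan: str) -> str:
    """Build the *cleartext* format 0 PIN block as 16 hex digits.

    Nibble 0 is the format (0), nibble 1 the PIN length, then the PIN digits,
    padded with F; the field is XORed with the PAN field.  A real PIN pad
    3DES-encrypts this under a key the merchant never holds (encryption is
    omitted here); the XOR alone is formatting, not secrecy.
    """
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4-12 digits")
    pin_field = int(f"0{len(pin):X}{pin}".ljust(16, "F"), 16)
    return f"{pin_field ^ _pan_field(pan):016X}"


def recover_pin(block_hex: str, pan: str) -> Optional[str]:
    """Return the PIN if block_hex is a well-formed cleartext format 0 block for
    this PAN, otherwise None.  The PAN sits on the same record, so anyone who
    holds the record can do this; an opaque (encrypted) block fails the
    structural checks with high probability."""
    if len(block_hex) != 16 or not set(block_hex) <= HEX:
        return None
    pin_field = f"{int(block_hex, 16) ^ _pan_field(pan):016X}"
    if pin_field[0] != "0":
        return None
    length = int(pin_field[1], 16)
    if not 4 <= length <= 12:
        return None
    pin, pad = pin_field[2:2 + length], pin_field[2 + length:]
    if not pin.isdigit() or pad != "F" * len(pad):
        return None
    return pin


@dataclass
class Record:
    terminal: str
    pan: str
    pin_block: str  # 16 hex digits as found in the retailer's log


# Constructed log: POS-01 and POS-03 retained the cleartext block (the defect
# the article describes); POS-02 holds an opaque value standing in for a
# properly encrypted block (constructed bytes, not real ciphertext).
SAMPLE_LOG: List[Record] = [
    Record("POS-01", "4111111111111111", format0_block("1234", "4111111111111111")),
    Record("POS-02", "5500000000000004", "9B3E5F71C2A84D06"),
    Record("POS-03", "4012888888881881", format0_block("907310", "4012888888881881")),
]


def find_cleartext_pins(records: List[Record]) -> List[Tuple[str, str]]:
    """(terminal, PAN) pairs whose stored block yields a PIN from the PAN beside
    it: each one is a retained PIN, whatever the field is called."""
    return [(r.terminal, r.pan) for r in records
            if recover_pin(r.pin_block, r.pan) is not None]


if __name__ == "__main__":
    for terminal, pan in find_cleartext_pins(SAMPLE_LOG):
        print(f"{terminal}: cleartext PIN block retained for PAN ending {pan[-4:]}")
```

The same scan applies one step later to the situation the article describes: if the decryption key lives on the same network as the encrypted blocks, the scanner only needs a decrypt call in front of `recover_pin`, which is exactly why the pad must encrypt before anything leaves it and the key must stay in the acquirer's hardware.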
  • by Quaoar (614366) on Saturday March 11, 2006 @05:49AM (#14897407)
    That's amazing! I have the same combination on my luggage!
    • Re:1, 2, 3, 4, 5? (Score:3, Interesting)

      by iamdrscience (541136)
      The store I work at takes debit cards and while I don't go out of my way to check out people's PINs, I've definitely noticed somebody who has picked that PIN at least once. Another one I remember is somebody who picked 4444. Actually, now that I think about it, it may have even been a 6 digit PIN that was all fours. I mean, I guess it doesn't really matter what your PIN is, but I just can't imagine somebody deciding to make it all the same digit.
      • Re:1, 2, 3, 4, 5? (Score:3, Insightful)

        by B3ryllium (571199)
        Statistically speaking, it's no less secure than any other sequence. Especially at six digits, that actually makes it more secure from a brute force attack ...

        This issue has absolutely nothing to do with the choice of PIN; it has to do with latent storage of the PIN, aka not the consumer's fault.
        • Re:1, 2, 3, 4, 5? (Score:3, Insightful)

          by iamdrscience (541136)

          Statistically speaking, it's no less secure than any other sequence. Especially at six digits, that actually makes it more secure from a brute force attack ...

          This is what I meant when I said that "I guess it doesn't really matter what your PIN is".

          However, now that I think about it having an "obvious" PIN also makes it easier for somebody to glean your PIN. That's not a big problem because it's not usually how PINs are gotten, but it does happen. Also, like another response to your post pointed out, if yo

      • I randomly picked mine, and it still came out 9, 9, 9, 9.
  • PIN Collisions (Score:5, Interesting)

    by michaelhood (667393) on Saturday March 11, 2006 @05:51AM (#14897410)
    When we were assigning alarm codes at our new office, we realized that all 3 of us had the same ATM PIN, because we all tried to choose it for our alarm code but it errored because someone else had already claimed the code. It's a common 4-digit code among the tech community. =( All changed now.
  • still... (Score:5, Interesting)

    by LandownEyes (838725) on Saturday March 11, 2006 @05:55AM (#14897418)
    At least it's not as bad as the "go into debt because you own too many credit cards" hack that most Americans have fallen victim to.
  • It's intentional (Score:2, Interesting)

    by Anonymous Coward
    I'm not going to speculate on motives, or get into the politics, but 20 years as a computer scientist and software engineer tells me this is not an accident. Even the worst programmers do not make this sort of mistake.
    Rather similar to the Diebold voting machine scandal, one can only wonder what forces are behind this. You can't call it negligence, not even by the greatest leap of imagination is it possible to make such a mistake, so it must be malice. That is to say someone deliberately wrote the spec this
    • Re:It's intentional (Score:5, Interesting)

      by wfberg (24378) on Saturday March 11, 2006 @06:17AM (#14897459)
      You can't call it negligence, not even by the greatest leap of imagination is it possible to make such a mistake, so it must be malice.

      On the contrary, it is negligence. Negligence in replacing outdated systems with newer, more secure ones.

      The system where PINs are (potentially) stored is from an older, kinder time. In fact, a time where most places weren't hooked up to data networks permanently. The idea being that you could store transactions, and encrypted PINs, for a while, then connect and upload the data, and get your money. Obviously this is more suited to credit card transactions.

      The system was never designed by, well, competent people, and it was also not designed with modern networks in mind. Today, it would be a no-brainer to use some sort of challenge-response or public key algorithm. Like in "chip&pin" (where the PIN unlocks a public key signing-function on the chip card). But this is a remnant of the 70s.

      Every once in a while, a story crops up where it's found out that ancient protocols are still being used when a customer with a card from bank A withdraws money from an ATM from bank B (usually across borders, since at a national level (speaking about Europe here) electronic funds transfers are standardized pretty well). Only a few years ago, for example, it was found out it was possible to carry out a transaction in France with a card from the Netherlands without the actual PIN!

      This is basically the sort of thing that audits are supposed to catch, because to a lay person the fact that something "just works" is good enough. You only know it's insecure once something bad happens, or if you happen to have a degree in cryptography. In an audit, if you can't answer the question "so, you're sure it uses the latest XYZ123 standard and isn't misconfigured?", then you know you're in trouble. Guilty until proven innocent, rather than Management by Exception.
      • Re:It's intentional (Score:5, Interesting)

        by MichaelSmith (789609) on Saturday March 11, 2006 @06:57AM (#14897545) Homepage Journal
        On the contrary, it is negligence. Negligence in replacing outdated systems with newer, more secure ones.

        I remember that in the early days here in .au the banks ran batch processing late at night and the ATMs often couldn't connect to verify account balances. The fallback position was that the ATM would just give out the money and the account would eventually go into debt.

        I financed a (small) holiday by exploiting that bug.

        But the ATM card I use today is exactly like the card I used 20 years ago. And the phone card I carry is probably more secure. It has a value of $5.

    • Re:It's intentional (Score:5, Informative)

      by ozmanjusri (601766) on Saturday March 11, 2006 @06:19AM (#14897463) Journal
      Rather similar to the Diebold voting machine scandal, one can only wonder what forces are behind this.

      Well, since Diebold probably made the ATMs which were hacked, you could probably look in the same place. Interestingly, the story was broken by a blog. http://www.boingboing.net/2006/03/05/citibank_under_fraud.html [boingboing.net]

    • Re:It's intentional (Score:2, Informative)

      by ComaVN (325750)
      Yes. Yes, they really do make that kind of mistake. I've seen people make quiz-type webpages with just client-side JavaScript that checked the answers (which were, of course, plain-text in the HTML source). Granted, that was not as important as PIN numbers, but a lot of mediocre programmers just don't step back to reflect on what they've written. As far as they're concerned, it works, and they don't even contemplate ways malicious users might try to break it.

      The quiz was for a job application where so
    • Re:It's intentional (Score:2, Interesting)

      by whovian (107062)
      I'm not going to speculate on motives, or get into the politics, but 20 years as a computer scientist and software engineer tells me this is not an accident. Even the worst programmers do not make this sort of mistake.

      Allow me to feed your suspicions further.

      It's a fear tactic. It's a way to force people to warm up to the idea of mass-implementation of biometric ID. Then when you sign up, not only does the company get a copy of your information, but also the government.
    • I'm not going to speculate on motives, or get into the politics, but 20 years as a computer scientist and software engineer tells me this is not an accident. Even the worst programmers do not make this sort of mistake.
      Rather similar to the Diebold voting machine scandal, one can only wonder what forces are behind this. You can't call it negligence, not even by the greatest leap of imagination is it possible to make such a mistake, so it must be malice.


      See my .sig

      Michael
    • by elmegil (12001) *
      I'm with those who say it's negligence. BTW, you are aware that many/most of the ATM machines out there are made by Diebold, right?

      I'm no conspiracy nut who thinks Diebold deliberately threw the election (if they actually got caught, it'd be the end of the company), but I do think that they're incompetent programmers who wouldn't know security best practices if you whacked them with a book full of them. And I think that this problem ("pins left in temporary files") sounds very much like the same kind of s

  • Chip & Pin (Score:5, Interesting)

    by slashnik (181800) on Saturday March 11, 2006 @05:56AM (#14897421)
    I'm pretty sure that with the new chip and PIN cards that have recently been introduced in the UK, the PIN never leaves the card reader. The PIN is validated within the reader.
    The Point of sale system will have no access to this information and thus no chance of the creation of a database of PIN numbers.

    The card issuer however will know the PIN.

    I would still be happier with a photo on the credit/debit card. It's a little more difficult to steal my face.

    slashnik
    • by duffel (779835) on Saturday March 11, 2006 @06:02AM (#14897437)
      It's a little more difficult to steal my face.

      Albeit somewhat more painful.
    • by Fzz (153115) on Saturday March 11, 2006 @06:16AM (#14897457)
      Unfortunately, increasingly we're seeing supermarkets insist on swiping your chip'n'pin card, rather than relying on you entering the card into the terminal yourself. Tesco and Sainsbury's do this, perhaps others do. From the customer's point of view, this completely defeats the security provided by chip'n'pin. The supermarket now has all the information from the mag stripe, and also has your PIN. Anyone obtaining this information can reproduce your ATM card, and drain your account.

      In contrast, if you insert the card yourself, the system seems somewhat harder to defeat, although I don't actually know what information the store then has access to. Presumably less information, or they wouldn't want to swipe the card in the first place.

      So what's to do? I think the only sensible thing is to refuse point blank to ever hand over a chip'n'pin debit card. If they don't like this, don't pay, and tell them why. And tell others. The stores don't need to swipe your card, but they'll only learn this if enough people object.

      • That's terrifying if true. I had assumed the 'chip' part of the 'chip and pin' meant that you wouldn't be able to clone the card with a magnetic card reader. Do you have any references to back that up? (Not that I mean to imply that you're lying in any way - I'd just be fascinated to read them!)
        • However there is a code on there to say that it should be a chip card, however the strip is still there in case the chip or the reader breaks. This is the only real exploit I know of (and I coded the Tesco system and I think my software runs Sainsbury's now too), that you can break (or cover in something like nail varnish) the chip and then it is at the merchant's discretion as to whether they accept the transaction or not. In the case of fraud the liability is then with the merchant and not the card issuer.
      • The supermarket now has all the information from the mag stripe, and also has your PIN.

        I don't think that the supermarket has your PIN, more like the one way encrypted PIN information is passed from the point of sale terminal to the PIN pad. The PIN pad checks that the PIN entered is valid then the till will request authorisation from the acquirer.

        The full system is validated by the acquirers, if the retailer was found to be holding PIN information or modifying the certified PINpad hardware the retailer wou

        • I don't think that the supermarket has your PIN, more like the one way encrypted PIN information is passed from the point of sale terminal to the PIN pad. The PIN pad checks that the PIN entered is valid then the till will request authorisation from the acquirer.

          The card stripe is read as the card is inserted, then at the bottom of the swipe slot the card lodges in the chip reader. You then enter your PIN into the remote keypad. The keypad encrypts the PIN [chipandpin.org] using triple-DES (keyed using a shared key) to

      • Waitrose don't. One Stop don't. My local record place doesn't. Even my local dodgy computer hardware (£3.99 for a keyboard) don't swipe the card first. It just goes straight in the reader, enter PIN, wait 30 seconds, remove card.

        On the contrary, Tesco's self service tills (a fine example of making things more complicated than they need to be) require that you swipe your card (and no authorisation is needed! No signature, pin etc...). No chip needed. I haven't been in Sainsbury's for ages, but I'd haza
      • by ArsenneLupin (766289) on Saturday March 11, 2006 @08:00AM (#14897685)
        In contrast, if you insert the card yourself, the system seems somewhat harder to defeat

        You still don't know whether that card reader into which you inserted the card yourself is legit. With so many different designs and appearances of readers out there, how can you know?

        Formerly, equipment to build fake readers was hard to come by, but this is unfortunately no longer true.

      • Isn't it the case that they swipe the card through the magnetic reader and at the end of the swipe it lodges in the chip reader? It certainly is in the Tescos and Sainsbury's I use. Still, no point in my spoiling a good bit of righteous anger, is it?
        • Sure, but the point is that the store then has the entire contents of the mag stripe, and they have to transfer the PIN from the keypad to the card via the terminal that has the mag stripe data. So the contents of the magstrip and the PIN are in the same device. That's all you need to clone the ATM card. You don't need to clone the chip to produce a workable ATM card - just the stripe and the PIN. Now, I've no clue if they store that information, but the point is they don't need the contents of the stri
        • by slashnik (181800) on Saturday March 11, 2006 @08:47AM (#14897813)
          and they have to transfer the PIN from the keypad to the card via the terminal that has the mag stripe data.

          No, the PIN never leaves the PINpad. The PINpads must be type approved by EMVco http://www.emvco.com/ [emvco.com]. A hash of the PIN is passed from the terminal to the PINpad which validates the PIN supplied by the customer. A signal is passed back to the till which confirms the PIN was valid.

          There are strict restrictions placed on the retailer as to how much of the card data can be saved or logged.
      • by Nursie (632944) on Saturday March 11, 2006 @11:09AM (#14898334)
        Or at least I coded 50% of the chip and PIN software on Tesco's Point of Sale machines. You couldn't be more wrong.

        In order to pass accreditation there were many many security requirements, the most important of which is that the PIN never leaves the EMV hardware. There is a secure link between the little pad there and the swipe/park reader on the side of the PoS display. The PIN is hashed on the pin pad and the hash sent to the reader. It does not go any further. Ever. All the till software I wrote gets is a (secure) result code for whether verification was successful.

        The store does not get your PIN.

        As for the rest, The store gets all the info from the stripe ANYWAY. The chip has all the same info encoded on it, and a lot more. They don't need to swipe your card (and I must admit it mystified me why they would for a while) precisely because they have that data from the chip!

        The reason for the swipe is simple -
        • The staff don't have to change their action dependent upon whether it's a chip card or not, they just swipe it, sit it in the end of the reader and the transaction processes
        • The staff don't have to change their action from Pre-Chip'n'PIN days, they just swipe it and away we go.

        You appear to be worked up about very little.

        If you have any more questions I'd be more than pleased to answer them.
    • It's a little more difficult to steal my face.

      Don't count on it. Face recognition software can be fooled by a mannequin.

      -jcr
    • I have that on all my picture on all my credit cards.
      In the rare occasions people do check for my signature they go "oh that's useful, a picture".
      I don't know why they don't do the same everywhere. Signature validation is bull as some people are good at faking them, people suck at validating them and everybody's signature changes slightly depending on the situation.
      Looking at my face and comparing it to a color picture sounds so much easier and safer.
      The only workaround would be changing the picture on
      • The only workaround would be changing the picture on the card but it's printed on it so it starts getting complicated and costly for the thief.

        They only need to copy the information on the magnetic stripe (which is read out in its entirety every time it's swiped) onto a card that doesn't have a picture on it. That card can pretty much look like anything, seeing as regular credit cards are imprinted with all sorts of crap these days anyway. It would be nice for the name&numbers to match up, but not reall
    • Re:Chip & Pin (Score:3, Informative)

      by sparckzero (960394)
      I work in a small local convenience store in the UK, and as such our machine for doing debit/credit cards is completely separate to the EPoS system. The PIN never leaves the terminal that the customers use to enter the pin, and is wiped after it has been entered. There is physically no way for us to retrieve the PIN. We used to be able to override PIN entry with a supervisor card, before it became mandatory to use Chip and PIN. Now we can't do that anymore.
    • It's a little more difficult to steal my face.
      You must have never played Space Quest III. All you need to do is work as a janitor, go to the CEO's office when he is not there and take his card. Then you go to the photocopy room and take the picture of the CEO (which is conveniently placed above the copy machine) and make a color copy of it. Then you put back the original. Then when you need to get to the door you use the picture in front of the scanner and bingo, you are in.
    • Move to the Scandinavian countries. I was on a holiday last week in an area which is mostly Scandinavian tourist turf. All of them had parts of their ID printed on the back of the card. Including a picture.
    • I'm pretty sure that with the new chip and PIN cards that have recently been introduced in the UK, the PIN never leaves the card reader. The PIN is validated within the reader.

      Actually the PIN is validated by the card. The PIN is mangled through a one way transform by the POS terminal which passes the result to the card. The card then validates or rejects the result.

      This opens (opened actually, the protocol changed slightly since then) the door to devices known as "yes cards" which would just reply "yes t
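The comment above describes the card as the party that checks the PIN and returns a verdict, and the "yes card" as a forgery that returns "yes" to anything. The following is an added simulation, not code from the comment, EMVCo or any card scheme: the terminal's one-way transform is assumed to be SHA-256, the three-try lockout comes from elsewhere in this thread, and the countermeasure shown (the card authenticates its verdict with a key shared only with the issuer, and the issuer, not the terminal, does the trusting) is a generic design illustration, not a description of the protocol change the comment alludes to.

```python
"""Added example (not code from the comment, EMVCo, or any card scheme): offline
PIN verification by the card, the "yes card" failure mode, and one generic
countermeasure in which the issuer verifies the card's verdict.

Assumptions: SHA-256 stands in for the terminal's one-way transform; the
issuer key and all PINs below are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Tuple

PIN_TRY_LIMIT = 3  # lockout after three consecutive wrong PINs, as in the thread


def pin_digest(pin: str) -> bytes:
    """One-way transform the terminal applies before the value goes to the card."""
    return hashlib.sha256(pin.encode()).digest()


def verdict_tag(issuer_key: bytes, nonce: bytes, ok: bool) -> bytes:
    """MAC binding the verdict to this transaction's nonce under the issuer key."""
    return hmac.new(issuer_key, nonce + (b"\x01" if ok else b"\x00"), "sha256").digest()


@dataclass
class GenuineCard:
    stored_digest: bytes
    issuer_key: bytes          # personalised by the issuer; the terminal never sees it
    tries_left: int = PIN_TRY_LIMIT

    def verify(self, digest: bytes, nonce: bytes) -> Tuple[bool, bytes]:
        """Compare the offered digest on-card; count down to lockout on failure."""
        if self.tries_left == 0:
            ok = False                               # PIN blocked
        elif hmac.compare_digest(digest, self.stored_digest):
            ok, self.tries_left = True, PIN_TRY_LIMIT
        else:
            ok, self.tries_left = False, self.tries_left - 1
        return ok, verdict_tag(self.issuer_key, nonce, ok)


class YesCard:
    """The forged card from the comment: says 'PIN OK' to anything.  It was never
    personalised by the issuer, so it holds no issuer key and can only guess a tag."""

    def verify(self, digest: bytes, nonce: bytes) -> Tuple[bool, bytes]:
        return True, secrets.token_bytes(32)


def trusting_terminal(card, entered_pin: str) -> bool:
    """Terminal that believes the card's bare yes/no: a yes card sails through."""
    ok, _tag = card.verify(pin_digest(entered_pin), secrets.token_bytes(8))
    return ok


def issuer_checks_verdict(issuer_key: bytes, nonce: bytes, ok: bool, tag: bytes) -> bool:
    """Issuer-side check that the verdict came from a card holding its key."""
    return hmac.compare_digest(verdict_tag(issuer_key, nonce, ok), tag)


def issuer_checked_terminal(card, entered_pin: str, issuer_key: bytes) -> bool:
    """Terminal forwards (nonce, verdict, tag) to the issuer and acts on its answer.
    The issuer call is collapsed into a local function for the simulation."""
    nonce = secrets.token_bytes(8)
    ok, tag = card.verify(pin_digest(entered_pin), nonce)
    return ok and issuer_checks_verdict(issuer_key, nonce, ok, tag)


if __name__ == "__main__":
    key = b"constructed issuer key, not a real one"
    card = GenuineCard(pin_digest("1234"), key)
    print("genuine card, right PIN, trusting terminal:", trusting_terminal(card, "1234"))
    print("yes card, any PIN, trusting terminal:      ", trusting_terminal(YesCard(), "0000"))
    print("yes card, any PIN, issuer-checked:         ", issuer_checked_terminal(YesCard(), "0000", key))
```

The point of the simulation is where trust sits: a terminal that acts on an unauthenticated verdict is trusting whatever is in the slot, while a verdict bound to a fresh nonce under a key the forger cannot have is checkable by the party that actually bears the loss.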

  • Damn... (Score:3, Funny)

    by matr0x_x (919985) on Saturday March 11, 2006 @05:56AM (#14897422) Homepage
    Half of me is laughing because I'm picturing the comic book guy saying "Worst Hack Ever" - the other half is genuinely a little frightened at the lack of security guarding my finances :(
  • by Anonymous Coward on Saturday March 11, 2006 @06:05AM (#14897443)
    ... Change your fucking PIN right now. Don't be fooled by the Visa logo... Debit card fraud is not like credit card fraud, where the companies will almost always clear the charges at no (or minimal) cost to you. If a criminal steals your money through debit card theft you probably won't get it back.

    I was the victim of debit card abuse (from a different bank), I believe (from talking to other people in my neighborhood) that a gas station was logging debit #'s and PINs customers used at the pump, manufacturing cards and taking cash from ATMs. I was hit for about $2000 and it would have been more if I didn't catch it. The bank would not clear the charges, the police of course took a report but did nothing to follow up. I fought tooth and nail to get the bank to reimburse me, but they basically said it was my word against theirs. I demanded to see the ATM camera photos but they said they would only release them to the police, and of course the police refused to help with my request.

    Your mileage may differ, of course. But take this seriously.

    • by jcr (53032) <.jcr. .at. .mac.com.> on Saturday March 11, 2006 @06:31AM (#14897493) Journal
      I demanded to see the ATM camera photos but they said they would only release them to the police

      If you file suit, you can subpoena them.

      -jcr
      • What is the point? He'll have to pay court fees and spend hours, if not days, on this and when he gets them, the police won't do a damn thing. If, by some small miracle, the police catch the perp, there is virtually no chance of getting any money from the perp and the bank has more lawyers than he does (and $2000 isn't much when you're talking legal fees).

        A call to a congressman or your local "news crew that deals with fraud" might help, but I'm guessing both will stay away from a situation like this.
        • by jcr (53032) <.jcr. .at. .mac.com.> on Saturday March 11, 2006 @06:55AM (#14897539) Journal
          the bank has more lawyers than he does (and $2000 isn't much when you're talking legal fees).

          Which makes it quite likely that the bank will make the business decision to refund his money, since it will be cheaper than even the prep work for the bank to show up in court.

          -jcr
          • >Which makes it quite likely that the bank will make the business decision to refund his money,

            I don't think so.

            If they pay one person, they will be more inclined to pay others with the exact same case. Or at least encourage others to follow up more.

            It's cheaper in the long run for them to have it known that:
            "Don't mess with banks, they will throw expensive lawyers at you." than
            "Just get a lawyer to send a letter and the banks will do what ever you say, regardless of any existing legal contracts."
        • Small claims court can be used. A subpoena is good from any court.

          "He'll have to pay court fees and spend hours, if not days, on this and when he gets them, the police won't do a damn thing."

          I always get the police to act even if they don't want to act. All I do is ask the officer(s) if the police department is abdicating its responsibility in the matter, and if so, to put it in writing. If they abdicate then the responsibility falls on me, and then tell them to stay out of my way, and not interfere wit
    • I am with Royal Bank of Canada (RBC), within the past 3 years, I had one or both of my cards cancelled 4 times because of a potential problem (I was making purchases in the area where there was a known problem). So the bank always cancelled the card(s) and forced me to get new cards and new PIN. One time there was 500 dollars stolen from my business card (only 500, because it was a maximum allowed per day), and there were multiple registered attempts to steal more money, the bank investigated (to make sur
  • And best of all... (Score:5, Informative)

    by loraksus (171574) on Saturday March 11, 2006 @06:42AM (#14897517) Homepage
    Citibank is handling this just like you'd expect a credit card company would, with horrid customer service.
    If you're out of the country? Tough shit. Virtually all usage outside the USA will result in your card being automatically killed and the only way (apparently) for you to continue using your card is to have a new card shipped to your home address, activate the card from your home phone, and even then, their CSRs say that if you use it outside the USA, it may get automatically killed again.
    See one such story here [boingboing.net].

    You know, if this was bigger, it could be a good thing for everyone. Maybe then people would start taking things seriously. And although I usually don't think that we need new legislation, maybe in this case, it would be a good idea.
    I'd like to see criminal penalties applied against the directors of companies for losing customer information in the same way people can go to the pokey for screwing up under SOX.

    Then again, this breach isn't the worst we've heard about this week. 17 million records (names, phone numbers, addresses, e-mail addresses, IP addresses, logins, passwords, credit-card types and purchase amounts - everything except credit-card numbers) were discovered floating around the net.
    See here for details [wired.com].

    Oh, and if your card was used, good luck with trying to fix your credit.
    The credit system could use an overhaul.
  • by morkeld (104557) on Saturday March 11, 2006 @06:50AM (#14897528)
    Another data point in the saga of debit cards.

    A different bank's ATM machine ate my debit card. I then continued on my way to lunch expecting to be able to call up the bank later that day and get my card from the nearest branch. You see, this wasn't the first time the machine on campus ate my ATM card and that was the established protocol.

    This time, however, the person who got my ATM card out of the machine was the next person in line. They then took the card and proceeded to rampage around the local stores using my card to purchases clothes and shoes; lots of shoes.

    Being a debit card, it was drawing the money directly from my checking account. At the time, I was a college student and was basically living paycheck to paycheck. I wasn't in debt and I paid all my bills on time, I just didn't make enough money to save anything.

    The checks for my rent and all my bills had already been mailed, but not processed yet. By the time I called the bank about 3 hours after it ate my ATM card, I didn't have any cash left to pay the bills. I was a college student too, so they immediately accused me of being the one going around on this spending spree as some sort of scam against them. I was quite livid, to say the least.

    The next 3 months were a nightmare. Purchases that hadn't posted yet at the time of the theft were being rejected and I was constantly being called and written by merchants trying to get their money back. Of course, everyone eventually did get paid because this was fraud and the bank gave me back most of my money. It still took me quite a while to get everything put back correctly on my credit.

    It was amazing to me how many purchases waited to post to my account 3 or 4 or even 5 days after I made the purchase. I was being contacted by people that sold coffee, the grocery store, the campus book store and many more because this was all right at the start of classes.

    To this DAY, 7 years later, I refuse to get a debit card and always insist on an ATM only card.
    • Where I live the shop must ask you for a legal document that proves you're the owner of the card. In my case it's my identity card, and the name must match what's written on the debit card. If it doesn't you can't pay, plain and simple. I assume that if the picture on your ID card doesn't match they won't let you pay either. So why aren't shops over there asking for proof? In case my card was stolen the thief would have a hard time putting it to use because every time I pay with it I get an SMS on my phone,
    • I am sorry, can you please explain to me how the person who got your debit card was capable of buying all these products without your PIN? I don't understand it probably because I know that my debit cards are useless to anyone who doesn't have the proper PIN, and they will be locked if someone (including me) tries to use the card with a wrong PIN 3 times in one day.
      • Correction, not only 3 times in one day but 3 times in a row in one day.
      • I am sorry, can you please explain to me how was the person who got your debit card capable of buying all these products without your PIN?

        In the US, you can run a debit card transaction in two modes:

        1. "Debit" mode, which works like an ATM card (swipe card, enter PIN). It's also billed like one, so if your bank charges an ATM fee you'll get one. Hence this mode isn't used very often.
        2. "Credit" mode, which works like any other credit card (swipe card, sign; although sometimes you don't even have to sign
    • Isn't this what a PIN is supposed to prevent?

      Sure they got your card but that shouldn't get them much if they don't know the PIN.

      Unless it's those American "debit" cards that pretend to be credit cards - which I guess it is if transactions take time to get posted.

      I much preferred my Australian card, didn't pretend to be a credit card, took money directly from my savings account (read checking account, but without checks for if you're American) at the time of the transaction, required a PIN. Sure if the mercha
  • ...the user.

    Storing the pin data on the same machine as the decryption code is dumb. Storing the pin in the first place is dumb. Combine them and you get VERY dumb.

    When do people realize that security isn't something you can simply brush off to your IT department? Security is the minimum of system security and user security. Compromise one, compromise the whole system!

    It's time for some security awareness training. Especially in sensitive areas! I've been working for an auditing company, you'd be amazed (o
  • Why only 4 digits? (Score:4, Insightful)

    by matth (22742) on Saturday March 11, 2006 @07:06AM (#14897558) Homepage
    Something I've often wondered about. Why are ATM PINs only allowed to be 4 digits?!?!
    • by cimmer (809369) on Saturday March 11, 2006 @07:18AM (#14897583)
      I couldn't tell you, but I wouldn't feel much safer with a longer pin code. If someone gets your card number, what's the chance they'll guess the right one out of 10,000 before the bank shuts the card down? If someone steals a bunch of pin numbers from a computer system, it doesn't really matter if they are 4 digits or 9 digits - the end result is the same. The one advantage I can see with longer pin numbers is that they'd be harder to shoulder surf, but like I said, that wouldn't make me feel much safer. I think a better question is when ATMs will start using two factor authentication.
      • by Anonymous Coward
        Well, since the chip's unlocking of the public-key signature can be used as an oracle to whether or not you got the PIN right, and you can exploit a bug to reset the counter in a fraction of a second (which you couldn't do with an ATM), and it takes just a few seconds to try all 10,000 combinations... ...not to mention the problems that could be caused by modified, fraudulent Chip&Pin terminals logging PINs and storing the chip and possibly swipe too. ...and also not to mention the plain-and-simple shou
      • The PIN is usually encoded using different master keys. You will actually find that in reality, less than 33% of the available key space is available. Six digit codes are much better but infrequent.
      • by spood (256582)
        I think a better question is when ATMs will start using two factor authentication.

        ATMs are already using two-factor: something you have (ATM card) and something you know (PIN). What is it that you want them to be doing instead?
    • I have an ATM card from the largest non-government bank in Brazil (Bradesco), and I was required to come up with a PIN of six digits or more. This is the PIN I use for cash withdrawals or to authorize debit purchases at stores.
      Interesting point: debit cards like the ones in the USA, the ones accepted as credit cards, but that "behind the scenes" just debit the money from the owner's account, do not appear to exist in Brazil. Here we have two different types of cards: credit cards and ATM (here called "
  • Is it just Citi? (Score:5, Interesting)

    by jmichaelg (148257) on Saturday March 11, 2006 @07:07AM (#14897560) Journal
    If the retailers have been storing the Pin locally why would this just be a Citi issue. Wouldn't any debit card that went through their network be at risk?
  • by bobt1956 (945961) on Saturday March 11, 2006 @07:23AM (#14897595)
    It appears there's a clause for Debit cards used at ATMs... http://usa.visa.com/personal/security/visa_security_program/zero_liability.html [visa.com] Extract from above Link: The Zero Liability policy covers all Visa credit and debit card transactions processed over the Visa network--online or off. The only transactions not covered under the Zero Liability policy are commercial card, ATM, and non-Visa-branded PIN transactions.
  • by Hamster Lover (558288) * on Saturday March 11, 2006 @07:41AM (#14897640) Journal
    Debit cards are extremely popular in Canada. In fact, I believe we have the highest per capita use of debit cards anywhere in the world (Australia is apparently not far behind). The system even has its own name, Interac, and is so ubiquitous that I never carry cash because every merchant, and I do mean every merchant, is supplied with Interac. It's been this way for so long (Interac really took off around 1994 or so) that no one accepts cheques and hardly anyone carries cash.

    Therein lies the problem. If I pop in to a local convenience store 99 times out of 100 they'll have Interac, but you don't really know how trustworthy they are. In the last few years thieves have caught on that no one really carries cash and have come up with imaginative ways of skimming your card and stealing your PIN. There is a sense of relative safety and attractiveness in skimming debit cards instead of credit cards as they can then take a cloned card and PIN directly to a bank machine and receive cash. No fence, no signatures, no ID requirements, etc. The cost of equipment is relatively low: magnetic card reader/writer and a high quality digital video camera, the penalties almost laughable if you manage to get caught and the potential gain is just about limitless.

    I read somewhere, and I am too lazy to Google it, that debit card fraud took in $44 million in 2003 from around 27,000 people. That's approximately $1600 per person. I can't afford to lose that much and the banks don't seem to care. If you kick up a fuss and manage to get the media's attention then they'll do something about it and reimburse you, but count yourself lucky. At an estimated cost of $500 million to switch Interac to something like the chip and PIN system in the UK they can afford to lose a few customers here and there.

    I do technical support for point of sale systems and during our end of year discussions in the MIS department I learned that debit card use fell in terms of dollars spent for the first time in twelve years. Credit card use increased to make up the difference. I can only conclude that card skimming has become so prevalent, or at least the public perception has, that it has already seriously eroded confidence in the Interac system. I was really shocked to learn that. It's also possible that people didn't have as much money as in years past and moved to credit cards, but countering a twelve year trend seems too co-incidental.

    On the positive side, the Royal Bank does seem to be at least a little proactive in that they do monitor your account for unusually large cash withdrawals and have a system of daily transaction limits. I have been called twice by their security department in the last few years and told to report to the closest branch and have my card replaced. I was told simply that I used my card at a merchant where a suspected security breach (read: skimming operation) occurred. Inconvenient, but my savings are worth the inconvenience.
  • by Overzeetop (214511) on Saturday March 11, 2006 @08:05AM (#14897699) Journal
    for the mainstream population to embrace the debit card concept. Maybe I'm just paranoid, but if I'm going to be slinging plastic left and right, I want it to be somebody else's money until I get the statement and verify that all the charges to (insert 16 digits here) are, in fact, ones which I have authorized. It's just too easy to swipe a number and go to town.

    Do you trust yourself (with a high credit limit) less than you trust someone making $5/hr, or some shady internet site with your bank account? Oh, sure, you can dispute that charge. But guess what - that money is gone from your account until they decide to credit you back that transaction. If you don't discover the error for a few days or *gasp* until the end of the month when your statement comes in, you could be writing rubber (e)checks for all your monthly expenses. I wouldn't want to bet a couple hundred dollars that the bank will reimburse you for your NSF fees and vendor NSF charges - especially since I've asked, and several managers have confirmed that they will not reimburse those charges.

    I'm sure there's a small population out there who cannot get even a secured credit card. Okay, I'm fine with that - situations vary. But these things seem to be way too popular/numerous to be limited to those folks. To me, debit cards are the worst of both worlds - your money available on a card (nearly as bad as cash), but with the merchants and banks tracking your every purchase. *shakes head*

    Disclaimer: I carry cash for most personal transactions. That's how I budget. I take out a fixed dollar amount each week, and when that's gone, I stop spending money for the week. If that cash gets lost or stolen, odds are good that I'm probably going to be out less than $50. Disappointing, but that's a pretty small sum, and it's never happened in my adult lifetime. Big purchases & net transactions go on credit card, the latter amount being subtracted from the next week's withdrawal. Since I keep 2-3 months of expenses in my checking account, a debit card is a liability I do not want.
    • Coming from the opposite end of the spectrum (as I use credit cards whenever possible and cash when I have to), I also deplore the idea of a debit card. If you are responsible with money, there's nothing you need a debit card for. If you want to act like you're pulling money directly from checking, then record the amount in your balance book as if it were a debit card transaction. (You are carrying a balance book, aren't you?) As long as you're paying off the card monthly, you'll pay no fees for charging
  • An implant in your hand or your head?
  • One-Time PIN (Score:4, Interesting)

    by Doc Ruby (173196) on Saturday March 11, 2006 @09:17AM (#14897912) Homepage Journal
    When will damages cost the account managers more than switching from plaintext permanent passwords to one-time pad PINs? It's not that expensive to switch, but of course much cheaper. Even better is a OTP-encrypted message containing the senderID, recipientID, money amount, and expiration date.

    But I guess insurance companies love paying the damages, which rarely accrue to the account manager - rather, to the account holder.
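    The following is an added example, not part of the thread or of any poster's code, of the kind of single-use, expiring authorisation message Doc Ruby sketches above: a record of sender ID, recipient ID, amount and expiry, XORed with a fresh slice of a pre-shared one-time pad that both the customer side and the bank consume exactly once. The field layout, slice sizes, the `PadLedger` bookkeeping and the HMAC tag are all assumptions of this example; the HMAC in particular goes beyond the post, because a bare XOR pad hides the amount but does not stop someone flipping its bits in transit, which the demo shows. How the pad is provisioned out of band is outside the example, and note that a pad stored on the same host as the transaction logs recreates the "key next to the data" problem raised earlier in the thread.

```python
import hashlib
import hmac
import os
import struct

# Fixed-width record: 8-byte sender ID, 8-byte recipient ID, amount in cents,
# expiry as Unix seconds. Field names and sizes are assumptions for the example.
RECORD = struct.Struct(">8s8sQQ")
MSG_LEN = RECORD.size            # 32 bytes of pad used as the XOR key stream
MAC_KEY_LEN = 32                 # 32 more bytes of pad used as a one-time MAC key
SLICE = MSG_LEN + MAC_KEY_LEN    # pad consumed per transaction


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PadLedger:
    """One party's copy of the pre-shared pad plus the slices already spent.

    The customer side advances a cursor; the bank side records every offset it
    has accepted so a captured message cannot be submitted a second time.
    """

    def __init__(self, pad: bytes):
        self.pad = pad
        self.cursor = 0
        self.spent = set()

    def fresh(self):
        off = self.cursor
        if off + SLICE > len(self.pad):
            raise RuntimeError("pad exhausted; a new pad must be issued")
        self.cursor = off + SLICE
        return off, self.pad[off:off + SLICE]

    def lookup(self, off):
        if off < 0 or off % SLICE or off + SLICE > len(self.pad) or off in self.spent:
            return None
        return self.pad[off:off + SLICE]


def authorize(ledger, sender, recipient, amount_cents, expiry):
    """Customer side: encrypt the record with a fresh slice and bind it with a
    MAC so the XOR-malleable ciphertext cannot be edited in transit."""
    off, sl = ledger.fresh()
    key_stream, mac_key = sl[:MSG_LEN], sl[MSG_LEN:]
    plain = RECORD.pack(sender.ljust(8, b"\0"), recipient.ljust(8, b"\0"), amount_cents, expiry)
    body = xor(plain, key_stream)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return off, body + tag


def verify(ledger, off, message, now):
    """Bank side. Order matters: an unknown or already-spent slice is a replay;
    a bad MAC is tampering and must NOT burn the slice (otherwise corrupting a
    genuine message in flight would invalidate it); only a message that passes
    the MAC is marked spent, and it is then checked for expiry."""
    sl = ledger.lookup(off)
    if sl is None:
        return False, "replayed or unknown pad slice", None
    key_stream, mac_key = sl[:MSG_LEN], sl[MSG_LEN:]
    body, tag = message[:MSG_LEN], message[MSG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return False, "MAC mismatch: tampered or forged", None
    ledger.spent.add(off)
    sender, recipient, amount, expiry = RECORD.unpack(xor(body, key_stream))
    if now > expiry:
        return False, "expired", None
    return True, "ok", {"sender": sender.rstrip(b"\0"), "recipient": recipient.rstrip(b"\0"),
                        "amount_cents": amount, "expiry": expiry}


def demo(now=1_700_000_000):
    """Run the scenarios on constructed sample data and return the outcomes."""
    shared = os.urandom(SLICE * 4)            # provisioned out of band to both sides
    customer, bank = PadLedger(shared), PadLedger(shared)
    out = {}

    off, msg = authorize(customer, b"ACCT-001", b"SHOP-042", 4599, now + 60)
    out["accepted"], _, fields = verify(bank, off, msg, now)
    out["amount"] = fields["amount_cents"]
    out["replay"], _, _ = verify(bank, off, msg, now)        # same message again

    # Why the MAC matters: XOR alone is malleable. Flipping the low bit of the
    # amount's last byte (body offset 23) turns a 4599-cent charge into 4598
    # without knowing a single byte of the pad.
    off2, msg2 = authorize(customer, b"ACCT-001", b"SHOP-042", 4599, now + 60)
    bent = bytearray(msg2)
    bent[23] ^= 0x01
    key_stream = shared[off2:off2 + MSG_LEN]
    out["bare_xor_amount"] = RECORD.unpack(xor(bytes(bent[:MSG_LEN]), key_stream))[2]
    out["tampered"], _, _ = verify(bank, off2, bytes(bent), now)
    out["genuine_after_tamper"], _, _ = verify(bank, off2, msg2, now)   # slice not burned

    off3, msg3 = authorize(customer, b"ACCT-001", b"SHOP-042", 100, now - 1)
    out["expired"], _, _ = verify(bank, off3, msg3, now)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

    The bank's ledger of spent offsets is what makes each authorisation single-use; the expiry field limits how long a captured-but-unsent message stays worth stealing; and the MAC is what stops the amount being edited. Drop any one of the three and the scheme fails in a different way.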
  • My take on it (Score:3, Informative)

    by austad (22163) on Saturday March 11, 2006 @11:49AM (#14898497) Homepage
    See my article here on this. Bottom line, I don't think it's necessarily a problem with retailers storing PINs, it's a fundamental implementation problem.

    http://www.signal15.com/articles/2006/03/09/atm-card-fraud-and-bank-negligence [signal15.com]
