  1. #1
    Senior Member jp_48504's Avatar
    Join Date
    Apr 2005
    Location
    NC
    Posts
    19,168

    PIN Scandal "Worst Hack Ever;" Citibank Only The Start



    By Gregg Keizer, TechWeb News

    The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs "the worst consumer scam to date."

    Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.

    But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president.

    "This is the worst hack ever," Litan maintained. "It's significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things."

    Unlike credit cards, debit cards offer an additional level of security: the password-like Personal Identification Number, or PIN.

    "That's the irony, the PIN was supposed to make debit cards secure," Litan said. "Up until this breach, everyone thought ATMs and PINs could never be compromised."

    Litan's sources in the financial industry have told her that thieves hacked into an as-yet-unknown system, and made off with data stored on debit cards' magnetic stripes, the associated "PIN blocks," or encrypted PIN data, and the key for that encrypted data.

    The problem, she continued, is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.

    In this case, Litan said, the thieves used the information to crank out counterfeit debit cards, then emptied accounts at ATMs. She estimated that they absconded with "at least a couple of thousand records, maybe more" and have cashed out to the tune of "millions already."

    The victim of the hack attack isn't yet known, although some banks have pointed fingers at OfficeMax, which has denied that its system was penetrated.

    Litan believes it much more likely that a third-party processor or terminal supplier was involved; the silence about the victim could point to a processor, she said, because they have the most to lose by the negative publicity.

    Last summer, credit card processor CardSystems was hit with a massive breach that involved millions of accounts; CardSystems essentially sank under the publicity, and was later bought by Pay By Touch. In February 2006, the FTC reached a settlement with CardSystems that requires it to adopt more stringent security measures, but the company remains open to consumer lawsuits that could mean millions in payouts.

    No matter who is to blame, the bank industry is only about halfway through cleaning up the breach, said Litan. And more of the same is on the way.

    "This will become a trend with criminals," she bet. "Hackers will do this as much as they can" because it's far easier to empty checking accounts at ATMs than to buy goods with purloined credit cards, then sell the goods to generate cash.

    So what's a consumer to do?

    "Security is tight at the ATM, but point-of-sale is a whole other story," said Litan. "Look at your [debit card] account on a regular basis, and don't use a PIN-based debit card at point-of-sale," she recommended. "I never do."

  2. #2
    Senior Member JuniusJnr's Avatar
    Join Date
    Apr 2005
    Posts
    5,557
    Bury our money in the back yard in a coffee can, maybe?

  3. #3
    Senior Member Coto's Avatar
    Join Date
    Jan 2006
    Posts
    1,726
    The Citibank scandal took place in Bangalore, India

    http://www.alipac.us/ftopict-18376-citibank.html

    http://www.ecommercetimes.com/story/42112.html

    In spite of the scandal, MPhasis won an information security award.

    Note: If you are a fraud victim, where the fraud took place in India, you have to travel to India to file suit against the vendor company. If you do so, such a lawsuit will take 10 years or more to come to trial, and you are guaranteed to lose the case.

    What part of "We don't owe our jobs to India" are you unable to understand, Senator?

  4. #4
    Senior Member JuniusJnr's Avatar
    Join Date
    Apr 2005
    Posts
    5,557
    un-friggin believable!

    Where's Pine straw guys with that finger when we need him?
