Two versions of cash-register software made by Fujitsu Transaction Solutions are under scrutiny, according to a warning Visa issued to the companies that process card transactions for some of the nation's largest retailers. A Visa representative confirmed that the warning was sent.
Some of Fujitsu's retail customers include Best Buy, Staples and OfficeMax, but it is not known which companies use the software Visa claims is flawed.
Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts.
Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months and have told customers that thieves obtained vital debit-card information as a result of a security breach at a large merchant.
One commonality among the fraud victims, according to law enforcement and banking officials, is that most had shopped at one of Fujitsu's clients: OfficeMax.
The office-supply retailer has said that it has found no indication that it suffered an illegal intrusion. Fujitsu, which did not return repeated phone calls from CNET News.com on Friday, denied that its software has had anything to do with any alleged security breach. A representative for the company told the Journal that customer data, such as PIN codes, could not be stored using just its software. Other software tools would have to be added.
Major credit-card companies have banned the storing of customer data and can fine merchants who do store such data. The fear is that customer information may be a sitting duck for hackers should it be left in a company's computer system.
What may be more worrisome for consumers is that it is not uncommon for merchants to accidentally stockpile their customers' data, said Branden Williams, a principal consultant at the computer-infrastructure firm VeriSign.
Among VeriSign's services is assessing a company's computer systems to ensure they meet the security standards required by the big credit-card firms.
During his white-glove inspections, Williams said, he has often found software that would trap customer data, including PIN information, without the retailer's knowledge. Big companies working with complex systems are more prone to such slipups, he said.
"You could totally understand how they could forget to turn off some switch," he said.
But Williams said there's no reason for the problem to go unchecked. Not only are there companies like VeriSign that will monitor system security, but Visa also offers a list of software products proven not to store data.
Neither of the Fujitsu products, RAFT and GlobalStore, is among the products approved by the major credit-card companies. This does not mean that the software fails to meet industry standards; it only means that the software has not undergone the review process needed for sanctioning by the group, according to a note on Visa's site.
"It's really the responsibility of a company doing business to protect their customers," said Williams. "Especially when you consider what's at stake: identity theft, bad public relations and potential fines. Software vendors should also have their applications checked for any vulnerabilities that could lead to a security breach."
Recently I was asked to sign the signature capture device 3 times because my first signatures didn't go through. 'Go through what?' I asked. The cashier was either ignorant or didn't wanna let me in on the secret. Think about it: she asked for my zip code, my phone number, and she had my debit card account number and my signature. Because I had a Best Buy card, they also sometimes asked for my social at the counter. I signed it incorrectly a second time because I really have no idea what my sig looks like.
Now I only use cash. I don't give away personal information. They don't need it. I've been giving my zip code and phone number for years - and I've never seen any change in the store's products. It's supposed to personalize the experience so that the store won't waste money on things the local populace doesn't buy. But I don't see why they need my signature and social in a database.
Best Buy, you wanna help me? Tell that fat bouncer at the door to worry less about seeing my receipt and more about helping me get my purchase through the friggin door. It's insulting. As if I'd come off register 1 with a PC and an HD TV, after giving them my social, zip code, phone number and signature, then scan my debit card, smile at the camera above the door and then make a run for it.
Now I shop for electronics online. If and when I do venture to a Circuit City or Best Buy - I use cash only and I give false information.
mark d.
off' used in this article? It makes it sound like it was a simple
mistake that this happened.
It was purposeful hacking done to facilitate theft. There is no other
reason why a PIN should be stored at a merchant.
The PINs were intentionally stored and then intentionally used -- perhaps by a different party than the party who stored the PINs.
But doesn't this storage transgression make for two crimes?
A. Storing the personal information breaks their contractual legal obligations.
B. And AIDING and ABETTING the thieves, by providing data ("accidentally" or otherwise) should make OfficeMax at least an ACCESSORY to that felony.
These companies should be punished on both counts.
retail) and be done with the fraud thing?
I noticed your posting. I had the same question a while back, but there are some other considerations which factor in. First off, people aren't fond of biometrics. They feel it is invasive to privacy. Next up, some privacy legislation requires biometrics to be optional (and truly optional - not optional as in "you can choose not to use it but it's at your peril" - there has to be another good alternative available). These two things alone make it a poor business choice in most cases. Lastly, it doesn't necessarily solve the problem. If software security holes allow PIN numbers to be read in the clear, what's to prevent similar programming holes from allowing a fingerprint to be re-created? The encryption could be weak in the system or even non-existent. I tested a system recently where a replay attack was possible because of an error in the driver code. It's easier to replace a card and a PIN than a fingerprint that has been compromised.
Chip cards are coming and they will likely address these issues but without the privacy concerns that surround biometrics.
http://news.yahoo.com/s/ap/20060319/ap_on_bi_ge/unpaid_fines
MasterCard, Visa, AmEx, et al. have created an entity named PCI (Payment Card Industry) which has consolidated data security standards (DSS) from several of the founding companies into a single standard. PCI DSS enforcement is rumored to be turned over to a third party.
The fines, should they be levied, are significant. Penalties vary, but include the revocation of merchant rights for MasterCard, Visa, or American Express. Additionally, a merchant is responsible for all entities that participate in the storage, processing, or handling of credit card data.
VISA Blames The Consumer
by Stating, March 19, 2006 10:00 AM PST
Take a look at the security section of Visa's website (visa.com). Their entire spiel about security and identity theft blames the victim.
No advice about not giving out unnecessary personal information to merchants, about reporting merchants whose swipe machines DO NOT require a PIN to be entered, etc.
It's the same old garbage that if you were hacked, it's YOUR FAULT. To VISA I say, "Kiss My Grits."

VISA, MasterCard, et al. hold the merchant responsible
by jtpickering, March 20, 2006 9:49 AM PST
Caveat lector: My reply is limited by space, among other things. Research PCI DSS, Visa's CISP program, and MasterCard's SDP program for a more thorough understanding of this topic.
/personal/security/protect_yourself/id_theft/how_it_happens%2Ehtml
A post stated:
"Take a look at the security section of Visa's website (visa.com). Their entire spiel about security and identity theft blames the victim.
No advice about not giving out unnecessary personal information to merchants, about reporting merchants whose swipe machines DO NOT require a PIN to be entered, etc.
It's the same old garbage that if you were hacked, it's YOUR FAULT."
On the site you mention, under "Use credit and debit cards safely" it says (in part): "When using your credit card do not volunteer any personal information." The page goes on to give some good advice. I will admit it does not specifically state that you shouldn't give personal info to the merchant, but if a reasonable person reads the information, he/she will come to the conclusion that personal information (other than identity authentication) is not required to complete a credit/debit card transaction.
A sale is a business transaction, not an exchange of personal information - caveat emptor. You do not owe the merchant your phone number, zip code, or mother's maiden name when you want to buy goods from them. If the merchant won't complete the transaction without that information, get creative.