Comments on: Prosecutor: Debit card crime ring busted

Authorities link 14 people to credit and debit card information that a prosecutor says was stolen from OfficeMax and other businesses.

[Seaspray0]

Chain should be held accountable

By what right did the chain have to store the pin number? They didn't need it. When you make a transaction, it gets verified with the bank. They had no right to keep it on file... but they did. They should be held accountable for the losses. It would be a good lesson in the responsibility that comes with storing personal data.

[NoelWeb]

I agree, some responsibility should be held...

Without a doubt, the only way this is going to stop is to hold retailers who choose to retain customer-payment-information insecurely completely responsible. They should be held liable for the damages caused, and also be required to carry insurance if they choose to retain customer-payment-information like PIN numbers and such.
As a software-developer who works with e-commerce applications, the very thought of retaining this type of information scares me. I know that NO security-system is truly secure. I also know that security, in a lot of cases, can only be as good as the developer(s) implementing a security scheme. Thus, ALL of my payment-systems NEVER retain information that could lead to a problem like this. Credit card numbers, expiration dates, social security numbers, etc, are all discarded as soon as they've been used to authorize a payment or confirm an identity. They are NEVER even saved. I realize not all applications have the luxuries that mine have in the past. Then again, I've made these points clear with my clients up-front, BEFORE we've even started developing an application.
The flip-side to this concerns the users of a security system, themselves, in this case, a retailer. These retailers SHOULD know better! Not only that, but the retailer in question here is a provider of technology-related products. What a blow to their reputation! As an example of what I've seen clients do, I can't count how many times I've visited a client of mine, only to see their passwords clearly written on sticky-notes, attached to the bottoms of their monitors. An I/T department who hasn't educated their employees well-enough to not do something so STUPID, should also be scrutinized and brought to task, along with the employees themselves.
Security should not only cover electronic access, but physical, and social as well. For a retailer as large as the one mentioned in this article, I find it pathetic and in-excusable that this would be allowed to happen.

[Seaspray0]

Chain should be held accountable

By what right did the chain have to store the pin number? They didn't need it. When you make a transaction, it gets verified with the bank. They had no right to keep it on file... but they did. They should be held accountable for the losses. It would be a good lesson in the responsibility that comes with storing personal data.

[NoelWeb]

I agree, some responsibility should be held...

Without a doubt, the only way this is going to stop is to hold retailers who choose to retain customer-payment-information insecurely completely responsible. They should be held liable for the damages caused, and also be required to carry insurance if they choose to retain customer-payment-information like PIN numbers and such.
As a software-developer who works with e-commerce applications, the very thought of retaining this type of information scares me. I know that NO security-system is truly secure. I also know that security, in a lot of cases, can only be as good as the developer(s) implementing a security scheme. Thus, ALL of my payment-systems NEVER retain information that could lead to a problem like this. Credit card numbers, expiration dates, social security numbers, etc, are all discarded as soon as they've been used to authorize a payment or confirm an identity. They are NEVER even saved. I realize not all applications have the luxuries that mine have in the past. Then again, I've made these points clear with my clients up-front, BEFORE we've even started developing an application.
The flip-side to this concerns the users of a security system, themselves, in this case, a retailer. These retailers SHOULD know better! Not only that, but the retailer in question here is a provider of technology-related products. What a blow to their reputation! As an example of what I've seen clients do, I can't count how many times I've visited a client of mine, only to see their passwords clearly written on sticky-notes, attached to the bottoms of their monitors. An I/T department who hasn't educated their employees well-enough to not do something so STUPID, should also be scrutinized and brought to task, along with the employees themselves.
Security should not only cover electronic access, but physical, and social as well. For a retailer as large as the one mentioned in this article, I find it pathetic and in-excusable that this would be allowed to happen.

[picklesdaddy]

Many are at fault

Those who stole the debit card data are obviously the ones who need to be prosecuted, but are they the only ones who are at fault? How about the merchant who stored the pin numbers in a database so that they could be stolen. This is as irresponsible as it gets. I hope this practice isn't widespread. My debit card number was among those that needed to be cancelled. I am now questioning the loyalties of my credit union. They are keeping secret the identity of the merchant who caused this problem. They should be publishing the identity of this merchant to their customers. They need to do this so that debit card holders can protect themselves by shopping elsewhere.

[picklesdaddy]

Many are at fault

Those who stole the debit card data are obviously the ones who need to be prosecuted, but are they the only ones who are at fault? How about the merchant who stored the pin numbers in a database so that they could be stolen. This is as irresponsible as it gets. I hope this practice isn't widespread. My debit card number was among those that needed to be cancelled. I am now questioning the loyalties of my credit union. They are keeping secret the identity of the merchant who caused this problem. They should be publishing the identity of this merchant to their customers. They need to do this so that debit card holders can protect themselves by shopping elsewhere.

User Beware

When using a debit card, one should always be concerned about the transmission and storage functions carried out on one's behalf by any company swiping the card. By using a third party card, such as a credit card, one mitigates the risk for direct fraud somewhat by not keying in a direct access PIN code for a personal bank account.

Let the credit card companies deal with the risk since one typically pays for it anyways.

User Beware

When using a debit card, one should always be concerned about the transmission and storage functions carried out on one's behalf by any company swiping the card. By using a third party card, such as a credit card, one mitigates the risk for direct fraud somewhat by not keying in a direct access PIN code for a personal bank account.

Let the credit card companies deal with the risk since one typically pays for it anyways.

[Stating]

Bricks And Mortar And Stovepiping

What this story tells me is that one needs to keep the majority of one's cash and cash equivalents in bricks and mortar institutions like banks and not have these accounts be electronically accessable via cards. You need to keep only a small amount of money in a card accessable account, and then periodically go down to your local bank and use a paper deposit/transfer slip to move the money between your large protected account and your small unprotected account.

The public has clearly been sold a bill of goods by being encouraged to do paperless banking, online banking, ATM banking, and to use cards of various sorts for retail transactions (Master the possibilities, VISA it's everywhere you want to be). Sure this is good for the banks, because it lowers their transaction costs (they can close branches and layoff tellers), but it clearly creates a huge fraud exposure problem for the public. I will once again repeat my mantra to use cash for any retail purchase of $100 or less. The people who bought their paper, pens, and ink from OfficeMax with cash were not exposed to a security breach. The fewer electronic transactions you do, the less risk you run of becoming a victim. This is the electronic equivalent of avoiding walking through bad neighborhoods. Nowdays one must assume that ALL electronic neighborhoods are bad neighborhoods.

[Stating]

Bricks And Mortar And Stovepiping

What this story tells me is that one needs to keep the majority of one's cash and cash equivalents in bricks and mortar institutions like banks and not have these accounts be electronically accessable via cards. You need to keep only a small amount of money in a card accessable account, and then periodically go down to your local bank and use a paper deposit/transfer slip to move the money between your large protected account and your small unprotected account.

The public has clearly been sold a bill of goods by being encouraged to do paperless banking, online banking, ATM banking, and to use cards of various sorts for retail transactions (Master the possibilities, VISA it's everywhere you want to be). Sure this is good for the banks, because it lowers their transaction costs (they can close branches and layoff tellers), but it clearly creates a huge fraud exposure problem for the public. I will once again repeat my mantra to use cash for any retail purchase of $100 or less. The people who bought their paper, pens, and ink from OfficeMax with cash were not exposed to a security breach. The fewer electronic transactions you do, the less risk you run of becoming a victim. This is the electronic equivalent of avoiding walking through bad neighborhoods. Nowdays one must assume that ALL electronic neighborhoods are bad neighborhoods.

[Magicland]

It was Office Max

I was one of those whose numbers were stolen. My wife, who has an account at the same financial institution, wasn't. The only place on my account that doesn't also show up on hers is Office Max, where I purchased ink for my printer.

[Magicland]

It was Office Max

I was one of those whose numbers were stolen. My wife, who has an account at the same financial institution, wasn't. The only place on my account that doesn't also show up on hers is Office Max, where I purchased ink for my printer.

[tbsteph]

Why Retain a PIN?

For what purpose was Office Max capturing and storing PIN numbers particularly from customers who visited one of their brick and mortar stores? I cannot think of one legitimate purpose.

Obviously the info thieves are ultimately to blame but Office Max and any others bear a degree of responsibility for making such a data theft even a possibility. Being stupid, lazy or crooked in not a very good defense of their behavior.

[tbsteph]

Why Retain a PIN?

For what purpose was Office Max capturing and storing PIN numbers particularly from customers who visited one of their brick and mortar stores? I cannot think of one legitimate purpose.

Obviously the info thieves are ultimately to blame but Office Max and any others bear a degree of responsibility for making such a data theft even a possibility. Being stupid, lazy or crooked in not a very good defense of their behavior.

[nightstar]

Wal-Mart/Sams Club Too

My card was involved with this also. The only place I have ever entered my PIN, besides the ATM, was Wal-Mart. I have never bought anything from Office Max. I know my local Wal-Mart forces me to enter my PIN even though I choose credit. They have changed this in recent days. One should have the choice to choose credit/debit on their bank card and not be forced to one or the other.

[nightstar]

Wal-Mart/Sams Club Too

My card was involved with this also. The only place I have ever entered my PIN, besides the ATM, was Wal-Mart. I have never bought anything from Office Max. I know my local Wal-Mart forces me to enter my PIN even though I choose credit. They have changed this in recent days. One should have the choice to choose credit/debit on their bank card and not be forced to one or the other.

[heystoopid]

One small problem

One small problem, called lack of trust, the top four major banks in the country involved in the scam, whilst issuing large numbers of replacement cards, deliberately took the combined steps of initially telling total lies and virtual propaganda, when customers queried why the existing cards became suddenly locked out!

It wasn't until, the episode, was blogged on the internet, and became public knowledge, that some more truthful information was eventual given to persistent irate customers only(but never full disclosure), and the lies from these venerable institutions continued to be issued unabated for the masses!

Question is this if a major bank is willing to insult it's customers over a small security breach involving several million debit cards, then the next question is what else are they also hiding from their customers on a daily basis!

If truth be told, all customers affected should be sent a formal appology letter with a detailed explanation, signed by both the Bank's Chairman of the Board and CEO, as to why their staff were instructed to tell lies on their behalf!

Anything less than that, means they hold their customers in total contempt and will continue to treat them like lambs sent to the slaughterhouse! , and no longer deserve the trust of the cashed up customers, nor to hold their funds anymore!

Oh well, choices, who do you trust when they tell lies and propaganda to cover up the facts?

This new century, appears to be the age, where both fiction and propaganda, is the now common standard method of communication to all customers, by banks and corporporations!

[heystoopid]

One small problem

One small problem, called lack of trust, the top four major banks in the country involved in the scam, whilst issuing large numbers of replacement cards, deliberately took the combined steps of initially telling total lies and virtual propaganda, when customers queried why the existing cards became suddenly locked out!

It wasn't until, the episode, was blogged on the internet, and became public knowledge, that some more truthful information was eventual given to persistent irate customers only(but never full disclosure), and the lies from these venerable institutions continued to be issued unabated for the masses!

Question is this if a major bank is willing to insult it's customers over a small security breach involving several million debit cards, then the next question is what else are they also hiding from their customers on a daily basis!

If truth be told, all customers affected should be sent a formal appology letter with a detailed explanation, signed by both the Bank's Chairman of the Board and CEO, as to why their staff were instructed to tell lies on their behalf!

Anything less than that, means they hold their customers in total contempt and will continue to treat them like lambs sent to the slaughterhouse! , and no longer deserve the trust of the cashed up customers, nor to hold their funds anymore!

Oh well, choices, who do you trust when they tell lies and propaganda to cover up the facts?

This new century, appears to be the age, where both fiction and propaganda, is the now common standard method of communication to all customers, by banks and corporporations!

[polov]

My card info and pin were stolen

I am furious at Citibank. My card and pin info were stolen and used on the 18th to withdraw several hundred dollars. From the article, the suspected vendor I've shopped with is Officemax. I work in IT, know SQL - couldn't they have simply queried all of their customers who shopped at these compromised vendors in the last year and notified them?

[polov]

My card info and pin were stolen

I am furious at Citibank. My card and pin info were stolen and used on the 18th to withdraw several hundred dollars. From the article, the suspected vendor I've shopped with is Officemax. I work in IT, know SQL - couldn't they have simply queried all of their customers who shopped at these compromised vendors in the last year and notified them?