March 16, 2006 4:00 AM PST
Your secret PIN may not be so secret
The debit card breach, which the trade publication American Banker says could have allowed thieves to gain access to as many as 600,000 bank accounts, has raised larger questions about whether merchants are improperly storing customers' personal data.
The problem, according to security experts, is the storage of PINs attached to debit cards. The compromise of so many PINs suggests that a national retailer stockpiled customer information even though such a practice is against rules set down by the major credit card companies. What the breach has revealed, say security analysts, is that safety measures around these numbers could represent an Achilles heel for debit cards.
"The process of authentication for PIN numbers has been perceived for a long time to be very secure," said Edward Kountz, a financial services analyst at Jupiter Research. "These thefts call into question how secure they really are."
The recent debit card crime spree stretched from Seattle to North Carolina. And for the past month, most of the media attention has focused on which company suffered the security breach. Many of the victims shop at OfficeMax, an office-supply chain headquartered in Itasca, Ill., according to law enforcement officials. The company has denied suffering a breach and said a third-party audit found no problems (though the company is still working with authorities investigating the case).
Law enforcement officials in New Jersey have arrested 14 people in connection with the case. The suspects, all U.S. citizens, are accused of using stolen credit and debit card information to produce counterfeit cards. These were used to make fraudulent purchases and withdrawals from cardholder accounts, Hudson County Prosecutor Edward DeFazio said. Most of the arrests were made during the past two weeks.
But as FBI and Secret Service agents continue to investigate, security experts are beginning to worry less about where it happened and are turning their attention to whether a similar crime could happen again.
Indeed, the robbery could mark the dawning of a new age in computer crime, said Gartner security analyst Avivah Litan. "The moral of the story is there must be hundreds of companies that store PIN data," Litan said.
Litan pointed out that most retailers use the same technology and follow many of the same procedures.
At most retail stores, registers feed information into a "terminal controller," which acts as a master computer server, Litan said. The terminal controller encrypts the data at each register. At some stores, an encryption "key" is also kept at the terminal controller. This would make it very convenient for electronic intruders who managed to break into the controller. They could slip away with the data as well as the key to unlock the encryption.
Storing encryption keys and customer data is prohibited in section 3.2.3 of the Payment Card Industry data security standard, a set of requirements created by Visa and adopted by other big card issuers. Companies can be fined if found violating the rule. But it is possible to acquire and save customer data by mistake.
"(It's possible) that a manager of a store has no clue they are doing it," Litan said. "The information can be buried in old software."
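The failure mode the article describes is a retailer that keeps PIN blocks, full magnetic-stripe data and even the PIN encryption key on the terminal controller long after the transaction was authorized. The check a defender would want is a scan of stored batches for exactly that data. The following is an added example, not code from the article or from any retailer; the pipe-delimited batch layout, the field names and every value in it are constructed for illustration.

```python
"""Added example (not from the CNET article or any retailer's systems):
scan a constructed settlement batch for data that the PCI rule cited above
forbids keeping -- full track data, PIN blocks and a PIN encryption key
stored beside the records it protects -- and purge it."""
import re
from dataclasses import dataclass

# Constructed sample batch in a hypothetical pipe-delimited layout; the field
# names and every value below are assumptions made for this example.
SAMPLE_BATCH = """\
txn_id|pan|amount|track2|pin_block|pek
T0001|4111111111111111|24.99|||
T0002|4111111111111111|103.50|4111111111111111=27121011234567890|A1B2C3D4E5F60718|
T0003|5500000000000004|12.00||0123456789ABCDEF|0123456789ABCDEF0123456789ABCDEF
"""

TRACK2_RE = re.compile(r"^\d{12,19}=\d{4}")        # PAN, '=', YYMM expiry, ...
PIN_BLOCK_RE = re.compile(r"^[0-9A-Fa-f]{16}$")    # 8-byte encrypted PIN block as hex
KEY_RE = re.compile(r"^[0-9A-Fa-f]{32,48}$")       # 16- or 24-byte key as hex
PATTERNS = {"track2": TRACK2_RE, "pin_block": PIN_BLOCK_RE, "pek": KEY_RE}
PROHIBITED = {
    "track2": "full magnetic-stripe data retained after authorization",
    "pin_block": "PIN block retained after authorization",
    "pek": "PIN encryption key stored beside the data it protects",
}


@dataclass(frozen=True)
class Finding:
    txn_id: str
    field: str
    reason: str


def parse_batch(text: str):
    """Split the batch into a header list and one dict per record."""
    lines = text.strip().splitlines()
    header = lines[0].split("|")
    return header, [dict(zip(header, line.split("|"))) for line in lines[1:]]


def scan_batch(text: str) -> list:
    """Return one Finding per prohibited field that still holds a value."""
    _, records = parse_batch(text)
    findings = []
    for rec in records:
        for field, pattern in PATTERNS.items():
            if pattern.match(rec.get(field, "")):
                findings.append(Finding(rec["txn_id"], field, PROHIBITED[field]))
    return findings


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits of the card number."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def purge_batch(text: str) -> str:
    """Blank every prohibited field and mask the PAN; returns the cleaned batch."""
    header, records = parse_batch(text)
    out = ["|".join(header)]
    for rec in records:
        for field in PATTERNS:
            rec[field] = ""
        rec["pan"] = mask_pan(rec["pan"])
        out.append("|".join(rec[h] for h in header))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in scan_batch(SAMPLE_BATCH):
        print(f"{f.txn_id}: {f.field}: {f.reason}")
    print(purge_batch(SAMPLE_BATCH))
```

Run against a real batch, the scan would be pointed at whatever the controller writes to disk after settlement; a batch that comes back clean is the state the article's analysts say retailers are supposed to be in, and the point of the purge is that a controller compromised later has nothing usable to give up.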
Quoting unnamed sources, American Banker reported that the leading theory among experts is that hackers likely breached the computer systems of an unknown retailer at possibly 30 U.S. store locations, mainly on the West Coast and Southeast. The thieves made off with the cards' magnetic stripes, PINs and PIN keys.
Still, one theft of PIN codes, even if it involved hundreds of thousands of customers, doesn't mean the current system is broken, said Mike Urban, a fraud technology operations director at Fair Isaac, which monitors ATM networks for counterfeit transactions.
"I'm not sure that this problem is all that widespread," Urban said. "In this business, it's all about following procedures and implementing the correct systems. It's certainly possible that this could happen again. All I'm saying is that it's not something that we've heard much about until now."
about 10 years ago while I was working as a waiter a man handed me a visa/debit card and he had his pin number written on the back of the card
He was in his eighties (probably couldn't remember his pin) and criminals prey on people like that
http://otherthingsnow.blogspot.com/
This gives rise to the question: what else are they hiding? Is there a basic and inherent security flaw in the product?
Trust is a two-edged sword!
I know for a fact that this has been done already at a Bank in Canada.
Dianne
The way it SHOULD be done is that the credentials supplied by the customer to the merchant be usable for only one particular transaction. The consumer would have a device. A PIN would only be used to allow the device owner to use it. When making a purchase the consumer's device would input the amount to be paid and the merchant's id, and would produce a code based on that and the consumer's id that the merchant would keep, and that would apply only to that particular transaction, at that particular time and date. There would be no need to keep the information secure because it could only be used to cause the correct amount to be transferred one time from the particular customer's bank account to the particular merchant's account. No one else could benefit from that info. The process itself can be automatic: the merchant's device would "talk" to the customer's device in a standard protocol. Each would display the info and each human would confirm the transaction on her own device, so that would prevent one party from using a device that "cheats".
Robert
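Robert's comment above describes a per-transaction code that binds consumer id, merchant id, amount and time so that a stored copy is worthless to anyone else. The following is an added example of that idea, not Robert's design and not any deployed payment scheme: the code is an HMAC under a secret shared only between the consumer's device and the bank, and the bank rejects tampered amounts, resubmissions and stale codes. All ids, the secret and the amounts are constructed.

```python
"""Added example, not Robert's design or any deployed payment scheme: a
one-time transaction code bound to consumer id, merchant id, amount and time,
keyed with a secret only the consumer's device and the bank hold. The
merchant stores and forwards the code but can neither forge nor reuse it."""
import hashlib
import hmac


def _message(consumer_id: str, merchant_id: str, amount_cents: int, ts: int) -> bytes:
    """The fields the code commits to; any change invalidates it."""
    return f"{consumer_id}|{merchant_id}|{amount_cents}|{ts}".encode()


class ConsumerDevice:
    """The device the customer carries. Unlocking it with the PIN is assumed
    to have happened already and is not modelled here."""

    def __init__(self, consumer_id: str, secret: bytes):
        self.consumer_id = consumer_id
        self._secret = secret

    def authorize(self, merchant_id: str, amount_cents: int, ts: int) -> dict:
        msg = _message(self.consumer_id, merchant_id, amount_cents, ts)
        code = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        # Everything the merchant keeps: no PAN, no PIN, no secret.
        return {"consumer_id": self.consumer_id, "merchant_id": merchant_id,
                "amount_cents": amount_cents, "ts": ts, "code": code}


class Bank:
    def __init__(self, secrets: dict, window_s: int = 300):
        self._secrets = secrets      # consumer_id -> shared secret, never at the merchant
        self._window_s = window_s    # how old a code may be when presented
        self._seen = set()           # codes already settled (replay guard)

    def settle(self, claim: dict, now: int) -> str:
        secret = self._secrets.get(claim["consumer_id"])
        if secret is None:
            return "REJECT: unknown consumer"
        msg = _message(claim["consumer_id"], claim["merchant_id"],
                       claim["amount_cents"], claim["ts"])
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, claim["code"]):
            return "REJECT: code does not match claimed fields"
        if abs(now - claim["ts"]) > self._window_s:
            return "REJECT: outside time window"
        if claim["code"] in self._seen:
            return "REJECT: replay"
        self._seen.add(claim["code"])
        return f"OK: {claim['amount_cents']} cents to {claim['merchant_id']}"


# Constructed demo values (hypothetical consumer, merchant and secret).
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> list:
    """Walk through a genuine settlement and three things a leaked copy cannot do."""
    bank = Bank({"cust-42": SECRET})
    device = ConsumerDevice("cust-42", SECRET)
    claim = device.authorize("merchant-7", 2499, ts=1_142_500_000)
    results = [bank.settle(claim, now=1_142_500_030)]           # genuine
    results.append(bank.settle(claim, now=1_142_500_060))       # merchant resubmits
    tampered = dict(claim, amount_cents=99_999)
    results.append(bank.settle(tampered, now=1_142_500_030))    # amount changed
    stale = device.authorize("merchant-7", 2499, ts=1_142_400_000)
    results.append(bank.settle(stale, now=1_142_500_030))       # presented far too late
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The merchant's record of the transaction is the `claim` dict, which is what a breach of the controller would expose; because the shared secret never leaves the device and the bank, a stolen claim can only ever settle the same amount to the same merchant once, and only inside the time window.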
Like the Western American Mustang, wild herds can thrive if they learn to fight back and grow small and feisty. Bears, lions and man weren't easily able to do what cold blooded lizards did millions of years ago to the dinosaurs.
Four factor authentication using an offline device like what is patented in the US is that new smaller platform and those giants who don't get it will most likely have their bones viewed in museums like we do now.
An important thing to note is with the dinosaurs died their predators who could not adapt to the more feisty, smart and impossibly quick next generation of hot blooded herds.
Although, I am sure, if they had survived, they would have made a quick meal of mankind. Thank goodness they didn't.
The fact is the big IT companies dominated by MSN on one side and IBM on the other have become, oh my gosh, Luddites opposing smaller platforms. The duo-opoly cannot control the new ideas and patents since their muscles, cannot call it thought, like their fat big boned masses with multiple opportunities for predation.
In addition to that, the predators are thankful for their predilection.
That's all I got to say. Ciao now.
Retailers who retain PIN information should be held accountable to their customers. Easy solution - play by the rules mandated by the Debit card issuers and DON'T retain PIN info. There is absolutely no business reason to do so.
First, when I said, chip and pin, it should read magstripe and pin. (Chip and pin has a bit more security...)
But the problem is that the information is being stored because that information is required to be authenticated by the credit card company.
So if the store caches the transactions to be submitted in bulk, during after hours, to save money, they will need to store this information, at least until the transaction is recorded and authenticated. (Then they should delete the necessary info to be in compliance.) Now that second step doesn't always happen.
To solve this issue, you're going to have to see sweeping changes in the agreements between the credit card houses, the banks and the retailers.
Looking to smart cards, you have a bit more security potential, however you'll need to see an overhaul of the infrastructure. (Read new equipment.) So who pays for it? Answer: The retailer. So you're now forcing the retailer to spend money that they may not have. Note: We're not just talking about the large retailers, but *ALL* retailers.
There is no simple answer.
The encrypted PIN and PAN (Primary Account Number) are transmitted to the bank for validation. The system is designed to resist some attacks. This is how most of those small debit machines work that are provided by the bank.
This leads me to believe that there are some PIN pads that do not encrypt the information, wow if this is the case and they are saving them then the merchant should be made to pay back the stolen cash.
Things that make you go hmmmmmmmmmm.
Ok, so the vendor stores them along with the cc information taken from the mag stripe.
Encrypted PIN and CC info are sent to the cc processing center for verification.
Doesn't matter if the PIN is encrypted or not.
Is the encryption a one time, one way encryption?
Or can it be reused?
For example. You have a 4 digit pin.
You use crypt() to do a one way encryption.
How hard do you think it would be for someone to decrypt your pin?
As long as the vendor stores this information, you'll still be at risk.
I seriously doubt that they use strong encryption on the PIN entry....
As to liability... If you can prove that it was a specific merchant, and that they did not meet current guidelines on security... then yeah. They are liable....
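The comment above asks how hard it would be to recover a four-digit PIN from a one-way `crypt()`-style hash. The answer is a matter of counting: there are only 10,000 possible PINs, so a leaked hash, salted or not, can be matched against every candidate in a fraction of a second. The following added example (not the commenter's code) makes that concrete with a salted SHA-256 in place of `crypt()`; the salt and PIN are constructed for the demo. The practical conclusion is the one the article's analysts draw: the PIN must not be stored at the merchant in any form, hashed or otherwise.

```python
"""Added example, not from the commenter above: why a one-way hash of a
four-digit PIN, even salted, does not protect it once the stored record
leaks. The salt, PIN and digest used here are constructed for the demo."""
import hashlib
import hmac

PIN_DIGITS = 4
PIN_SPACE = 10 ** PIN_DIGITS   # every PIN from 0000 to 9999


def hash_pin(pin: str, salt: bytes) -> bytes:
    """What a retailer might imagine 'one-way encrypting' a PIN at rest looks like."""
    return hashlib.sha256(salt + pin.encode()).digest()


def recover_pin(salt: bytes, digest: bytes):
    """Match the digest against the whole PIN space.

    Returns (pin, attempts), or (None, PIN_SPACE) if nothing matched. The salt
    adds nothing here: it is stored beside the digest, and the space being
    searched is the PIN, not the salt."""
    for attempts, n in enumerate(range(PIN_SPACE), start=1):
        candidate = f"{n:0{PIN_DIGITS}d}"
        if hmac.compare_digest(hash_pin(candidate, salt), digest):
            return candidate, attempts
    return None, PIN_SPACE


if __name__ == "__main__":
    salt = b"constructed-salt"
    stored = hash_pin("4271", salt)      # the record a breached controller would hold
    pin, attempts = recover_pin(salt, stored)
    print(f"recovered {pin} after {attempts} of at most {PIN_SPACE} candidates")
```

Contrast this with what the comment describes as the intended design: the PIN is encrypted inside the PIN pad under a key that only the pad and the bank hold, is forwarded for validation, and is then discarded. Nothing at the merchant can be enumerated because nothing derived from the PIN remains there.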
The story says that apparently the stolen info came from a national retailer with locations on the West Coast and the Southeast. Kroger's, Wal-Mart, Sutherland, Radio Shack, gas station and convenience store chains, quite a few firms with that description. Pick one set of victims in a community and see what businesses they shopped at in common. Then match those with other sets of victims in other locations, and you should be able to "pin" down the leak pretty fast.
The leak isn't through online shopping, it's from physically going to a business and buying something with a debit card.
were activated and used without my knowledge. American Express fraud unit was able to stop the unauthorized transaction. But Bank Of America fraud department did not detect it and the charge went into the collection department. I am asking BA to investigate and dispute. BA reported to the Credit Bureau and now I have a bad report on my outstanding credit report. That makes us wonder, can we trust our private information with banks' employees.