March 16, 2006 4:00 AM PST

Your secret PIN may not be so secret

Related Stories

FBI widens probe of debit-card theft

February 22, 2006

Congressman wants retailer ID'd in data breach

February 15, 2006
An unprecedented theft of personal identification numbers from thousands of consumers across the country is calling into question the basic safety of paying with debit cards.

The debit card breach, which the trade publication American Banker says could have allowed thieves to gain access to as many as 600,000 bank accounts, has raised larger questions about whether merchants are improperly storing customers' personal data.

The problem, according to security experts, is the storage of PINs attached to debit cards. The compromise of so many PINs suggests that a national retailer stockpiled customer information even though such a practice is against rules set down by the major credit card companies. What the breach has revealed, say security analysts, is that safety measures around these numbers could represent an Achilles heel for debit cards.

"The process of authentication for PIN numbers has been perceived for a long time to be very secure," said Edward Kountz, a financial services analyst at Jupiter Research. "These thefts call into question how secure they really are."

The recent debit card crime spree stretched from Seattle to North Carolina. And for the past month, most of the media attention has focused on which company suffered the security breach. Many of the victims shop at OfficeMax, an office-supply chain headquartered in Itasca, Ill., according to law enforcement officials. The company has denied suffering a breach and said a third-party audit found no problems (though the company is still working with authorities investigating the case).

Law enforcement officials in New Jersey have arrested 14 people in connection with the case. The suspects, all U.S. citizens, are accused of using stolen credit and debit card information to produce counterfeit cards. These were used to make fraudulent purchases and withdrawals from cardholder accounts, Hudson County Prosecutor Edward DeFazio said. Most of the arrests were made during the past two weeks.

But as FBI and Secret Service agents continue to investigate, security experts are beginning to worry less about where it happened and are turning their attention to whether a similar crime could happen again.

Indeed, the robbery could mark the dawning of a new age in computer crime, said Gartner security analyst Avivah Litan. "The moral of the story is there must be hundreds of companies that store PIN data," Litan said.

Litan pointed out that most retailers use the same technology and follow many of the same procedures.

At most retail stores, registers feed information into a "terminal controller," which acts as a master computer server, Litan said. The terminal controller encrypts the data at each register. At some stores, an encryption "key" is also kept at the terminal controller. This would make it very convenient for electronic intruders who managed to break into the controller. They could slip away with the data as well as the key to unlock the encryption.

Storing encryption keys and customer data is prohibited in section 3.2.3 of the Payment Card Industry data security standard, a set of requirements created by Visa and adopted by other big card issuers. Companies can be fined if found violating the rule. But it is possible to acquire and save customer data by mistake.

"(It's possible) that a manager of a store has no clue they are doing it," Litan said. "The information can be buried in old software."

Quoting unnamed sources, American Banker reported that the leading theory among experts is that hackers likely breached the computer systems of an unknown retailer at possibly 30 U.S. store locations, mainly on the West Coast and Southeast. The thieves made off with the cards' magnetic stripes, PINs and PIN keys.

Still, one theft of PIN codes, even if it involved hundreds of thousands of customers, doesn't mean the current system is broken, said Mike Urban, a fraud technology operations director at Fair Isaac, which monitors ATM networks for counterfeit transactions.

"I'm not sure that this problem is all that widespread," Urban said. "In this business, it's all about following procedures and implementing the correct systems. It's certainly possible that this could happen again. All I'm saying is that it's not something that we've heard much about until now."

See more CNET content tagged:
debit card, retailer, controller, security

38 comments

Join the conversation!
Add your comment
People and Pins
People do some stupid stuff
about 10 years ago while I was working as a waiter a man handed me a visa/debit card and he had his pin number written on the back of the card

He was in his eighties (probably couldn't remember his pin) and criminals prey on people like that

<a class="jive-link-external" href="http://otherthingsnow.blogspot.com/" target="_newWindow">http://otherthingsnow.blogspot.com/</a>
Posted by SqlserverCode (165 comments )
Reply Link Flag
People and Pins
People do some stupid stuff
about 10 years ago while I was working as a waiter a man handed me a visa/debit card and he had his pin number written on the back of the card

He was in his eighties (probably couldn't remember his pin) and criminals prey on people like that

<a class="jive-link-external" href="http://otherthingsnow.blogspot.com/" target="_newWindow">http://otherthingsnow.blogspot.com/</a>
Posted by SqlserverCode (165 comments )
Reply Link Flag
Close to home
This story hits close to home for me. Just last week--march 9th--two charges appeared on my checking account that I did not make. I was able to get a refund and changed my debit card number. I use it a lot online but I'm going to be more careful about that in the future.
Posted by nmcphers (261 comments )
Reply Link Flag
Close to home
This story hits close to home for me. Just last week--march 9th--two charges appeared on my checking account that I did not make. I was able to get a refund and changed my debit card number. I use it a lot online but I'm going to be more careful about that in the future.
Posted by nmcphers (261 comments )
Reply Link Flag
Someone is not telling all!
Someone is not telling all, and being honest with their custoners at the same time, shades of the English Bank scandal, when all the leading banks in the UK, at one time sent out all cards with a choice of 4 basic pin numbers only to every customer!

This gives rise, to the question what else are they hiding? Is there a basic and inherent security flaw in the product?

Trust is a two edge sword!
Posted by heystoopid (691 comments )
Reply Link Flag
telephone banking not secure
There are a lot of ways that criminal can get bank information. One of them is to tap the telephones of the banks. When the people call up they give all their identification and do all of their business, simple matter to simply call back and make a bank transfer to a newly created account with phony id.

I know for a fact that this has been done already at a Bank in Canada.

Dianne
Posted by emeraldgate (53 comments )
Link Flag
Someone is not telling all!
Someone is not telling all, and being honest with their custoners at the same time, shades of the English Bank scandal, when all the leading banks in the UK, at one time sent out all cards with a choice of 4 basic pin numbers only to every customer!

This gives rise, to the question what else are they hiding? Is there a basic and inherent security flaw in the product?

Trust is a two edge sword!
Posted by heystoopid (691 comments )
Reply Link Flag
telephone banking not secure
There are a lot of ways that criminal can get bank information. One of them is to tap the telephones of the banks. When the people call up they give all their identification and do all of their business, simple matter to simply call back and make a bank transfer to a newly created account with phony id.

I know for a fact that this has been done already at a Bank in Canada.

Dianne
Posted by emeraldgate (53 comments )
Link Flag
The real problem is ...
The real problem is of course not that this info is stored and can be breached, but that basic business mosel that requires that a merchant be given info that can be reused to make charges other than the one charge to pay for the purchase made by the customer (and then has to spend lots of money in a setup that would "securely" store this data etc.)

The way it SHOULD be done is that the credentials supplied by the customer to the merchant be usable for only one particular transaction, The consumer would have a device. A PIN would only be used to allow the device owner to use it. When making a purchase the the consumer's device would input the amount to be paid and the merchant's id, and would produce a code based on that and the consumer's id that the merchant would keep, and that would apply only to that particular transaction, at that particular time and date. There would be no need to keep the information secure because it could only be used to cause the correct amount to be transfered one time from the particular customer's bank account to the particular merchant's account. No one else could benefit from that info. The process itself can be automatic: the merchant's device would "talk" to the customer's device in a standard protocol. Each would display the info and each human would confirm the transaction on her own device, so that would prevent one party from using a device that "cheats".
Posted by hadaso (468 comments )
Reply Link Flag
The real problem is ...
The real problem is of course not that this info is stored and can be breached, but that basic business mosel that requires that a merchant be given info that can be reused to make charges other than the one charge to pay for the purchase made by the customer (and then has to spend lots of money in a setup that would "securely" store this data etc.)

The way it SHOULD be done is that the credentials supplied by the customer to the merchant be usable for only one particular transaction, The consumer would have a device. A PIN would only be used to allow the device owner to use it. When making a purchase the the consumer's device would input the amount to be paid and the merchant's id, and would produce a code based on that and the consumer's id that the merchant would keep, and that would apply only to that particular transaction, at that particular time and date. There would be no need to keep the information secure because it could only be used to cause the correct amount to be transfered one time from the particular customer's bank account to the particular merchant's account. No one else could benefit from that info. The process itself can be automatic: the merchant's device would "talk" to the customer's device in a standard protocol. Each would display the info and each human would confirm the transaction on her own device, so that would prevent one party from using a device that "cheats".
Posted by hadaso (468 comments )
Reply Link Flag
Frankly...
None of the stores or other businesses have any need or right to store any of that information. The banking industry needs to fix it so that that vital information is only scanned when the person uses their card, once that is done other information that isn't linked to the customers personal data, things like card number, pin, etc. should not have to be used after it is entered by the customer. Random information for the transaction through the rest of the pipline is generated and use from their on in. Leaving the user's personal and private information out of it. Should a problem come up the bank can use the information from the store and what they have on the customer in question to do their investigation.

Robert
Posted by Heebee Jeebies (632 comments )
Reply Link Flag
Frankly...
None of the stores or other businesses have any need or right to store any of that information. The banking industry needs to fix it so that that vital information is only scanned when the person uses their card, once that is done other information that isn't linked to the customers personal data, things like card number, pin, etc. should not have to be used after it is entered by the customer. Random information for the transaction through the rest of the pipline is generated and use from their on in. Leaving the user's personal and private information out of it. Should a problem come up the bank can use the information from the store and what they have on the customer in question to do their investigation.

Robert
Posted by Heebee Jeebies (632 comments )
Reply Link Flag
Stampeding Giants Running Off The IT Cliff
I imagine in paleolithic times the herd were driven by the predators to kill themselves since the predators knew where the traps were and the herd animals, in this case, dynosaurs, with seeming invincibility to the small predators just obliged their era's cyber crooks by walking or running right off the cliff.

Like the Western American Mustang, wild herds can thrive if they learn to fight back and grow small and fiesty. Bears, lions and man weren't easilly able to do what cold blooded lizards did millions of years ago to the dynosaurs.

Four factor authentication using an offline device like what is patented in the US is that new smaller platform and those giants who don't get it will most likely have their bones viewed in museums like we do now.

An important thing to note is with the dynasaurs died their predators who could not adapt to the more fiesty, smart and impossibly quick next generation of hot blooded herds.

Although, I am sure, if they had survived, they would have made a quick meal of mankind. Thank goodness they didn't.

The fact is the big IT companies dominated by MSN on one side and IBM on the other have become, oh my gosh, Luddites opposing smaller platforms. The duo-opoly cannot control the new ideas and patents since their muscles, cannot call it thought, like stheir fat big boned massess with multiple opportunities for predation.

In addition to that, the predators are thankful for their prediliction.

That's all I got to say. Ciao now.
Posted by Iohagh (54 comments )
Reply Link Flag
Didn't Take Long
I just knew it wouldn't take long for someone to blame MS and or IBM. Stupid is as stupid does (In this case says.)

Retailers who retain PIN information should be held accountable to their customers. Easy solution - play by the rules mandated by the Debit card issuers and DON'T retain PIN info. There is absolutely no business reason to do so.
Posted by tbsteph (62 comments )
Link Flag
Stampeding Giants Running Off The IT Cliff
I imagine in paleolithic times the herd were driven by the predators to kill themselves since the predators knew where the traps were and the herd animals, in this case, dynosaurs, with seeming invincibility to the small predators just obliged their era's cyber crooks by walking or running right off the cliff.

Like the Western American Mustang, wild herds can thrive if they learn to fight back and grow small and fiesty. Bears, lions and man weren't easilly able to do what cold blooded lizards did millions of years ago to the dynosaurs.

Four factor authentication using an offline device like what is patented in the US is that new smaller platform and those giants who don't get it will most likely have their bones viewed in museums like we do now.

An important thing to note is with the dynasaurs died their predators who could not adapt to the more fiesty, smart and impossibly quick next generation of hot blooded herds.

Although, I am sure, if they had survived, they would have made a quick meal of mankind. Thank goodness they didn't.

The fact is the big IT companies dominated by MSN on one side and IBM on the other have become, oh my gosh, Luddites opposing smaller platforms. The duo-opoly cannot control the new ideas and patents since their muscles, cannot call it thought, like stheir fat big boned massess with multiple opportunities for predation.

In addition to that, the predators are thankful for their prediliction.

That's all I got to say. Ciao now.
Posted by Iohagh (54 comments )
Reply Link Flag
Didn't Take Long
I just knew it wouldn't take long for someone to blame MS and or IBM. Stupid is as stupid does (In this case says.)

Retailers who retain PIN information should be held accountable to their customers. Easy solution - play by the rules mandated by the Debit card issuers and DON'T retain PIN info. There is absolutely no business reason to do so.
Posted by tbsteph (62 comments )
Link Flag
Chip and Pin?
It seems that there are a lot of people who don't have all the facts, making statements about how to fix this...

First, when I said, chip and pin, it should read magstripe and pin. (Chip and pin has a bit more security...)

But the problem is that the information is being stored because that information is required to be authenticated by the credit card company.

So if the store cache's the transactions to be submitted in bulk, during after hours, to save money, they will need to store this information, at least until the transaction is recorded and authenticated. (Then they should delete the necessary info to be in compliance.) Now that second step doesn't always happen.

To solve this issue, you're going to have to see sweeping changes in the agreements between the credit card houses, the banks and the retailers.

Looking to smart cards, you have a bit more security potential, however you'll need to see an overhaul of the infrastructure. (Read new equiptment.) So who pays for it? Answer: The retailer. So you're now forcing the retailer to spend money that they may not have. Note: We're not just talking about the large retailers, but *ALL* retailers.

There is no simple answer.
Posted by dargon19888 (412 comments )
Reply Link Flag
Chip and Pin?
It seems that there are a lot of people who don't have all the facts, making statements about how to fix this...

First, when I said, chip and pin, it should read magstripe and pin. (Chip and pin has a bit more security...)

But the problem is that the information is being stored because that information is required to be authenticated by the credit card company.

So if the store cache's the transactions to be submitted in bulk, during after hours, to save money, they will need to store this information, at least until the transaction is recorded and authenticated. (Then they should delete the necessary info to be in compliance.) Now that second step doesn't always happen.

To solve this issue, you're going to have to see sweeping changes in the agreements between the credit card houses, the banks and the retailers.

Looking to smart cards, you have a bit more security potential, however you'll need to see an overhaul of the infrastructure. (Read new equiptment.) So who pays for it? Answer: The retailer. So you're now forcing the retailer to spend money that they may not have. Note: We're not just talking about the large retailers, but *ALL* retailers.

There is no simple answer.
Posted by dargon19888 (412 comments )
Reply Link Flag
WTF???
I don't understand how this happened, All Pin-pads (at least ones I have examined) contain a high-security CPU. This CPU contained in the Pin-Pad itself is responsible for encrypting the PIN number before it is sent to the POS terminal. Otherwise it would be very easy to steal PIN numbers by attaching a device to the pin pad cable and "sniffing" the data. The CPU itself is tamper proof, its firmware is stored in NVRAM and backed up with a lithium battery. Should anyone attempt to tamper with the PIN-pad the CPU should goto SDI (Self Destruct Input) and cause the NVRAM to flash.

The encrpyed PIN and PAN (Primary Account Number) are transmitted to the bank for validation. The system is designed to resist some attacks. This is how most of those small debit machines work that are provided by the bank.

This leads me to believe that there are some PIN pads that do not encrypt the information, wow if this is the case and they are saving them then the merchant should be made to pay back the stolen cash.

Things that make you go hmmmmmmmmmm.
Posted by (16 comments )
Reply Link Flag
PIN vs Encrypted PIN...
So you have a string of bytes that represent the encrypted PIN.

Ok, so the vendor stores them along with the cc information taken from the mag stripe.

Encrypted PIN and CC info are sent to the cc processing center for verification.

Doesn't matter if the PIN is encrypted or not.
Is the encryption a one time, one way encryption?
Or can it be reused?

For example. You have a 4 digit pin.
You use crypt() to do a one way encryption.
How hard do you think it would be for someone to decrypt your pin?

As long as the vendor stores this information, you'll still be at risk.

I seriously doubt that they use strong encryption on the PIN entry....

As to liabilty... If you can prove that it was a specific merchant, and that they did not meet current guidelines on security... then yeah. They are liable....
Posted by dargon19888 (412 comments )
Link Flag
WTF???
I don't understand how this happened, All Pin-pads (at least ones I have examined) contain a high-security CPU. This CPU contained in the Pin-Pad itself is responsible for encrypting the PIN number before it is sent to the POS terminal. Otherwise it would be very easy to steal PIN numbers by attaching a device to the pin pad cable and "sniffing" the data. The CPU itself is tamper proof, its firmware is stored in NVRAM and backed up with a lithium battery. Should anyone attempt to tamper with the PIN-pad the CPU should goto SDI (Self Destruct Input) and cause the NVRAM to flash.

The encrpyed PIN and PAN (Primary Account Number) are transmitted to the bank for validation. The system is designed to resist some attacks. This is how most of those small debit machines work that are provided by the bank.

This leads me to believe that there are some PIN pads that do not encrypt the information, wow if this is the case and they are saving them then the merchant should be made to pay back the stolen cash.

Things that make you go hmmmmmmmmmm.
Posted by (16 comments )
Reply Link Flag
PIN vs Encrypted PIN...
So you have a string of bytes that represent the encrypted PIN.

Ok, so the vendor stores them along with the cc information taken from the mag stripe.

Encrypted PIN and CC info are sent to the cc processing center for verification.

Doesn't matter if the PIN is encrypted or not.
Is the encryption a one time, one way encryption?
Or can it be reused?

For example. You have a 4 digit pin.
You use crypt() to do a one way encryption.
How hard do you think it would be for someone to decrypt your pin?

As long as the vendor stores this information, you'll still be at risk.

I seriously doubt that they use strong encryption on the PIN entry....

As to liabilty... If you can prove that it was a specific merchant, and that they did not meet current guidelines on security... then yeah. They are liable....
Posted by dargon19888 (412 comments )
Link Flag
Video to steal info?
What about the possibility that video cameras covering the cash register area could be used to read pin number entries to match with card numbers?

The story says that apparently the stolen info came from a national retailer with locations on the West Coast and the Southeast. Kroger's, Wal-Mart, Sutherland, Radio Shack, gas station and convenience store chains, quite a few firms with that description. Pick one set of victims in a community and see what businesses they shopped at in common. Then match those with other sets of victims in other locations, and you should be able to "pin" down the leak pretty fast.

The leak isn't through online shopping, it's from physically going to a business and buying something with a debit card.
Posted by RavingEniac (57 comments )
Reply Link Flag
Video to steal info?
What about the possibility that video cameras covering the cash register area could be used to read pin number entries to match with card numbers?

The story says that apparently the stolen info came from a national retailer with locations on the West Coast and the Southeast. Kroger's, Wal-Mart, Sutherland, Radio Shack, gas station and convenience store chains, quite a few firms with that description. Pick one set of victims in a community and see what businesses they shopped at in common. Then match those with other sets of victims in other locations, and you should be able to "pin" down the leak pretty fast.

The leak isn't through online shopping, it's from physically going to a business and buying something with a debit card.
Posted by RavingEniac (57 comments )
Reply Link Flag
Simple Solution
How about bringing back the old school credit card machines back with a new twist. These machines could be seperate unit like they used to be but add the encryption features to the machine itself. Then have the credit/debit amount associated with the transaction number. Then the only info the pos software receives from the credit card machine is the amount, credit or debit, and the transaction number (start of day is 1 and end of day is the number of transactions for that day) to associate the purchase with.
Posted by thepollutedone (6 comments )
Reply Link Flag
Simple Solution
How about bringing back the old school credit card machines back with a new twist. These machines could be seperate unit like they used to be but add the encryption features to the machine itself. Then have the credit/debit amount associated with the transaction number. Then the only info the pos software receives from the credit card machine is the amount, credit or debit, and the transaction number (start of day is 1 and end of day is the number of transactions for that day) to associate the purchase with.
Posted by thepollutedone (6 comments )
Reply Link Flag
How safe is your PIN
I live in Pennsylvania and I encountered fraud to my checking account in January of 2005. At the time I don't think the "fraud" department beleived me when I said I only had one card and that it was in my hand at that time. They indicated that this was unusual and maybe a "fluke". Someone had made a visa card with the numbers on my mac/visa card and overdrew my account within an hour. The banks fraud dept contacted me - thankfully. It took me up to two weeks to get my money back and I ended up closing my account and open another so I could recieve my paycheck and pay my bills. The women at the bank said that this was a bad year for fraud - it was only January. I told all my friends, but no one had heard of this happening, so they didn't worry. It seemed unbelievable that it would be so easy as getting your numbers. I believe this is a problem that began at least a year ago using just the mac/visa. I will never have a mac/visa again. I do, however, have a mac with a pin which I use everywhere. Now I think I will stop using that and go only cash or check. Thank you for the update. I do wonder if a rumor that I've been hearing is correct - banks are only liable for up to $500.00 if your account has had fraud. This might be something the public should be made more aware of if this is true considering some people's bills total more than that on a monthly basis.
Posted by kacb3 (4 comments )
Reply Link Flag
How safe is your PIN
I live in Pennsylvania and I encountered fraud to my checking account in January of 2005. At the time I don't think the "fraud" department beleived me when I said I only had one card and that it was in my hand at that time. They indicated that this was unusual and maybe a "fluke". Someone had made a visa card with the numbers on my mac/visa card and overdrew my account within an hour. The banks fraud dept contacted me - thankfully. It took me up to two weeks to get my money back and I ended up closing my account and open another so I could recieve my paycheck and pay my bills. The women at the bank said that this was a bad year for fraud - it was only January. I told all my friends, but no one had heard of this happening, so they didn't worry. It seemed unbelievable that it would be so easy as getting your numbers. I believe this is a problem that began at least a year ago using just the mac/visa. I will never have a mac/visa again. I do, however, have a mac with a pin which I use everywhere. Now I think I will stop using that and go only cash or check. Thank you for the update. I do wonder if a rumor that I've been hearing is correct - banks are only liable for up to $500.00 if your account has had fraud. This might be something the public should be made more aware of if this is true considering some people's bills total more than that on a monthly basis.
Posted by kacb3 (4 comments )
Reply Link Flag
How safe is your PIN
I live in Pennsylvania and I encountered fraud to my checking account in January of 2005. At the time I don't think the "fraud" department beleived me when I said I only had one card and that it was in my hand at that time. They indicated that this was unusual and maybe a "fluke". Someone had made a visa card with the numbers on my mac/visa card and overdrew my account within an hour. The banks fraud dept contacted me - thankfully. It took me up to two weeks to get my money back and I ended up closing my account and open another so I could recieve my paycheck and pay my bills. The women at the bank said that this was a bad year for fraud - it was only January. I told all my friends, but no one had heard of this happening, so they didn't worry. It seemed unbelievable that it would be so easy as getting your numbers. I believe this is a problem that began at least a year ago using just the mac/visa. I will never have a mac/visa again. I do, however, have a mac with a pin which I use everywhere. Now I think I will stop using that and go only cash or check. Thank you for the update. I do wonder if a rumor that I've been hearing is correct - banks are only liable for up to $500.00 if your account has had fraud. This might be something the public should be made more aware of if this is true considering some people's bills total more than that on a monthly basis.
Posted by kacb3 (4 comments )
Reply Link Flag
How safe is your PIN
I live in Pennsylvania and I encountered fraud to my checking account in January of 2005. At the time I don't think the "fraud" department beleived me when I said I only had one card and that it was in my hand at that time. They indicated that this was unusual and maybe a "fluke". Someone had made a visa card with the numbers on my mac/visa card and overdrew my account within an hour. The banks fraud dept contacted me - thankfully. It took me up to two weeks to get my money back and I ended up closing my account and open another so I could recieve my paycheck and pay my bills. The women at the bank said that this was a bad year for fraud - it was only January. I told all my friends, but no one had heard of this happening, so they didn't worry. It seemed unbelievable that it would be so easy as getting your numbers. I believe this is a problem that began at least a year ago using just the mac/visa. I will never have a mac/visa again. I do, however, have a mac with a pin which I use everywhere. Now I think I will stop using that and go only cash or check. Thank you for the update. I do wonder if a rumor that I've been hearing is correct - banks are only liable for up to $500.00 if your account has had fraud. This might be something the public should be made more aware of if this is true considering some people's bills total more than that on a monthly basis.
Posted by kacb3 (4 comments )
Reply Link Flag
Can we trusts banks empolyees
I am from California. Two bank issues credit cards
were activated and used with out my knowledges.
American Express fraud unit was able to stop
the unauthorized transaction.But Bank Of America
fraud department did not detect and the charge went into collection department. I am asking BA to investigate and dispute. BA reported to Credit Buraeu
and now I have bad report on my outstanding credit report. That make us wonder, can we trust our
private informations with banks employees.
Posted by jonliu992 (2 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.