Posted on 03/16/2006 11:06:15 AM PST by nickcarraway
An unprecedented theft of personal identification numbers from thousands of consumers across the country is calling into question the basic safety of paying with debit cards.
The debit card breach, which the trade publication American Banker says could have allowed thieves to gain access to as many as 600,000 bank accounts, has raised larger questions about whether merchants are improperly storing customers' personal data.
The robbery could mark a new era in computer crime, one analyst says.
The problem, according to security experts, is the storage of PINs attached to debit cards. The compromise of so many PINs suggests that a national retailer stockpiled customer information even though such a practice is against rules set down by the major credit card companies. What the breach has revealed, say security analysts, is that safety measures around these numbers could represent an Achilles heel for debit cards.
"The process of authentication for PIN numbers has been perceived for a long time to be very secure," said Edward Kountz, a financial services analyst at Jupiter Research. "These thefts call into question how secure they really are."
The recent debit card crime spree stretched from Seattle to North Carolina. And for the past month, most of the media attention has focused on which company suffered the security breach. Many of the victims shop at OfficeMax, an office-supply chain headquartered in Itasca, Ill., according to law enforcement officials. The company has denied suffering a breach and said a third-party audit found no problems (though the company is still working with authorities investigating the case).
Law enforcement officials in New Jersey have arrested 14 people in connection with the case. The suspects, all U.S. citizens, are accused of using stolen credit and debit card information to produce counterfeit cards. These were used to make fraudulent purchases and withdrawals from cardholder accounts, Hudson County Prosecutor Edward DeFazio said. Most of the arrests were made during the past two weeks.
But as FBI and Secret Service agents continue to investigate, security experts are beginning to worry less about where it happened and are turning their attention to whether a similar crime could happen again.
Indeed, the robbery could mark the dawning of a new age in computer crime, said Gartner security analyst Avivah Litan. "The moral of the story is there must be hundreds of companies that store PIN data," Litan said.
Litan pointed out that most retailers use the same technology and follow many of the same procedures.
At most retail stores, registers feed information into a "terminal controller," which acts as a master computer server, Litan said. The terminal controller encrypts the data at each register. At some stores, an encryption "key" is also kept at the terminal controller. This would make it very convenient for electronic intruders who managed to break into the controller. They could slip away with the data as well as the key to unlock the encryption.
Storing encryption keys and customer data is prohibited in section 3.2.3 of the Payment Card Industry data security standard, a set of requirements created by Visa and adopted by other big card issuers. Companies can be fined if found violating the rule. But it is possible to acquire and save customer data by mistake.
"(It's possible) that a manager of a store has no clue they are doing it," Litan said. "The information can be buried in old software."
Quoting unnamed sources, American Banker reported that the leading theory among experts is that hackers likely breached the computer systems of an unknown retailer at possibly 30 U.S. store locations, mainly on the West Coast and Southeast. The thieves made off with the cards' magnetic stripes, PINs and PIN keys.
Still, one theft of PIN codes, even if it involved hundreds of thousands of customers, doesn't mean the current system is broken, said Mike Urban, a fraud technology operations director at Fair Isaac, which monitors ATM networks for counterfeit transactions.
"I'm not sure that this problem is all that widespread," Urban said. "In this business, it's all about following procedures and implementing the correct systems. It's certainly possible that this could happen again. All I'm saying is that it's not something that we've heard much about until now."
mark
Would not cutting off such retailer from use of the cards send a powerful message to not break the rules?
Make the retailer responsible to make the losses good!
That or they were in the offshore data center.
I still use checks.
Ping
2548
Did I guess correct?
An IT guy at my company says that two of the most common passwords are "open" and "openup". He says that many nitwits at our company try to use "password" or some truncated version but the software won't allow it.
DUH
As I noted on another thread I understand that many know-it-all techies use the requisite digits for Pi as their passwords.
Ding, ding, ding ... we have a winner
You know, I tried to write one of those out the other day and got a hand cramp and couldn't finish.
I think I'm forgetting how to write by hand. It's actually kind of scary.
Did I guess correct?
Nope... Bosco
Now that I think about it, if I keep hanging out on FreeRepublic I'm going to not know how to carry on a conversation because I have forgotten how to talk...and keep looking for the Post button.
(Although it wouldn't kill me to have a Preview button in real life...)
I don't use my computer to bank or pay bills, either.
Amazing.
There is very little I do traditionally anymore. Life is kind of on automatic. I just check in regularly to make sure it is all being taken care of properly.
Retailers have the ability to store your pin, buying habits, and electronic signature. You know those little pads that you sign the receipt and it goes into the computer? It probably wasnt a single retailer but rather one of the upstream companies.
I don't know about the US, but in Canada all credit/debit terminals, in particular the PIN pad, are supplied by the banks and then integrated with the POS systems. I worked in the POS industry until 2000 and I was told that the whole authentication process went on inside the bank's equipment - PINs in the clear never pass through the retailer's equipment. Depending on the design of the system, though, encrypted PINs might pass through the retailer's system, and I suspect that the encryption used might not be unbreakable.
I know Kreskin.
bttt
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.