Huh? 
Posted on 03/16/2006 11:06:15 AM PST by nickcarraway
An unprecedented theft of personal identification numbers from thousands of consumers across the country is calling into question the basic safety of paying with debit cards.
The debit card breach, which the trade publication American Banker says could have allowed thieves to gain access to as many as 600,000 bank accounts, has raised larger questions about whether merchants are improperly storing customers' personal data.
The robbery could mark a new era in computer crime, one analyst says.
The problem, according to security experts, is the storage of PINs attached to debit cards. The compromise of so many PINs suggests that a national retailer stockpiled customer information even though such a practice is against rules set down by the major credit card companies. What the breach has revealed, say security analysts, is that safety measures around these numbers could represent an Achilles heel for debit cards.
"The process of authentication for PIN numbers has been perceived for a long time to be very secure," said Edward Kountz, a financial services analyst at Jupiter Research. "These thefts call into question how secure they really are."
The recent debit card crime spree stretched from Seattle to North Carolina. And for the past month, most of the media attention has focused on which company suffered the security breach. Many of the victims shop at OfficeMax, an office-supply chain headquartered in Itasca, Ill., according to law enforcement officials. The company has denied suffering a breach and said a third-party audit found no problems (though the company is still working with authorities investigating the case).
Law enforcement officials in New Jersey have arrested 14 people in connection with the case. The suspects, all U.S. citizens, are accused of using stolen credit and debit card information to produce counterfeit cards. These were used to make fraudulent purchases and withdrawals from cardholder accounts, Hudson County Prosecutor Edward DeFazio said. Most of the arrests were made during the past two weeks.
But as FBI and Secret Service agents continue to investigate, security experts are beginning to worry less about where it happened and are turning their attention to whether a similar crime could happen again.
Indeed, the robbery could mark the dawning of a new age in computer crime, said Gartner security analyst Avivah Litan. "The moral of the story is there must be hundreds of companies that store PIN data," Litan said.
Litan pointed out that most retailers use the same technology and follow many of the same procedures.
At most retail stores, registers feed information into a "terminal controller," which acts as a master computer server, Litan said. The terminal controller encrypts the data at each register. At some stores, an encryption "key" is also kept at the terminal controller. This would make it very convenient for electronic intruders who managed to break into the controller. They could slip away with the data as well as the key to unlock the encryption.
Storing encryption keys and customer data is prohibited in section 3.2.3 of the Payment Card Industry data security standard, a set of requirements created by Visa and adopted by other big card issuers. Companies can be fined if found violating the rule. But it is possible to acquire and save customer data by mistake.
"(It's possible) that a manager of a store has no clue they are doing it," Litan said. "The information can be buried in old software."
Quoting unnamed sources, American Banker reported that the leading theory among experts is that hackers likely breached the computer systems of an unknown retailer at possibly 30 U.S. store locations, mainly on the West Coast and Southeast. The thieves made off with the cards' magnetic stripes, PINs and PIN keys.
Still, one theft of PIN codes, even if it involved hundreds of thousands of customers, doesn't mean the current system is broken, said Mike Urban, a fraud technology operations director at Fair Isaac, which monitors ATM networks for counterfeit transactions.
"I'm not sure that this problem is all that widespread," Urban said. "In this business, it's all about following procedures and implementing the correct systems. It's certainly possible that this could happen again. All I'm saying is that it's not something that we've heard much about until now."
My wife doesn't like the computer much, so I would have to input everything myself. Since I travel a lot, it just makes sense for us to do things the old fahioned way.
one pay at the pump station locally requests the zipcode be entered on the keypad. dont know if they are actually using that to verify anything or not.
Very good!
The best thing to do would probably be to build the MD4 hashing into the hardware. While their are many retailers, there are few hardware manufactuers.
Of course, a retailer could still proof an MD4 hash, but it would be traceable right back to the store.
My debit card can be used as either "debit" or "credit". When used as credit, you don't need to use your PIN, and it takes a few days to clear.
I suggest everyone who has this type of card start using it in that manner to circumvent this problem.
You're not the only one. Even my printing now looks spastic. Pretty soon, I'll have to image an old signature and download the image into a signature printing machine.
Hmmm....
Interesting.
--Boris
You guys are gonna be hurtin' when the EM pulse hits, and all the electricity stops...
The worst thing about that would be the inability to log on to Free Republic.
I want to just use gold.
Heh. I use that sometimes for usernames or passwords for non-critical accounts. For anything that matters I generate random characters.
That can be rough on the teeth, and it's awkward to have to go around with a scale all the time....what with the calibration required, etc.
Old school, me too.
Good idea. I see no advantage of debit cards over credit cards anyway.
I like checks. They're nice and slow when you use them in person.
We'll all be in a world of hurt if that happens.
If you think checks are somehow more secure...
Oh, nevermind. Be happy.
Huh?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.