Free Republic

Your secret PIN may not be so secret
CNET | March 16, 2006 | Greg Sandoval

Posted on 03/16/2006 11:06:15 AM PST by nickcarraway

An unprecedented theft of personal identification numbers from thousands of consumers across the country is calling into question the basic safety of paying with debit cards.

The debit card breach, which the trade publication American Banker says could have allowed thieves to gain access to as many as 600,000 bank accounts, has raised larger questions about whether merchants are improperly storing customers' personal data.

The robbery could mark a new era in computer crime, one analyst says.

The problem, according to security experts, is the storage of PINs attached to debit cards. The compromise of so many PINs suggests that a national retailer stockpiled customer information even though such a practice is against rules set down by the major credit card companies. What the breach has revealed, say security analysts, is that safety measures around these numbers could represent an Achilles heel for debit cards.

"The process of authentication for PIN numbers has been perceived for a long time to be very secure," said Edward Kountz, a financial services analyst at Jupiter Research. "These thefts call into question how secure they really are."

The recent debit card crime spree stretched from Seattle to North Carolina. And for the past month, most of the media attention has focused on which company suffered the security breach. Many of the victims shop at OfficeMax, an office-supply chain headquartered in Itasca, Ill., according to law enforcement officials. The company has denied suffering a breach and said a third-party audit found no problems (though the company is still working with authorities investigating the case).

Law enforcement officials in New Jersey have arrested 14 people in connection with the case. The suspects, all U.S. citizens, are accused of using stolen credit and debit card information to produce counterfeit cards. These were used to make fraudulent purchases and withdrawals from cardholder accounts, Hudson County Prosecutor Edward DeFazio said. Most of the arrests were made during the past two weeks.

But as FBI and Secret Service agents continue to investigate, security experts are beginning to worry less about where it happened and are turning their attention to whether a similar crime could happen again.

Indeed, the robbery could mark the dawning of a new age in computer crime, said Gartner security analyst Avivah Litan. "The moral of the story is there must be hundreds of companies that store PIN data," Litan said.

Litan pointed out that most retailers use the same technology and follow many of the same procedures.

At most retail stores, registers feed information into a "terminal controller," which acts as a master computer server, Litan said. The terminal controller encrypts the data at each register. At some stores, an encryption "key" is also kept at the terminal controller. This would make it very convenient for electronic intruders who managed to break into the controller. They could slip away with the data as well as the key to unlock the encryption.

Storing encryption keys and customer data is prohibited in section 3.2.3 of the Payment Card Industry data security standard, a set of requirements created by Visa and adopted by other big card issuers. Companies can be fined if found violating the rule. But it is possible to acquire and save customer data by mistake.

"(It's possible) that a manager of a store has no clue they are doing it," Litan said. "The information can be buried in old software."

Quoting unnamed sources, American Banker reported that the leading theory among experts is that hackers likely breached the computer systems of an unknown retailer at possibly 30 U.S. store locations, mainly on the West Coast and Southeast. The thieves made off with the cards' magnetic stripes, PINs and PIN keys.

Still, one theft of PIN codes, even if it involved hundreds of thousands of customers, doesn't mean the current system is broken, said Mike Urban, a fraud technology operations director at Fair Isaac, which monitors ATM networks for counterfeit transactions.

"I'm not sure that this problem is all that widespread," Urban said. "In this business, it's all about following procedures and implementing the correct systems. It's certainly possible that this could happen again. All I'm saying is that it's not something that we've heard much about until now."


TOPICS: Business/Economy; Constitution/Conservatism; Culture/Society; Miscellaneous; News/Current Events
KEYWORDS: atm; banking; crime; pin; security; technology
To: APRPEH
requests the zipcode be entered on the keypad

It's a mild level of anti-fraud protection, designed to stop those who try to use a card they found or someone left in the machine. Most in-house gas cards don't use PINs, so asking for the ZIP is a slight improvement from having no security.

41 posted on 03/16/2006 2:22:40 PM PST by ArmstedFragg
[ Post Reply | Private Reply | To 22 | View Replies]

To: stuartcr
I still use checks.

Even at the supermarket?

42 posted on 03/16/2006 2:26:10 PM PST by Dr. Scarpetta (There's always a reason to choose life.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: BJClinton

That's not why I use checks. I often make online purchases with my credit card. I just don't bank online.


43 posted on 03/16/2006 6:03:38 PM PST by stuartcr (Everything happens as God wants it to.....otherwise, things would be different.)
[ Post Reply | Private Reply | To 38 | View Replies]

To: Ramius

I never said that. I just prefer using checks for bill paying, and usually at the store. I don't use online banking, as I explained earlier.


44 posted on 03/16/2006 6:05:47 PM PST by stuartcr (Everything happens as God wants it to.....otherwise, things would be different.)
[ Post Reply | Private Reply | To 39 | View Replies]

To: BlueMondaySkipper
Nope... Bosco

Damn! I have to change mine first thing in the morning.

45 posted on 03/16/2006 6:06:32 PM PST by operation clinton cleanup
[ Post Reply | Private Reply | To 12 | View Replies]

To: Dr. Scarpetta

Almost always, especially if it's over $10 or so.


46 posted on 03/16/2006 6:06:53 PM PST by stuartcr (Everything happens as God wants it to.....otherwise, things would be different.)
[ Post Reply | Private Reply | To 42 | View Replies]

To: nickcarraway

I have a machine that can test if your Pin is secure or not. This is a free service. Please Freepmail me your account number and pin and I'll get back to you if there is any potential for fraud.


47 posted on 03/16/2006 6:08:22 PM PST by Drango (A government that robs Peter to pay Paul can always depend upon the support of Paul.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: mhx
I want to just use gold.

I have a gold card... it shows the retailer that I have good credit and should be treated better than the other customers!

48 posted on 03/16/2006 6:12:26 PM PST by operation clinton cleanup
[ Post Reply | Private Reply | To 31 | View Replies]

To: freedomlover
Would this be the other thread, by chance?

High School Student Recites 8,784 digits of Pi

:^)

49 posted on 03/16/2006 6:13:22 PM PST by the anti-liberal (Hey, Al Qaeda: Violence is the last refuge of the incompetent)
[ Post Reply | Private Reply | To 9 | View Replies]

To: stuartcr
I like checks. They're nice and slow when you use them in person.

So that was YOU in line in front of me at the grocery the other day....

50 posted on 03/16/2006 6:14:52 PM PST by operation clinton cleanup
[ Post Reply | Private Reply | To 36 | View Replies]

To: Drango

I use "1234".. It's so simple, nobody would ever try it... would they?


51 posted on 03/16/2006 6:18:49 PM PST by operation clinton cleanup
[ Post Reply | Private Reply | To 47 | View Replies]

To: Drango
"Please Freepmail me your account number and pin and I'll get back to you if there is any potential for fraud".

This is a stupidity test, right?

52 posted on 03/16/2006 6:19:11 PM PST by fuzzthatwuz
[ Post Reply | Private Reply | To 47 | View Replies]

To: fuzzthatwuz

I said "please". (grin)


53 posted on 03/16/2006 6:20:07 PM PST by Drango (A government that robs Peter to pay Paul can always depend upon the support of Paul.)
[ Post Reply | Private Reply | To 52 | View Replies]

To: operation clinton cleanup

Why does it take over a minute to write a check? I was a cashier at a grocery store and every other person could write a check in 20 seconds but the other half it took a good 1-2 minutes.


54 posted on 03/16/2006 6:20:27 PM PST by RHINO369
[ Post Reply | Private Reply | To 50 | View Replies]

To: Huck; Liz; nickcarraway

>>>The problem, according to security experts, is the storage of PINs attached to debit cards. The compromise of so many PINs suggests that a national retailer stockpiled customer information even though such a practice is against rules set down by the major credit card companies. What the breach has revealed, say security analysts, is that safety measures around these numbers could represent an Achilles heel for debit cards.

More on that here:

http://www.freerepublic.com/focus/f-news/1596689/posts
New Jersey Banks Warn Consumers on PIN Usage


55 posted on 03/16/2006 6:23:23 PM PST by Calpernia (Breederville.com)
[ Post Reply | Private Reply | To 1 | View Replies]

To: stuartcr

I understand.


56 posted on 03/16/2006 6:24:57 PM PST by Ramius (Buy blades for war fighters: freeper.the-hobbit-hole.net --> 1100 knives and counting!)
[ Post Reply | Private Reply | To 44 | View Replies]

To: RHINO369

I think the other half is trying to remember what day (date) it is. I can't remember the last time I used a check in a store. I have had the same box of checks for almost 3 years.


57 posted on 03/16/2006 6:25:09 PM PST by operation clinton cleanup
[ Post Reply | Private Reply | To 54 | View Replies]

To: TXBSAFH

55


58 posted on 03/16/2006 6:25:38 PM PST by Calpernia (Breederville.com)
[ Post Reply | Private Reply | To 55 | View Replies]

To: nickcarraway
Cash is King!


59 posted on 03/16/2006 6:25:54 PM PST by Revolting cat! ("In the end, nothing explains anything.")
[ Post Reply | Private Reply | To 1 | View Replies]

To: tx_eggman

see post 55


60 posted on 03/16/2006 6:27:10 PM PST by Calpernia (Breederville.com)
[ Post Reply | Private Reply | To 10 | View Replies]

