
PIN Scandal 'Worst Hack Ever'

Zonk posted more than 8 years ago | from the cue-comic-book-guy-voice dept.


QuietLagoon writes "The evolving Citibank PIN scandal is getting worse with each passing day. Gregg Keizer of TechWeb News writes: 'The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs 'the worst consumer scam to date.' ... The problem...is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.'"


365 comments


Someone has been watching too much Simpsons... (-1)

ziggamon2.0 (796017) | more than 8 years ago | (#14897402)

... worst... hack... ever!

Re:Someone has been watching too much Simpsons... (4, Insightful)

Anonymous Coward | more than 8 years ago | (#14897447)

This brings up an issue with financial networks that I just don't understand.

The greatest security online would be to do away with a "pull" charge (where your details are given to the business and the money "pulled" from your account) and adopt a "push" system - where I make an order, get a receipt #, log into MY account with the bank (i.e. the SSL connection is between me and my bank) and then I send the money to them. I don't have any extra charges and don't send any money I don't want to. And they don't have my details to lose or get stolen.

But wait, that would mean people would have to do two steps, and people would use their OWN money more often, and not use credit.... can't have that can we. There are a zillion people out there who would sign up for this system, but it's not in the banks' interests. Freemarket capitalism (*cough* oligopoly *cough*) fails again.

Re:Someone has been watching too much Simpsons... (5, Interesting)

sjames (1099) | more than 8 years ago | (#14897680)

Smart cards CAN be used for fully secured transactions over untrusted networks but unfortunately, aren't. Consider a smart card and a digital 'wallet' that is actually a simple terminal into the card. Your 'PIN' is actually just a password to log in to your own card.

To process a transaction, the POS terminal generates a transaction record requesting the payment amount, and signs it. Meanwhile, you log into your card and authorize a single transaction for the total amount. You then place your card in the POS terminal's reader. It passes the transaction record to the card. The card then signs the transaction (unless it is for more than you authorized). The card passes the signed record back to the POS. The POS then sends the record to your bank to cause the amount to transfer to the merchant's account.

The system can also be used offline so long as you're willing to give up the ability to validate the transaction immediately.

To bootstrap the system, the 'wallet' function can be available in the card reader at the POS terminal. Most people would use that and trust it the same way they now trust the card reader. It would be more trustworthy than the current system since the card would still be required to produce a transaction record (since the private key never leaves the card). Those who do not wish to trust the POS terminals at all can use their own wallet to authorize transactions. A USB interface on the wallet would allow for instant secure online payments. Since the PIN/password never leaves the wallet, it's safe to use at a public terminal (internet cafe for example).

In either scenario, skimming is prevented since again, the private key never leaves the chip on the card. People already generally understand the need to keep credit/debit cards in their possession.

A side benefit to the system is that you can pre-authorize a transaction amount and then allow a reasonably trusted person to use your card. Unlike current cards where you would have to trust the person with your PIN (and the total balance in your account + your credit limit), you need only trust them with the amount of the single transaction.

More advanced cards might be pre-authorized with a given amount which may be spent in multiple transactions. More advanced cards could have those transactions limited to payments to specific entities. That allows parents to give kids an allowance on a card, send the kids to the store, or give them emergency cab fare.

A lost card would just mean generating a new key pair and issuing a new card. No need to change account numbers. That means no need to do anything special about pre-authorized monthly billings. Meanwhile, merchants with sporadic connectivity (think vendor booths at fairs, etc.) could at least download a list of revoked keys onto a USB drive to limit fraud problems.

Finally, such a system would be its own non-repudiable audit trail. Your receipt is a transaction record signed by you, the other party, their bank and your bank. Nobody can deny knowledge of the transaction. You can easily store the transaction records of your purchases and your deposits. Even if the bank conveniently can't find a record of your deposit, YOU can provide the receipt signed by them and (for example) your employer. Each signature can include a datestamp so nobody can float the transaction.

It's amazing to me the vast difference between public perception and the truth about the security of transactions and banking in general. The fact is, nearly anyone, using nothing but the information found printed on your checks can create a fraudulent transaction. A signature means little since the cost of expert analysis is far more than the amount of most checks you write. The fact is that banking routinely relies on taking people's word for it. Nearly any transaction record can be forged (and so, repudiated).

Beyond that, banking depends on a pile of ancient mainframes, private networks (frame relay), 9600 baud modems, COBOL programs, and ancient proprietary record formats.

I suspect that banks don't want to change because the new system would lower the barrier to become a transaction broker (with the costs of fraud removed, you no longer need to have the cushion of millions of transactions a day to survive fraud losses) and because it would remove the excuses to hold money while checks clear. That 'float' is a significant source of invisible income for them. Don't count on companies like Diebold to make something like this available. Of course, the lack of simple immediately verifiable transaction authorizations (that cannot be repudiated) means we have a vast sea of banking laws that raise the barrier to entry much higher still. Pushing the security onto the smart card means no more need for private networks and proprietary POS systems and reduced interest in ATMs. As you say, Freemarket capitalism (*cough* oligopoly *cough*) fails again.

Even law enforcement stands in the way. They WANT to limit transaction brokering to a few large players so they can push 'know your customer' styled crap for the supposedly non-existent Total Information Awareness.
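The signed-transaction flow sjames lays out in the comment above, as an added Go example; it is not from the original comment and does not describe any real card scheme. It assumes Ed25519 for the signatures (the comment only says "signs"), a random nonce in the POS record so that a settled record cannot be presented twice, a bank that keeps the revoked-key list the comment mentions for merchants with sporadic connectivity, and names (TxRequest, Card, Bank, Settle) chosen here for illustration. The bank's own counter-signature and the merchant's bank are left out; what is demonstrated is the card refusing to sign outside its single pre-authorization, and the bank refusing replayed, tampered or revoked records.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// TxRequest is the record the POS builds: payee, amount in cents and a random nonce so a settled record cannot be presented twice.
type TxRequest struct {
	Merchant string
	Amount   uint64
	Nonce    [8]byte
}

// NewRequest is the POS side: the amount plus a fresh nonce.
func NewRequest(merchant string, amount uint64) TxRequest {
	r := TxRequest{Merchant: merchant, Amount: amount}
	if _, err := rand.Read(r.Nonce[:]); err != nil {
		panic(err)
	}
	return r
}

// Bytes is the canonical encoding every party signs and verifies.
func (t TxRequest) Bytes() []byte {
	var b bytes.Buffer
	b.WriteString(t.Merchant)
	b.WriteByte(0) // separator so payee and amount cannot be re-split
	binary.Write(&b, binary.BigEndian, t.Amount)
	b.Write(t.Nonce[:])
	return b.Bytes()
}

// SignedTx is the record in transit: POS signature first, then the card's signature over request plus POS signature.
type SignedTx struct {
	Req     TxRequest
	POSSig  []byte
	CardSig []byte
}

// Card models the chip: the private key never leaves it, and the holder's wallet (gated by the PIN/password) sets at most one pending authorization.
type Card struct {
	Pub        ed25519.PublicKey
	priv       ed25519.PrivateKey
	authorized uint64
	pending    bool
}

func NewCard() *Card {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Card{Pub: pub, priv: priv}
}

// Authorize is the holder's step in the wallet before presenting the card.
func (c *Card) Authorize(limit uint64) { c.authorized, c.pending = limit, true }

// Sign approves the POS record only if the POS signature verifies and the amount is within the single pending authorization, which is then consumed.
func (c *Card) Sign(tx SignedTx, posPub ed25519.PublicKey) (SignedTx, error) {
	if !ed25519.Verify(posPub, tx.Req.Bytes(), tx.POSSig) {
		return tx, errors.New("card: POS signature invalid")
	}
	if !c.pending || tx.Req.Amount > c.authorized {
		return tx, errors.New("card: amount not covered by a pending authorization")
	}
	c.pending = false
	tx.CardSig = ed25519.Sign(c.priv, append(tx.Req.Bytes(), tx.POSSig...))
	return tx, nil
}

// Bank keeps card public keys, a revocation list (the list an offline merchant could also carry) and the nonces already settled.
type Bank struct {
	cards   map[string]ed25519.PublicKey
	revoked map[string]bool
	seen    map[[8]byte]bool
}

func NewBank() *Bank {
	return &Bank{cards: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}, seen: map[[8]byte]bool{}}
}
func (b *Bank) Register(id string, pub ed25519.PublicKey) { b.cards[id] = pub }
func (b *Bank) Revoke(id string)                          { b.revoked[id] = true }

// Settle moves money only for a known, unrevoked card key, a nonce not seen before, and both signatures valid over the record actually presented.
func (b *Bank) Settle(tx SignedTx, cardID string, posPub ed25519.PublicKey) error {
	pub, ok := b.cards[cardID]
	if !ok || b.revoked[cardID] {
		return errors.New("bank: unknown or revoked card key")
	}
	if b.seen[tx.Req.Nonce] {
		return errors.New("bank: replayed transaction")
	}
	msg := tx.Req.Bytes()
	if !ed25519.Verify(posPub, msg, tx.POSSig) || !ed25519.Verify(pub, append(msg, tx.POSSig...), tx.CardSig) {
		return errors.New("bank: signature invalid")
	}
	b.seen[tx.Req.Nonce] = true
	return nil
}
```

The card signs over the request together with the POS signature, so neither party can later swap in a different record under the other's signature; the bank's nonce table is what turns a lost receipt from a reusable payment into a one-off. A lost card is handled exactly as the comment says: Revoke the old key, Register a new one, no account number involved.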

Re:Someone has been watching too much Simpsons... (0)

Anonymous Coward | more than 8 years ago | (#14897688)

You underestimate human laziness - 2 steps is twice as difficult as 1. People really like convenience, hence the popularity of debit over ATM/pin.

1, 2, 3, 4, 5? (4, Funny)

Quaoar (614366) | more than 8 years ago | (#14897407)

That's amazing! I have the same combination on my luggage!

Re:1, 2, 3, 4, 5? (1, Funny)

Anonymous Coward | more than 8 years ago | (#14897625)

4, 8, 15, 16, 23, 42? err... nevermind.

Ping? (0)

Anonymous Coward | more than 8 years ago | (#14897409)

Did everyone run to Citybank to close their accounts?

PIN Collisions (4, Interesting)

michaelhood (667393) | more than 8 years ago | (#14897410)

When we were assigning alarm codes at our new office, we realized that all 3 of us had the same ATM PIN, because we all tried to choose it for our alarm code but it errored because someone else had already claimed the code. It's a common 4-digit code among the tech community. =( All changed now.

Re:PIN Collisions (5, Funny)

ziggamon2.0 (796017) | more than 8 years ago | (#14897420)

Right... And you figured no one else would be 'leet' enough to figure it out? ;-)

Re:PIN Collisions (1)

michaelhood (667393) | more than 8 years ago | (#14897434)

lol.. it's just that we're all lazy and figure losing a bank PIN is the least of our worries.

Re:PIN Collisions (2, Insightful)

jcr (53032) | more than 8 years ago | (#14897475)

I tend to use the key number of a car I bought about twenty years ago. Four digits, not particularly easy to guess, but I'll never forget them.

-jcr

Re:PIN Collisions (1)

Carthag (643047) | more than 8 years ago | (#14897724)

About a year ago I was trying to get money at an ATM, but for some reason I just couldn't get it to accept my PIN. Then about a week later I realized I'd been using the PIN from 3 credit cards ago. The brain works in mysterious ways.

Re:PIN Collisions (4, Funny)

Dance_Dance_Karnov (793804) | more than 8 years ago | (#14897498)

admit it, it was 1337 wasn't it.

Re:PIN Collisions (1)

ozbird (127571) | more than 8 years ago | (#14897578)

3142.

Pi as Pin? ;-) (2, Funny)

mfh (56) | more than 8 years ago | (#14897504)

3141, right?

Re:Pi as Pin? ;-) (2, Funny)

Lisandro (799651) | more than 8 years ago | (#14897612)

3141, right?

    Damnit! You sneaky nerds! Is 2718 taken?

Re:Pi as Pin? ;-) (1)

eis271828 (842849) | more than 8 years ago | (#14897665)

Yeah, that's mine. Sorry 'bout that.

Re:Pi as Pin? ;-) (1)

Lisandro (799651) | more than 8 years ago | (#14897694)

Crap. What about 12345? That's the combination of my damn luggage!

Re:Pi as Pin? ;-) (2, Funny)

joecr (922134) | more than 8 years ago | (#14897764)

Well I guess you haven't seen Spaceballs [imdb.com] then, as 12345 was taken way back in 1987.

Try again, but something better.

Re:PIN Collisions (1)

PerlDudeXL (456021) | more than 8 years ago | (#14897666)

Ehh... You can choose your ATM PIN?

Re:PIN Collisions (1)

timmyf2371 (586051) | more than 8 years ago | (#14897710)

I don't know about all countries, but certainly in the UK you can usually change both your debit and credit card PINs.

For security reasons, an automated PIN is generated initially and posted to the cardholder's address; however, this can be changed to a PIN of your own choice via an ATM.

lets go back to barter (1, Funny)

Anonymous Coward | more than 8 years ago | (#14897413)

Oh wait, we already do that. I'll give you Mr. Smith's PIN if you give me Ms. Jones' eBay account password.

Ouch! (-1, Offtopic)

10101001011 (744876) | more than 8 years ago | (#14897414)

I have a feeling some investors are going to be playing PIN the tail on the donkey...
 
Rimshot!
 
Thank you! Thank you! I'll be here all week. Try the stake and don't forget to tip your hostess with your debit card...

still... (5, Interesting)

LandownEyes (838725) | more than 8 years ago | (#14897418)

At least it's not as bad as the "go into debt because you own too many credit cards" hack that most Americans have fallen victim to.

It's intentional (2, Interesting)

Anonymous Coward | more than 8 years ago | (#14897419)

I'm not going to speculate on motives, or get into the politics, but 20 years as a computer scientist and software engineer tells me this is not an accident. Even the worst programmers do not make this sort of mistake.
Rather similar to the Diebold voting machine scandal, one can only wonder what forces are behind this. You can't call it negligence, not even by the greatest leap of imagination is it possible to make such a mistake, so it must be malice. That is to say someone deliberately wrote the spec this way for nefarious reasons. I do wonder though, who benefits? They should haul the systems analysts through the courts until they start to sing, and say "Yeah I was told to write it this way by xxxxxx"

Re:It's intentional (5, Interesting)

wfberg (24378) | more than 8 years ago | (#14897459)

You can't call it negligence, not even by the greatest leap of imagination is it possible to make such a mistake, so it must be malice.

On the contrary, it is negligence. Negligence in replacing outdated systems with newer, more secure ones.

The system where PINs are (potentially) stored is from an older, kinder time. In fact, a time where most places weren't hooked up to data networks permanently. The idea being that you could store transactions, and encrypted PINs, for a while, then connect and upload the data, and get your money. Obviously this is more suited to credit card transactions.

The system was never designed by, well, competent people, and it was also not designed with modern networks in mind. Today, it would be a no-brainer to use some sort of challenge-response or public key algorithm. Like in "chip&pin" (where the PIN unlocks a public key signing-function on the chip card). But this is a remnant of the 70s.

Every once in a while, a story crops up where it's found out that ancient protocols are still being used when a customer with a card from bank A withdraws money from an ATM from bank B (usually across borders, since at a national level (speaking about Europe here) electronic funds transfers are standardized pretty well). Only a few years ago, for example, it was found out it was possible to carry out a transaction in France with a card from the Netherlands without the actual PIN!

This is basically the sort of thing that audits are supposed to catch, because to a lay person the fact that something "just works" is good enough. You only know it's insecure once something bad happens, or if you happen to have a degree in cryptography. In an audit, if you can't answer the question "so, you're sure it uses the latest XYZ123 standard and isn't misconfigured?", then you know you're in trouble. Guilty until proven innocent; rather than Management by Exception..

Re:It's intentional (4, Interesting)

MichaelSmith (789609) | more than 8 years ago | (#14897545)

On the contrary, it is negligence. Negligence in replacing outdated systems with newer, more secure ones.

I remember that in the early days here in .au the banks ran batch processing late at night and the ATMs often couldn't connect to verify account balances. The fallback position was that the ATM would just give out the money and the account would eventually go into debt.

I financed a (small) holiday by exploiting that bug.

But the ATM card I use today is exactly like the card I used 20 years ago. And the phone card I carry is probably more secure. It has a value of $5.

Re:It's intentional (0)

Anonymous Coward | more than 8 years ago | (#14897708)

Only a few years ago, for example, it was found out it was possible to carry out a transaction in France with a card from the Netherlands without the actual PIN!

American Express used to be famous for that. They didn't want to "bother" their customers with PINs, but they didn't want their customers to miss out on unattended POS systems like you get at fuel pumps sometimes. Also they don't follow up fraud below a certain amount, so lots of small transactions on different stolen or cloned cards would just slip through the system.

Re:It's intentional (4, Informative)

ozmanjusri (601766) | more than 8 years ago | (#14897463)

Rather similar to the Diebold voting machine scandal, one can only wonder what forces are behind this.

Well, since Diebold probably made the ATMs which were hacked, you could probably look in the same place. Interestingly, the story was broken by a blog. http://www.boingboing.net/2006/03/05/citibank_under_fraud.html [boingboing.net]

Re:It's intentional (2, Informative)

ComaVN (325750) | more than 8 years ago | (#14897465)

Yes. Yes, they really do make that kind of mistake. I've seen people make quiz-type webpages with just a client-side javascript that checked the answers (which were, of course, plain-text in the html source). Granted, that was not as important as PIN numbers, but a lot of mediocre programmers just don't step back to reflect on what they've written. As far as they're concerned, it works, and they don't even contemplate ways that malicious users might try to break it.

The quiz was for a job application where someone smart enough to look at the html source would be qualified enough for the job, but still.

Re:It's intentional (2, Interesting)

whovian (107062) | more than 8 years ago | (#14897561)

I'm not going to speculate on motives, or get into the politics, but 20 years as a computer scientist and software engineer tells me this is not an accident. Even the worst programmers do not make this sort of mistake.

Allow me to feed your suspicions further.

It's a fear tactic. It's a way to force people to warm up to the idea of mass-implementation of biometric ID. Then when you sign up, not only does the company get a copy of your information, but also the government.

Re:It's intentional (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14897629)

Not to say you are not paranoid....

But something like you are speculating about happened before at least once.

Read How ATM fraud nearly brought down British banking [theregister.co.uk]. And for once the Register wasn't overstating the story in the headline. A bunch of programmers figured it would be cool if they rigged the random PIN number generator to only choose one from a set of three numbers... which coincidentally is also how many times you can try a number before losing the card. In a while everyone with a card from this bank had one of the three numbers.

I am not convinced the current case is "the worst hack ever". I guess the author just already knows all about stories that are kept secret for years.

Chip & Pin (4, Interesting)

slashnik (181800) | more than 8 years ago | (#14897421)

I'm pretty sure that with the new chip and PIN cards that have recently been introduced in the UK, the PIN never leaves the card reader. The PIN is validated within the reader.
The Point of sale system will have no access to this information and thus no chance of the creation of a database of PIN numbers.

The card issuer however will know the PIN

I would still be happier with a photo on the credit/debit card. It's a little more difficult to steal my face.

slashnik

Re:Chip & Pin (5, Funny)

duffel (779835) | more than 8 years ago | (#14897437)

It's a little more difficult to steal my face.

Albeit somewhat more painful.

Supermarkets Defeating Chip & Pin (4, Insightful)

Fzz (153115) | more than 8 years ago | (#14897457)

Unfortunately, increasingly we're seeing supermarkets insist on swiping your chip'n'pin card, rather than relying on you entering the card into the terminal yourself. Tesco and Sainsburys do this, perhaps others do. From the customer's point of view, this completely defeats the security provided by chip'n'pin. The supermarket now has all the information from the mag stripe, and also has your PIN. Anyone obtaining this information can reproduce your ATM card, and drain your account.

In contrast, if you insert the card yourself, the system seems somewhat harder to defeat, although I don't actually know what information the store then has access to. Presumably less information, or they wouldn't want to swipe the card in the first place.

So what's to do? I think the only sensible thing is to refuse point blank to ever hand over a chip'n'pin debit card. If they don't like this, don't pay, and tell them why. And tell others. The stores don't need to swipe your card, but they'll only learn this if enough people object.

Re:Supermarkets Defeating Chip & Pin (0)

Anonymous Coward | more than 8 years ago | (#14897507)

Up until very recently (and possibly still, unless it's changed in the last month) in Tescos you only had to swipe your card - the system did not ask for your PIN. Zero security, basically.

Re:Supermarkets Defeating Chip & Pin (4, Informative)

Freexe (717562) | more than 8 years ago | (#14897522)

It all changed over on Feb 14th here in London with the I <3 my PIN campaign. You can't not use the PIN anywhere now.

Re:Supermarkets Defeating Chip & Pin (1)

ArsenneLupin (766289) | more than 8 years ago | (#14897690)

Toll gates on French motorways are the same: no pin, no signature.

Presumably done because signing or entering a pin would be too awkward and delay the queue?

Re:Supermarkets Defeating Chip & Pin (1)

EnglishTim (9662) | more than 8 years ago | (#14897514)

That's terrifying if true. I had assumed the 'chip' part of the 'chip and pin' meant that you wouldn't be able to clone the card with a magnetic card reader. Do you have any references to back that up? (Not that I mean to imply that you're lying in any way - I'd just be fascinated to read them!)

Cloning chip&pin (1)

weierstrass (669421) | more than 8 years ago | (#14897637)

ATM's don't read chips (yet?) - just stripes.

In the uk at least.

Re:Cloning chip&pin (1)

timmyf2371 (586051) | more than 8 years ago | (#14897719)

I'm not sure about this actually.

I had my debit card replaced with a shiny new chip & PIN model after my original one was stolen last year.

When I insert the new chip & PIN card into an ATM, the on-screen display now states that it is "processing the card data" and takes significantly longer to do so than my old swipe card.

Re:Cloning chip&pin (1)

markxz (669696) | more than 8 years ago | (#14897736)

The ATMs do read the chips, however if the chip is 'unavailable' then the magnetic stripe will be used instead.

Also if the chip is unreadable in a shop (clear varnish?) the card will often be swiped and a signature asked for.

Re:Supermarkets Defeating Chip & Pin (1)

sparckzero (960394) | more than 8 years ago | (#14897551)

In contrast, if you insert the card yourself, the system seems somewhat harder to defeat, although I don't actually know what information the store then has access to. Presumably less information, or they wouldn't want to swipe the card in the first place.

As far as I know, the reason it's inserted into the till as opposed to the terminal is to facilitate faster transaction speed. It also prevents the customer from removing the card too early in the process (the card has to be in the slot until the transaction is complete), or putting in the card the wrong way round etc.

I highly, highly doubt that the large chains would store details with the intent of cloning your card. The till operator has -no- access to any of the information stored on the card.

Re:Supermarkets Defeating Chip & Pin (2, Informative)

slashnik (181800) | more than 8 years ago | (#14897608)

The supermarket now has all the information from the mag stripe, and also has your PIN.


I don't think that the supermarket has your PIN, more like the one-way encrypted PIN information is passed from the point of sale terminal to the PIN pad. The PIN pad checks that the PIN entered is valid then the till will request authorisation from the acquirer.

The full system is validated by the acquirers, if the retailer was found to be holding PIN information or modifying the certified PINpad hardware the retailer would be stopped from using the credit card authorisation facility.

Re:Supermarkets Defeating Chip & Pin (1)

jb.hl.com (782137) | more than 8 years ago | (#14897626)

Waitrose don't. One Stop don't. My local record place doesn't. Even my local dodgy computer hardware place (£3.99 for a keyboard) doesn't swipe the card first. It just goes straight in the reader, enter PIN, wait 30 seconds, remove card.

On the contrary, Tesco's self service tills (a fine example of making things more complicated than they need to be) require that you swipe your card (and no authorisation is needed! No signature, pin etc...). No chip needed. I haven't been in Sainsbury's for ages, but I'd hazard a guess that they're much the same.

A good question would be: if Waitrose, One Stop, Track Records and that dodgy place all don't need to swipe, why does Tesco?

Re:Supermarkets Defeating Chip & Pin (1)

markxz (669696) | more than 8 years ago | (#14897753)

I think Tesco have a chip reader in the till (below the swipe reader). This was probably done to reduce staff training.

I don't know what usage they make of the information from the swipe reader, but it may be possible to collect if their system is not secure.

I thought the whole point of having the integrated card reader/PIN pads was to reduce the distance that the PIN had to travel.

Re:Supermarkets Defeating Chip & Pin (4, Interesting)

ArsenneLupin (766289) | more than 8 years ago | (#14897685)

In contrast, if you insert the card yourself, the system seems somewhat harder to defeat

You still don't know whether that card reader into which you inserted the card yourself is legit. With so many different designs and appearances of readers out there, how can you know?

Formerly, equipment to build fake readers was hard to come by, but this is unfortunately no longer true.

Re:Supermarkets Defeating Chip & Pin (1)

ambrosen (176977) | more than 8 years ago | (#14897726)

Isn't it the case that they swipe the card through the magnetic reader and at the end of the swipe it lodges in the chip reader? It certainly is in the Tescos and Sainsbury's I use. Still, no point in my spoiling a good bit of righteous anger, is it?

Re:Supermarkets Defeating Chip & Pin (1)

Fzz (153115) | more than 8 years ago | (#14897779)

Sure, but the point is that the store then has the entire contents of the mag stripe, and they have to transfer the PIN from the keypad to the card via the terminal that has the mag stripe data. So the contents of the magstrip and the PIN are in the same device. That's all you need to clone the ATM card. You don't need to clone the chip to produce a workable ATM card - just the stripe and the PIN. Now, I've no clue if they store that information, but the point is they don't need the contents of the stripe in the first place.

Re:Supermarkets Defeating Chip & Pin (5, Interesting)

slashnik (181800) | more than 8 years ago | (#14897813)

and they have to transfer the PIN from the keypad to the card via the terminal that has the mag stripe data.

No, the PIN never leaves the PINpad. The PINpads must be type approved by EMVco http://www.emvco.com/ [emvco.com] A hash of the PIN is passed from the terminal to the PINpad which validates the PIN supplied by the customer. A signal is passed back to the till which confirms the PIN was valid.

There are strict restrictions placed on the retailer as to how much of the card data can be saved or logged.

Re:Chip & Pin (1)

jcr (53032) | more than 8 years ago | (#14897482)

It's a little more difficult to steal my face.

Don't count on it. Face recognition software can be fooled by a mannequin.

-jcr

Re:Chip & Pin (1)

Ours (596171) | more than 8 years ago | (#14897502)

I have that: my picture on all my credit cards.
On the rare occasions people do check for my signature they go "oh that's useful, a picture".
I don't know why they don't do the same everywhere. Signature validation is bull as some people are good at faking them, people suck at validating them and everybody's signature changes slightly depending on the situation.
Looking at my face and comparing it to a color picture sounds so much easier and safer.
The only workaround would be changing the picture on the card but it's printed on it so it starts getting complicated and costly for the thief.

Re:Chip & Pin (1)

wfberg (24378) | more than 8 years ago | (#14897546)

The only workaround would be changing the picture on the card but it's printed on it so it starts getting complicated and costly for the thief.

They only need to copy the information on the magnetic stripe (which is read out in its entirety every time it's swiped) onto a card that doesn't have a picture on it. That card can pretty much look like anything, seeing as regular credit cards are imprinted with all sorts of crap these days anyway. It would be nice for the name&numbers to match up, but not really necessary.

Re:Chip & Pin (1)

weierstrass (669421) | more than 8 years ago | (#14897644)

>They only need to copy the information on the magnetic stripe onto a card that doesn't have a picture on it.

Or a picture of Osama bin Laden (or whoever) on it. Cloning magnetic cards is not rocket science.

Re:Chip & Pin (0, Offtopic)

loraksus (171574) | more than 8 years ago | (#14897542)

It's a little more difficult to steal my face.

Trust me, two minutes with a scalpel and it would be in my frying pan, simmering with some fava beans while I drank a nice Chianti. Or I could do the Ed Gein thing.

Re:Chip & Pin (3, Informative)

sparckzero (960394) | more than 8 years ago | (#14897547)

I work in a small local convenience store in the UK, and as such our machine for doing debit/credit cards is completely separate to the EPoS system. The PIN never leaves the terminal that the customers use to enter the PIN, and is wiped after it has been entered. There is physically no way for us to retrieve the PIN. We used to be able to over-ride PIN entry with a supervisor card, before it became mandatory to use Chip and PIN. Now we can't do that anymore.

Re:Chip & Pin (1)

jellomizer (103300) | more than 8 years ago | (#14897573)

It's a little more difficult to steal my face.
You must have never played Space Quest III. All you need to do is work as a janitor, go to the CEO's office when he is not there and take his card. Then you go to the photocopy room and take the picture of the CEO (which is conveniently placed above the copy machine) and make a color copy of it. Then you put back the original. Then when you need to get through the door you use the picture in front of the scanner and bingo, you are in.

Re:Chip & Pin (0)

Anonymous Coward | more than 8 years ago | (#14897729)

Almost true...
Chip cards are configured to authorise low amounts offline without the PIN leaving the POS device (which contains the card reader). But every once in a while there is an online authorisation where the PIN travels to the issuer. Usually the PIN is encrypted and decrypted 4 times (POS device - acquirer - card scheme network - issuer) but there are strict standards in place for encryption and decryption to happen in highly secure tamper proof/evident devices.

Damn... (3, Funny)

matr0x_x (919985) | more than 8 years ago | (#14897422)

Half of me is laughing because I'm picturing the comic book guy saying "Worst Hack Ever" - the other half is genuinely a little frightened at the lack of security guarding my finances :(

Multinational Mayhem (1)

brindafella (702231) | more than 8 years ago | (#14897438)

Okay, take one system then multiply it across various similar systems. Soon, you get a repeatable pattern that folk just love to take advantage of. For example, the crackers. You have to love naivety!

If you are a Citibank customer... (5, Informative)

Anonymous Coward | more than 8 years ago | (#14897443)

... Change your fucking PIN right now. Don't be fooled by the Visa logo... Debit card fraud is not like credit card fraud, where the companies will almost always clear the charges at no (or minimal) cost to you. If a criminal steals your money through debit card theft you probably won't get it back.

I was the victim of debit card abuse (from a different bank). I believe (from talking to other people in my neighborhood) that a gas station was logging the debit card numbers and PINs customers used at the pump, manufacturing cards and taking cash from ATMs. I was hit for about $2000 and it would have been more if I hadn't caught it. The bank would not clear the charges; the police of course took a report but did nothing to follow up. I fought tooth and nail to get the bank to reimburse me, but they basically said it was my word against theirs. I demanded to see the ATM camera photos but they said they would only release them to the police, and of course the police refused to help with my request.

Your mileage may differ, of course. But take this seriously.

Re:If you are a Citibank customer... (5, Informative)

jcr (53032) | more than 8 years ago | (#14897493)

I demanded to see the ATM camera photos but they said they would only release them to the police

If you file suit, you can subpoena them.

-jcr

Re:If you are a Citibank customer... (1)

loraksus (171574) | more than 8 years ago | (#14897533)

What is the point? He'll have to pay court fees and spend hours, if not days, on this and when he gets them, the police won't do a damn thing. If, by some small miracle, the police catch the perp, there is virtually no chance of getting any money from the perp and the bank has more lawyers than he does (and $2000 isn't much when you're talking legal fees).

A call to a congressman or your local "news crew that deals with fraud" might help, but I'm guessing both will stay away from a situation like this.

Re:If you are a Citibank customer... (4, Interesting)

jcr (53032) | more than 8 years ago | (#14897539)

the bank has more lawyers than he does (and $2000 isn't much when you're talking legal fees).

Which makes it quite likely that the bank will make the business decision to refund his money, since it will be cheaper than even the prep work for the bank to show up in court.

-jcr

Re:If you are a Citibank customer... (0)

Anonymous Coward | more than 8 years ago | (#14897752)

Changing your PIN will not help if someone has a copy of the magstripe and a PIN that matches that copy. At least over here with bank cards, it would be possible to change the PIN, but no bank around here allows their customers to do so for two reasons: People would just pick guessable PINs, and worst of all, only the difference between the original PIN will be stored on the card. With the system used here, it's impossible to choose your PIN in the same (semi) secure way that's used to generate the original one, since the real PIN is calculated from a hash of your account number, bank routing number, the card sequence number (which isn't that sequential) and maybe your name that's encrypted with a hopefully secret key. Obviously, this hash will still be valid with an 'old' copy of your card and your old PIN, even if you 'change' the PIN on your original. The only way to be safe if you suspect that someone has your PIN is to give the card back to the bank and order a new one.

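The scheme the comment describes, as an added example that is not part of the original thread or any bank's code: a "natural" PIN is derived from card data under an issuer key, and a customer-chosen PIN is stored only as the digit-wise difference (offset) from it, as in the IBM 3624 offset method. Assumptions: HMAC-SHA256 stands in for the 3DES encryption of the validation data; the validation data is the PAN plus card sequence number; the key, PAN and PINs are made up. The example goes one step beyond the comment by running the same scenario twice, once with the offset read from the magstripe (the case the comment describes, where a clone with the old PIN keeps working) and once with the offset held only at the issuer's host (where the PIN change does lock the clone out).

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

DECIMALIZATION = "0123456789012345"  # classic 3624 table: hex nibble -> digit


def natural_pin(pvk: bytes, pan: str, sequence_no: str, pin_len: int = 4) -> str:
    """Issuer-side derivation: decimalise a keyed function of the card data.
    HMAC-SHA256 stands in for 3DES here (assumption)."""
    tag = hmac.new(pvk, f"{pan}:{sequence_no}".encode(), hashlib.sha256).hexdigest()
    return "".join(DECIMALIZATION[int(h, 16)] for h in tag[:pin_len])


def pin_offset(natural: str, chosen: str) -> str:
    return "".join(str((int(c) - int(n)) % 10) for n, c in zip(natural, chosen))


def apply_offset(natural: str, offset: str) -> str:
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))


@dataclass(frozen=True)
class Card:
    pan: str
    sequence_no: str
    offset: str  # written to the magstripe by the issuer


class Issuer:
    def __init__(self, pvk: bytes) -> None:
        self._pvk = pvk
        self._host_offsets: dict = {}  # offset copy kept at the host

    def issue(self, pan: str, sequence_no: str) -> Card:
        # A freshly issued card carries the natural PIN, i.e. offset 0000.
        self._host_offsets[pan] = "0000"
        return Card(pan, sequence_no, "0000")

    def change_pin(self, card: Card, new_pin: str) -> Card:
        nat = natural_pin(self._pvk, card.pan, card.sequence_no)
        off = pin_offset(nat, new_pin)
        self._host_offsets[card.pan] = off
        return replace(card, offset=off)  # the new offset lands on the original card only

    def verify(self, card: Card, entered: str, trust_track_offset: bool) -> bool:
        nat = natural_pin(self._pvk, card.pan, card.sequence_no)
        off = card.offset if trust_track_offset else self._host_offsets[card.pan]
        return hmac.compare_digest(apply_offset(nat, off), entered)


def clone_then_change_pin(trust_track_offset: bool) -> tuple:
    """A skimmer copies the track and observes the PIN; the customer later
    changes the PIN. Returns (clone with old PIN still verifies,
    genuine card with new PIN verifies)."""
    pvk = b"issuer-pvk-2006"
    issuer = Issuer(pvk)
    original = issuer.issue("4111111111111111", "001")
    old_pin = natural_pin(pvk, original.pan, original.sequence_no)
    clone = Card(original.pan, original.sequence_no, original.offset)  # copied magstripe
    new_pin = "".join(str((int(d) + 1) % 10) for d in old_pin)  # any PIN that differs
    updated = issuer.change_pin(original, new_pin)
    return (issuer.verify(clone, old_pin, trust_track_offset),
            issuer.verify(updated, new_pin, trust_track_offset))
```

With `trust_track_offset=True` both calls succeed, which is exactly the comment's point: the stale offset travels with the clone. With the offset held at the host the clone fails after the change, so the practical question for a bank is where the verifier reads the offset from, not whether customers are allowed to pick a PIN.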
Throw a match in the gas station.... POOOF (0)

Anonymous Coward | more than 8 years ago | (#14897785)

Then go back to the station, and drop the flaming ZIPPO into the gas tank/storage tank and run like hell.

Enjoy the BBQ

Re:If you are a Citibank customer... (1)

Rytr23 (704409) | more than 8 years ago | (#14897786)

This sounds like the exception... a couple of years ago I was checking my bank account online and noticed some odd charges. I called the bank and asked for the merchant and it turns out some tool ordered sneakers and other sporting goods and had them shipped to Ireland. I let my bank know I had never been to Ireland and they nixed the card immediately. I went into the nearest branch, signed a form stating I did not make the purchases and got my new card, and the next day my money was back in my account. My current bank is actually proactive and has sent me debit cards with new numbers; I guess I use mine a bit too much for their liking.. :)

So glad I never got a PIN (1)

chivo243 (808298) | more than 8 years ago | (#14897477)

But not for this reason; my reason was that it was too freaking easy to pop the plastic card in the wall and run up 20% interest on each withdrawal, plus the fee to pay the machine to do its job.

returned my debit card (1)

toppk (135746) | more than 8 years ago | (#14897505)

As soon as I got my bank card with the Visa/MasterCard logo three years ago, I called the bank and told them no thanks, send me a normal card. I hope that means I have no debit card capabilities on my account, but who knows for sure. In any case, I haven't gotten hit yet.

I really enjoyed how all the propaganda for debit cards talked about the convenience of debit over writing checks, when it's really for people who cannot get a credit card, and it seems to be more and more inferior to a credit card. I guess the banks really want credit cards only in the hands of people who will not pay the bill in full each month.

The only real identity theft security will come when more massive fraud occurs and the banks do the math on what the lack of trust and fixing the messes is costing them over real security.

I love how Congress passes laws like the DMCA but never passes a law banning unnecessary identity storage by all these corporations. At least pass a vague regulation like HIPAA or SOX for the credit agencies.

Re:returned my debit card (1)

ctr2sprt (574731) | more than 8 years ago | (#14897563)

It's just too easy to get in trouble with a credit card, especially when you're young and the concept of managing real money is new and unfamiliar. I don't know many people in their 40s with big credit card debt, but I know lots of people in their 20s and 30s (the latter mostly still paying off debt they accumulated as the former) with big debt. Debit cards are much more effective at forcing you to live within your means since I don't think they'll let you overdraft at all any more. They certainly won't let you go over by more than $100 or so.

So I guess I'd revise your comment. Debit cards are for people who can't or shouldn't get credit cards.

Re:returned my debit card (0)

Anonymous Coward | more than 8 years ago | (#14897587)

Are checks common in the US? I've seen some people using them in France but where I live, Spain, I hardly ever see anybody pay with one. I use my debit card all the time when I go shopping because almost no shop will accept checks these days, too much fraud. With a debit card you either have the cash or don't. If your card is rejected they know it instantly. Too bad we're still using magnetic cards that are a joke security-wise.

Re:returned my debit card (1)

AngryNick (891056) | more than 8 years ago | (#14897591)

I agree that having a check card is stupid if you don't need it, but by returning the Visa/MC branded card and asking for a "normal" card (i.e. debit card), I think you still fall squarely in the affected category.

Most banks in the US issue branded "check cards" that can be used anywhere like a credit card (without a PIN) or as a debit card (with a PIN). I assume that when you requested a traditional card, they gave you a plain debit card which can be used at an ATM or any retailer who accepts debit cards (with a PIN). The retailers are the point where the PIN is being compromised.

In my book, debit cards are only for ATM machines and the only thing that goes in any other card reader is a real credit card -- that is not tied directly to my checking account. I suspect there are fewer skimmers hooked up to bank ATMs than there are to unattended gas pumps. I may be wrong, but it makes me feel good.

None of this would matter if we could just get rid of all the bad people.

Re:returned my debit card (0)

Anonymous Coward | more than 8 years ago | (#14897632)

Credit cards have fees, and negative interest and penalty fees and all kinds of complicated crap. Plus, I'm just opposed to debt of any kind. Free debit cards for me, I've sent back credit cards (which I didn't ask for in the first place).
I would appreciate the extra security of a credit card. I'd even pay a fee for it! Banks don't seem to offer "secure debit" though.

And best of all... (5, Informative)

loraksus (171574) | more than 8 years ago | (#14897517)

Citibank is handling this just like you'd expect a credit card company would, with horrid customer service.
If you're out of the country? Tough shit. Virtually all usage outside the USA will result in your card being automatically killed, and the only way (apparently) for you to continue using your card is to have a new card shipped to your home address and activate the card from your home phone, and even then, their CSRs say that if you use it outside the USA, it may get automatically killed again.
See one such story here [boingboing.net].

You know, if this was bigger, it could be a good thing for everyone. Maybe then people would start taking things seriously. And although I usually don't think that we need new legislation, maybe in this case, it would be a good idea.
I'd like to see criminal penalties applied against the directors of companies for losing customer information in the same way people can go to the pokey for screwing up under SOX.

Then again, this breach isn't the worst we've heard about this week. 17 million records (names, phone numbers, addresses, e-mail addresses, IP addresses, logins, passwords, credit-card types and purchase amounts - everything except credit-card numbers) were discovered floating around the net.
See here for details [wired.com].

Oh, and if your card was used, good luck with trying to fix your credit.
The credit system could use an overhaul.

ATM ate my debit card (5, Interesting)

morkeld (104557) | more than 8 years ago | (#14897528)

Another data point in the saga of debit cards.

A different bank's ATM machine ate my debit card. I then continued on my way to lunch expecting to be able to call up the bank later that day and get my card from the nearest branch. You see, this wasn't the first time the machine on campus ate my ATM card and that was the established protocol.

This time, however, the person who got my ATM card out of the machine was the next person in line. They then took the card and proceeded to rampage around the local stores using my card to purchases clothes and shoes; lots of shoes.

Being a debit card, it was drawing the money directly from my checking account. At the time, I was a college student and was basically living paycheck to paycheck. I wasn't in debt and I paid all my bills on time, I just didn't make enough money to save anything.

The checks for my rent and all my bills had already been mailed, but not processed yet. By the time I called the bank, about 3 hours after it ate my ATM card, I didn't have any cash left to pay the bills. I was a college student too, so they immediately accused me of being the one going around on this spending spree as some sort of scam against them. I was quite livid, to say the least.

The next 3 months were a nightmare. Purchases that hadn't posted yet at the time of the theft were being rejected and I was constantly being called and written by merchants trying to get their money back. Of course, everyone eventually did get paid because this was fraud and the bank gave me back most of my money. It still took me quite a while to get everything put back correctly on my credit.

It was amazing to me how many purchases waited to post to my account 3 or 4 or even 5 days after I made the purchase. I was being contacted by people that sold coffee, the grocery store, the campus book store and many more because this was all right at the start of classes.

To this DAY, 7 years later, I refuse to get a debit card and always insist on an ATM only card.

Re:ATM ate my debit card (1)

flynn_nrg (266463) | more than 8 years ago | (#14897603)

Where I live the shop must ask you for a legal document that proves you're the owner of the card. In my case it's my identity card, and the name must match what's written on the debit card. If it doesn't you can't pay, plain and simple. I assume that if the picture on your ID card doesn't match they won't let you pay either. So why aren't shops over there asking for proof? In case my card was stolen the thief would have a hard time putting it to use because every time I pay with it I get an SMS on my phone, so I'd know even if they succeeded and could cancel the card with one simple phone call.

And the weakest link was... (1)

Opportunist (166417) | more than 8 years ago | (#14897548)

...the user.

Storing the pin data on the same machine as the decryption code is dumb. Storing the pin in the first place is dumb. Combine them and you get VERY dumb.

When do people realize that security isn't something you can simply brush off to your IT department? Security is the minimum of system security and user security. Compromise one, compromise the whole system!

It's time for some security awareness training. Especially in sensitive areas! I've been working for an auditing company; you'd be amazed (or frightened) to hear some of the security-related stories that happened there. The outcry alone when I had the nerve to require passwords of at least 8 characters with at least capitals and numbers...

Why only 4 digits? (3, Insightful)

matth (22742) | more than 8 years ago | (#14897558)

Something I've often wondered about. Why are ATM PINs only allowed to be 4 digits?!?!

Re:Why only 4 digits? (5, Insightful)

cimmer (809369) | more than 8 years ago | (#14897583)

I couldn't tell you, but I wouldn't feel much safer with a longer pin code. If someone gets your card number, what's the chance they'll guess the right one out of 10,000 before the bank shuts the card down? If someone steals a bunch of pin numbers from a computer system, it doesn't really matter if they are 4 digits or 9 digits - the end result is the same. The one advantage I can see with longer pin numbers is that they'd be harder to shoulder surf, but like I said, that wouldn't make me feel much safer. I think a better question is when ATMs will start using two factor authentication.

Re:Why only 4 digits? (3, Interesting)

Anonymous Coward | more than 8 years ago | (#14897759)

Well, since the chip's unlocking of the public-key signature can be used as an oracle to whether or not you got the PIN right, and you can exploit a bug to reset the counter in a fraction of a second (which you couldn't do with an ATM), and it takes just a few seconds to try all 10,000 combinations... ...not to mention the problems that could be caused by modified, fraudulent Chip&Pin terminals logging PINs and storing the chip and possibly swipe too. ...and also not to mention the plain-and-simple shoulder-surfing problem caused by a proliferation of places where you enter your PIN, such as a supermarket queue, where people are standing behind you or where they can effectively shoulder-surf you a lot of the time and aren't necessarily expected to be as far back as they would at an ATM, despite the fact that the shoulder-surfing danger is identical...

Is it just Citi? (4, Interesting)

jmichaelg (148257) | more than 8 years ago | (#14897560)

If the retailers have been storing the Pin locally why would this just be a Citi issue. Wouldn't any debit card that went through their network be at risk?

Debit cards are the STUPIDEST idea... (1)

kcbrown (7426) | more than 8 years ago | (#14897574)

A "credit card" that draws directly from your checking account? Without even needing a PIN (since it acts like a credit card)? So that if you lose it, whoever picks it up can purchase things with it and the money in question gets drawn directly from your account?

What completely-out-of-his-mind moron decided this would be a good idea?

I'm sorry, but I refuse to get an account with a debit card. I will always insist on an ATM card and make sure the account in question cannot have a debit card issued against it.

Now, admittedly the particular case in TFA involves PINs, so ATM cards would ostensibly be susceptible to the same attack, but it beats not having anything at all protecting your account...

Re:Debit cards are the STUPIDEST idea... (1, Informative)

Anonymous Coward | more than 8 years ago | (#14897604)

How American.

Here in the Netherlands, getting a credit card isn't even considered 'normal', and 99% of stores only accept debit cards -- where YOU swipe the card, and YOU enter the pin.

And of course, stores can't accept debit cards without the official tamper-resistant hardware provided by the banks (who have all agreed on a common system for transferring money).

There was a card-cloning scam a few years ago, and all ATMs have been retrofitted with special 'things' in front of the card slot to prevent cloning devices being put on them (and people have been told to not give away their cards to anyone).

It can be done properly, it's just that the proper way isn't always the cheapest way..

Re:Debit cards are the STUPIDEST idea... (1)

pe1chl (90186) | more than 8 years ago | (#14897792)

The problem with the Dutch system is that in any case where money is taken from your card and a PIN code was entered on the device, the bank assumes the customer guilty of giving away his PIN, and this customer has to prove that he/she didn't.
Of course it is IMPOSSIBLE TO PROVE that you did NOT give your PIN to someone else!

It happens many times that cards are stolen, and money is taken a few minutes afterwards and with a correct PIN on first attempt.
Very often the customer claims that he did not give away his PIN, but I am not aware of any case where the customer has been able to PROVE this.
It may be that criminal groups already have the pin validation keys, and can check (and thus easily recover) a PIN for a card they have stolen. But there is nothing a customer can do about this, because banks can simply claim that it is not true without having to prove it (which they, similarly, would not be able to do).

So, it is a very biased scheme, where all the risk is at the customers and banks can quietly lay back keeping an ancient and insecure system with a magnetic stripe and 4-digit code in place.
Which system administrator would allow his users to use a 4-digit password??? Or would use a magnetic card that anyone can copy as an identity device?

Re:Debit cards are the STUPIDEST idea... (1)

jonwil (467024) | more than 8 years ago | (#14897735)

I LOVE my visa debit card.
It is very useful to be able to buy things from places that only accept credit cards (such as online shops) but using my money instead of the bank's money.

Worser hack (0, Offtopic)

1u3hr (530656) | more than 8 years ago | (#14897588)

In Hong Kong a list of 20,000 people who had lodged complaints against police was found on a local website. The list included name, address, ID numbers; sufficient for identity theft, but also made many people nervous of retaliation for their complaints. Details of police complainants still on Net [thestandard.com.hk].

What about Visa's $0 Liability (3, Informative)

bobt1956 (945961) | more than 8 years ago | (#14897595)

It appears there's a clause for debit cards used at ATMs... http://usa.visa.com/personal/security/visa_security_program/zero_liability.html [visa.com]
Extract from the above link: The Zero Liability policy covers all Visa credit and debit card transactions processed over the Visa network--online or off. The only transactions not covered under the Zero Liability policy are commercial card, ATM, and non-Visa-branded PIN transactions.

Skimming a huge problem in Canada... (4, Interesting)

Hamster Lover (558288) | more than 8 years ago | (#14897640)

Debit cards are extremely popular in Canada. In fact, I believe we have the highest per capita use of debit cards anywhere in the world (Australia is apparently not far behind). The system even has its own name, Interac, and is so ubiquitous that I never carry cash because every merchant, and I do mean every merchant, is supplied with Interac. It's been this way for so long (Interac really took off around 1994 or so) that no one accepts cheques and hardly anyone carries cash.

Therein lies the problem. If I pop in to a local convenience store, 99 times out of 100 they'll have Interac, but you don't really know how trustworthy they are. In the last few years thieves have caught on that no one really carries cash and have come up with imaginative ways of skimming your card and stealing your PIN. There is a sense of relative safety and attractiveness in skimming debit cards instead of credit cards as they can then take a cloned card and PIN directly to a bank machine and receive cash. No fence, no signatures, no ID requirements, etc. The cost of equipment is relatively low: a magnetic card reader/writer and a high quality digital video camera; the penalties are almost laughable if you manage to get caught, and the potential gain is just about limitless.

I read somewhere, and I am too lazy to Google it, that debit card fraud took in $44 million in 2003 from around 27,000 people. That's approximately $1600 per person. I can't afford to lose that much and the banks don't seem to care. If you kick up a fuss and manage to get the media's attention then they'll do something about it and reimburse you, but count yourself lucky. At an estimated cost of $500 million to switch Interac to something like the chip and PIN system in the UK, they can afford to lose a few customers here and there.

I do technical support for point of sale systems and during our end of year discussions in the MIS department I learned that debit card use fell in terms of dollars spent for the first time in twelve years. Credit card use increased to make up the difference. I can only conclude that card skimming has become so prevalent, or at least the public perception has, that it has already seriously eroded confidence in the Interac system. I was really shocked to learn that. It's also possible that people didn't have as much money as in years past and moved to credit cards, but countering a twelve year trend seems too coincidental.

On the positive side, the Royal Bank does seem to be at least a little proactive in that they do monitor your account for unusually large cash withdrawals and have a system of daily transaction limits. I have been called twice by their security department in the last few years and told to report to the closest branch and have my card replaced. I was told simply that I had used my card at a merchant where a suspected security breach (read: skimming operation) occurred. Inconvenient, but my savings are worth the inconvenience.

Monitoring a huge problem in Canada... (0)

Anonymous Coward | more than 8 years ago | (#14897744)

"On the positive side, the Royal Bank does seem to be at least a little proactive in that they do monitor your account for unusually large cash withdrawals and have a system of daily transaction limits. I have been called twice by their security department in that last few years and told to report to the closest branch and have my card replaced. I was told simply that I used my card at a merchant where a suspected security breach (read: skimming operation) occurred. Inconvenient, but my savings are worth the inconvenience."

Compare and contrast [slashdot.org] the prevailing attitude towards monitoring in this story versus the other.

Well, the Royal Bank never made it a secret... (1)

Hamster Lover (558288) | more than 8 years ago | (#14897782)

When I was called the Royal Bank was obviously as positive as possible about the potential security threat, but they called me nonetheless. It wasn't like there was this huge mystery when my card wouldn't work; they explained what happened and why my account was frozen.

As someone pointed out, freezing the account of the Texas couple due to concerns about terrorist financing failed because they were alerted to the problem. It would make a lot more sense if the bank accepted the payment, processed their account and then passed the information to DHS for them to monitor rather than stumbling around in some keystone cops attempt at thwarting terrorist financing.

"hardly anyone carries cash"? (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14897748)

People like you are the problem. Shred your fucking debit card and start carrying cash! It's a lot safer--sure, if I get mugged I might lose $200 (which has never happened in over 10 years of carrying significant amounts of cash around, by the way). But at least I don't have to worry about some scammer getting my debit card info and draining my whole fucking account.

As a bonus, they don't collect any useful data about my purchasing habits either since they have nothing to correlate them with.

Not just Citibank (1)

LRdM (516608) | more than 8 years ago | (#14897650)

It's not just Citibank, my Wells Fargo cards won't do PIN transactions in the UK either. I've been informed that one can still withdraw cash on a Visa card by going into a bank and doing a cash advance. Ironically, most of the ID-anal-retentive UK banks require 2 forms of photo ID, one being a passport and one being a UK driving license, which doesn't help us foreigners. HSBC only needed a passport and any second form of photo ID. It has been difficult enough trying to do purchases on a non chip-n-pin card. Retailers seem to forget that if a card doesn't have a chip, like a foreign card, you can still swipe it.

This is FUD (unless Issuer colluding with Merchant) (-1)

Anonymous Coward | more than 8 years ago | (#14897684)

1. The PIN information on the (magstripe of the) card is only decryptable by the issuer.
2. The only place that I know of (I have been in this part of the industry for 20 years) that the decryption key is kept outside of the CARD Issuer's CARD CREATION SYSTEM (which is definitively outside of any potential hack) is sometimes, and only sometimes, in the ISSUER's own network OR Visa's or MC's (where the PIN-info encryption key is encrypted under yet another encryption key etc.).

Since this is apparently a story about Point-of-Sale Debit Card use and "hacking" a Merchant, or Merchant-connected system (and taking the image of the magstripes) I cannot see how any crack based on actually hacking any SINGLE network/system can be behind this.

I.e. the implied hack is impossible unless the Card Issuer is letting the Merchant or Merchant processor verify PINs purely on the entered PIN and the magstripe (never heard of this before and it would be an obviously unforgivable security design to anyone in the industry).

Failing that, the expected reality would require hacking into at least 3 separate unrelated technologies and systems/networks. Not to mention finding at least 2 or 3 separate keys that are not transmitted or stored together, and be lucky enough that a large percentage of the magstripes copied are from the same card number prefix from the same Issuer to make things practical.

So is the problem industry wide? Unlikely.

Social engineering and/or corrupt individuals is a more likely answer to all of this.
A bad design? Possibly but I doubt we will ever really hear about this unless it goes to open court ;-}

I've been expecting this for years (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14897692)

Have worked on building integrated debit/credit card systems for the grocery industry in Canada, for years I've built integrated solutions for every Canadian bank at one time or another. Having some low-level access to the system I've always felt it was well thought out and generally secure.

Then I worked on my first US banking integrated solution. I was astounded when I realized I'd actually be working with RAW PINs and have a customer's full Track-2 data from their debit card. With those two pieces of info I could duplicate their card and use it anywhere. All that's required is one unsavory developer in cahoots with one merchant. I am surprised it hasn't happened sooner.

In the Canadian Interac system the banks supply the PIN pads that have built-in software so that it deals with the magstripe and the PIN and ensures only the encrypted PIN is available to the developer. Further, each PIN pad has 3 encryption keys and with each transaction the response from the bank (which has to be decrypted by the PIN pad) includes a new key to replace 1 of the 3 on the pad. It's quite common if there are communication errors for the keys to get out of sync and require a couple of transaction retries to get resynced, but it's far far far better than the US system.

I lived in the US for a couple of years since those days developing debit interfaces and I've never swiped my bank card at ANY merchant vendor machine. But back in Canada debit is king and I use it daily and with confidence that it's safe.

Note: As an aside, the behind-the-scenes processing required for a credit/debit card transaction in the US is incredible. It's essentially chaos! The only savior is that ignorance is bliss and most of the developers for the US system haven't seen the back end of the Canadian banking system, which is very structured, simple and reliable.

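A toy model of the key rotation the comment describes, as an added example that is not part of the original thread and is not Interac's actual protocol or any bank's code: the pad holds three key slots, every request is authenticated under one slot's key, the host's response is encrypted under that key and carries a replacement for the slot, and a lost response leaves the two sides out of step until the next use of that slot. Assumptions: HMAC-SHA256 is the MAC and an HMAC-derived keystream with a fresh nonce per message is the cipher (stand-ins for the pad's real algorithms); slots rotate round-robin; the host keeps one previous key per slot so that a desynchronised slot recovers with a single retry; all key material and the PIN are made up.

```python
import hashlib
import hmac
import os

SLOTS = 3


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def _crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Keystream XOR under a fresh nonce; stand-in for the pad's cipher (assumption).
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


class PinPad:
    def __init__(self, slot_keys: list) -> None:
        self.keys = list(slot_keys)  # injected at setup, then rotated by the host
        self.next_slot = 0

    def request(self, pin: bytes) -> tuple:
        slot, self.next_slot = self.next_slot, (self.next_slot + 1) % SLOTS
        nonce = os.urandom(8)
        msg = bytes([slot]) + nonce + _crypt(self.keys[slot], nonce, pin)
        return slot, msg + _mac(self.keys[slot], msg)

    def receive(self, slot: int, response: bytes) -> str:
        body = _crypt(self.keys[slot], response[:8], response[8:])
        status, new_key = body[:8].strip().decode(), body[8:]
        self.keys[slot] = new_key  # rotation takes effect only when the response arrives
        return status


class Host:
    def __init__(self, slot_keys: list) -> None:
        self.current = list(slot_keys)
        self.previous = [None] * SLOTS

    def handle(self, slot: int, request: bytes):
        msg, mac = request[:-8], request[-8:]
        if hmac.compare_digest(mac, _mac(self.current[slot], msg)):
            # In sync: approve and rotate this slot to a fresh key.
            key, status, new_key = self.current[slot], b"APPROVED", os.urandom(16)
            self.previous[slot], self.current[slot] = key, new_key
        elif self.previous[slot] is not None and hmac.compare_digest(
                mac, _mac(self.previous[slot], msg)):
            # Pad missed the last rotation: resend the current key under the old one.
            key, status, new_key = self.previous[slot], b"RETRY", self.current[slot]
        else:
            return None  # unknown key: reject, the pad needs re-injection
        nonce = os.urandom(8)
        return nonce + _crypt(key, nonce, status.ljust(8) + new_key)


def transact(pad: PinPad, host: Host, pin: bytes = b"1234",
             lose_response: bool = False) -> str:
    slot, request = pad.request(pin)
    response = host.handle(slot, request)
    if response is None:
        return "REJECTED"
    if lose_response:
        return "TIMEOUT"  # host rotated, pad did not: this slot is now out of sync
    return pad.receive(slot, response)


def demo() -> list:
    """Three clean transactions, one lost response, then recovery on retry."""
    seed = [os.urandom(16) for _ in range(SLOTS)]
    pad, host = PinPad(seed), Host(seed)
    log = [transact(pad, host) for _ in range(3)]
    log.append(transact(pad, host, lose_response=True))  # slot 0 falls out of sync
    log += [transact(pad, host) for _ in range(6)]       # slots 1, 2 fine; slot 0 resyncs
    return log
```

`demo()` returns three approvals, a timeout, two approvals, one `RETRY` on the stale slot (the host answers under the old key and re-delivers the current one), and then approvals again: the "couple of transaction retries" the comment mentions, compressed to one because this model keeps a single previous key per slot.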
Re:I've been expecting this for years (2, Interesting)

Adam Schumacher (267) | more than 8 years ago | (#14897815)

What worries me is the new crop of stand-alone ATMs. These units are operated by companies other than banks, and exist solely to collect $1.50 - $2.50 per transaction as a service fee.

I guess that the cryptographic engine that communicates to the Interac network must be supplied and approved by whatever payment provider the merchant chooses (GlobalPayments, etc.), but the pin pad keys themselves are usually integrated into the design of the front panel. I, therefore, have no assurance that the interface I'm entering my pin into is directly connected to the cryptographic system, without any sort of eavesdropping in the middle.

We had a problem with this a few years back here in Ontario, I can only assume that it will crop up elsewhere.

At least when I'm at a grocery store and I use a VeriFone SC500 (or whatever brand that store uses) with its seals intact, I can be reasonably confident that the device hasn't been modified to steal my pin. (Not 100% sure, of course, but the design of an ATM makes it much easier to subvert the electronics than a vendor-supplied pin pad does.) Of course, when the clerk swipes my card into their POS system rather than swiping it directly into the pad, I still have to be alert for cameras, shoulder-surfers, etc.

I found my debit card suddenly non-functional one day, and shortly thereafter got a call from the bank. Any card that had been used at a certain prominent gas station here in Hamilton had been hotlisted by the Interac folks, due to some sort of pin-harvesting scheme. Inconvenient, yes, but nice to know the banks at least try to stay on top of this sort of stuff.

I have yet to understand the need... (2, Insightful)

Overzeetop (214511) | more than 8 years ago | (#14897699)

for the mainstream population to embrace the debit card concept. Maybe I'm just paranoid, but if I'm going to be slinging plastic left and right, I want it to be somebody else's money until I get the statement and verify that all the charges to (insert 16 digits here) are, in fact, ones which I have authorized. It's just too easy to swipe a number and go to town.

Do you trust yourself (with a high credit limit) less than you trust someone making $5/hr, or some shady internet site with your bank account? Oh, sure, you can dispute that charge. But guess what - that money is gone from your account until they decide to credit you back that transaction. If you don't discover the error for a few days or *gasp* until the end of the month when your statement comes in, you could be writing rubber (e)checks for all your monthly expenses. I wouldn't want to bet a couple hundred dollars that the bank will reimburse you for your NSF fees and vendor NSF charges - especially since I've asked, and several managers have confirmed that they will not reimburse those charges.

I'm sure there's a small population out there who cannot get even a secured credit card. Okay, I'm fine with that - situations vary. But these things seem to be way too popular/numerous to be limited to those folks. To me, debit cards are the worst of both worlds - your money available on a card (nearly as bad as cash), but with the merchants and banks tracking your every purchase. *shakes head*

Disclaimer: I carry cash for most personal transactions. That's how I budget. I take out a fixed dollar amount each week, and when that's gone, I stop spending money for the week. If that cash gets lost or stolen, odds are good that I'm probably going to be out less than $50. Disappointing, but that's a pretty small sum, and it's never happened in my adult lifetime. Big purchases & net transactions go on credit card, the latter amount being subtracted from the next week's withdrawal. Since I keep 2-3 months of expenses in my checking account, a debit card is a liability I do not want.

It's "Crack" not "Hack" dammit (0, Offtopic)

hey! (33014) | more than 8 years ago | (#14897707)

Dear Slashdot

Degnebbit! "Hacking" is a word for clever creative activities. "Cracking" is the correct word for breaking system security. Although in this case, plain old "fraud" would be better, as you can't "crack" what isn't there. Thank you for your attention in this matter, which clearly is a simple oversight. I'm sure you will be more diligent in the future.

I'll be checking in in another five years, but until then,

All your base &c.,

R. Van Winkle Esq.

It's Not the Retailers (1)

Mikkeles (698461) | more than 8 years ago | (#14897731)

'The problem...is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad.'

No, the problem is that the numbers are stored at all at the PIN entering end.

If your entire security is dependent solely on an operational directive (in this case: erase entered PIN immediately), then it will fail.
(Also, by Murphy's and others' laws: at the worst time ;^)
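To make the design point in the comment above concrete, here is an added example (not code from the Slashdot thread, from Citibank, or from any PIN pad vendor) of how a pad is meant to handle a PIN so that nothing downstream ever holds it in the clear: the clear PIN is used only to build an ISO 9564-1 format 0 PIN block, the block is encrypted inside the pad, and only the ciphertext plus a per-transaction key serial number (KSN) leave it. The block format is the real one; the cipher is a stand-in (an HMAC-SHA256 keystream, labelled as such in the code) for the TDES/AES-under-DUKPT scheme real pads use, and the PIN, PAN and key values are constructed test data.

```python
# Added example, not code from the thread or from any vendor. It models the
# rule "the clear PIN never exists outside the PIN pad": the pad builds an
# ISO 9564-1 format 0 PIN block, encrypts it, and discards the PIN. The
# cipher below is a stand-in (assumption), not the TDES/AES DUKPT used by
# real pads; the block format itself is the standard one.
import hmac
import hashlib
import os
from typing import Optional, Tuple


def _pan_field(pan: str) -> str:
    # '0000' followed by the rightmost 12 PAN digits, excluding the check digit.
    if not (len(pan) >= 13 and pan.isdigit()):
        raise ValueError("PAN must be at least 13 digits")
    return "0000" + pan[:-1][-12:].rjust(12, "0")


def iso_format0_pin_block(pin: str, pan: str) -> bytes:
    """Build an 8-byte ISO 9564-1 format 0 PIN block.

    PIN field: '0', PIN length as one hex digit, the PIN digits, 'F' padding.
    The PIN field is XORed with the PAN field (see _pan_field).
    """
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field),
                                       bytes.fromhex(_pan_field(pan))))


def pin_from_block(block: bytes, pan: str) -> str:
    """Undo the PAN XOR and parse the PIN field.

    Raises ValueError if the block is not a well-formed format 0 block, which
    is what decrypting with the wrong key produces. Note that the raw block
    hides nothing from someone who also has the PAN: all confidentiality
    comes from the encryption key, which is why storing the key next to the
    encrypted blocks (the scenario in the story) is as bad as storing PINs.
    """
    field = bytes(a ^ b for a, b in zip(block, bytes.fromhex(_pan_field(pan)))).hex().upper()
    n = int(field[1], 16)
    if field[0] != "0" or not 4 <= n <= 12:
        raise ValueError("not a format 0 PIN block")
    pin, pad = field[2:2 + n], field[2 + n:]
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("not a format 0 PIN block")
    return pin


def _keystream(key: bytes, ksn: bytes) -> bytes:
    # Stand-in for the block cipher (assumption): a per-transaction KSN keyed
    # through HMAC-SHA256 yields an 8-byte one-time pad for the block.
    return hmac.new(key, ksn, hashlib.sha256).digest()[:8]


def pad_encrypt_pin(pin: str, pan: str, key: bytes,
                    ksn: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What the PIN pad does: build the block, encrypt it, forget the PIN.

    Returns (ksn, ciphertext); nothing else ever leaves the pad, so there is
    no clear PIN for a retailer's POS to "improperly store" in the first place.
    """
    ksn = ksn if ksn is not None else os.urandom(10)
    block = iso_format0_pin_block(pin, pan)
    ciphertext = bytes(a ^ b for a, b in zip(block, _keystream(key, ksn)))
    del pin, block  # the clear PIN and block go no further than this function
    return ksn, ciphertext


def decrypt_pin_block(ciphertext: bytes, ksn: bytes, key: bytes) -> bytes:
    """Performed inside the issuer's HSM, never on the retailer's network."""
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, ksn)))


def recover_pin(ciphertext: bytes, ksn: bytes, key: bytes, pan: str) -> Optional[str]:
    """Returns the PIN if the key is right, else None (the block will not parse)."""
    try:
        return pin_from_block(decrypt_pin_block(ciphertext, ksn, key), pan)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed test values: a well-known format 0 vector and a dummy key.
    pan, pin, pad_key = "4000001234567899", "1234", b"\x01" * 32
    ksn, ct = pad_encrypt_pin(pin, pan, pad_key)
    print("merchant stores only:", ksn.hex(), ct.hex())
    print("issuer HSM recovers:", recover_pin(ct, ksn, pad_key, pan))
    print("without the key:", recover_pin(ct, ksn, b"\x02" * 32, pan))
```

The merchant's record (KSN and ciphertext) is useless without the pad key, which under this design lives only in the pad and the issuer's HSM; the comment's objection is exactly that a policy of "erase the PIN after entry" is needed only when the PIN reaches the POS in the clear at all.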

how does Cox Cable charge ATM card without PIN? (0)

Anonymous Coward | more than 8 years ago | (#14897796)

Can anyone explain how the Cox Cable online bill payment system can detect my bank card with Visa logo as an ATM card (based on the card number alone) then charge it as such without my PIN or expiration date off the card? They don't even give me an option to charge it only as a debit/credit card instead of ATM like Bellsouth does.