73 Comments
- jwolf, on 10/12/2007, -3/+22
Heck, in 1991 a young John Connor knew how to do this!
If only the T-1000 had killed him, this security hole would have been plugged over a decade ago.
- merreborn, on 10/12/2007, -1/+8
Why do retailers store PINs? There should be strict rules about PIN storage procedures. The data should be stored long enough to verify its validity, and no longer.
- breckinloggins, on 10/12/2007, -1/+7
The Secret Service investigates all kinds and manner of fraud involving actual currency (as opposed to credit cards). Even though it's not printed money, it's still "actual currency" from the SS's perspective.
- Berkana, on 10/12/2007, -0/+5
Here's how they do it:
http://www.utexas.edu/police/alerts/atm_scam/
They put a false front on the card reader that pre-reads your card, and the brochure holder holds a hidden camera that reads your PIN as you enter it, and transmits the images to a receiver nearby.
If you see one of these devices, destroy it, and notify the bank ASAP.
- mspencer712, on 10/12/2007, -1/+6
I work for a payment processor, First National Merchant Solutions. We deploy the same kind of equipment being discussed in this article. I do technical support for those same machines, so I am familiar with how they work. I am not being paid to write this post, but this post violates no employee regulations. Any opinions in this post are my own, and do not represent those of my employer.
Based on my limited understanding of pin-based debit, I would say there are three "classes" of pin encryption device (PED) hardware out there. This isn't official, and I'm making these "classes" up just for this post. This is a brain dump of my professional experience with pin pads. People who know more about this are probably also prohibited from talking about it.
First type: the pin pad is loaded with secret key material (bits) in a secure facility at the payment processor. (No, I won't tell you where ours is.) This key material is probably specific to that payment processor. The pin pad contains tamper-resistant hardware, designed to erase the secret key material if it detects possible tampering. (It also erases the secret key material and has to be sent back to us for other reasons, like being unplugged while powered on, or the moon being full tonight or something, but we won't go into this. *grumble*)
When the merchant enters a debit transaction, the pin pad is told to request a pin number. The customer types their pin, and the pin stays in the pin pad hardware. The terminal then initiates a connection for authorization, just like a credit card sale. The debit network sends a challenge, which is passed to the pin pad. The pin pad creates a response, which is sent back through the terminal to the debit network. The debit network then sends a response, and the pin pad erases the pin number. Unless you have the secret key material in the pin pad, you can't reverse that challenge/response pair and get a pin number.
For this kind of pin pad, even if the merchant wanted to defraud its customers, it could not. Even if their magnetic stripe reader was making exact duplicates of mag stripes, they can't get the pin number from the pin pad electronically. If they didn't have that secret key material on the pin pad, they wouldn't be able to derive a pin number from the data passed between the pin pad and debit network. So they would either need to break security on the pin pad (I know nothing about how secure this is); break security on a pin pad 'injection' station at a payment processor (good luck 007!); or break security at the issuing bank or debit network (inside job possibly?).
Second type: the pin pad is loaded with a 'generic' encryption type, like DUKPT or DES or 3DES. All I know about this is someone can come from another payment processor with their own DUKPT-encrypted pin pad and it'll work right away with our service. Unlike the other type, their pin pad doesn't have to be shipped here to be 'injected' or 'encrypted'. I know most of our retail stores use the first pin pad type (above) while most of our fuel merchants and convenience stores use this type. I don't know how well-protected the secret key material is here.
Third type: something different I can't predict. Maybe the store has implemented their own pin handling system, and got it certified as PED-compliant, which can't be cheap. Or perhaps the store is breaking regulations and risking stiff fines by doing something they're not supposed to do. I don't know.
Also consider that this might be FUD. Both issuing banks and payment processors (I work for a payment processor) make more money on each transaction when you run more sales as Visa/Mastercard and fewer sales as pin-based debit. I know the system rather well, and I won't stop doing pin-based debit just because of this article. There's no good reason to design a system which stores pin numbers, because you can't USE them. If you did, issuers would get customer complaints that said "I know I never lost my card, I know they're claiming I was there and swiped / entered pin, but that wasn't me!" Risk Management would notice a certain business was involved frequently, there'd be a security audit, massive fines would be handed out, etc.
So I call BS. This whole "badly-behaved point of sale systems are keeping your pin number! Insecure!" idea doesn't make sense. I'm thinking it was a leak, something internal to an issuing bank, a debit network, or a consultant or subcontractor of one of those.
Normally posters have the right to privacy. If anyone actually ends up caring, I waive my right to source-IP privacy. A Digg admin is free to look at this post's originating IP, look at the ARIN record for that IP, and post a reply saying which network I'm posting from. Maybe not the actual IP, though.
- Solarusdude, on 10/12/2007, -1/+6
I don't think the PINs are being hacked by brute force. Correct me if I'm wrong, but I think you're only allowed three tries until the system locks you out of the account. The PINs mentioned in this article are being obtained from retail databases and then used in conjunction with fake ATM cards with the corresponding account numbers.
- mgorbsky, on 10/12/2007, -1/+6
According to TFA, it doesn't matter if you use the PIN or not.
"Criminals have stolen bank account data from a third-party company, several banks have said, and then used the data to steal money from related accounts using counterfeit cards at ATM machines."
They have your account information and are making their own ATM cards. This means that just HAVING an account linked to a debit card puts you at risk.
- knuckifyouchuck, on 10/12/2007, -0/+4
Making the databases delete the PIN after verification wouldn't be all that hard; I'm surprised the software devs didn't implement it to begin with.
- lokai, on 10/12/2007, -2/+6
Only today, a friend of mine informed me that he had been contacted by PNC bank regarding this very issue. I will not be using my PIN number to make purchases for quite a while; according to the article, signing is slightly safer. I found this article highly informative, and I recommend that anyone with a debit card read it.
If you're with Commerce bank, however, you might be OK; it does not seem to have been affected as of yet.
- veritech, on 10/12/2007, -0/+4
Surprise, surprise: in an age where we can crack 128-bit WEP keys in a couple of seconds and run dictionary attacks in a couple of seconds, yet banks think a 4-digit, purely numeric number will save your money. Be glad you folks don't live in the UK; we "have" to use our PINs to make purchases, never mind withdrawals.
- Busterx2000, on 10/12/2007, -1/+4
Hello, 600.00 in ATM withdrawals in Chicago. I, of course, live in San Francisco and have never even been there. But I have to say the bank did credit me back.
- gsmithEIDW, on 10/12/2007, -0/+3
Do not under any circumstances tamper with the device!
Firstly, you could be accused of being involved; secondly, these people are ruthless and you could be putting yourself at great personal risk if they see you destroying their device. You can bet the device cost them a lot of money and hassle to get hold of, so they won't likely stand idle whilst you destroy it.
My advice is call the police and call the bank and stay well away.
- ccanni1028, on 10/12/2007, -0/+3
RTFA. There are procedures; many places don't know they're breaking them or have no control over it.
- mattyG, on 10/12/2007, -3/+6
All you have to do is hit credit instead of debit and you don't have to enter the PIN number.
- barnaclebarnes, on 10/12/2007, -1/+3
That is why the UK has introduced 'Chip and PIN'; this is a _far_ more secure system than simple magstripe-based systems like in the US. Chip and PIN systems replace the magnetic strip with a microchip, which is harder to crack. Simply having the PIN number will not work. In NZ we have used eftpos since 1984 (http://www.westpac.co.nz/olcontent/olcontent.nsf/Content/Our+history) and have found it way more secure than a credit card with a signature. We will be moving to a Chip and PIN system in the next couple of years, however.
- inactive, on 10/12/2007, -3/+5
How is signing safer?
That's just nonsense!
- hordak, on 10/12/2007, -1/+3
> How is signing safer?
> That's just nonsense!
Signing is safer on two major fronts:
* You don't risk having your pin number stored by the merchant
* You get additional protection on your purchase. You don't get this additional protection if you use your pin because it goes through a different network.
Here's what Visa says about their check cards:
* "Visa check card transactions can be completed in a number of ways: by signing a receipt; making a purchase on the Internet, by mail, or over the phone (receiving protection from Visa’s Zero Liability policy*)"
http://usa.visa.com/personal/cards/debit/visa_check_cards_faq.html#anchor_2
* "With Visa’s Zero Liability policy*, your liability for unauthorized transactions is $0—you pay nothing."
http://usa.visa.com/personal/security/visa_security_program/zero_liability.html?it=il|/personal/cards/debit/visa_check_cards_faq.html|Zero%20Liability
Hope that helps!
- Teilo, on 10/12/2007, -1/+3
Uh, try again. TFA clearly says that the PINs were stolen as well. They just do not know how. You cannot create a duplicate card and use it at an ATM machine without also having the PIN.
- Solarusdude, on 10/12/2007, -0/+2
I wouldn't worry too much if you're using a debit card. It seems from the article that consumers are getting their money back from the banks. Just be sure to check your account statements every now and then. If you're really paranoid though, just change your PIN right now and you'll be safe until this thing blows over.
- Nation, on 10/12/2007, -0/+2
No, just use it as a "credit card" ... you have more protection that way anyway + you are less likely to have any extra fees.
- tetfsu, on 10/12/2007, -0/+2
@zybch
Using the card as Credit is safer in a number of ways...
1. With the PIN number, the person using the card can just go to an ATM and use the card to take out cash and not have to buy any products.
2. Without having to interact with a person this is easier for the person doing it... Less chance of getting busted. Having only the card number means that the person has to either purchase something online or has to interact with a merchant. (Now the self checkout at Walmart or groceries is a little different, but they still have to sign the pad, and you can always make a claim to your bank that it's not your signature.)
3. I was told by an officer at my local bank that the debit card transactions at the grocery and so forth aren't protected under the same rules as credit card swipes. Therefore your "Verified by Visa" doesn't apply to Debit/PIN transactions.
I am sure there are other reasons why, but those are the main reasons that in the comparison between using your card as Credit or Debit, Credit is better.
Credit is worse for merchants because they have to pay the fee from the credit card companies (Visa, MC, Disc., AMEX, etc.); that's why they always push you toward debit, not credit.
- WiseWeasel, on 10/12/2007, -0/+2
That's fine if yours supports it. My debit card doesn't work as a credit card, as it's not a check card. I'll just stick with a credit card when I'm not at a bank ATM. I'm not gonna trust those random gas station ATM machines either...
- s-m-a-c-k, on 10/12/2007, -0/+2
I guess it's time for a "Revelations"-style "mark of the beast"...
:)
- veritech, on 10/12/2007, -0/+2
Yes, it's true, the systems do lock you out after 3 attempts; however, I'm reasonably sure this can be gotten round, as there would be a reset period, after which the counter is returned to zero.
And although signatures were a kinda dumb idea to begin with, I think PIN numbers are no different, and only serve to further confuse certain members of the public.
- andreo, on 10/12/2007, -0/+2
I think that they really need to name some of the companies that this information is being stolen from. In the video of the article they just say "third party", deliberately skipping names. But in the written article they do mention Office Max. Sure, it's very bad PR for the companies, but they will survive a slump in sales. Someone could have money for their rent, groceries, day care, car payment, etc. wiped out.
People need to know if they are at risk because they shopped at one of the stores that have been affected, or a store that they shopped at lets a billing company that has been breached handle their billing.
Somehow I have a feeling that perhaps one or several companies that have had records stolen may be an advertiser of NBC...
- jayd31603, on 10/12/2007, -0/+2
I agree. This should be required by law.
- Califax, on 10/12/2007, -0/+1
This just happened to my parents, so definitely a digg. Even after being issued a new debit card and canceling the old one, they could still get money out of the account. We didn't notice until the bank called asking about $1,500 charges in Canada.
This can really affect people who do not see it happening, and the increase in fraud may cause banks to raise their prices to offset what they lose in fraud. Hope this can be corrected.
- AxisSilverhand, on 10/12/2007, -1/+2
My credit union allows me to change my PIN for free, although I have to go into the branch so they can re-swipe my card through their encoding/programming device. That feels like a stop-gap, however. I hope they close the loop on this one soon.
- joshduck, on 10/12/2007, -0/+1
For my account the lockout period is a day. You can't override it because it's controlled by the bank's central computer.
There are 10,000 possible PIN combinations. If you try three a day for a year you will still only have a 1/9 chance of accessing the account. I'm sure by that time the bank would have noticed what's happening.
Also, if you have more than three failed attempts in a single ATM in a day it will keep your card.
- inactive, on 10/12/2007, -0/+1
Where are the exploit details?
- Matteos, on 10/12/2007, -0/+1
Wonderful!
- Quarks, on 10/12/2007, -0/+1
Tell me, what kind of debit machines are they using in America, and how secure are they?
Do the machines store the PIN?
In the Netherlands the PIN transactions all go via a secure telephone connection through the company Interpay, which handles all debit transactions.
- edis0n, on 10/12/2007, -0/+1
In civilized countries there are clearly defined protocols between the 'card terminal' and the point-of-sale system. The POS never sees the PIN, just whether the transaction was authorized or not. There are strict rules for treating the PIN and the crypto electronically/digitally within the card terminals. I find it hard to believe that the US in general uses a system whereby if you hack the POS you can store the PINs. That would be _ridiculously_ easy to hack. Expect more of this, then.
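A toy simulation of the two points made above: mspencer712's "first type" pad, where the PIN stays inside tamper-resistant hardware holding injected key material and is erased after the challenge/response, and edis0n's point that the POS only relays bytes and learns the authorization result. This is an added example, not code from either poster or from any real PED; `PinPad`, `DebitNetwork`, `terminal_sale`, the HMAC-based stand-in cipher and the sample key/PAN values are all constructed assumptions.

```python
# Constructed toy model of the "first type" PIN pad described above; not a real PED or
# debit-network protocol (real pads encrypt ISO 9564 PIN blocks under TDES/DUKPT keys).
# HMAC-SHA256 stands in for key derivation and for the cipher so it runs on the stdlib.
import hashlib
import hmac
import os

PIN_BLOCK_LEN = 16


def _crypt(key: bytes, challenge: bytes, data: bytes) -> bytes:
    """XOR data with a per-transaction keystream derived from key and challenge (toy cipher)."""
    stream = hmac.new(key, b"pinblock|" + challenge, hashlib.sha256).digest()
    return bytes(x ^ y for x, y in zip(data, stream))


class PinPad:
    """Tamper-resistant pad: holds the injected key and never exports the PIN."""

    def __init__(self, injected_key: bytes) -> None:
        self._key = injected_key  # loaded at the processor's injection facility
        self._pin = None          # present only between entry and response

    def enter_pin(self, pin: str) -> None:
        if not pin.isdigit() or not 4 <= len(pin) <= 9:
            raise ValueError("PIN must be 4-9 digits")
        self._pin = pin

    def respond(self, challenge: bytes) -> bytes:
        """Answer the network challenge with an encrypted PIN block, then wipe the PIN."""
        if self._pin is None or not self._key:
            raise RuntimeError("no PIN entered, or key material was zeroised")
        # Toy PIN block: length digit, PIN digits, 'F' padding (ISO 9564-like layout).
        block = f"{len(self._pin)}{self._pin}".ljust(PIN_BLOCK_LEN, "F").encode()
        enc_block = _crypt(self._key, challenge, block)
        self._pin = None          # the PIN does not survive the transaction
        return enc_block

    def tamper(self) -> None:
        """Tamper detection: zeroise key material; the pad must go back for re-injection."""
        self._key, self._pin = b"", None


class DebitNetwork:
    """Holds the pad's key and a per-PAN verification value (never the PIN itself)."""

    def __init__(self, shared_key: bytes, issuer_key: bytes) -> None:
        self._key, self._issuer_key, self._pvv = shared_key, issuer_key, {}

    def _pvv_for(self, pan: str, pin: str) -> bytes:
        return hmac.new(self._issuer_key, f"{pan}|{pin}".encode(), hashlib.sha256).digest()

    def enrol(self, pan: str, pin: str) -> None:
        self._pvv[pan] = self._pvv_for(pan, pin)  # store a verifier, not the PIN

    def authorize(self, pan: str, challenge: bytes, enc_block: bytes) -> bool:
        """Recover the PIN under the shared key and check it against the stored verifier."""
        block = _crypt(self._key, challenge, enc_block).decode("ascii", "replace")
        if not block[:1].isdigit():
            return False
        n, pin = int(block[0]), block[1:1 + int(block[0])]
        if len(pin) != n or not pin.isdigit():
            return False
        expected = self._pvv.get(pan)
        return expected is not None and hmac.compare_digest(expected, self._pvv_for(pan, pin))


def terminal_sale(pad: PinPad, network: DebitNetwork, pan: str, pin: str,
                  challenge: bytes = b"") -> dict:
    """What the merchant's POS handles: it relays bytes and learns only the outcome."""
    pad.enter_pin(pin)                               # the customer keys the PIN into the pad
    challenge = challenge or os.urandom(16)          # fresh challenge, issued by the network
    enc_block = pad.respond(challenge)               # the PIN is wiped inside the pad here
    approved = network.authorize(pan, challenge, enc_block)
    return {"pan": pan, "challenge": challenge, "enc_block": enc_block, "approved": approved}
```

The dictionary `terminal_sale` returns is everything the POS ever handles; a captured `enc_block` is bound to one challenge and is useless without the key that only the pad and the network hold.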
- andreo, on 10/12/2007, -0/+1
I found a story that gets a bit deeper into the story here:
http://www.consumeraffairs.com/news04/2006/02/debit_cards.html
Although it still doesn't say exactly how they got the information.
- mspencer712, on 10/12/2007, -0/+1
(I'm the same person who wrote that long pin-pad post, above. Same disclaimers apply here too.)
The technology shift you're talking about has been underway for a while. The payment transfer associations (Visa and Mastercard for example) want to avoid implementing things which have a "chilling effect" on accepting their cards. The more sales run using their networks, the more profit they make. If they create a "technology divide", where some merchants have fancy new smartcard or contactless hardware and some merchants don't, and the system favors merchants who have that new tech, then that hurts the "without" merchants. Either customers perceive less security from these merchants, and some customers stop using their cards at these businesses; or these merchants only qualify for more expensive interchange programs and their cost for transactions goes up.
So on one hand, you're right about security. More tech is coming. But it's difficult to deploy. Merchants won't spend extra money for the hardware unless you give them a reason -- but if you try to motivate them too much, they might just say "to heck with this" and stop taking cards.
The "tighter corporate control" and "tracking" stuff is paranoid and delusional. Issuing banks have a good reason for knowing that the person presenting a card to a merchant is the same as the person who owns that card's account. This point-of-sale technology protects against fraud, and doesn't enable or disable any privacy-invasion stuff.
- spadin, on 10/12/2007, -0/+1
This article is misinforming people. They mention that Office Max is one of the culprits, which could be true. However, what they don't mention is the company that designed the software for Office Max. The same company that designed that software could have designed the software for Best Buy, Wal-Mart, Costco, who knows... That company should be made public so retailers will demand an update or not do future business with them.
- FunkifyYourLife, on 10/12/2007, -0/+1
In the UK we're told not to destroy the fake front of the ATM, but to notify the police to remove it, probably to take fingerprints from the underside.
- billyliberty, on 10/12/2007, -0/+1
I specifically avoid using debit cards at all.
Though there are those protections that Visa/Mastercard provides (mentioned previously), it's still ultimately your money on the line until the situation is resolved.
By using credit cards, the relevant financial institution's money is involved, so right away they're concerned with protecting their own assets if a fraudulent transaction occurs.
They then have a vested interest in the outcome and are not motivated by merely maintaining respectable public relations.
Throw your debit card in your sock drawer. It's unnecessary!
- acruxksa, on 10/12/2007, -0/+1
Just goes to show you that electronic money and transactions have a LONG way to go before they can truly replace hard cash.
There would seem to be no end to the ingenuity of hackers. Although I'm a little concerned at the theft, it is still kind of intriguing to see system after system, network after network go down in flames as people (aka hackers, or in this case thieves) shoot holes in things that are supposed to be "bullet proof".
- jayd31603, on 10/12/2007, -0/+1
This is the older and more obvious way, but not what this article is referring to.
- mercatfat, on 10/12/2007, -0/+1
No, but it certainly is inconvenient.
It's also more dangerous. If your wallet gets stolen, you can't call your bank and tell them to give you back $300.
- jabelar, on 10/12/2007, -0/+1
There are also retailers in on some of these scams, including double-swiping or even just videoing.
- jayd31603, on 10/12/2007, -0/+1The software creator is due their fair share of public humiliation and lawsuits.
- Dhalgren, on 10/12/2007, -0/+1Don't worry? What are you talking about? The money comes from somewhere. Just because a person gets their money back from the bank doesn't mean the story is over. Do you think the banks are willing to take a loss on this? No. This will always come back to us in the form of higher fees, interest rates, etc. The crooks are taking from all of us, don't pretend like it isn't your problem...
- disord3r, on 10/12/2007, -0/+0The Secret Service investigates crimes associated with financial institutions. Today, this jurisdiction includes bank fraud, access device fraud involving credit and debit cards, telecommunications and computer crimes, fraudulent identification, fraudulent government and commercial securities, and electronic funds transfer fraud.
- Izzie, on 10/12/2007, -0/+0
Reminds me of the French engineer Serge Humpich's story back in the late 90s. On his own he managed to reverse engineer how an ATM and bank card work. Then he managed to remove the protection and build a card which always says "yes" when the ATM asks the card if the PIN is correct; hence the YesCard was born.
The guy told the European banks group about his discovery and offered his services and ideas to build a secure system to replace the actual one. The banks asked for proof, which he gave: he bought 10 booklets of 10 metro tickets with 10 different cards and sent the whole lot to them.
The banks used this as proof to put him in court, where he was sentenced to jail. So much for being ethical and wanting to preserve the banks.
He never went public about the technical details of his results, but once the news was made public many other people did the same work and even improved on his work; the infamous geZeroLee Box software is one example among others.
More about this here:
http://www.everything2.com/index.pl?node_id=1495040
http://www.parodie.com/english/smartcard.htm
Some while after the YesCard trick was being overused in France and Europe, European banks refused to acknowledge the importance of the phenomenon and the amount of money involved in card fraud. In France the workaround, with the help of the government, was making it very difficult, not to say impossible, to find the fresh cards and software to build a YesCard, in combination with blacklisting card numbers and upgrading a few ATMs. Then fraudsters turned to white cards, which are still in use as of last week:
(Warning: link in French, but check the pics)
http://zataz.org/news/10623/distributeurs_d_essences_pieges_par_des_pirates_amateurs_de_cartes_bancaires.html
It is to be noted that the magnetic part of the card has not been used in France since the early 90s, in favor of the PIN code, but the magnetic info of a French card can be cloned and reused in another country.
The method is very similar to the one described here: http://www.utexas.edu/police/alerts/atm_scam/
Serge Humpich wrote a book about the whole story: "Le cerveau bleu", ISBN 2845630395
- davidjunit, on 10/12/2007, -0/+0
I bank with SunTrust and just a few weekends ago I found that my card was disabled; I found this out when I was eating out (eat, then pay). Thankfully I was with friends that had cash on them. The bank sent me a new card, I didn't ask questions, there were no suspicious transactions. The next week I spoke with a classmate that had the same problem with her SunTrust bank card, but she had a strange ATM transaction pending.
This seems like more than someone just placing a camera and card reader at an ATM; someone must've really yanked a lot of data. Of course, when they saw my balance they just passed right over my account.
- popsumer, on 10/12/2007, -0/+0
The Consumerist has been tracking this issue fairly extensively for some time now (certainly before MSNBC did an article on it):
http://www.consumerist.com/consumer/the-russian-connection/index.php
- realchris, on 10/12/2007, -0/+0
I just got a new card in the mail today because my card number is "at risk for unauthorized transactions". This must be pretty bad; that's never happened to me before.
- signal15, on 10/12/2007, -0/+0
Read my article here on this issue; I used to work in the industry, and I have a pretty good idea of what happened.
http://www.signal15.com/articles/2006/03/09/atm-card-fraud-and-bank-negligence