PIN Scandal "Worst Hack Ever;" Citibank Only The Start

["Richard M. Smith" <rms () bsf-llc com>]

http://techweb.com/wire/security/181502468

PIN Scandal "Worst Hack Ever;" Citibank Only The Start
By Gregg Keizer, TechWeb News 

The unfolding debit card scam that rocked Citibank this week is far from
over, an analyst said Thursday as she called this first-time-ever mass theft
of PINs "the worst consumer scam to date." 
Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue
debit cards and block PIN-based transactions for users in Canada, Russia,
and the U.K. 

But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner
research vice president. The scam -- and scandal -- has hit national banks
like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller
banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have
re-issued debit cards in recent weeks. 

"This is the worst hack ever," Litan maintained. "It's significant because
not only is it a really wide-spread breach, but it affects debit cards,
which everyone thought were immune to these kinds of things." 

Unlike credit cards, debit cards offer an additional level of security: the
password-like Personal Identification Number, or PIN. 

"That's the irony, the PIN was supposed to make debit cards secure," Litan
said. "Up until this breach, everyone thought ATMS and PINs could never be
compromised." 

Litan's sources in the financial industry have told her that thieves hacked
into a as-yet-unknown system, and made off with data stored on debit cards'
magnetic stripes, the associated "PIN blocks," or encrypted PIN data, and
the key for that encrypted data. 

...


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.