March 16, 2006 4:00 AM PST

Your secret PIN may not be so secret

An unprecedented theft of personal identification numbers from thousands of consumers across the country is calling into question the basic safety of paying with debit cards.

The debit card breach, which the trade publication American Banker says could have allowed thieves to gain access to as many as 600,000 bank accounts, has raised larger questions about whether merchants are improperly storing customers' personal data.

The problem, according to security experts, is the storage of PINs attached to debit cards. The compromise of so many PINs suggests that a national retailer stockpiled customer information even though such a practice is against rules set down by the major credit card companies. What the breach has revealed, say security analysts, is that safety measures around these numbers could represent an Achilles heel for debit cards.

"The process of authentication for PIN numbers has been perceived for a long time to be very secure," said Edward Kountz, a financial services analyst at Jupiter Research. "These thefts call into question how secure they really are."

The recent debit card crime spree stretched from Seattle to North Carolina. And for the past month, most of the media attention has focused on which company suffered the security breach. Many of the victims shop at OfficeMax, an office-supply chain headquartered in Itasca, Ill., according to law enforcement officials. The company has denied suffering a breach and said a third-party audit found no problems (though the company is still working with authorities investigating the case).

Law enforcement officials in New Jersey have arrested 14 people in connection with the case. The suspects, all U.S. citizens, are accused of using stolen credit and debit card information to produce counterfeit cards. These were used to make fraudulent purchases and withdrawals from cardholder accounts, Hudson County Prosecutor Edward DeFazio said. Most of the arrests were made during the past two weeks.

But as FBI and Secret Service agents continue to investigate, security experts are beginning to worry less about where it happened and are turning their attention to whether a similar crime could happen again.

Indeed, the robbery could mark the dawning of a new age in computer crime, said Gartner security analyst Avivah Litan. "The moral of the story is there must be hundreds of companies that store PIN data," Litan said.

Litan pointed out that most retailers use the same technology and follow many of the same procedures.

At most retail stores, registers feed card data to a "terminal controller," which acts as the store's master server, Litan said. The controller encrypts the data coming from each register, and at some stores the encryption "key" is kept on the controller as well. That arrangement is very convenient for an electronic intruder who manages to break into the controller: the attacker can slip away with the encrypted data and the key that unlocks it in the same haul.

Retaining PINs and encrypted PIN blocks after a transaction has been authorized is prohibited by section 3.2.3 of the Payment Card Industry Data Security Standard, a set of requirements developed by Visa and adopted by the other major card brands; the standard's key-management requirements separately restrict how encryption keys may be stored and protected. Companies found violating the rules can be fined. But it is also possible to acquire and save customer data by mistake.

"(It's possible) that a manager of a store has no clue they are doing it," Litan said. "The information can be buried in old software."
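One practical consequence of the two paragraphs above is that a retailer has to go looking for PIN and track data its own systems may have kept without anyone intending it. The Python below is an added example, not code from the article or from any company it names: a scanner for transaction logs that flags records still holding full track 2 data or a PIN block (what PCI DSS requirement 3.2 calls sensitive authentication data) and shows how such a record would be redacted. The log format, field names (TXN, TRACK2, PINBLK) and every value in it are constructed for the example.

```python
"""Find sensitive authentication data (full track 2, PIN blocks) left behind in
point-of-sale transaction records. PCI DSS requirement 3.2 forbids keeping such
data once a transaction has been authorized, even in encrypted form."""
import re

# Constructed sample of what an old terminal-controller batch log might hold.
# Field names (TXN, PAN, TRACK2, PINBLK ...) and all values are invented here.
SAMPLE_LOG = """\
2006-02-03 18:41:07 TXN=000123 PAN=4111111111111111 EXP=0809 AMT=42.17 AUTH=OK
2006-02-03 18:41:09 TXN=000124 TRACK2=;4111111111111111=08091011234567890?  PINBLK=04A2F3B1C6D7E8F9 AMT=17.50 AUTH=OK
2006-02-03 18:42:30 TXN=000125 PAN=5500000000000004 PINBLK=1F2E3D4C5B6A7988 AMT=120.00 AUTH=OK
2006-02-03 18:43:12 TXN=000126 PAN=601100******9424 PINBLK=**************** AMT=9.99 AUTH=DECLINED
2006-02-03 18:44:01 TXN=000127 PAN=6011000990139424 AMT=3.25 AUTH=OK NOTE=PINBLK not present
"""

# Track 2 as read from a magnetic stripe: ';' PAN '=' expiry, service code,
# discretionary data '?'. The optional TRACK2= prefix is part of the sample format.
TRACK2_RE = re.compile(r"(?:TRACK2=)?;(?P<pan>\d{13,19})=(?P<rest>\d{4,}[^?;]*)\?")
# An encrypted PIN block is 8 bytes, logged here as 16 hex digits.
PINBLOCK_RE = re.compile(r"\bPINBLK=(?P<blk>[0-9A-Fa-f]{16})\b")
TXN_RE = re.compile(r"\bTXN=(?P<id>\d+)")


def luhn_ok(digits):
    """Mod-10 check: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sad(record):
    """Return which kinds of sensitive authentication data one record contains."""
    findings = []
    m = TRACK2_RE.search(record)
    if m and luhn_ok(m.group("pan")):
        findings.append("track2")
    if PINBLOCK_RE.search(record):
        findings.append("pin_block")
    return findings


def scan(log):
    """Map transaction id -> findings, for every record that still holds SAD.
    A clear-text PAN on its own is not SAD (it falls under requirement 3.4,
    rendering stored PANs unreadable), so TXN 000123 and 000127 are not flagged."""
    report = {}
    for line in log.splitlines():
        findings = find_sad(line)
        if findings:
            m = TXN_RE.search(line)
            report[m.group("id") if m else line[:19]] = findings
    return report


def redact(record):
    """Rewrite a record to what may be kept: the PAN truncated to first six and
    last four digits, and no PIN block at all."""
    def truncate(m):
        pan = m.group("pan")
        return "PAN=" + pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    record = TRACK2_RE.sub(truncate, record)
    record = PINBLOCK_RE.sub("", record)
    return re.sub(r" {2,}", " ", record).strip()


if __name__ == "__main__":
    for txn, kinds in scan(SAMPLE_LOG).items():
        print(f"TXN {txn}: retains {', '.join(kinds)}")
    for line in SAMPLE_LOG.splitlines():
        if find_sad(line):
            print("redacted:", redact(line))
```

The Luhn check keeps the track 2 pattern from firing on arbitrary digit runs, and the masked PIN block in TXN 000126 passes because the pattern insists on hex digits. Run against the sample, the scanner flags TXN 000124 (track 2 plus PIN block) and TXN 000125 (PIN block) only.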

Quoting unnamed sources, American Banker reported that the leading theory among experts is that hackers likely breached the computer systems of an unknown retailer at possibly 30 U.S. store locations, mainly on the West Coast and Southeast. The thieves made off with the cards' magnetic stripes, PINs and PIN keys.

Still, one theft of PIN codes, even if it involved hundreds of thousands of customers, doesn't mean the current system is broken, said Mike Urban, a fraud technology operations director at Fair Isaac, which monitors ATM networks for counterfeit transactions.

"I'm not sure that this problem is all that widespread," Urban said. "In this business, it's all about following procedures and implementing the correct systems. It's certainly possible that this could happen again. All I'm saying is that it's not something that we've heard much about until now."


38 comments
People and Pins
by SqlserverCode March 16, 2006 5:20 AM PST
People do some stupid stuff.
About 10 years ago, while I was working as a waiter, a man handed me a Visa/debit card and he had his PIN number written on the back of the card.

He was in his eighties (probably couldn't remember his PIN) and criminals prey on people like that.

http://otherthingsnow.blogspot.com/
Close to home
by nmcphers March 16, 2006 8:43 AM PST
This story hits close to home for me. Just last week--March 9th--two charges appeared on my checking account that I did not make. I was able to get a refund and changed my debit card number. I use it a lot online, but I'm going to be more careful about that in the future.
Someone is not telling all!
by heystoopid March 16, 2006 10:45 AM PST
Someone is not telling all, and is not being honest with their customers at the same time; shades of the English bank scandal, when all the leading banks in the UK at one time sent out all cards with a choice of only 4 basic PIN numbers to every customer!

This gives rise to the question: what else are they hiding? Is there a basic and inherent security flaw in the product?

Trust is a two-edged sword!
The real problem is ...
by hadaso March 16, 2006 11:32 AM PST
The real problem is of course not that this info is stored and can be breached, but the basic business model that requires that a merchant be given info that can be reused to make charges other than the one charge to pay for the purchase made by the customer (and then has to spend lots of money on a setup that would "securely" store this data etc.).

The way it SHOULD be done is that the credentials supplied by the customer to the merchant be usable for only one particular transaction. The consumer would have a device. A PIN would only be used to allow the device owner to use it. When making a purchase, the consumer's device would input the amount to be paid and the merchant's id, and would produce a code based on that and the consumer's id that the merchant would keep, and that would apply only to that particular transaction, at that particular time and date. There would be no need to keep the information secure because it could only be used to cause the correct amount to be transferred one time from the particular customer's bank account to the particular merchant's account. No one else could benefit from that info. The process itself can be automatic: the merchant's device would "talk" to the customer's device in a standard protocol. Each would display the info and each human would confirm the transaction on her own device, so that would prevent one party from using a device that "cheats".
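As an added example, not part of the comment above or of the original article: one way to realize the single-use, transaction-bound code hadaso describes. Everything specific below is an assumption made for illustration, since the comment fixes no cryptography: the customer device and the bank share a symmetric key provisioned at enrollment, the code is an HMAC-SHA256 over customer id, merchant id, amount, timestamp and a random nonce, and a code is accepted only within a five-minute window. The settlement routine then shows what a thief who steals the merchant's stored codes can and cannot do with them.

```python
"""Single-use, transaction-bound payment codes, so that whatever a merchant
stores cannot be replayed or re-used for a different amount or payee."""
import hmac
import hashlib
import secrets

# Assumption for this example: customer device and bank share a symmetric key
# provisioned at enrollment; the PIN only unlocks the device locally and never
# leaves it, so it plays no part in the protocol below.
WINDOW_SECONDS = 300  # how long a code stays valid (assumed policy)


def _message(customer_id, merchant_id, amount_cents, ts, nonce):
    """Canonical byte string the tag commits to. '|' keeps fields unambiguous."""
    return f"{customer_id}|{merchant_id}|{amount_cents}|{ts}|{nonce}".encode()


class CustomerDevice:
    def __init__(self, customer_id, secret):
        self.customer_id = customer_id
        self._secret = secret

    def authorize(self, merchant_id, amount_cents, now):
        """Produce a code bound to this merchant, amount and moment in time.
        The nonce makes the code single-use even if two purchases coincide."""
        nonce = secrets.token_hex(8)
        msg = _message(self.customer_id, merchant_id, amount_cents, now, nonce)
        tag = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        return {
            "customer_id": self.customer_id,
            "merchant_id": merchant_id,
            "amount_cents": amount_cents,
            "ts": now,
            "nonce": nonce,
            "tag": tag,
        }


class Bank:
    def __init__(self):
        self._secrets = {}
        self._used = set()  # (customer_id, nonce) pairs already settled

    def enroll(self, customer_id, secret):
        self._secrets[customer_id] = secret

    def settle(self, code, merchant_id, amount_cents, now):
        """The merchant presents the stored code plus what it claims to be owed.
        Returns (accepted, reason); every check is tied to the code's own fields."""
        secret = self._secrets.get(code["customer_id"])
        if secret is None:
            return False, "unknown customer"
        if code["merchant_id"] != merchant_id:
            return False, "code issued to a different merchant"
        if code["amount_cents"] != amount_cents:
            return False, "amount does not match code"
        if not 0 <= now - code["ts"] <= WINDOW_SECONDS:
            return False, "code expired or timestamp in the future"
        msg = _message(code["customer_id"], merchant_id, amount_cents,
                       code["ts"], code["nonce"])
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, code["tag"]):
            return False, "bad tag: code was altered or forged"
        key = (code["customer_id"], code["nonce"])
        if key in self._used:
            return False, "replay: code already settled"
        self._used.add(key)
        return True, "ok"


def demo():
    """Honest settlement, then a replay, a tampered amount and a different payee."""
    secret = secrets.token_bytes(32)
    bank = Bank()
    bank.enroll("cust-42", secret)
    device = CustomerDevice("cust-42", secret)
    t0 = 1_142_510_400  # constructed clock value

    code = device.authorize("merchant-7", 4217, now=t0)
    results = [bank.settle(code, "merchant-7", 4217, now=t0 + 30)]
    results.append(bank.settle(code, "merchant-7", 4217, now=t0 + 60))  # replay
    stolen = dict(code, amount_cents=99_999)  # thief edits the stored code
    results.append(bank.settle(stolen, "merchant-7", 99_999, now=t0 + 60))
    results.append(bank.settle(code, "merchant-9", 4217, now=t0 + 60))  # other payee
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accepted" if accepted else "rejected", "-", reason)
```

The point of the design is in the four rejections: a stored code is worthless to anyone who copies it, because the bank will not honour it twice, for a different amount, for a different merchant, or after the window closes. The PIN block and track data that the article says were stolen never exist in this flow.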
Frankly...
by Heebee Jeebies March 16, 2006 11:41 AM PST
None of the stores or other businesses have any need or right to store any of that information. The banking industry needs to fix it so that that vital information is only scanned when the person uses their card; once that is done, other information that isn't linked to the customer's personal data, things like card number, PIN, etc., should not have to be used after it is entered by the customer. Random information for the transaction through the rest of the pipeline is generated and used from there on in, leaving the user's personal and private information out of it. Should a problem come up, the bank can use the information from the store and what they have on the customer in question to do their investigation.

Robert
Stampeding Giants Running Off The IT Cliff
by Iohagh March 16, 2006 12:20 PM PST
I imagine in paleolithic times the herd were driven by the predators to kill themselves, since the predators knew where the traps were and the herd animals, in this case dinosaurs, with seeming invincibility to the small predators, just obliged their era's cyber crooks by walking or running right off the cliff.

Like the Western American Mustang, wild herds can thrive if they learn to fight back and grow small and feisty. Bears, lions and man weren't easily able to do what cold-blooded lizards did millions of years ago to the dinosaurs.

Four-factor authentication using an offline device like what is patented in the US is that new smaller platform, and those giants who don't get it will most likely have their bones viewed in museums like we do now.

An important thing to note is that with the dinosaurs died their predators, who could not adapt to the more feisty, smart and impossibly quick next generation of hot-blooded herds.

Although, I am sure, if they had survived, they would have made a quick meal of mankind. Thank goodness they didn't.

The fact is the big IT companies, dominated by MSN on one side and IBM on the other, have become, oh my gosh, Luddites opposing smaller platforms. The duopoly cannot control the new ideas and patents, since their muscles, cannot call it thought, like their fat big-boned masses with multiple opportunities for predation.

In addition to that, the predators are thankful for their predilection.

That's all I got to say. Ciao now.
Chip and Pin?
by dargon19888 March 16, 2006 1:59 PM PST
It seems that there are a lot of people who don't have all the facts making statements about how to fix this...

First, when I said chip and pin, it should read magstripe and pin. (Chip and pin has a bit more security...)

But the problem is that the information is being stored because that information is required to be authenticated by the credit card company.

So if the store caches the transactions to be submitted in bulk, during after hours, to save money, they will need to store this information, at least until the transaction is recorded and authenticated. (Then they should delete the necessary info to be in compliance.) Now that second step doesn't always happen.

To solve this issue, you're going to have to see sweeping changes in the agreements between the credit card houses, the banks and the retailers.

Looking to smart cards, you have a bit more security potential; however, you'll need to see an overhaul of the infrastructure. (Read: new equipment.) So who pays for it? Answer: the retailer. So you're now forcing the retailer to spend money that they may not have. Note: we're not just talking about the large retailers, but *ALL* retailers.

There is no simple answer.
WTF???
by March 17, 2006 11:22 AM PST
I don't understand how this happened. All PIN pads (at least the ones I have examined) contain a high-security CPU. This CPU, contained in the PIN pad itself, is responsible for encrypting the PIN number before it is sent to the POS terminal. Otherwise it would be very easy to steal PIN numbers by attaching a device to the PIN pad cable and "sniffing" the data. The CPU itself is tamper-proof; its firmware is stored in NVRAM and backed up with a lithium battery. Should anyone attempt to tamper with the PIN pad, the CPU should go to SDI (Self Destruct Input) and cause the NVRAM to flash.

The encrypted PIN and PAN (Primary Account Number) are transmitted to the bank for validation. The system is designed to resist some attacks. This is how most of those small debit machines work that are provided by the bank.

This leads me to believe that there are some PIN pads that do not encrypt the information. Wow, if this is the case and they are saving them, then the merchant should be made to pay back the stolen cash.

Things that make you go hmmmmmmmmmm.
Video to steal info?
by RavingEniac March 23, 2006 5:24 AM PST
What about the possibility that video cameras covering the cash register area could be used to read PIN number entries to match with card numbers?

The story says that apparently the stolen info came from a national retailer with locations on the West Coast and the Southeast. Kroger's, Wal-Mart, Sutherland, Radio Shack, gas station and convenience store chains: quite a few firms fit that description. Pick one set of victims in a community and see what businesses they shopped at in common. Then match those with other sets of victims in other locations, and you should be able to "pin" down the leak pretty fast.

The leak isn't through online shopping; it's from physically going to a business and buying something with a debit card.
Simple Solution
by thepollutedone March 27, 2006 1:00 AM PST
How about bringing back the old-school credit card machines with a new twist? These machines could be separate units like they used to be, but add the encryption features to the machine itself. Then have the credit/debit amount associated with the transaction number. Then the only info the POS software receives from the credit card machine is the amount, credit or debit, and the transaction number (start of day is 1 and end of day is the number of transactions for that day) to associate the purchase with.