Wednesday, May 10, 2006
High-tech thieves hacked the computer systems at Citibank in March and made off with countless ATM cards’ PIN numbers, four-digit consumer security codes previously considered impervious to attacks. No system of security is foolproof. Any tendency to believe so breeds complacency, the key ingredient online identity thieves and others need in order to operate under the radar.
We need to lose the Titanic mentality when it comes to high-tech crime. How many times do we need to hit an iceberg before we alter our course? Anything can happen and will. No computer system is immune. Even the tried-and-true PIN number method of security can sink.
According to a March 9 report in InformationWeek, the PIN number scam that Citibank experienced affected additional institutions: Bank of America, Wells Fargo, Washington Mutual, and smaller banks. Thieves apparently hacked into an “as yet unknown system” to pilfer all the information they’d need to make use of victims’ ATM cards, which the article described as the “data stored on debit cards' magnetic stripes, the associated 'PIN blocks,' or encrypted PIN data, and the key for that encrypted data.”
A Gartner Research analyst remarked that the industry had always thought PIN numbers would be safe from hacking attacks, but the InformationWeek article went on to explain how retailers’ infrastructure can undermine PIN security. Stores’ data storage systems can play fast and loose with the PIN numbers consumers enter at the point of sale. ATM machines are largely secure, but checkout line PIN use can be risky.
One of the problems with identity theft and related fraud is the sprawling transactional system we use for retail. Point-of-sale transactions occur every second across a nation bursting at the seams with retailers ranging from large chains to mom and pop shops. This yields a large quantity of personal financial data, and no standard seems to be guiding retailers in the safekeeping of this information. Without standardization of security, the quality of security is bound to vary wildly and collapse in failure.
Common sense indicts organized crime rings such as Webmobs in sophisticated breaches such as the PIN-related thefts at Citibank. And recent reports have indicated that identity fraud–related organized crime continues to flourish. A March 6 Denver Business Journal article documented the shenanigans of a Mexico-based crime family whose alleged fake ID operations reach into 33 states. According to law enforcement officials quoted, the group’s infrastructure is robust.
As many have noted, identity theft, fraud, and related online theft all threaten not only our finances, but our national security. Lax policies may cut costs in the short term, but in the long run consumers lose money, and we all lose our security.