Massive Bank Data Breaches Reveal Huge Vulnerabilities
by gsadamb
Fri Jul 10, 2009 at 03:13:09 PM PDT
When we put our money into banks, there are certain assumptions that most customers believe.
The one assumption we've probably wondered the most about lately is the notion that money we put into our bank accounts is safe, even if the bank itself fails. This is the point of the FDIC, which has recently proven its ability to carry out its promise when banks failed.
But that's not what this diary is about.
A number of banks are withholding some very crucial data about an eye-popping heist that has gone on and is allowing practically unhindered access to the cash in massive number of accounts, and it reveals huge gaps and lapses in electronic financial systems that most of us assume are secure.
Most bank users have another assumption: that if they create an account, it will be secure. To wit, if I create a new checking account and put a thousand dollars in it, I should be able to access that thousand dollars, and unless I've explicitly stated otherwise, the only one who should be able to access the contents of the account is... well, me.
There may be several ways for me to access my new checking account. The most obvious is to just withdraw cash from a bank branch. Or I could write a check perhaps, or use a debit card to pay, or go withdraw money from an ATM.
The point is, all these methods require me to authenticate myself. Some methods, like checks, require very minimal authentication. But my signature is needed on any check I write, and it ultimately provides a paper trail with my bank once it's redeemed.
Clearly, though, the principle instrument of most checking accounts nowadays is the Debit card. They offer the versatility of credit cards, but are instead tied to actual funds in the holder's checking account. To use it as a credit card, it requires the holder's signature if processed on site, otherwise other security measures like the card's CVV code and holder's zip code, sasme as with normal credit cards.
Increasingly, retailers are providing the option to purchase items with the "Debit" feature of the card, which requires you to key in your secret PIN number. You also need the PIN when trying to use an ATM to pull cash out of your account. The PIN, of course, is intended to be a very personal, private piece of information. Usually at account creation, a PIN is selected, and not even the teller can see what it is.
So the debit card should in theory be quite secure: to use it to get money from an account, it follows a dual-token authentication: you must have something and you must know something. That's why a stolen ATM card should essentially be useless. Likewise, if someone snuck a peak at the PIN I was entering at a checkout stand, that's obviously useless without the card. Only the card plus the pin allows authentication.
So this system is secure, right?
Well, a close friend was recently making a purchase using her card, and the transaction was unexpectedly declined with a message asking for her to call the bank. When she got in contact with that bank, Bank of America, they informed her that her several cards had been deactivated because of a "mass compromise with Visa" and that new ones should be on the mail. Indeed, when she checked the mail that very day, there were new cards, with new numbers.
There was also a letter included, which struck me because it was sent to "Valued Customer." suggesting perhaps that these were printed in large numbers instead of customized for a small group of users. That's just speculation.
But here's the letter, which maybe can shed some light on the situation?
And so that's the explanation we get: account information may have been compromised at a third party location. What does this mean?
In a couple instances over the last few years, a couple organizations have contacted me about a personal data breach. But without exception, these notifications have always been very straightforward over what kind of breach it was, what caused it, how it was being addressed, and a feeling that at least there was a bit of transparency and acknowledgment of making a mistake.
There's none of that here though. Just silence. So I decided to see if this problem was widespread by Googling it. Turns out, a couple articles have already been written in mainstream newspapers, but it's mostly staying under the radar.
USA Today (yes, them), has run an article about this very thing appropriately entitled "Lack of answers in debit-card fraud troubling."
It's fairly disturbing:
The U.S. is in the midst of a major debit-card fraud event that is affecting dozens of banks and thousands of people.
Somewhere in the giant interconnected system of banks, merchants, and transaction processors, someone got hold of not only debit card numbers, but the PINs used to access those accounts as well.
The problem for you and me is, either no one knows where the security breach occurred or no one is telling.
When you use your card as a debit card at a point of sale, you have to swipe the card and key in your PIN. This data is encrypted and sent to a processing company that uses this data to send an electronic request to your bank yo check whether your account has the funds necessary to approve the current transaction. It then forwards the answer back to the point of sale, and the sale is completed or failed based on the answer.
The middleman clearinghouse should immediate discard the information send by the point of sale - the information containing the card number and pin. Of course, if a system in the middle were compromised, or if there was an inside job, or if there was a horrible misconfiguration, this data could end up getting stored on the server. Let's assume that a person had access to this data and also the ever important decryption key to get the decrypted data - let's say, again, because of lax security, then that person would have access to a list of card numbers and a list of corresponding PINs.
With this data, sophisticated thieves can create counterfeit cards and walk up to the nearest ATM, which will happily let you withdraw cash from the corresponding account.
This only seems to be affecting Visa cards at the moment, confirmed by some banks' randomly "upgrading" their customers from a Visa to a Mastercard.
How widespread is this?
It's unknown at this point, and instead of informing customers about a very real threat, companies are in CYA-mode, big-time. Did Visa issue a standard "We're investigating and cooperating..." message? Nope, this is their comment:
"[A]ccusing a single source of the compromise before the investigation is complete could be inaccurate and unfair," the company said in a statement.
There is so much stonewalling on this that questions about number of affected people and likely culprits are purely matters of speculation. There's been some unscientific comparisons between people who hav ebeen affected by this, and one early tentative match MAY be OfficeMax, or more specifically, the company that does debit processing for them. OfficeMax has issued a statement saying only that their systems are secure, while saying nothing about the companies it uses to handle the transaction data.
And the silence from all the financial organizations, including that banks we put our trust in, has been deafening. Numerous banks have quietly been re-issuing cards or doing massive changeovers to MasterCard, including Bank of America, Citibank, National City Bank, PNC Bank, Washington Mutual, Wells Fargo, and several smaller banks as well. To their credit, it doesn't appear as if the banks are responsible for the vulnerability, but I believe it is their responsibility to let customers know the reality of the situation.
It's amazing how stifled this information has been until now, but maybe if it starts to get some publicity, we'll start to get real information instead of generic letters and non-denial denials.