We are in the midst of a massive hack of credit card & debit card accounts. The hack is the result of the theft of PINs, although no one seems to know exactly where the PINs were stolen from. A couple of stories can be found at:
- ComputerWorld, “Citibank probes ATM withdrawals, cites potential U.S. ‘retailer breaches’ – It put a transaction block on some MasterCard debit and credit cards in Canada, Russia and the U.K.”, by Jaikumar Vijayan, dated March 7, 2006, http://www.computerworld.com/databasetopics/data/story/0,10801,109308,00.html
- TechWeb, “Pin Scandal ‘Worst Hack Ever’: Citibank only the Start”, by Gregg Keizer, dated March 9, 2006, http://techweb.com/article/showArticle.jhtml;jsessionid=ZQOHMXF0BIMHGQSNDBCSKH0CJUMEKJVN?articleId=181502468&pgno=1
As one of the articles pointed out, PINs were supposed to be secure, so they are generally trusted, and debit cards are supposed to be much less likely to be hacked. All to no avail, as thieves somehow got possession of a whole mess of PINs and associated card numbers, and have been cleaning out bank and credit card accounts. Rumors are flying around about who was hacked, whether it was skimmers, or if someone’s central database was broken into, or both, or neither. It is looking (somewhat) like it may have been a middleman processor, in which case the processing company will probably be hit by a raft of lawsuits and will probably go bankrupt.
Summary of stories:
- Check your credit card and debit card statements for suspicious or fraudulent activity.
- Don’t use a debit card & PIN at a point-of-sale terminal. Ever.
As a side note: the original post I saw about this was on Slashdot. (And no, I don’t remember what the link was; they have a search function in case you want to track it down.) There was also a Chicago Tribune article linked in the Slashdot post. But I did not read the Chicago Tribune article, nor am I going to post it here, nor am I even going to link to the Chicago Tribune site, on account of the fact that the Chicago Tribune required me to enter my e-mail, name, gender, and full address (!!) just to register with them, before I was allowed to read the article.