Debit card disaster – PINs and fingerpointing

BoingBoing reported the story of Citibank’s debit card fiasco the first of the week. Many questions remain, and fingerpointing has inevitably reared its ugly head.

For those yet uninformed, the week brought to light that an as-yet-unknown quantity of debit card data, including card numbers, PINs, and encryption keys, was being used to empty bank accounts. It seems the accounts originate in the US, but the fraudulent transactions were being perpetrated in Canada, the U.K. and Russia.

Although Citibank is being widely discussed, a Gartner research analyst noted that a number of major banks are suffering (and have been for weeks). Nobody yet knows the point of compromise, but this much is certain: the data was contained (and aggregated) on a point-of-purchase system someplace. The Gartner analyst, Avivah Litan, believes a third-party processor was involved, although some of the banks suggested OfficeMax might have been hacked (something OfficeMax denies). Each argument has merit.

The perpetrators would have known that a third-party processor contains a treasure trove of data, making the effort of decryption worth the time. On the other hand, retailers have proven good targets in the past. Once the hackers realized that the encryption keys were readily available, effort became a non-issue; if they knew in advance that the keys were available, I suspect the retailer and/or an inside job.

We may never know exactly what happened here. The banks (and the entire debit card/PIN system) have gotten a very black eye, and with the volume of transactions exposed, they are going to be doing some major damage control (as if shutting down potentially millions of cards wasn’t enough already).

I’d suggest people go credit card only, and a single one to boot. Pay the bill in full every month, online, and use your debit card for quick cash only, and from the card-issuing bank’s ATMs (whenever possible). Get an online statement, meaning a permanent paper trail, and from a single source who understands your spending patterns and can quickly identify suspicious transactions. Yeah, they will know a lot about you, but it might just be worth it for keeping your spending trail and the source of your funds substantially separated. Of course, that is a bit of wishful thinking for those who already have ten maxed-out credit cards, so I will just shut up now.