March 14, 2006

Lessons to Learn From Citi Data Breach

The blame is being placed firmly on the merchant here (originally reported to be OfficeMax, though the merchant is no longer being named). This explanation seems all too simple, but perhaps it is that simple.

For that to be the case, the merchant would have to have been storing:
a) the PIN (or the PIN block submitted with the transaction), and
b) a complete copy of the magnetic stripe data (the full track contents, not just the card number and expiry).
Neither of these may be retained after a transaction is authorized under the card brands' own rules (PCI DSS Requirement 3.2), precisely because the pair is everything needed to manufacture a working clone of the card.

I still suspect there is more to it, in what is clearly an inside job.

However, if that is all there is to it, then  ....

Relevance to Bankwatch:

  • Banks have to be accountable for the data that is shared with private networks and merchants; it is unacceptable to diffuse responsibility across every link in the chain just because there are so many of them.
  • Customers will (rightly) look to the issuing bank to protect their information.
  • Technology exists to share enough data to complete a transaction without handing the merchant all of the customer's authentication credentials (e.g. public-key cryptography, so that the merchant sees only a per-transaction proof rather than reusable secrets). Anything short of that is technological laziness.
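The contrast behind the first and last points above, as an added example that is not part of the original post: a small Python model of two authorization schemes. In the first, the merchant sees (and here stores) the static stripe data and the PIN, so a copy of its records is a usable card. In the second, the card holds a key that never leaves it and emits a keyed MAC over the amount and a transaction counter; the merchant forwards that proof, and a stolen copy of its records can neither be replayed nor altered. The card number, key, the simplified PIN verification value and the MAC construction are all constructed for this example and are not the real network protocols.

```python
import hashlib
import hmac

# Constructed sample data for the example; not a real card number or key.
PAN = "4111111111111111"
TRACK2 = PAN + "=0812101"          # simplified track 2: PAN, expiry, service code
PIN = "1234"
ISSUER_KEY = b"issuer-secret-key-for-the-example"   # lives only in the card and the issuer


def card_cryptogram(key, pan, amount, counter):
    """Keyed MAC over the transaction data: proof of key possession bound to this purchase."""
    msg = f"{pan}|{amount}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Authorizes transactions; holds the only other copy of the per-card key."""

    def __init__(self):
        # Simplified stand-in for a PIN verification value; real schemes differ.
        self._pvv = hashlib.sha256((PAN + PIN).encode()).hexdigest()
        self._last_counter = {PAN: 0}

    def authorize_static(self, track2, pin):
        """Legacy path: whoever presents stripe data plus PIN is accepted."""
        pan = track2.split("=")[0]
        return hashlib.sha256((pan + pin).encode()).hexdigest() == self._pvv

    def authorize_dynamic(self, pan, amount, counter, cryptogram):
        """Dynamic path: accept only a fresh counter with a MAC that matches it."""
        if counter <= self._last_counter.get(pan, 0):
            return False                      # replay of an already-used counter
        expected = card_cryptogram(ISSUER_KEY, pan, amount, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False                      # amount or counter was tampered with
        self._last_counter[pan] = counter
        return True


class ChipCard:
    """Keeps the key inside; the PIN is checked locally and never sent onward."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.counter = 0

    def pay(self, amount):
        self.counter += 1
        return {"pan": self.pan, "amount": amount, "counter": self.counter,
                "cryptogram": card_cryptogram(self._key, self.pan, amount, self.counter)}


def merchant_breach_static():
    """The breach scenario: the merchant kept track 2 plus PIN, a thief replays them."""
    issuer = Issuer()
    stolen_record = {"track2": TRACK2, "pin": PIN}
    return issuer.authorize_static(stolen_record["track2"], stolen_record["pin"])


def merchant_breach_dynamic():
    """The merchant kept every message it ever saw from a chip card; a thief replays them."""
    issuer = Issuer()
    card = ChipCard(PAN, ISSUER_KEY)
    merchant_log = [card.pay(2500), card.pay(1999)]       # amounts in cents
    genuine = [issuer.authorize_dynamic(**rec) for rec in merchant_log]
    replay = issuer.authorize_dynamic(**merchant_log[0])   # counter 1 already consumed
    forged = dict(merchant_log[1], amount=99999, counter=3)  # fresh counter, edited amount
    forged_ok = issuer.authorize_dynamic(**forged)         # MAC no longer matches
    return {"genuine": genuine, "replay": replay, "forged": forged_ok}


if __name__ == "__main__":
    print("static stripe + PIN stolen from merchant, replayed:", merchant_breach_static())
    print("chip-card records stolen from merchant:", merchant_breach_dynamic())
```

The point of the model is what the merchant is given, not how it guards it: in the static scheme the merchant's storage policy is the last line of defence, while in the dynamic scheme the merchant holds nothing an attacker can reuse, which is the sense in which the issuing bank can take responsibility for the data it lets out of its hands.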

Lessons to Learn From Citi Data Breach
Yet experts say two important points to keep in mind when examining this situation are
1) the breach occurred at a third party, not the bank, and
2) this incident is not about PIN technology itself, but the way the data was stored.

"This issue isn't about the [strength] of PINs—it's about the merchants and how they store this data," says Bruce Cundiff, an analyst with Pleasanton, Calif.-based Javelin Strategy & Research.

Jon Gossels, founder of SystemExperts (Sudbury, Mass.), agrees. "PIN wasn't the problem [in the Citibank case]. Having a card and typing a PIN is perfectly adequate authentication," he says. "It was the data that was stolen internally."

March 14, 2006 at 11:51 PM in Security