MSNBC is reporting today that thieves have stolen a batch of PINs from a retailer—PINs the retailer shouldn't have stored in the first place:
Criminals have stolen bank account data from a third-party company, several banks have said, and then used the data to steal money from related accounts using counterfeit cards at ATM machines.
The central question surrounding the new wave of crime is this: How did the thieves manage to foil the PIN code system designed to fend off such crimes? Investigators are considering the possibility that criminals have stolen PIN codes from a retailer, MSNBC has learned.
In recent weeks, Bank of America, Wells Fargo, Washington Mutual and Citibank have all reissued debit cards after detecting fraudulent activity. Smaller banks, such as Ohio-based National City Bank and Pennsylvania-based PNC Bank, have taken similar steps.
Bruce Schneier reported on this Monday, but now the scope of the crime is becoming more apparent.
So how did the thieves get the customers' PINs? It appears that a retailer stored them along with other credit-card data in its database, and the thieves stole the database:
[Gartner analyst Avivah Litan] says many merchants incorrectly store PIN information they should be destroying after customers enter the secret code on PIN pads in stores around the country. While the information is often encrypted into something called a PIN block, the keys necessary to decrypt the information are often stored on the same network, she said. That makes stealing the PINs as easy as breaking into an office computer using a password a careless employee has taped to the screen.
The thing is, the retailers have no need to store the PINs:
While storing PINs is against network rules, many retailers inadvertently store the information, said Mike Urban, who runs Fair Isaac Inc.'s ATM fraud detection program called CardAlert. It ends up accidentally saved in temporary files and other software nooks and crannies.
ZDNet has this story too.
The solution to this problem, long known to conscientious software developers, is never to keep secrets unless they're absolutely necessary. I tell my clients all the time that neither I nor anyone else should ever know their passwords, for example.
It will be interesting, and important to every consumer, to see how liability for this event is apportioned. Sadly, most courts and legislators are woefully ignorant of the technology, which should lead to some fascinating legal work in coming months.
Until this issue gets resolved, which could take weeks, I urge people to be very careful using point-of-sale debit card readers. And if you suspect unauthorized activity on your bank account, call your bank immediately.