Recently I decided to get a credit watch service to "protect me" against possible identity theft. The following two stories indicate, to me, that the money may be worth it.
The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs "the worst consumer scam to date."
Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.
But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam -- and scandal -- has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.
"This is the worst hack ever," Litan maintained. "It's significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things."
The problem, she continued, is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.
Here is the other story that I read about:
Based on increases in Trojan technology, frequency, Roger predicts a
major bank heist is on the horizon
By Roger A. Grimes
March 10, 2006
Last week's column on SSL Trojans generated a lot of interest and some
new information. First, I must admit to feeling like I've been living
in a sheltered time warp. Although SSL Trojans are new to me, a little
Googling turned up similar Trojans going back as far as 2004.
LURHQ's description of an E-gold Trojan was an early foreshadowing of
things to come. E-gold is an e-cash operation, similar to Paypal.
Turns out they've been under constant attack from these advanced
Trojans for a few years now.
The E-gold Trojan waits for the victim to successfully authenticate to
E-gold's Web site, creates a second hidden browser session, and uses
various spoofing tricks until it drains the victim's account. Because
the stealing and spoofing is started after the authentication is
completed, no amount of fancy log-on authentication would prevent the
heist. All too telling is LURHQ's prediction that "other banking
institutions are sure to be attacked in this manner in the future."
I wonder how many of these attacks it will take before people start making the choice to go back to using snail-mail?