Security Blog Log: The sobering scope of data fraud

---------------------------------------------------------------------------------------------------------

It has since become clear that Citibank's misfortune may be part of something bigger: a global surge in debit card fraud that suggests the bad guys have cracked more banking networks than first thought.

The affair has left some bloggers to wonder if financial institutions are being reckless in how they store customer data, turning payments by debit card into a game of Russian roulette.

About Security Blog Log Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com. Recent columns: A DRM threat to lives and infrastructure? Hacking for grades causes a stir Hey, Mac. Is that a worm in your Apple?

"I still wonder why any merchant would be keeping magnetic stripe information from a debit card along with the PIN, even if they are encrypted," he said. "I foresee either new industry compliance regulations" or several new state laws "coming out of this event."

He said he hopes other businesses are examining their data retention policies regarding debit card information and weighing the pros and cons of holding onto that information. "I hope they realize that there's no positive benefit to keeping the information in the first place."

Chris Jay Hoofnagle, senior counsel for the Electronic Privacy Information Center (EPIC), offered several examples of lax security in the banking industry in his EPIC West blog.

"We're always hearing that financial institutions take security seriously," he said. "I've always believed it because banks are ultimately liable to the consumer if money is stolen. But there is mounting evidence that security isn't taken as seriously as the banks say."

He offered these examples:

• A man tears up a credit card application into little pieces, reassembles it, fills it out (and changes the address), and sends it in. The card arrives less than one month later (to the different address).
• Another man scribbles his signature on credit card receipts until they become unreadable. He even writes "I stole this card" on one receipt. In every instance, the signature is accepted.
• That same prankster calls Visa and gets through security by mumbling his mother's maiden name.
• A man receives a credit card application in his dog's name, so he completes it, noting that the applicant works at the "Pupperoni Factory." The card arrives in the mail.
• An entire series of cases document situations where someone puts incorrect personal information on the credit application, but still gets the account.
• Finally, identity theft continues to be the top consumer complaint to the Federal Trade Commission.

Perhaps, Hoofnagle said, "it's accurate to say that security is taken seriously, but profit is taken more seriously."