News Stay informed about the latest enterprise technology news and product updates.

Security Blog Log: The sobering scope of data fraud

This week bloggers worried about banks losing their grip on data, and the many ways criminals can take advantage of credit card insecurity.


Security Blog Log
Last week, I mentioned how Citibank was forced to put a freeze on PIN-based transactions after discovering a wave of fraudulent debit card use in at least three countries.

It has since become clear that Citibank's misfortune may be part of something bigger: a global surge in debit card fraud that suggests the bad guys have cracked more banking networks than first thought.

The affair has left some bloggers to wonder if financial institutions are being reckless in how they store customer data, turning payments by debit card into a game of Russian roulette.

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at

Recent columns:
A DRM threat to lives and infrastructure?

Hacking for grades causes a stir

Hey, Mac. Is that a worm in your Apple?

Noting the recent bust of an alleged debit fraud ring in New Jersey, network security professional Martin McKeay wrote in his Network Security blog that merchants are playing with fire by hanging on to debit card data, which more times than not becomes too tempting a target for the digital underground to pass up.

"I still wonder why any merchant would be keeping magnetic stripe information from a debit card along with the PIN, even if they are encrypted," he said. "I foresee either new industry compliance regulations" or several new state laws "coming out of this event."

He said he hopes other businesses are examining their data retention policies regarding debit card information and weighing the pros and cons of holding onto that information. "I hope they realize that there's no positive benefit to keeping the information in the first place."

Chris Jay Hoofnagle, senior counsel for the Electronic Privacy Information Center (EPIC), offered several examples of lax security in the banking industry in his EPIC West blog.

"We're always hearing that financial institutions take security seriously," he said. "I've always believed it because banks are ultimately liable to the consumer if money is stolen. But there is mounting evidence that security isn't taken as seriously as the banks say."

He offered these examples:

  • A man tears up a credit card application into little pieces, reassembles it, fills it out (and changes the address), and sends it in. The card arrives less than one month later (to the different address).
  • Another man scribbles his signature on credit card receipts until they become unreadable. He even writes "I stole this card" on one receipt. In every instance, the signature is accepted.
  • That same prankster calls Visa and gets through security by mumbling his mother's maiden name.
  • A man receives a credit card application in his dog's name, so he completes it, noting that the applicant works at the "Pupperoni Factory." The card arrives in the mail.
  • An entire series of cases document situations where someone puts incorrect personal information on the credit application, but still gets the account.
  • Finally, identity theft continues to be the top consumer complaint to the Federal Trade Commission.

Perhaps, Hoofnagle said, "it's accurate to say that security is taken seriously, but profit is taken more seriously."

Dig Deeper on Endpoint protection and client security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.