The ingenuity of the criminal hacker is endless. They have figured out how to hack debit card PINs. Debit cards are linked directly to our checking accounts, making them delicious treats for criminal hackers. At an ATM or cash register, most debit card users are blissfully unaware of what happens when they swipe their cards and enter their PIN numbers. A magical mystery takes place and we can walk away with our new purchase, simply by swiping a card and tapping a few keys. Money magically disappears from our account and we celebrate by eating the Twinkie we just bought.
Whether you swipe your debit card at an ATM or a store or restaurant, the process is similar. The user swipes their card and types the PIN number. The data is verified by an external payment processor or, in some cases, by a bank, via telephone lines or the Internet. Once the information has been validated and the payment processor confirms that the required funds exist, the money is moved from the user’s account to the merchant’s account or dispensed in cash.
The convenience of debit cards has led to a global popularity that far exceeds that of handwritten checks, even in third world countries. We’ve known for some time that the low-tech brush with ATMs and gas pumps has been a compromise point. Now, Wired reports that the transaction itself puts your PIN number at risk. Academics discovered this flaw years ago, but didn’t think it was possible to execute it in the field. Criminal hackers, however, have invented the holy grail of hackers, stealing large amounts of encrypted and unencrypted debit cards and PIN numbers. And they have discovered a way to crack the encryption codes.
The first signs of PIN tampering were recognized when investigators studied the processes of the 11 criminals who were caught after the TJX data breach. That breach involved 45 million credit and debit cards. The crime network needed PIN codes to convert that data into cash. An investigation into this breach reported that the attacks resulted in “more targeted, cutting-edge, complex and intelligent cybercrime attacks than those seen in previous years.”
This revelation leads some to say that the only cure for this type of hacking is a complete overhaul of the payment processing system. The compromise occurs in a device called a hardware security module (HSM), which is found in banking networks. PIN numbers pass through this device on their way to the card issuer. The module is tamper-proof and provides a secure environment for encryption and decryption of PINs and card numbers. Criminal hackers access HSMs and trick them into providing the decryption data. They are installing malware called “memory scrapers”, which capture the unencrypted data and use the hacked system to store it.
The PCI Security Standards Council, a self-regulatory body that oversees much of what happens with payment card transactions, said they would begin testing HSMs. Bob Russo, general manager of the global standards body, said the council’s testing of the devices “would specifically focus on security properties that are critical to the payment system.”
I don’t have a debit card and never will and never will. Simply put, if my debit card was hacked, that money would come directly from my bank account. A compromised ATM or point of sale transaction often shows no evidence of hacking. This means that I would have to go through the arduous process of convincing my bank that I was not the one who withdrew thousands of dollars from my account. Whereas if a credit card is compromised, the zero liability guarantee takes effect and heals me much faster.
Your final responsibility here is to check your statements very closely and look for unauthorized activity. Read your statements online every two weeks instead of relying solely on your monthly paper statement and dispute unauthorized charges immediately. Consider using a credit card instead of a debit card. While this type of fraud is generally out of your control, it is imperative that you invest in internet security software like McAfee and consider identity theft protection.
