This story appeared on Network World at http://www.networkworld.com/columnists/2006/032006bradner.html

'Net Insider
Debit-card snafu: Protecting the guilty yet again
By Scott Bradner, Network World, 03/20/06
No one who knows is saying how long it's been going on, but you'd better keep a close eye on your bank account balance if you use a debit card. For at least the last month, maybe much longer, thieves from as far away as Russia have been cleaning out bank accounts using stolen debit card numbers and PINs. No one is willing to say who is to blame.
Customers at a number of U.S. banks - Citibank being the most prominent - have been hit. Citibank is not saying much that's of any use if you would like to protect your assets. All it's saying is that there was a breach at a U.S. company that exposed PINs, and that Citibank is blocking transfers from Canada, Russia and the U.K. Woe to you if you happen to be traveling in one of those countries, as your card will stop working with no notice.
Citibank refuses to name the U.S. company, in spite of claiming in a press release, "Protecting our customers' accounts and personal information is one of our highest priorities." But not so high, if it means giving customers the information they need to protect themselves. California law requires that anyone exposing this type of information about a California resident must fess up in a timely manner. Some companies in this situation have said law enforcement, in its infinite semi-wisdom, has told them not to tell anyone. A company that actually cared about the impact of its screw-up on customers would insist on informing the public.
In this latest case, the most likely explanation is that some hacker broke into a server at some company that processes debit cards and ran off with a file of card numbers and PINs. Under the Payment Card Industry (PCI) rules, that sort of thing is not supposed to be possible. First, no computer that stores card information is supposed to be directly reachable from the Internet, and second, storing PINs is explicitly prohibited. By the way, if your company deals with credit or debit cards, someone should be paying attention to the PCI rules. Visa says failure to follow the rules makes a company subject to a fine of $500,000 per incident.
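As an added illustration of that second rule (this is example code written for this page, not anything from Citibank, the unnamed processor, or the PCI standard itself), the Python below shows what a card processor may keep once an authorization has completed, what it must drop, and an audit check that flags stored records which still carry the forbidden data. It goes a little beyond the column: besides the PIN, the same rule covers the PIN block, magnetic-stripe track data and the card security code, and PCI additionally requires the card number itself to be truncated or otherwise unreadable wherever it is stored. The message layout, field names, sample values and the keyed-hash card reference are all constructed assumptions for the example.

```python
"""Scrub sensitive authentication data before a card-processing record is stored.

Added example, not from the column. Assumes a simplified authorization
message represented as a dict; real processor formats differ.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# Fields PCI forbids a processor to keep once authorization is complete:
# the PIN or encrypted PIN block, full track data, and the card security code.
FORBIDDEN_AFTER_AUTH = frozenset({"pin", "pin_block", "track1", "track2", "cvv2"})

# A 13-19 digit run in any stored text field is treated as a full card number.
_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Constructed sample authorization request (values are made up).
SAMPLE_AUTH = {
    "pan": "4111 1111 1111 1111",
    "expiry": "0508",
    "pin_block": "0412AC89BD2F76E1",
    "track2": "4111111111111111=05081011000012340000",
    "merchant_id": "M-00042",
    "amount": "125.00",
    "approval_code": "A1B2C3",
}


def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits of the card number."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash of the card number so later transactions can be linked
    without storing it. An unkeyed hash would be brute-forceable from the
    known issuer prefix; the key must be kept outside the data store."""
    digits = re.sub(r"\D", "", pan).encode()
    return hmac.new(key, digits, hashlib.sha256).hexdigest()


def to_storable_record(auth_msg: dict, ref_key: bytes) -> dict:
    """Build the record a processor may retain after authorization."""
    record = {k: v for k, v in auth_msg.items() if k not in FORBIDDEN_AFTER_AUTH}
    record["pan"] = truncate_pan(auth_msg["pan"])
    record["pan_ref"] = pan_reference(auth_msg["pan"], ref_key)
    return record


def find_violations(stored_records: list[dict]) -> list[tuple[int, str]]:
    """Audit check: (record index, reason) for each stored item PCI forbids."""
    findings = []
    for i, rec in enumerate(stored_records):
        for field in sorted(rec.keys() & FORBIDDEN_AFTER_AUTH):
            findings.append((i, f"stores {field}"))
        for field, value in rec.items():
            # pan_ref is hex and may contain long digit runs; it holds no PAN.
            if field != "pan_ref" and isinstance(value, str) and _PAN_RE.search(value):
                findings.append((i, f"full card number in {field}"))
    return findings


if __name__ == "__main__":
    clean = to_storable_record(SAMPLE_AUTH, b"demo-key-not-for-production")
    print("stored record:", clean)
    print("violations in clean record:", find_violations([clean]))
    print("violations in raw message:", find_violations([dict(SAMPLE_AUTH)]))
```

Writing the raw authorization message straight to a log or database is exactly the mistake the column's explanation implies: the audit check reports the PIN block and track data on the raw message and nothing on the scrubbed record.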
At some point we will find out what company was not following the rules and thus facilitated the current rash of thefts. I cannot imagine the company will be better off having tried to keep its identity secret, or Visa will be better off having told a congressman, in effect, that it thinks coming clean so its customers know what is going on is not a priority.
The open question is what actual liability the company will have in regard to the time, trouble and credit rating impact that hundreds of thousands of debit card holders have experienced. Sooner or later some court will realize that real damages deserve real compensation. Maybe when that happens some companies that are sloppy with security will learn that good security pays.
Disclaimer: Company learning - or at least company executives learning - is an aim of the Harvard B-school. But I did not ask it about this lesson, so the above is all mine.
All contents copyright 1995-2005 Network World, Inc. http://www.networkworld.com