The following text is copyright 2006 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Yet again protecting the guilty
By Scott Bradner
No one who knows is saying how long it has been going on, but you had better have been keeping a close eye on your bank account balance if you have a debit card and actually use it. For at least the last month, maybe much longer, thieves have been cleaning out bank accounts from as far away as Russia using stolen debit card numbers and PINs. And no one is willing to say who is to blame.
Customers at a number of US banks have been hit, with Citibank being the most prominent. Citibank is not saying much of any use if you would like to protect your assets. All it has said is that there was a breach at a US company that exposed PINs and that Citibank is blocking transfers from the UK, Russia and Canada -- woe be to you if you happen to be traveling in one of those countries, because your card will stop working with no notice.
Citibank refuses to name the US company, in spite of claiming in a press release that "Protecting our customers’ accounts and personal information is one of our highest priorities." But, I guess, not so high if that means giving customers the information they need to protect themselves.
California law requires that anyone exposing this type of information about a California resident must fess up to it in a timely manner. In the past some companies in this situation have said that law enforcement, in its infinite semi-wisdom, told them not to tell anyone. A company that actually cared about the impact its screwup had on its customers would insist on informing the public, so I guess you can rule out a caring company (sadly, that does not narrow the field all that much).
The most likely explanation is that some hacker broke into a server at some company that processes debit cards and ran off with a file of debit card numbers and PINs. But under the payment card industry (PCI) rules (http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf) that sort of thing is not supposed to be possible. First, no computer that stores card information is supposed to be directly reachable from the Internet, and second, storing PINs is explicitly prohibited.
By the way, if your company deals with credit or debit cards, someone there should be paying attention to the PCI rules. In theory, failure can be very expensive -- Visa says failure to follow the rules makes a company subject to a fine of $500K per incident (http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html).
At some point we will find out what company was not following the rules and thus facilitated the current rash of thefts. When the news does come out, I cannot imagine that the company will be better off for having tried to keep its identity secret, or that Visa will be better off for having told a congressman, in effect, that Visa does not consider coming clean so that its customers know what is going on to be a priority.
The open question is what actual liability the company will have for the time, trouble and impact on credit ratings that hundreds of thousands of debit card holders have experienced. Sooner or later some court will realize that real damages deserve real compensation. Maybe when that happens some of these companies that are sloppy with security will learn, maybe the hard way, that good security pays.
Disclaimer: Companies learning, or at least company executives learning, is an aim of the B School, but I did not ask them about this lesson, so the above is all mine.