In article <m...@d...localdomain>, k...@p...waw.pl says...
> Jacek Popławski <j...@i...pl> writes:
>
> > Podobno problem dotyczy USA, UK i Rosji, czy ma to jakiekolwiek
> > przełożenie na
> > polskie realia? Z którym bankiem w Polsce ma coś wspólnego Citibank?
> >
> > http://www.computerworld.com/databasetopics/data/sto
ry/0,10801,109308,00.html
>
> To jakis nonsens, skimming i PINy? Wyglada na to, ze dane o kartach
> (i PINach) po prostu wyciekly z banku. Moze z niezadowolonym
> pracownikiem? Raczej sie tego nie dowiemy, ale pokazuje to zagrozenie
> w podpisywaniu transakcji PINem lub innym np. kodem jednorazowym.
>

Nie dotyczy sie to tylko Citi ale kilku innych wiekszych bankow w
stanach. Firma przetwarzajaca tranzakcje z urzyciem PIN w
"niweyjasniony" sposob w historii tranzakcji przechowywala takze
informacje o pinach.


More banks in the US are reissuing debit cards following the security
breach at an undisclosed retailer that forced Citibank to block PIN-
based ATM transactions on card accounts in Canada, Russia and the UK
earlier this week.

Regional US banks including PNC Financial, National City and First
National Bank of Pennsylvania, have scrambled to close accounts and
reissue debit cards following the breach. The banking industry has yet
to issue a definitive statement on the incident, but it appears
increasingly likley that the nation's banks have fallen victim to an
industrial-scale hacking and card-skimming fraud.

Earlier this week Citibank imposed transaction blocks on an unspecified
number of US card accounts after a series of fraudulent cash withdrawals
at ATMs in the UK, Russia and Canada. The bank indicated that security
problems stem from a breach at a US retailer, although no company name
was disclosed.

National US banks including Bank of America, Wells Fargo and Washington
Mutual have also blocked and reissued debit cards in recent weeks.

Previously PIN-based debit cards were thought to be safe from hackers,
but Gartner analyst Avivah Litan says the banks' actions show that this
incident is one of "the largest PIN thefts to date", in which the
fraudsters not only collected card numbers, but also encrypted PIN data
and terminal keys for unscrambling the codes.

"Armed with the PIN block and terminal encryption key, the thieves can
determine a cardholder's PIN, then create counterfeit cards that enable
them to withdraw cash at ATM machines," says Litan.

Analysts believe the incident may lead the US banking to reconsider its
resistance to chip-based payment cards and force a nationwide flight
from the less-secure mag-stripe standard.

Although the name of the retailer that suffered the breach hasn't been
disclosed, speculation is mounting that the debit card data was obtained
during an incident at office-supply firm OfficeMax although the company
has denied any involvement in the incident.

The Payment Card Industry Data Security Standard (PCI), which defines
how card and cardholder data should be managed and processed to keep it
secure, expressly forbids retailers from storing PINs online, although
compliance with the standard is believed to be under 20% in the US.

Congressman Barney Frank, the senior Democrat on the house financial
services committee recently called on credit card companies to name and
shame retailers who suffer security breaches.

Frank said he was considering introducing legislation that would force
companies that have suffered security breaches to notify customers of
the incident, or be identified publicly as the party responsible.