% fortune -ae paul murphy

Out-sourcing and the Debit Card hack

Last Friday reports surfaced of a massive series of consumer debit card frauds affecting Citibank, Bank of America, Wells Fargo, Washington Mutual, and others in Canada, Russia, the U.K. and the U.S.

Here's how Techweb's Gregg Keizer wrote up some key comments by Gartner's Avivah Litan:

In this case, Litan said, the thieves used the information to crank out counterfeit debit cards, then emptied accounts at ATMs. She estimated that they absconded with "at least a couple of thousand records, maybe more" and have cashed out to the tune of "millions already."

The victim of the hack attack isn't yet known, although some banks have pointed fingers at OfficeMax, which has denied that its system was penetrated.

Litan believes it much more likely that a third-party processor or terminal supplier was involved; the silence about the victim could point to a processor, she said, because they have the most to lose by the negative publicity.

Last summer, credit card processor CardSystems was hit with a massive breach that involved millions of accounts; CardSystems essentially sank under the publicity, and was later bought by Pay By Touch. In February 2006, the FTC reached a settlement with CardSystems that requires it to adopt more stringent security measures, but the company remains open to consumer lawsuits that could mean millions in payouts.

When the shouting on this one stops, I suspect it'll turn out that the debit card system has a significant design flaw: probably something like the use of a small number of decryption keys to enable easy PIN verification. That will get fixed, but there's a deeper lesson here that's somewhat more likely to be ignored until more of these events have focused more executive ulcers on the issue: containment. The use of shared processors (i.e. out-sourcing) means that events like this aren't confined to one bank or one market.

This one was just theft, the last big one probably just carelessness, but what if the next big one is a deliberate attempt to weaken the overall financial system or to grow one competitor at the expense of the other guy's customers?

Without internal IT, there's no containment. Without containment, responsibility gets diffused, risk realization consequences get more serious, and overall exposure rises.

So here's a quick bottom line for internal IT: the more people understand the issue, the more secure your jobs get. So grab the silver lining when things like this happen to others, and make very sure your bosses understand that part of your role is to protect them, the business, and the industry you work in by containing this kind of risk.


Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.