Re: Don't Let Data Theft Happen to You

B.M. Wright
Sun, 17 Jul 2005 05:20:49 UTC

Dan Lanciani <> wrote:


>> That said, Mr. Mierzwinski endorsed the preventive measures offered by
>> Privacy Rights Clearinghouse (, a nonprofit
>> consumer advocacy group, and by the Identity Theft Resource Center
>> (, also a nonprofit. Besides the standard advice
>> to shred personal documents, following are some tips I found useful:

>> -- Curtail electronic access to your bank accounts.

> How exactly is one supposed to achieve this? Every bank that I have
> contacted flat-out refuses to block EFT debits on consumer accounts.
> They will transfer my money to anyone with my account and routing
> numbers who has access to the ACH network, even though there is no
> evidence that I authorized the transaction. (In fact, the banks have
> strong evidence that I did not approve any such transactions since I
> told them that I have not authorized any third party to electronically
> debit my accounts.) Even brokerage houses are doing this, and even on
> accounts with no check writing feature.

Yes, the US system is ridiculous: why should anyone be allowed to pull
$ from your account with only a routing code, account number, and
possibly some other easily obtained information? I don't know what
requirements the bank has before qualifying someone to do these "ACH"
payments, but it is likely easy enough to get approved. The UK has a
much better system where you, as the account holder, either have to
initiate the transaction, or you have previously filled out and signed
a physical authorization paper that the person receiving the money has
to file with the bank. At any time, you can, as the account holder,
withdraw permission for that debit (if it is monthly recurring)
without needing consent from the receiving party.

>> Pay bills through snail mail.

> If you use a normal check this still provides the recipient with your
> account and routing numbers which they can then use to electronically
> debit your account.

With the system in the UK mentioned above, people freely exchange
their routing (aka "sort code") and account number information. It is
quite a common way for two people to pay each other because most banks
don't charge for UK to UK transfers in the same currency.

Someone also mentioned the credit card terminal PIN system used in
France. This is similar to what you need in the US to use most debit
cards, and the UK is also starting to use this with credit cards that
have embedded smart chips. However, apparently it is optional for
the merchant whether or not they accept payments without the PIN on
chip/PIN enabled cards. One merchant kept having a fairly low value
transaction declined when using the mag-stripe; once they used the
chip reader and I entered my PIN it went through. Since implementing
this system, however, it seems all the banks no longer allow you to
change the PIN over the phone; you have to go to an ATM, and not just
any, it has to be specific banks within the UK.

This tells me that it's likely they store the PIN in the chip, with
some type of encryption, which will be broken some day no doubt and
become useless. Further evidence that makes me believe they store the
PIN inside the chip is the fact that I was told merchants can do "chip
& PIN" transactions while offline. If this is the case, they are
either 1) when offline, hoping you entered the right PIN and
authorizing the transaction regardless, or 2) decrypting the PIN, stored
locally on the card, with a certificate stored in the POS terminal
(and once that certificate is compromised you have the keys to the
If they are not storing the PIN in the card, I see absolutely no
reason why they won't update the PIN for you over the phone, unless
they have some type of PIN database encrypted with a certificate which
is only available within the CHIP on the card. Would anyone familiar
with the system care to comment?

Just as a side note, some companies within the US tried to implement
smart chip systems in their cards; Providian Smart Visa and the Fleet
Fusion card are two that come to mind. They failed to get anyone to
actually use it and gave up, converting back to non-chip cards. I'm
not too sure what their system really had to offer (not much); they
tried to tout it as a way to make more secure online transactions,
have the online web store form automagically filled out with your
details, etc. At the time, they were sending out free smart card
readers to try to get people using these, probably one of the reasons
they decided it cost too much and scrapped it.

