My Thoughts on Technology and Jamaica: Who is responsible if your Credit Card or Debit Card account is hacked?

Tuesday, March 23, 2010

Who is responsible if your Credit Card or Debit Card account is hacked?

It seems that the problem of Debit and Credit Card theft that began to rear its ugly head in the latter part of the Recession originating from the United States of America in 2009 is now becoming a permanent crime problem that has connections to the criminal underworld. 

This is in much the same way that Digital Music and Video Piracy also finances the criminal underworld, as suggested in the article “BE WARNED! If you buy a pirated DVD, CD you can be arrested”, published Wednesday, August 26, 2009 by KARYL WALKER, Crime/Court co-ordinator, The Jamaica Observer  

The article “Thieves clone Debit Cards”, published Thursday March 11, 2010, The Thursday Star,  gave prominence to the problem and the article “Held up with an ABM card  - Is plastic panacea or pestilence”, published Saturday 20th March 2010 by Mario James, Gleaner Writer, The Jamaica Gleaner, made readers more aware. 

The method outlined by the source used in the article is a bit much, as you only just need to copy the card using either a “skimmer” placed over the card slot on the ABM machine or on the magnetic swipe to unlock the ABM door and a hidden wireless pinhole camera captures and transmits the PIN number entered.

The person then takes any other card with a magnetic stripe and using a generic Card Reader erase the target card and copy the information obtained from the victim or “mark”. Protecting you PIN is the simple deterrent, often found plastered on the walls inside most ABM, making it your responsibility to protect your pin. But who is responsible if your Credit Card or Debit Card account is hacked when it is in a Database hosted on Servers owned by the Bank?

Credit Cards are easy marks and popular targets for online hackers as well as unscrupulous merchants who utilize skimmers to steal Debit and Credit Card information, as Credit Cards often have no PIN numbers.

Thus it would seem the security features being implemented by the Bank of Nova Scotia involving JPS customers who exercise the option to use the internet to pay their bills (voluntarily?) keying in their the credit card numbers on SSL (Secure Script Layer) websites as stated in the article “As fraud grows, privacy erodes” , published Sunday March 21st 2010 by Avia Collinder, Business Reporter, The Jamaica Gleaner, and storing them in the Bank’s database will not work.

This I because if their database server is not a Oracle DB Database housed on a Sun Solaris Server running a Linux Distribution Operating System with access terminals also running a Linux Distribution with Open Source Firewalls and Biometric Security protocols for all Laptops for Database Administrators, Computer Terminals and Servers and having the Servers and Computer Terminals connected over a private network, they are very vulnerable to outside intrusions.

This is both in terms of hackers remotely accessing their Servers, Laptops for Database Administrators and Computer Terminals or accessing the computer being used by the Credit Card holder over the internet via scam websites, key logging software and other “phishing” techniques, especially if the Bank of Nova Scotia is using Microsoft software, which is notoriously hacker friendly – which of course one assumes to be information that the Network and Database Administrators at BNS are well aware.

NCB supposedly foolproof “hybrid” method is however on the right track, as mixing the data entry process with an age old “who goes there!” password request from a Customer Care Representative in the Bank makes it difficult for the hacker to steal your credit card, especially if the Credit Card customer had already set up the online access facility from within the Bank and NOT over the internet.

This article does not determine who is liable in the case of a data intrusion or theft from the Banks Server and procedures for public disclosure of these intrusions as most Banks have only policy guidelines. The Electronics Transactions Act of 2007 and the recently minted Cyber crime Act of 2010 as mentioned in the article “Move to Tackle CyberCrime - Hacker got Golding”, published Sunday  February 14, 2010 by Philip Hamilton, Gleaner Writer, The Jamaica Gleaner,  do not make such provisions for liability and public disclosure of hacking intrusions so as to alert persons of the potential danger.

Additionally there are other “reputable companies” that have embarked on a similar move to Bank of Nova Scotia such as LIME in its new Self Top Up service as stated in the article “Text to top Up - A Caribbean First from LIME”, published Wednesday, 03 March 2010 by that will potentially put more Credit Card holders in jeopardy.

This is especially in light of the decryption of the A5/1 codebook by German security expert Karsten Nohl which he achieved with help from the Open Source Community as stated in the article “Q&A: Researchers Karsten Nohl on Mobile eavesdropping”, author Elinor Mills, InSecurity Complex – CNET,  January 1, 2010 4:00 AM PST, CNET News.

This implies that wireless POS (Point of Sale) device transactions and phone conversations are interceptable on Telecoms Provider’s Networks in Jamaica still using the weaker A5/1 codebook. So who would be liable in such cases? John Public demands answers.

No comments: