It seems that the problem of Debit
and Credit Card theft that began to rear its ugly head in the latter part of
the Recession originating from the United States of America in 2009 is now
becoming a permanent crime problem that has connections to the criminal
underworld.
This is in much the same way that
Digital Music and Video Piracy also finances the criminal underworld, as
suggested in the article “BE
WARNED! If you buy a pirated DVD, CD you can be arrested”, published
Wednesday, August 26, 2009 by KARYL WALKER, Crime/Court co-ordinator, The Jamaica Observer
The article “Thieves clone
Debit Cards”, published Thursday March 11, 2010, The Thursday Star, gave prominence to the problem and the
article “Held
up with an ABM card - Is plastic panacea
or pestilence”, published Saturday 20th March 2010 by Mario
James, Gleaner Writer, The Jamaica Gleaner, made
readers more aware.
The method outlined by the source
used in the article is a bit much, as you only just need to copy the card using
either a “skimmer” placed over the card slot on the ABM machine or on the
magnetic swipe to unlock the ABM door and a hidden wireless pinhole camera
captures and transmits the PIN number entered.
The person then takes any other
card with a magnetic stripe and using a generic Card Reader erase the target
card and copy the information obtained from the victim or “mark”. Protecting
you PIN is the simple deterrent, often found plastered on the walls inside most
ABM, making it your responsibility to protect your pin. But who is responsible
if your Credit Card or Debit Card account is hacked when it is in a Database
hosted on Servers owned by the Bank?
Credit Cards are easy marks and
popular targets for online hackers as well as unscrupulous merchants who
utilize skimmers to steal Debit and Credit Card information, as Credit Cards often
have no PIN numbers.
Thus it would seem the security
features being implemented by the Bank of Nova Scotia involving JPS customers
who exercise the option to use the internet to pay their bills (voluntarily?) keying
in their the credit card numbers on SSL (Secure Script Layer) websites as
stated in the article “As
fraud grows, privacy erodes” , published Sunday March 21st 2010 by Avia
Collinder, Business Reporter, The Jamaica Gleaner, and
storing them in the Bank’s database will not work.
This I because if their database
server is not a Oracle DB Database housed on a Sun Solaris Server running a
Linux Distribution Operating System with access terminals also running a Linux
Distribution with Open Source Firewalls and Biometric Security protocols for
all Laptops for Database Administrators, Computer Terminals and Servers and
having the Servers and Computer Terminals connected over a private network,
they are very vulnerable to outside intrusions.
This is both in terms of hackers
remotely accessing their Servers, Laptops for Database Administrators and Computer
Terminals or accessing the computer being used by the Credit Card holder over
the internet via scam websites, key logging software and other “phishing”
techniques, especially if the Bank of Nova Scotia is using Microsoft software,
which is notoriously hacker friendly – which of course one assumes to be
information that the Network and Database Administrators at BNS are well aware.
NCB supposedly foolproof “hybrid”
method is however on the right track, as mixing the data entry process with an
age old “who goes there!” password request from a Customer Care Representative
in the Bank makes it difficult for the hacker to steal your credit card,
especially if the Credit Card customer had already set up the online access
facility from within the Bank and NOT over the internet.
This article does not determine who is liable in the case
of a data intrusion or theft from the Banks Server and procedures for public
disclosure of these intrusions as most Banks have only policy guidelines. The
Electronics Transactions Act of 2007 and the recently minted Cyber crime Act of
2010 as mentioned in the article “Move to
Tackle CyberCrime - Hacker got Golding”, published Sunday
February 14, 2010 by Philip
Hamilton, Gleaner Writer, The
Jamaica Gleaner, do not make such provisions
for liability and public disclosure of hacking intrusions so as to alert
persons of the potential danger.
Additionally there
are other “reputable companies” that have embarked on a similar move to Bank of
Nova Scotia such as LIME in its new Self Top Up service as stated in the
article “Text
to top Up - A Caribbean First from LIME”, published Wednesday, 03 March 2010 by TechJamaica.com that will potentially
put more Credit Card holders in jeopardy.
This is especially in light of the decryption of the A5/1
codebook by German security expert Karsten Nohl which he achieved with help
from the Open Source Community as stated in the article “Q&A: Researchers
Karsten Nohl on Mobile eavesdropping”, author Elinor Mills, InSecurity
Complex – CNET, January 1, 2010 4:00 AM
PST, CNET News.
This implies that wireless POS (Point of Sale) device
transactions and phone conversations are interceptable on Telecoms Provider’s Networks
in Jamaica
still using the weaker A5/1 codebook. So who would be liable in such cases?
John Public demands answers.
No comments:
Post a Comment
Please register and leave you comments. For contact, leave an email or phone number and I'll be sure to get back to you.