
PIN cracking


Sanchek
04-15-2009, 03:44 AM
http://blog.wired.com/27bstroke6/2009/04/pins.html

The revelation is an indictment of one of the backbone security measures of U.S. consumer banking: PIN codes. In years past, attackers were forced to obtain PINs piecemeal through phishing attacks, or the use of skimmers and cameras installed on ATM and gas station card readers. Barring these techniques, it was believed that once a PIN was typed on a keypad and encrypted, it would traverse bank processing networks with complete safety, until it was decrypted and authenticated by a financial institution on the other side.

But the new PIN-hacking techniques belie this theory, and threaten to destabilize the banking-system transaction process.

That can't be good.

LummusL
04-15-2009, 04:43 AM
There is an easy work around to this:

**Warning! This goes against the grain of modern American culture!**

Step 1: Sit down. Make a budget. Be sure it has some room for incidentals. Commit to one bank visit per week or pay period.

Step 2: Go to the bank. Get in line. Speak with the sentient organic being called a "Teller" once it's your turn. Withdraw the funds from your bank account, being sure that it has sufficient funds available, to cover your budget for the week/pay period. If you didn't have enough in the bank, return to "Step 1". This is where the ones and zeros of your balance become the tangible currency known as "Cash".

Step 3: Meter out funds as required, spending only on items covered in the budget. Once the cash is gone, that's it. You are broke.

Step 4: If there was money left, take any surplus money and put it back in the bank, spend it on a nice dinner, entertainment, etc. Reward yourself or save it. Remember, once it's spent, that's it. Next cash refresh is next pay period.

Step 5: If you went broke, well, dumbass, budget better next time and practice some restraint. Ponder it while you enjoy those Ramen noodles you bought with the change lodged in your couch cushions.

You do this right, you can shred your debit cards and revert back to those days when they didn't exist, and people had to rob you the old-fashioned way by holding you at gunpoint, kicking your ass or taking it at the poker table. Considering how lazy we are as a culture, you stand a very slim chance of that.

Malse
04-15-2009, 04:55 AM
I knew this was only a matter of time when they started moving towards off-the-shelf computing systems. You have to be totally closed or totally open; trying to hide things on a common and known insecure platform (a depressing amount of this stuff runs on Windows or really old versions of AIX) leads here every time. The PIN security model has been realistically untenable for over a decade, but it's probably only going to start getting changed now that the cracks have become too obvious to ignore.

You do this right, you can shred your debit cards and revert back to those days when they didn't exist, and people had to rob you the old-fashioned way by holding you at gunpoint, kicking your ass or taking it at the poker table. Considering how lazy we are as a culture, you stand a very slim chance of that.

Even if you don't have a debit card, the banking infrastructure uses the same basic transmission mechanisms for wire transfers, the newer electronic transfers, and inter-bank check processing. They don't even implicitly need your PIN, just the access tokens for your account along with the identity tokens. That attack vector is more difficult since you're outside the PCI (which is largely default-accept since consumers don't like deny) and has fewer peering points, but once you're in ...

LummusL
04-15-2009, 05:10 AM
True, but it helps to reduce the number of times you have to swim in those shark-infested waters. It's one thing to hit the ATM daily and write/cash checks for 20 bucks often, and it's another to have one bulk transaction per week or pay period. Plus, the real professionals rely on mass subtle withdrawals, which was probably mentioned as "skimming", which is huge here in China. To the point that you just plain don't want to use an ATM/Debit/Credit card ANYWHERE since that is where they harvest the data. The machines themselves end up compromised without a need for a camera etc. ATM machines that are "stand-alones" such as the ones in convenience stores, bars etc. were highly suspect. Even the bank-owned ones that are enclosed in kiosks where you use your card to open a door are just as bad. For all I know a few digital pennies here and there have been siphoned off my till by clever criminals and I would not be that much the wiser for knowing it. If they wiped me out, then I would certainly notice, and the best crime is the one that goes on in plain view, unnoticed.

This is white-collar crime, perpetrated by skilled professionals, and only a skilled professional would really know what to do with PINs en masse to make it a lasting enterprise. The amateurs will in time get caught. The pros won't do enough true individual damage to be noticed.

Cados Evilsbane
04-15-2009, 11:42 AM
All of my funds go directly to an ING Direct savings account which is linked to my other bank checking account. I keep all my money in savings and just transfer it out (for free whenever I want) to my checking, which is accessed by my check card or otherwise. If someone somehow steals all the money in my checking, they really don't get that much. The interest rate on savings is usually pretty nice too.

Maniacles
04-15-2009, 08:50 PM
Oddly enough, this makes me MORE likely to use my credit card on the internet... because no PIN numbers are used...

Malse
04-15-2009, 09:35 PM
I never use my debit card for anything except at ATMs. Your credit card offers legal protection from liability that no bank will match.

velvetsilence
04-15-2009, 10:30 PM
I endorse the Lumm model. I got jacked a few years ago and ended up over $900 in the negative on the account, all in 3 days. Add in the roughly $350 in overdraft fees that the bank was happy to apply and yeah, I was fucked. Day 4, direct deposit hits, putting me in the black a little. Day 5, rent check hits, +$35 OD fee; power check hits, +$35 OD fee, etc.
You see, dumb me had given my creditors an all-access pass to my money pool. The bank didn't care whether it was there or not as long as they could add their fees.

See, the funny thing is, when I opened the account I had a $20 OD limit. Over the years they had "increased" my OD limit. You'da thunk I'd have gotten a letter or something!

Bylimet Spiritwalker
04-15-2009, 10:59 PM
I always keep a certain amount of cash on hand, and when that dwindles I stop by the bank and cash a check for more. I never use ATMs nor have I ever registered PIN numbers on any of the credit cards I now have. I have one card only for internet purchases/subscriptions.

I think I am relatively safe, or as safe as one might hope to be in this day and age.