Shostack + Friends Blog Archive

 

Citibank card cancellations are likely due to Sam’s Club

So says Gartner analyst Avivah Litan, as reported in Computerworld [link to http://www.computerworld.com/securitytopics/security/story/0,10801,109308,00.html?source=x3888 no longer works].
Much has been made recently about a purported “class break” of Citi’s ATMs. A class break is “an attack that breaks every instance of some feature in a security system”. The term was popularized by Bruce Schneier in Beyond Fear, from which this definition comes. Schneier’s blog has also discussed the incident, but very few details have been forthcoming from Visa or Citibank.
As has been said here before, in an information vacuum, speculation is encouraged, and public awareness and welfare suffer.
Update: Speaking of speculation, the New York Times writes that “banking industry executives” are saying that OfficeMax is to blame, and that PIN numbers were actually stored and revealed to bad guys during a breach. That would be a rather significant no-no.