Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Debit card fraud outbreak raises questions about data breach
Computer World ^ | March 9, 2006 | Jaikumar Vijayan

Posted on 03/10/2006 6:35:48 AM PST by APRPEH

(subtitle-Major credit card associations and financial institutions are saying little )

MARCH 09, 2006 (COMPUTERWORLD) - The continued refusal by major credit card associations and financial institutions to identify the source of a data compromise that has resulted in a wave of debit card fraud worldwide is fueling concerns about the scope of the problem.

It is also shining a spotlight on what may be growing attempts by criminal gangs to try to compromise PIN-based card transactions, which have until now been considered extremely secure, analysts said.

The immediate furor was ignited earlier this week by Citibank, which acknowledged that it had put transaction holds on an unspecified number of Citi-branded MasterCard debit cards after detecting fraudulent cash withdrawals in Canada, Russia and the U.K. (see "Citibank probes ATM withdrawals, cites potential U.S. ‘retailer breaches' ">).

In a brief statement, Citibank said that the fraud was the result of a “third-party business information breach” that took place last year. To protect its customers, the company said it “blocked PIN-based transactions in those locations for the customers affected by the breach." A spokesman for the company, however, refused to name the third-party retailer involved in the breach.

Citibank’s disclosure made it the latest in a fast growing list of financial institutions that during the past several weeks have reissued thousands of debit cards or blocked access to certain transactions in countries where ATM cards were used fraudulently to withdraw cash and make purchases on U.S. accounts.

The list includes banks such as Bank of America Corp., Wells Fargo Bank and Washington Mutual Bank, as well as numerous credit unions around the country. One example is $13 billion North Carolina State Employees Credit Union in Raleigh, N.C., which over the past two weeks has reissued more than 27,500 debit cards after being told by Visa U.S.A. Inc. of a security breach involving a U.S. retailer.

According to Leigh Brady, senior vice president at the credit union, many of the compromised debit cards were being used fraudulently in several countries, including Romania, Russia, Spain and the U.K. “This is the largest [card reissue] we’ve had one in quite a while,” Brady said.

In an advisory this week, analyst firm Gartner Inc. said the combined bank actions “reflect the largest PIN theft to date and point to a new wave of 'PIN block' card fraud."

Avivah Litan, author of the Gartner report, said that PIN-based fraud schemes involve hackers somehow gaining access to the encrypted PIN data that is sent along with card numbers to processors that execute PIN debit transactions. The thieves also steal terminal keys used to encrypt PINs, which are typically stored on a retailer's terminal controllers, she said. The encrypted PIN information, together with the key for decrypting it and the card numbers, allow criminals to make counterfeit cards, she said.

The widening scope of the fraud has already prompted calls from one congressman for more disclosure and is likely to spur more attention from lawmakers, according to analysts.

In February, Rep. Barney Frank (D-Mass.), the leading Democrat on the House Financial Services Committee, sent a letter to both MasterCard International Inc. and Visa urging the companies to disclose the source or sources of the compromise or take responsibility themselves.

In response to a request for comment on Frank’s letter, Visa said in an e-mailed statement that it understood the need for quickly giving financial institutions the information needed to protect themselves and cardholders from losses in the event of a security breach.

However, “accusing a single source of the compromise before the investigation is complete could be inaccurate and unfair,” the company said. “Similarly, disclosing the name of the compromised entity would become a powerful disincentive for the compromised entity to share time-sensitive information with Visa” going forward, the statement said.

MasterCard did not respond to requests for comment.

According to a source working for a company now helping law enforcement officials investigate the fraud, most evidence suggests that point-of-sale systems at a California store of retailer OfficeMax were somehow involved in the compromise.

“All roads are pointing in that direction,” said the source, who requested anonymity. But it is still not clear exactly how the debit card and PIN information was accessed and by whom, he said, adding that about 200,000 cards may have been compromised.

OfficeMax did not respond to calls for comment, but a company spokesman has been quoted in various other media reports this week as denying any breach at the retailer.

According to Gartner's Litan, OfficeMax officials’ outright denial suggests that the source of the compromise may well be a third-party processor used by the company to process card transactions.

Another company whose name has been mentioned in connection with the debit card fraud wave is wholesaler Sam’s Club, a division of Bentonville Ark.-based Wal-Mart Stores Inc.

In December 2005, Sam's Club acknowledged that it was cooperating with credit card associations in investigating reports of fraud involving approximately 600 cards used to purchase gas at its gas stations between Sept. 21 and Dec. 5, 2005. The company on March 3 issued another statement responding to "persistent rumors and false media reports " tying it to the current wave of PIN debit fraud. The company denied that any of its internal systems had been compromised and said that a review of its gas payment systems by its own staff and an outside party revealed no breach.

"If any compromise occurred, it appears to have been limited to the Sam's Club fuel station point-of-sale system" and did not involve PIN-based transactions, the statement said.

The spate of recent breach disclosures suggests a shift in focus by criminals from credit card fraud to PIN-based debit card fraud, said Mike Urban, director of fraud technology operations at Fair Isaac Co., a Minneapolis-based company that is helping investigate the recent incidents.

Though PIN-based ATM and point-of-sale transactions continue to be one of the most secure methods of executing sales, criminals are employing a variety of sophisticated ways to compromise them, he said.

“In general, what we’ve seen over the years is that criminals tend to favor trying to capture PINs at ATMs or point-of-sale devices” using hidden cameras or sometimes “overlays” on the pinpad to capture data, Urban said.

Also employed are so called “key ghosts,” which are attached to the inside of point-of-sale systems to capture card track data and PINs, he said. Other techniques include the use of “card throat” readers that fit over existing ATM card readers and skim card data without interfering with legitimate transactions, Urban said.


TOPICS: Business/Economy; Canada; Crime/Corruption; Culture/Society; Government; News/Current Events; Russia; US: California; United Kingdom
KEYWORDS: california; canada; citibank; databreach; debitcardtheft; england; idtheft; mastercard; officemax; pins; romania; russia; samsclub; spain; uk; visa; walmart; washingtonmutual; wellsfargo
Navigation: use the links below to view more comments.
first 1-2021-38 next last

1 posted on 03/10/2006 6:35:54 AM PST by APRPEH
[ Post Reply | Private Reply | View Replies]

To: APRPEH

BIO-METRICS ARE COMING

2 posted on 03/10/2006 6:42:01 AM PST by APRPEH (You and I have a rendezvous with destiny.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: APRPEH

Naming the retailers responsible for the breach is absolutely essential, as far as I'm concerned.
I certainly would profit from knowing...


3 posted on 03/10/2006 6:46:29 AM PST by Publius6961 (Multiculturalism is the white flag of a dying country)
[ Post Reply | Private Reply | To 2 | View Replies]

To: APRPEH

They are already here. Around here if you want to cash a check at the bank it is drawn from and you don't already have an account then you must place your thumbprint right on the check you seek to cash.

I support technology that stiffens actual identification of individuals. I know alot of folks cry wolf about privacy but I argue that bio's help keep your privacy private.....and this article is a good example of how it can help do that.


4 posted on 03/10/2006 6:46:59 AM PST by BlueStateDepression
[ Post Reply | Private Reply | To 2 | View Replies]

To: APRPEH

The company denied that any of its internal systems had been compromised and said that a review of its gas payment systems by its own staff and an outside party revealed no breach.

"If any compromise occurred, it appears to have been limited to the Sam's Club fuel station point-of-sale system" and did not involve PIN-based transactions, the statement said.

It didn't happen but if it did happen, this is where........


5 posted on 03/10/2006 6:48:02 AM PST by PeterPrinciple (Seeking the truth here folks.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: APRPEH

Amazing, PIN number stored w/ every transaction. What a feeding frenzy for crooks ... just given to them on a silver platter too!

What do financial institution always say, "TRUST US"!


6 posted on 03/10/2006 6:50:00 AM PST by SIRTRIS
[ Post Reply | Private Reply | To 2 | View Replies]

To: SIRTRIS

Like so many other things folks sell us and tell us. It's always "safe and secure", well, until it's not anyway.


7 posted on 03/10/2006 7:02:46 AM PST by Emmett McCarthy
[ Post Reply | Private Reply | To 6 | View Replies]

To: APRPEH
The immediate furor was ignited earlier this week by Citibank

I get emails, supposedly from City Bank and Chase, asking me for personal info concerning my accounts with them. I don't have accounts with either of them and wouldn't answer their emailed questions even if I did. However there are a lot of people out there who would and do.

Lot's of people are falling for these "phishing" expeditions and are making fraud easy.

8 posted on 03/10/2006 7:10:50 AM PST by Graybeard58 (Remember and pray for Sgt. Matt Maupin - MIA/POW- Iraq since 04/09/04)
[ Post Reply | Private Reply | To 1 | View Replies]

To: APRPEH; Publius6961; PeterPrinciple
My brother was the marketing director for a major west coast bank in the 1990's. He told me way back then that bank security had been compromised by the Los Angeles mob. This back when commercial real estate was starting to rise very quickly after the crash in the 1980's. He told me the mob had infiltrated the bank and he suspected key people above him had been bribed. The executive vice president was a big gambler and was dropping major bucks at Santa Anita. There were reports about crazed parties on the corporate jet. Typical corporate corruption back then. (It is even worse today.)

Later he told me that a key person was caught with all kinds of fake identification cards (Drivers licenses, fake social security cards, etc.). It turned out that the woman was a former prostitute working at the bank under a false name. She had become very computer savvy. Also found in her possession at the time was confidential data on thousands of wealthy bank customers. And this was way back in 1994!

These stories the mainstream media report about some guy had his lap top stolen with thousands of file is most likely bogus reporting. The cops take a theft report, do not even dust the car for prints and drive off to their next call. What really happened is a total mystery.

The mob is very active on the west coast. The best solution is to cut up all your credit cards. Keep one fully paid off card somewhere very safe. Use it for vacations. Open up a debit account with a small balance to use for 'credit purchases.' Master Card, Visa, and yada yada are not trustworthy.

9 posted on 03/10/2006 7:12:20 AM PST by ex-Texan (Matthew 7:1 through 6)
[ Post Reply | Private Reply | To 2 | View Replies]

To: PeterPrinciple
it appears to have been limited to the Sam's Club fuel station point-of-sale system" and did not involve PIN-based transactions, the statement said.

Ah, no; one of our cards is involved with this and we NEVER buy gas at Sam's.

10 posted on 03/10/2006 7:14:20 AM PST by Howlin ("Quick, he's bleeding! Is there a <strike>doctor</strike> reporter in the house?")
[ Post Reply | Private Reply | To 5 | View Replies]

To: Publius6961

Published reports say Visa USA customer account numbers and personal identification numbers were stolen from a major retailer, possibly OfficeMax.

This week, Visa USA notified banks across the nation about the security lapse. The FBI and Secret Service are investigating the case.

http://www.wral.com/news/7859809/detail.html

It hit us, too; Friday night. Husband went to get Chinese food and was refused; need I even say he called me and raised Holy Hell, wanting to know WHY the checking account was empty, even though there was several thousand dollars in there? After he calmed down, he went to the bank to get cash; it kept his card!

I want to know WHO this happened to. It's not fair to cause this much trouble without naming the company.


11 posted on 03/10/2006 7:20:22 AM PST by Howlin ("Quick, he's bleeding! Is there a <strike>doctor</strike> reporter in the house?")
[ Post Reply | Private Reply | To 3 | View Replies]

To: APRPEH
This article is certainly a sobering reminder to be especially vigilant with debit card and credit card accounts. I learned the hard way about lapses in credit card security in 1997 when an account I had used for 18 years without a problem was compromised by a thief (through an Internet data source) and used to make fraudulent purchases. Fortunately, the breach was discovered quickly and the account closed.

Since that time, I've reduced the total number of debit card and credit card accounts I hold to one each. Both accounts are checked online at least once daily for unexpected charges. More rigorous authentication methods are welcome, but constant monitoring greatly reduces damages when the best of systems fail.

12 posted on 03/10/2006 7:25:14 AM PST by Unmarked Package
[ Post Reply | Private Reply | To 1 | View Replies]

To: APRPEH

Well, well...this might just 'splain why my bank (listed in the article as one of the affected banks) just sent me a letter yesterday stating the "Great News" that they will be re-issuing new ATM/Debit cards soon.

hmm...

I will no longer use PIN transactions
I will no longer use PIN transactions
I will no longer use PIN transactions
I will no longer use PIN transactions
I will no longer use PIN transactions
I will no longer use PIN transactions


13 posted on 03/10/2006 7:28:05 AM PST by woollyone (...a closed mouth gathers no feet...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ex-Texan
These stories the mainstream media report about some guy had his lap top stolen with thousands of file is most likely bogus reporting. The cops take a theft report, do not even dust the car for prints and drive off to their next call. What really happened is a total mystery.

i am in this business (PI not fraud) unfortunately this is all to real

14 posted on 03/10/2006 7:36:37 AM PST by APRPEH (You and I have a rendezvous with destiny.)
[ Post Reply | Private Reply | To 9 | View Replies]

To: APRPEH

Could anyone please tell me what kind of software I need in order to protect my bank account when shopping online?

Thank you very much!


15 posted on 03/10/2006 7:41:49 AM PST by whadido
[ Post Reply | Private Reply | To 1 | View Replies]

To: whadido
You need very Spyware protection. I use PC-Cillin (updates frequently) to protect against trojans and viruses and two others to detect and remove sypware. Pick One Here. In addition, I run my antivirus and anti-spyware every day. Also, do not download email message directly onto your computer. Use a third party email service or web mail provided by your ISP.
16 posted on 03/10/2006 7:59:05 AM PST by ex-Texan (Matthew 7:1 through 6)
[ Post Reply | Private Reply | To 15 | View Replies]

To: APRPEH

Wonder how many digits we'll be losing to gang members?


17 posted on 03/10/2006 8:09:40 AM PST by CaptRon (Pedecaris alive or Raisuli dead)
[ Post Reply | Private Reply | To 2 | View Replies]

To: APRPEH

I do not quite understand your post. My point was about organized crime making a concerted effort to penetrate banks and credit card companies. I was suggesting some computer thefts may be a clever cover story for what really happened. Your point was that 'this type of stuff' happens. We are in agreement, correct?


18 posted on 03/10/2006 8:23:58 AM PST by ex-Texan (Matthew 7:1 through 6)
[ Post Reply | Private Reply | To 14 | View Replies]

To: ex-Texan

your info was amazing. yes, of course it could be a cover to claim theft and actually be the perpetrator. for the folks whose ID info is on the computer, its the same either way. that inside the bank stuff is horrifying.


19 posted on 03/10/2006 8:30:16 AM PST by APRPEH (You and I have a rendezvous with destiny.)
[ Post Reply | Private Reply | To 18 | View Replies]

To: ex-Texan

Thanks for the info. I heard that I need an "IP scrambler", whatever that is.

I'm interested in purchasing products through online places such as Amazon.com, but I'm worried that hackers will steal my personal info either through my computer or the bank account itself. The lady I talked to @ the bank told me that their end is VERY safe & secure, so if I ever have any prob's it must be coming from my end.

I heard that people can get my personal info by putting software into my computer that is able to read everything that I type...therefore, when I try to purchase anything online, they are able to get my credit card # & password information this way....so I'm scared to make any online purchases, check my bank account online, or use online bill pay because of this. Is there anything else I can do or are there other kinds of software protection out there I should get?

Thank you.


20 posted on 03/10/2006 8:31:27 AM PST by whadido
[ Post Reply | Private Reply | To 16 | View Replies]


Navigation: use the links below to view more comments.
first 1-2021-38 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson