Posted on 03/10/2006 6:35:48 AM PST by APRPEH
(subtitle-Major credit card associations and financial institutions are saying little )
MARCH 09, 2006 (COMPUTERWORLD) - The continued refusal by major credit card associations and financial institutions to identify the source of a data compromise that has resulted in a wave of debit card fraud worldwide is fueling concerns about the scope of the problem.
It is also shining a spotlight on what may be growing attempts by criminal gangs to try to compromise PIN-based card transactions, which have until now been considered extremely secure, analysts said.
The immediate furor was ignited earlier this week by Citibank, which acknowledged that it had put transaction holds on an unspecified number of Citi-branded MasterCard debit cards after detecting fraudulent cash withdrawals in Canada, Russia and the U.K. (see "Citibank probes ATM withdrawals, cites potential U.S. ‘retailer breaches' ">).
In a brief statement, Citibank said that the fraud was the result of a “third-party business information breach” that took place last year. To protect its customers, the company said it “blocked PIN-based transactions in those locations for the customers affected by the breach." A spokesman for the company, however, refused to name the third-party retailer involved in the breach.
Citibank’s disclosure made it the latest in a fast growing list of financial institutions that during the past several weeks have reissued thousands of debit cards or blocked access to certain transactions in countries where ATM cards were used fraudulently to withdraw cash and make purchases on U.S. accounts.
The list includes banks such as Bank of America Corp., Wells Fargo Bank and Washington Mutual Bank, as well as numerous credit unions around the country. One example is $13 billion North Carolina State Employees Credit Union in Raleigh, N.C., which over the past two weeks has reissued more than 27,500 debit cards after being told by Visa U.S.A. Inc. of a security breach involving a U.S. retailer.
According to Leigh Brady, senior vice president at the credit union, many of the compromised debit cards were being used fraudulently in several countries, including Romania, Russia, Spain and the U.K. “This is the largest [card reissue] we’ve had one in quite a while,” Brady said.
In an advisory this week, analyst firm Gartner Inc. said the combined bank actions “reflect the largest PIN theft to date and point to a new wave of 'PIN block' card fraud."
Avivah Litan, author of the Gartner report, said that PIN-based fraud schemes involve hackers somehow gaining access to the encrypted PIN data that is sent along with card numbers to processors that execute PIN debit transactions. The thieves also steal terminal keys used to encrypt PINs, which are typically stored on a retailer's terminal controllers, she said. The encrypted PIN information, together with the key for decrypting it and the card numbers, allow criminals to make counterfeit cards, she said.
The widening scope of the fraud has already prompted calls from one congressman for more disclosure and is likely to spur more attention from lawmakers, according to analysts.
In February, Rep. Barney Frank (D-Mass.), the leading Democrat on the House Financial Services Committee, sent a letter to both MasterCard International Inc. and Visa urging the companies to disclose the source or sources of the compromise or take responsibility themselves.
In response to a request for comment on Frank’s letter, Visa said in an e-mailed statement that it understood the need for quickly giving financial institutions the information needed to protect themselves and cardholders from losses in the event of a security breach.
However, “accusing a single source of the compromise before the investigation is complete could be inaccurate and unfair,” the company said. “Similarly, disclosing the name of the compromised entity would become a powerful disincentive for the compromised entity to share time-sensitive information with Visa” going forward, the statement said.
MasterCard did not respond to requests for comment.
According to a source working for a company now helping law enforcement officials investigate the fraud, most evidence suggests that point-of-sale systems at a California store of retailer OfficeMax were somehow involved in the compromise.
“All roads are pointing in that direction,” said the source, who requested anonymity. But it is still not clear exactly how the debit card and PIN information was accessed and by whom, he said, adding that about 200,000 cards may have been compromised.
OfficeMax did not respond to calls for comment, but a company spokesman has been quoted in various other media reports this week as denying any breach at the retailer.
According to Gartner's Litan, OfficeMax officials’ outright denial suggests that the source of the compromise may well be a third-party processor used by the company to process card transactions.
Another company whose name has been mentioned in connection with the debit card fraud wave is wholesaler Sam’s Club, a division of Bentonville Ark.-based Wal-Mart Stores Inc.
In December 2005, Sam's Club acknowledged that it was cooperating with credit card associations in investigating reports of fraud involving approximately 600 cards used to purchase gas at its gas stations between Sept. 21 and Dec. 5, 2005. The company on March 3 issued another statement responding to "persistent rumors and false media reports " tying it to the current wave of PIN debit fraud. The company denied that any of its internal systems had been compromised and said that a review of its gas payment systems by its own staff and an outside party revealed no breach.
"If any compromise occurred, it appears to have been limited to the Sam's Club fuel station point-of-sale system" and did not involve PIN-based transactions, the statement said.
The spate of recent breach disclosures suggests a shift in focus by criminals from credit card fraud to PIN-based debit card fraud, said Mike Urban, director of fraud technology operations at Fair Isaac Co., a Minneapolis-based company that is helping investigate the recent incidents.
Though PIN-based ATM and point-of-sale transactions continue to be one of the most secure methods of executing sales, criminals are employing a variety of sophisticated ways to compromise them, he said.
“In general, what we’ve seen over the years is that criminals tend to favor trying to capture PINs at ATMs or point-of-sale devices” using hidden cameras or sometimes “overlays” on the pinpad to capture data, Urban said.
Also employed are so called “key ghosts,” which are attached to the inside of point-of-sale systems to capture card track data and PINs, he said. Other techniques include the use of “card throat” readers that fit over existing ATM card readers and skim card data without interfering with legitimate transactions, Urban said.
Get them all. Use them (it's all free). Only use MS Internet Explorer when absolutely unavoidable.
Debt transactions have no benefit to consumers. I prefer credit transactions for these reasons:
1) You don't need a PIN so it goes faster.
2) The cost of the transaction (to the consumer) is unchanged.
3) The credit card company floats the funds so you pay later rather than sooner.
4) If fraud occurs, the credit card company loses money vs. money being withdrawn from your account (and requiring you to correct the problem)
i agree. and the fraud process timetable is in your favor along with the VISA and Mastercard liability programs in which the possible $50 liability for the consumer is declined.
Thank you for your help.
Would any of these help REMOVE any malicious software that might have already been added to my computer, or am I being a little too paranoid?
Firefox is a browser. You should be using it instead of Microsoft Internet Explorer.
The other three will search for and identify spyware, and give you the opportunity to remove it.
It is real. The banks do not want to talk about it. If they openly discussed what is really going on in today's scary world, customers would cancel their credit cards by the hundreds of thousands.
My bank just called 2 weeks ago to tell mes that my business credit card security was breached. I had just used it 2 days prior at WalMart. I hadn't used it as a debit, or credit card for 3 months prior. I told the bank where I used it and she said they can't report/or deny that it was an inside WalMart job.
Something's not right here considering that the retailer MUST disclose things like this under PCI and VISA-CISP regulations.
I heard that people can get my personal info by putting software into my computer that is able to read everything that I type...therefore, when I try to purchase anything online, they are able to get my credit card # & password information this way....so I'm scared to make any online purchases, check my bank account online, or use online bill pay because of this. Is there anything else I can do or are there other kinds of software protection out there I should get?
One, don't use Internet Explorer. Two, this program seems to be awesome at pulling out spyware/malware. www.webroot.com : Spysweeper. I recommend this one to all my friends for home computers. Finally, get a network firewall device for your home PC. Linksys router/firewall is perfect for a home network.
You know what that means, don't you? If that is adopted nationwide there will be a lot of people losing their thumbs. Muggers will no longer demand a wallet but instead will say put out your hands. I will be gruesome.
Probably planned to moonlight in her old profession.
Another aspect of online security is to assess how vulnerable your PC is on the Internet. A free, online audit tool that I found most revealing is available from Gibson Research Corp. at ShieldsUP! This will give you a good snapshot of how well your Internet Service Provider (ISP) is currently masking your PC on the Internet and how vulnerable it is to malicious attacks.
To Visa/MasterCard: Maybe it's time to implement EMV in the US? Card Authentication (DDA plese) by chip and Cardholder Verification Methods (CVM=offline PIN), where have I heard those....that would eliminate lost/duplicate/stolen to 0. been done already...
an important note about keyloggers. many of these programs are advertising that they can be sent to a computer over email without the recipient knowing the application is there. while an attachment is involved, the installation is hidden.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.