
System leak compromises debit cards

By Tracy Kitten, ATMmarketplace.com

This story was originally published on ATMmarketplace.com, March 14, 2006; reprinted with permission. © 2006 NetWorld Alliance LLC. All rights reserved.

From blogs to mainstream headlines, news of the debit-card security breach suspected of compromising more than a half-million U.S. Visa and MasterCard cardholders has spread across all media.

Reports of suspicious account activity at Citibank, National City, PNC, Washington Mutual, Wells Fargo and Bank of America started trickling out in early March. Debit card information linked with those accounts has reportedly been used to withdraw cash in Canada, Russia and the United Kingdom. The information is suspected stolen from at least one large U.S. retailer.

And experts like Fair Isaac's Mike Urban and Gartner Group's Avivah Litan say those suspected compromises are just the tip of the iceberg.

At this point, there's no way to know how much has been lost. The financial institutions are staying close-lipped, as are suspect retailers OfficeMax, Wal-Mart and Sam's Club, and there's no way to know how much further the compromise will spread.

"[The effects of] this will be going on for a long time," Urban said. "This is a big deal, and it offers a lot to think about."

Urban, who is Operations Director of Fair Isaac's Card Alert Fraud Manager transaction-monitoring program, said compromises associated with the breach continue to evolve.

Signs of debit-card compromise were on the rise before this announcement, which is now said to have affected an estimated 600,000 cardholders.

"Criminals are moving from the credit market to the debit market, and there's a lot of it going on," Urban said.

From 2001 to 2003, the number of compromised U.S. debit cards tracked by Fair Isaac for its financial-institution clients doubled. By 2005, that number exceeded 60,000.

As more consumers migrate toward debit from credit and cash, the fraud concern grows.

According to a consumer survey conducted by the American Bankers Association and Dove Consulting, a division of Hitachi Consulting, debit use is on the rise for a number of reasons, including the perception that debit transactions are more secure.

The almighty PIN

In this most recent compromise, most agree that fraudsters copied card data, cardholder verification value (CVV) and card value code (CVC), from magnetic stripes at POS terminals. Criminals then hacked and stole PIN information wrongfully held by the retailer or retailers. Litan also suggested that, if the CVV and CVC data were not skimmed and copied, they may have been stored and then hacked.

PIN-based debit transactions were at first thought immune from compromise. From the POS perspective, they were relatively secure, said Kathryn Cameron of ATM software company Paragon Application Systems.

"Signature debit cards are by their nature a security problem," she said. "No one compares the signatures. And because getting a list of PINs is a lot harder than just getting card numbers and conducting Internet transactions [the industry thought it was safe]." But accessing PIN information isn't as difficult as once thought.

Litan suspects PINs in this compromise were intercepted one of two ways.

"They were either stored and broken into, or they were broken into on the wire [when transactions were processing]," she said. "In both cases, they had to get a hold of the encryption key. ... And they either got the master key at the server through a hack or an inside job. That has to be what happened, because of the sheer amount of numbers they got."

But in looking at other cases of debit fraud, Urban points to online phishing attacks, through which hackers get unsuspecting users to provide PINs and in some cases account information.

At the ATM Industry Association's (ATMIA) Conference West in September, Urban said multichannel transaction monitoring was one of the best, if not only, ways financial institutions could track and address the growing problem of debit-card fraud in the United States.

Shortly after ATMIA West, perhaps seeing the handwriting on the wall, Urban said, "I think that we're going to see more hacks that are going to affect the PIN processing industry. That fraud will show up at the ATM, where criminals get the money."

Now, Urban said, some issuing FIs are blocking access to ATMs in certain countries, like Russia, where the use of "white" (counterfeit) cards is a problem. And though Visa and MasterCard prohibit FIs from blocking access in certain countries, Urban said they won't push that issue, given the high level of fraud.
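To make the two issuer-side controls described above concrete, multichannel transaction monitoring and blocking ATM cash-outs in selected countries, here is an added example that is not from the article or from Fair Isaac's product; the blocked-country list, the travel-gap threshold and the transaction feed are assumptions constructed for illustration:

```python
"""Added example (not from the article or Fair Isaac's product): a minimal
multichannel monitor. It replays constructed POS and ATM records and flags
(a) ATM cash-outs in countries the issuer has chosen to block and (b) a
foreign ATM withdrawal that follows a domestic POS purchase on the same card
sooner than the cardholder could have travelled. Thresholds are assumptions."""
from datetime import datetime, timedelta
from typing import NamedTuple

class Txn(NamedTuple):
    card: str       # token standing in for the PAN, never the real number
    channel: str    # "POS" or "ATM"
    country: str    # ISO 3166 alpha-2
    ts: datetime
    amount: float

# Assumed issuer policy, following the article's Russia example
BLOCKED_ATM_COUNTRIES = {"RU"}
# A domestic swipe followed by a foreign cash-out inside this window is suspicious
MIN_TRAVEL_GAP = timedelta(hours=6)

def monitor(txns: list[Txn], home: str = "US") -> list[tuple[str, str, str]]:
    """Return (card, rule, detail) alerts; rule is 'blocked_country' or 'cross_channel'."""
    alerts = []
    last_home_pos: dict[str, datetime] = {}
    for t in sorted(txns, key=lambda x: x.ts):
        if t.channel == "POS" and t.country == home:
            last_home_pos[t.card] = t.ts        # remember the last domestic purchase
            continue
        if t.channel != "ATM" or t.country == home:
            continue
        if t.country in BLOCKED_ATM_COUNTRIES:
            alerts.append((t.card, "blocked_country", t.country))
        prev = last_home_pos.get(t.card)
        if prev is not None and t.ts - prev < MIN_TRAVEL_GAP:
            alerts.append((t.card, "cross_channel", f"{home} POS then {t.country} ATM"))
    return alerts

# Constructed sample feed (dates chosen to echo the March 2006 reports)
SAMPLE = [
    Txn("tok-0001", "POS", "US", datetime(2006, 3, 1, 9, 0), 42.10),
    Txn("tok-0001", "ATM", "CA", datetime(2006, 3, 1, 11, 30), 300.00),
    Txn("tok-0002", "ATM", "RU", datetime(2006, 3, 2, 3, 15), 500.00),
    Txn("tok-0003", "POS", "US", datetime(2006, 3, 1, 8, 0), 15.00),
    Txn("tok-0003", "ATM", "GB", datetime(2006, 3, 3, 8, 0), 200.00),  # plausible travel
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE):
        print(alert)
```

The third card produces no alert because two days separate its domestic purchase from the U.K. withdrawal; tightening or loosening MIN_TRAVEL_GAP trades false positives against missed cash-outs.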

Visa representatives wouldn't elaborate on Visa's policy related to country blocking, but Visa U.S.A. Inc. Vice President of Corporate Risk and Compliance Eduardo Perez said that Visa is continuing to educate all of its processors, merchants and banks on the need to validate everything.

"Visa-member acquirers are responsible for ensuring that our merchants comply with our high standards," Perez said. "And we take a number of issues to make sure that our membership meets PCI [Payment Card Industry] compliance appropriately."

A word from the credit side ...

Visa compliance specialist Jennifer Fischer points to PCI compliance as the backbone of Visa's security initiative.

"Everyone in the system is focusing on PCI standards," she said. But focusing on the standards requires an understanding of the system, Perez said, and some retailers don't understand the system. (For more information about Visa's Cardholder Information Security Program, visit www.usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html .)

For instance, even though PCI prohibits the storage of mag-stripe and PIN data, some retailers and processors have been busted with the information.

"Don't store it if you don't need it," Perez said. "You are restricted from holding CVV and CVV2, and what we've been finding is that some of these merchants don't realize that they're storing this data."
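As an added illustration, not from the article or from Visa, the following scans stored merchant records for the data Perez says must not be held after authorization (full track 2 from the mag stripe, PIN blocks and CVV2) and shows the minimal record a merchant actually needs beside it; the record layout, field names and sample values are constructed, and the PAN is the well-known 4111... test number:

```python
"""Added example (not from the article or Visa): find prohibited cardholder
data in stored records. Track 2 on the stripe is written ;PAN=YYMMsss...?
(start sentinel, PAN, separator, expiry, service code, discretionary data,
end sentinel). Record layout and field names are constructed assumptions."""
import re

# Full track 2: 13-19 digit PAN, '=', 4-digit expiry, 3-digit service code, rest, '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Field names a merchant log might use for data that should never be stored
FORBIDDEN_FIELDS = ("pin_block", "cvv2", "track2")

def luhn_ok(pan: str) -> bool:
    """Luhn check, to tell a real-looking PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_record(rec: dict) -> list[str]:
    """Return the prohibited items found in one stored record (empty if clean)."""
    findings = []
    for field in FORBIDDEN_FIELDS:
        if rec.get(field):
            findings.append(f"field {field} present")
    for value in rec.values():
        for m in TRACK2_RE.finditer(str(value)):
            if luhn_ok(m.group(1)):
                findings.append(f"track2 data for PAN {mask(m.group(1))}")
    return findings

# Constructed records: BAD is what a non-compliant log looks like (raw swipe
# plus PIN block kept "just in case"); GOOD keeps only masked PAN and auth code.
BAD = {"auth": "123456", "pin_block": "0123456789ABCDEF",
       "raw": ";4111111111111111=09121011234567890?"}
GOOD = {"auth": "123456", "pan_masked": "411111******1111"}
```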

Why EMV won't go in the United States ...

Like Urban, Litan said thwarting fraud requires earlier detection. Litan said the ease with which criminals sometimes copy mag-stripe data is a concern. And though chip and PIN technology, which meets the EMV standard, can't be copied, it's not practical for the United States.

"Chip and PIN could have prevented this, but I don't think the U.S. will move forward with chip and PIN because of the enormous amount of money it would cost," she said. "We've been successful already with the backend. In the U.K. and Europe, the telecommunications infrastructure was too expensive, so they never had a good backend, which is why their fraud rates were high."

Paragon's Cameron said the size of the U.S. market makes EMV migration unlikely.

"The problem in the U.S. is that you've got six to 10 million POS terminals, unlike U.K., where you have something like 65,000 POS terminals," Cameron said. "Upgrading all of those terminals is the problem. ... I think the EMV side is interesting, but it's going to be hard to get EMV going here. In the U.S., when you find fraud, you can shut everything down very quickly because everything is connected. You're not crossing borders like you are overseas."

Original article: www.atmmarketplace.com/news_story_25310.htm

Article published in issue number 060401

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2006, The Green Sheet, Inc.