
Article

System leak compromises debit cards

A system is only as strong as its weakest link - an adage proven true last month when news of the most widespread debit-security breach ever hit the Internet waves. And experts agree the industry can learn a lot from this compromise, suspected of affecting some 600,000 cardholders.

March 16, 2006 by Tracy Kitten — Editor, AMC

From blogs to mainstream headlines, news of the debit-card security breach suspected of compromising more than a half-million U.S. Visa and MasterCard cardholders has spread across all media.


Reports of suspicious account activity at Citibank, National City, PNC, Washington Mutual, Wells Fargo and Bank of America started trickling out in early March. Debit card information linked with those accounts has reportedly been used to withdraw cash in Canada, Russia and the United Kingdom. (Read also, B of A cancels debit cards after security breach, Plot of debit-card compromise thickens, Congress wants names of sources in debit card leak and Sam's Club says cards not compromised inside stores.) The information is suspected to have been stolen from at least one large U.S. retailer.

And experts like Fair Isaac's Mike Urban and Gartner Group's Avivah Litan say those suspected compromises are just the tip of the iceberg.

At this point, there's no way to know how much has been lost - the financial institutions are staying tight-lipped, as are suspect retailers OfficeMax, Wal-Mart and Sam's Club - and there's no way to know how much deeper the compromise will reach.

"(The effects of) this will be going on for a long time," Urban said. "This is a big deal, and it offers a lot to think about."

Urban, who is operations director of Fair Isaac's CardAlert Fraud Manager transaction-monitoring program, said compromises associated with the breach continue to evolve.

Signs of debit-card compromise were on the rise before this announcement, which is now said to have affected an estimated 600,000 cardholders.

"Criminals are moving from the credit market to the debit market, and there's a lot of it going on," Urban said.

From 2001 to 2003, the number of compromised U.S. debit cards tracked by Fair Isaac for its financial-institution clients doubled. By 2005, that number exceeded 60,000. (Read also, Study: ATM/debit card fraud in U.S. costs $2.75 billion in losses.)

As more consumers migrate toward debit from credit and cash, the fraud concern grows.

According to a consumer survey conducted by the American Bankers Association and Dove Consulting, a division of Hitachi Consulting, debit use is on the rise for a number of reasons, including the perception that debit transactions are more secure.

The almighty PIN

In this most recent compromise, most agree that fraudsters copied card data from the magnetic stripes at POS terminals, including the card verification value encoded on the stripe (Visa calls it CVV, MasterCard CVC; it is the stripe-only value, not the three-digit code printed on the back of the card). Criminals then hacked and stole PIN information wrongfully held by the retailer or retailers. Litan also suggested that, rather than being skimmed at the terminal, the CVV and CVC data may have been stored by the retailer and then stolen in a break-in of that stored data.

PIN-based debit transactions were at first thought immune to compromise. From the POS perspective, they were relatively secure, said Kathryn Cameron of ATM software company Paragon Application Systems.

"Signature debit cards are by their nature a security problem," she said. "No one compares the signatures. And because getting a list of PINs is a lot harder than just getting card numbers and conducting Internet transactions (the industry thought it was safe)."

But accessing PIN information isn't as difficult as once thought.

Litan suspects PINs in this compromise were intercepted one of two ways.

"They were either stored and broken into or they were broken into on the wire (when transactions were processing)," she said. "In both cases, they had to get a hold of the encryption key. … And they either got the master key at the server through a hack or an inside job. That has to be what happened, because of the sheer amount of numbers they got."

But in looking at other cases of debit fraud, Urban points to online phishing attacks, through which hackers get unsuspecting users to provide PINs and in some cases account information.

What's Important

More than 600,000 debit cards have reportedly been affected by the debit-card breach suspected of occurring at one or two large U.S. retail chains.

Though the data on a chip-and-PIN (EMV) card cannot be cloned the way mag-stripe data can, experts don't expect chip and PIN to play a role in the U.S.

Experts agree that multichannel monitoring is the best way to catch and prevent fraud in the U.S.

At the ATM Industry Association's Conference West in September, Urban said multichannel transaction monitoring - watching a card's POS, ATM and other activity as one stream rather than channel by channel - was one of the best, if not the only, ways financial institutions could track and address the growing problem of debit-card fraud in the U.S.

Shortly after ATMIA West in November, perhaps seeing the handwriting on the wall, Urban said: "I think that we're going to see more hacks that are going to affect the PIN processing industry. That fraud will show up at the ATM, where criminals get the money."

Now, Urban said, some issuing financial institutions (FIs) are blocking their cards from ATMs in certain countries like Russia, where the use of "white" cards - blank plastic encoded with stolen stripe data - is a problem. And though Visa and MasterCard rules prohibit FIs from blocking access in certain countries, Urban said the card associations won't push that issue, given the high level of fraud.
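The two issuer-side controls the article describes here, a block on ATM withdrawals in a high-fraud country and cross-channel monitoring that notices when one card's POS and ATM activity cannot have been performed by one cardholder, can be sketched as a small rule engine. The following is an added example written for this page; it is not code from Fair Isaac's CardAlert product or from any issuer. The blocked-country list, the 900 km/h travel threshold, the terminal coordinates and the card tokens are all assumptions constructed for the example, and the transactions are made up.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Txn:
    card: str        # issuer-side card token (assumption: monitoring never sees the PAN)
    when: datetime   # assumed already normalized to UTC
    channel: str     # "POS" or "ATM"
    country: str     # ISO 3166-1 alpha-2 code of the terminal's country
    lat: float       # terminal location, assumed to come from the acquirer record
    lon: float
    amount: float


# Policy knobs: assumptions for this example, not industry values.
BLOCKED_ATM_COUNTRIES = {"RU"}   # the kind of country block the article describes
MAX_PLAUSIBLE_KMH = 900.0        # roughly airline speed; faster means two cards exist
MIN_DISTANCE_KM = 50.0           # ignore same-city moves with close timestamps
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two terminals, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def monitor(txns):
    """Run both rules over ONE merged POS+ATM stream in time order.

    Returns (card, when, rule) tuples. Keeping a single per-card history across
    channels is what lets the travel rule pair a domestic purchase with a foreign
    withdrawal; a per-channel monitor would see two unremarkable events.
    """
    alerts = []
    last_seen = {}  # card token -> most recent Txn on any channel
    for t in sorted(txns, key=lambda x: x.when):
        # Rule 1: issuer-side country block on cash withdrawals.
        if t.channel == "ATM" and t.country in BLOCKED_ATM_COUNTRIES:
            alerts.append((t.card, t.when, "atm_in_blocked_country"))
        # Rule 2: the card cannot physically be in both places in that time.
        prev = last_seen.get(t.card)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, t.lat, t.lon)
            hours = (t.when - prev.when).total_seconds() / 3600.0
            if km >= MIN_DISTANCE_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                alerts.append((t.card, t.when, "impossible_travel"))
        last_seen[t.card] = t
    return alerts


# Constructed sample stream: three cards, each with a POS purchase followed by an
# ATM withdrawal. Only tok-1 (Pittsburgh purchase, Moscow cash-out 6.4 hours later)
# should trip the rules; tok-3's London withdrawal a day after a New York purchase
# is plausible travel and the U.K. is not on the block list.
SAMPLE = [
    Txn("tok-1", datetime(2006, 3, 1, 18, 5), "POS", "US", 40.44, -79.99, 38.20),
    Txn("tok-1", datetime(2006, 3, 2, 0, 30), "ATM", "RU", 55.75, 37.62, 300.00),
    Txn("tok-2", datetime(2006, 3, 1, 14, 0), "POS", "US", 41.88, -87.63, 12.50),
    Txn("tok-2", datetime(2006, 3, 1, 22, 10), "ATM", "US", 41.87, -87.65, 100.00),
    Txn("tok-3", datetime(2006, 3, 1, 17, 0), "POS", "US", 40.71, -74.01, 25.00),
    Txn("tok-3", datetime(2006, 3, 2, 17, 0), "ATM", "GB", 51.51, -0.13, 200.00),
]

if __name__ == "__main__":
    for card, when, rule in monitor(SAMPLE):
        print(f"{when:%Y-%m-%d %H:%M} {card} {rule}")
```

The point of the design is the single `last_seen` map keyed by card token: the travel rule only works because POS and ATM events share it. A real deployment would add velocity counts, merchant and ATM reputation, and the usual suppression for cardholders who have notified travel plans, none of which the article discusses.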

Visa representatives wouldn't elaborate on Visa's policy related to country blocking, but Visa USA Inc. vice president of corporate risk and compliance Eduardo Perez said Visa is continuing to educate all of its processors, merchants and banks on the need to validate everything.

"Visa-member acquirers are responsible for ensuring that our merchants comply with our high standards," Perez said. "And we take a number of issues to make sure that our membership meets PCI (Payment Card Industry) compliance appropriately."

A word from the credit side …

Visa compliance specialist Jennifer Fischer points to PCI compliance as the backbone of Visa's security initiative.


"Everyone in the system is focusing on PCI standards," she said.

But focusing on the standards requires an understanding of the system, Perez said, and some retailers don't understand the system.

For instance, even though PCI prohibits storing full magnetic-stripe (track) data and PIN data once a transaction has been authorized, some retailers and processors have been caught holding exactly that information. (Read also, Court orders CardSystems to retain breach data, Pay By Touch goes on buying spree and FTC puts CardSystems security breach to rest.)

"Don't store it if you don't need it," Perez said. "You are restricted from holding CVV and CVV2, and what we've been finding is that some of these merchants don't realize that they're storing this data."
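A merchant that "doesn't realize" it is storing this data usually finds it in the places Perez describes: POS debug logs, settlement files and database dumps where an application wrote the raw card read. The scanner below is an added example for this page, not code from Visa, PCI or any product named in the article. It looks for the two things PCI forbids keeping after authorization that this article is about, full track 1 and track 2 stripe data (the stripe's discretionary field is where CVV/CVC lives), plus bare card numbers, and uses the Luhn check to throw out long digit strings that are not card numbers. The log lines, the card numbers (they are the well-known Visa and MasterCard test PANs) and the track layouts used as input are constructed for the example.

```python
import re

# Track 1 as a POS application tends to log it:
#   %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2:
#   ;<PAN>=<YYMM><service code><discretionary data>?
# The discretionary data carries the stripe CVV/CVC, so one captured track is
# enough to encode a working clone of the card.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")
# A bare PAN: 13 to 19 digits, optionally split by single spaces or dashes,
# and not part of a longer digit run (order numbers, hashes, timestamps).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check every PAN satisfies; filters most non-card digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four, which is what a finding report may keep."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(text: str):
    """Return (line_no, kind, masked_pan) for every stored item PCI forbids.

    kind is "track1", "track2" or "pan". Track hits are blanked before the bare
    PAN scan so the number inside a track is not reported a second time.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        remaining = line
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append((line_no, kind, mask_pan(m.group(1))))
            remaining = rx.sub(lambda m: " " * len(m.group(0)), remaining)
        for m in PAN_RE.finditer(remaining):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((line_no, "pan", mask_pan(digits)))
    return findings


# Constructed sample: a POS debug log that innocently wrote the raw stripe read
# on line 2, a spaced-out card number on line 4, and a 13-digit order id on
# line 5 that must NOT be reported (it fails Luhn).
SAMPLE_LOG = """\
2006-03-01 10:12:44 POS-17 auth ok txn=8812 amount=42.17 last4=1111
2006-03-01 10:13:02 POS-17 debug raw=%B4111111111111111^DOE/JANE^0809101123456789?;4111111111111111=08091011234567890?
2006-03-01 10:14:30 POS-17 settle batch=31 count=12
2006-03-01 10:15:19 POS-03 auth ok txn=8813 amount=9.99 card=5555 5555 5555 4444
2006-03-01 10:16:00 POS-03 order id=1234567890123
"""

if __name__ == "__main__":
    for line_no, kind, pan in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {pan}")
```

Run it over whatever the POS vendor's "verbose" logging produced, and over database exports, not just the tables you think hold card data: a track hit anywhere is a finding no matter how the file is named, while a bare PAN hit is a finding only if that store was not supposed to hold card numbers or holds them unencrypted.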

Why EMV won't go in the U.S. …

Like Urban, Litan said thwarting fraud requires earlier detection.

Litan said the ease with which criminals sometimes copy mag-stripe data is a concern. And though chip-and-PIN cards built to the EMV standard can't be cloned the way a mag stripe can, she said the technology is not practical for the U.S.

"Chip and PIN could have prevented this, but I don't think the U.S. will move forward with chip and PIN because of the enormous amount of money it would cost," she said. "We've been successful already with the backend. In the U.K. and Europe, the telecommunications infrastructure was too expensive, so they never had a good backend, which is why their fraud rates were high."

Paragon's Cameron said the size of the U.S. market makes EMV migration unlikely.

"The problem in the U.S. is that you've got 6 to 10 million POS terminals, unlike U.K., where you have something like 650,000 POS terminals. Upgrading all of those terminals is the problem. … I think the EMV side is interesting, but it's going to be hard to get EMV going here. In the U.S., when you find fraud, you can shut everything down very quickly because everything is connected - you're not crossing borders like you are overseas."
