Arrow-right Camera
The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Debit card thieves find ‘pot of gold’

Julie Tripp Newhouse News Service

Debit card fraud took a serious turn for the worse this month after crooks stole hundreds of thousands of Personal Identification Numbers (PINs), giving them access to ATM accounts across the nation.

Authorities say the crime spree was caused by security breaches at, among others, the OfficeMax retail chain and the North Carolina State Employees’ Credit Union, which put account numbers and PINs into criminal hands. Companies including Bank of America, Wells Fargo, Washington Mutual and Citibank were forced to replace debit cards for many of their customers.

Police in New Jersey arrested 14 suspects last week and accused them of using stolen credit and debit card information to produce counterfeit cards that were used to make fraudulent purchases and withdrawals from debit card accounts. Police say the suspects are tied to overseas criminal gangs.

Debit card fraud is already costing banks $2.75 billion and affecting 3 million people a year. So far, cardholders haven’t been stuck with much of the losses because banks replace stolen funds 90 percent of the time. But the latest escalation opens the padlocks that banks — and the public — thought kept their money safe from thieves.

“This is the worst hack to date,” says Avivah Litan, a security and privacy analyst and vice president at Gartner Research in Potomac, Md.

Armed with debit card PINs and account numbers, for the first time thieves have a direct route to cash. When crooks use stolen credit cards, they have to buy goods, then fence them to get cash.

“For the criminal, this is the pot of gold,” Litan said of the latest breach. She wonders whether the massive theft will deter the public from using the cards that banks, credit unions and retailers have increasingly urged them to employ. Banks make money on ATM fees and retailers avoid paying the fees charged by credit card companies.

Litan plans to survey debit card customers this year to see whether the attacks have undermined confidence in the cards’ security. Last year, she found that the growing use of “phishing” attacks to gain financial information through phony e-mails is eroding consumer confidence. She predicted the growing lack of faith will reduce e-commerce transactions by 1 percent to 3 percent through 2008 or “until the security of online and electronic information is more heavily safeguarded.”

Meanwhile, this widespread debit card attack is only half over, she thinks. The largest PIN theft to date will continue to affect large numbers of cardholders as more banks realize their cards have been compromised. Litan says technology is available to stop thieves, but it’s not being used at key points along the electronic payments chain.

Card issuers and retailers, for example, should not store encrypted PIN data or magnetic stripe card data. Some bank ATMs don’t validate magnetic stripe card data as they should, either, which could prevent use of counterfeit cards.

Payment vendors should modify their software to make it impossible to store codes and account numbers — an oversight that resulted in a huge security breach at CardSystems Solutions last June that exposed account numbers and verification codes of 40 million credit card holders.