
Latest debit card fraud schemes: Security breaches allow data theft, part one

Date: July 1, 2006

In the last year, fraudsters have stolen data from thousands of debit card holders through merchants' and service providers' faulty cardholder data security systems and then cleaned out victims' bank accounts. In part one, we examine the latest schemes. 

In early 2006, Frank Condon, a retired University of Washington history professor, inserted his Wells Fargo Bank-issued Visa debit card and Personal Identification Number into an Automated Teller Machine in London and it was rejected. He had used it successfully six weeks earlier in Thailand and India. During a discussion with individuals at his branch and bank headquarters in California, Condon was told that the bank had put a hold on all ATM transactions in the UK. However, they had declined to inform their cardholders of the block because they did not want to "compromise [its] investigation."1 

Although security policies prevented a bank spokesman from discussing all the details of the problem in London, one individual did tell Condon that "periodically we do block transactions [but] most of the time [your card] is going to work, but there are times when we take extra steps to protect our customers." News reports that circulated shortly thereafter indicated that Wells Fargo's problem was a result of a widespread security breach (among several retailers) that affected a number of banks. The banks had to reissue debit cards to cardholders whose accounts were compromised and block access to ATM cards in countries where they were fraudulently used to withdraw cash.2 The security breaches allowed hackers to break into computer networks and gain access to encrypted PIN data and other cardholder information, which were utilized to make counterfeit debit cards that were used to fraudulently extract cash from ATM machines.

A similar problem occurred in February of 2006 when Citibank reported several hundred fraudulent ATM withdrawals in PIN-based transactions with the use of a number of its MasterCard debit cards. ATM networks in the UK, Russia, and Canada were compromised. The bank took action and blocked PIN-based transactions in those countries, which prevented U.S. cardholders from purchasing items or withdrawing cash when PIN numbers were required. Citibank issued new cards to the consumers whose accounts were compromised after it was found out that the fraudulent ATM withdrawals were caused by data leaks by third-party retailers in the United States.3  

According to Robert Lemos, a writer for Security Focus, the breach at Citibank "has been connected to office supply retailer OfficeMax ... but the company stated in a (recent) filing to the Securities and Exchange Commission ... 'While we have no knowledge of a security breach at OfficeMax, it is possible that information security compromises [occurred] involving OfficeMax customer data, including breaches that occur at third party processors.'"4

The good news is that "law enforcement authorities in New Jersey and New York arrested more than a dozen people in connection with an organized identity theft operation," said Edward DeFazio, the prosecutor for Hudson County, N.J. "Many of the victims of the ring, which allegedly had connections to other identity thieves in Europe and South Asia, had shopped at OfficeMax. Certainly, a disproportionate number of the (Citibank cardholders) victims have dealt with OfficeMax."5  

The magnitude of the problem is described by a number of journalists. Richard Burnett, a writer for the Orlando Sentinel, wrote, "From Citibank to Sun Trust, credit unions to community banks, America's financial institutions are scrambling to deal with the biggest cyber-heist of customer debit card numbers to date."6 According to Jonathan Stempel, a Reuters journalist, "Dozens of companies including Citigroup, Bank of America Corp., Wachovia Corp., Washington Mutual Inc., and credit card giants Visa and MasterCard, have in ... [the previous six to eight] months been victims of data theft or loss. Personal information of tens of millions of customers has been compromised, though not necessarily used."7 In addition, the North Carolina State Credit Union reissued 27,500 debit cards in March 2006 when Visa disclosed a security breach with a large U.S. retailer.8 According to Bob Sullivan, a technology correspondent for MSNBC, "Smaller banks, such as Ohio-based National City Bank and Pennsylvania-based PNC Bank, have taken similar steps."9  

Sullivan went on to write that the problem began to surface as "complaints from consumers who say thousands of dollars had gone from their accounts continue to multiply. Police in Erie, Pa., say they've taken reports from dozens of residents. There are more than 100 reports of fraud in Las Cruces, N.M. In western Massachusetts, after mounting complaints, including 147 compromised accounts at the Fitchburg Municipal Employees Federal Credit Union, the state consumer Affairs Office issued a warning about debit card fraud."10 

Sullivan wrote that "the tales are consistent and disturbing." For example, one victim, Dana Clark of Naples, Fla. wrote to MSNBC and said "Last week, I was online paying some bills and noticed several [unauthorized] ATM transactions ... [and] by the time I called my bank and reported the problem, [the fraudsters] had gotten $1,300 of my money. I told my husband to check his business account, which has an ATM card tied to it, and he found over $1,500 of unauthorized charges from ... Bulgaria [and other places]."11  

According to Avivah Litan, a banking analyst and fraud expert for the Gartner research group, "the combined bank actions are reflective of the largest PIN theft to date"12 and "in terms of financial damage, this is definitely the biggest documented case of debit card fraud we know of."13 Her comments were echoed by Anita Ramasastry, a writer for FindLaw-Legal News and Commentary, when she wrote, "Over the past month (March 2006), as many as 600,000 debit cards may have been compromised in a wave of large scale security breaches. Debit card security problems had been growing: From 2001 to 2003, the number of compromised U.S. debit cards tracked by Fair Isaac for its financial-institution clients doubled; by 2005, that number exceeded 60,000. But this month's (March) developments represented a new level of massive fraud."14  

Burnett, the writer for the Orlando Sentinel, reported that "exact figures are unknown - some banks have reported numbers; others have not. It is thought that at least 350,000 accounts across the country were defrauded, involving more than $10 million in losses, according to some experts."15  

Because banks normally don't publicly disclose losses from security system breaches, the above numbers regarding debit card fraud, related identity theft, and compromised cards are probably grossly understated. Banks fear that the negative publicity from disclosure would severely harm the highly profitable debit card segment of their businesses.

Before one can fully comprehend the internal mechanisms underlying the breaches in the cardholder data security systems employed by merchants, it's important to see what the card industry has been doing to help prevent debit card fraud and related identity theft and understand how debit card transactions are processed.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD
In 2001, VISA USA instituted the Cardholder Information Security Program (CISP) and mandated that all its merchants and service providers (cardholder data processors) adopt a set of requirements to safeguard cardholder information. In 2004, VISA and MasterCard worked together to create common requirements and incorporated the CISP requirements into an industry standard known as the Payment Card Industry (PCI) Data Security Standard. The security requirements for each business were driven by the volume of transactions incurred in a year. The purpose of these requirements was to cut down on fraudulent behavior and reduce hacker activity with computer networks.16 (Go to www.visa.com to view the complete set of data security requirements.)

According to Visa, as of April 2006, only 17 percent of the 231 large merchants have met these guidelines. (But, on the positive side, 75 percent of the same merchants have reported to the card associations that they're working toward fulfilling the security measures.17) The merchants' overall lack of adherence in adopting the PCI requirements helps explain why the cardholder data security systems were vulnerable to breaches. As a result, it created an opportunity for hackers to break into databases to extract cardholder information including PINs.

DEBIT CARDS: IMPACT ON GLOBAL ECONOMIES
There is good and bad news on the ways debit/credit cards impact global economies. The good news is that the prolific use of debit/credit cards has evolved into a plastic explosion that has helped drive economies throughout the world. The Nilson Report stated that, in the United States alone, credit- and debit-card purchases with the use of the Visa and MasterCard in 2005 totaled more than $1,374 billion and $827 billion, respectively. Compared to 2004, this represented an 8.2 percent increase for credit cards and a 19.2 percent increase for debit cards. In addition, 13.55 billion credit card and 16.66 billion debit card transactions were reported in the same period, which represented gains of 7.7 percent and 17.8 percent, respectively. Obviously, in the United States, the growth rate of debit cards in both numbers of transactions and dollar volume of purchases surpasses that of credit cards.18 Canadians have the world's highest per capita rate of debit card use. In 2002, there were 2.4 billion transactions collectively worth $104.9 billion.19

The bad news is that the recent epidemic in the fraudulent use of debit cards and related identity theft has created nightmares for cardholders and the card industry, including the banks that issue the cards. It has also had a significant negative financial impact on consumers and businesses throughout the world. In the United States alone, debit card fraud cost banks on average $2.75 billion, and it affects three million individuals a year.20 Debit card crime in Canada is estimated to cost $150 million a year. ATM fraud in the United Kingdom totaled £29.1 million in 2002, which was a staggering 37 percent jump from 2001. Similar losses in the United Arab Emirates, as reported in the Arab Times in May of 2003, produced losses of US$13.7 million.21  

Why is debit card fraud becoming such a problem? According to Mike Urban, who operates Fair Isaac Inc.'s ATM fraud detection program, CardAlert, "there is a shift on in fraud. ... [Criminals] are moving to where the cash is, and moving away from credit."22 When a fraudster uses a victim's real or counterfeit debit card to purchase merchandise, he inherits the risk of selling the purchased item to turn it into cash. This involves dealing with a person, which creates a greater risk of being caught. But using a victim's debit card at an ATM avoids this risk because the fraudster extracts cash directly from the machine.

HOW DEBIT CARDS ARE USED AND PROCESSED
Debit cards, which are connected to a cardholder's bank account, can be used to purchase merchandise and services at various places, but they're mostly used at ATMs to withdraw cash.23 According to the Global ATM Security Alliance, there are more than one million ATMs installed worldwide, and a new ATM is installed every five minutes.24 (When paying for a purchase, a cardholder may also use the debit card as a credit card. After the cardholder swipes his card and provides his signature, the merchant processes the transaction as if a PIN were entered. A potential fraudster would need to steal the actual debit card and forge the cardholder's signature to begin a fraudulent shopping spree because no PIN number was exchanged. Unlike credit cards, the debit cardholder's account balance is reduced automatically when a transaction is completed.)

Debit cards have a machine-readable magnetic strip indicating cardholder information that might include the account number, bank number, expiration date, name and address, type of account, etc. According to Andrew Kantor, a technology writer who has a column in USA TODAY, "When you make a purchase with a debit card, you or the cashier swipes it through a reader that gets your account information from the card's magnetic stripe. You then enter your PIN on a keypad, and that information is encrypted by the register and sent to a transaction processor [service provider] - a company whose job it is to be a go-between for the merchant and your bank. That processor takes your account number and encrypted PIN (it's called a PIN block), decrypts the latter using a decryption key, and verifies with your bank that you have enough money to cover the purchase. Assuming you do, it sends an approval code to the store. Here's the sticking point: the transaction processor should discard the card information, including the PIN block, after the purchase. But not all do. They might keep it for hours, days, or longer. If someone were able to get hold of that database as well as the decryption key (which could, foolishly, be stored on the same system), he could crack the key's encryption and create working counterfeit cards. Someone was doing just that."25  

According to Litan, "PIN information is available from merchants that incorrectly store PIN information, entered on keypads in stores, which should be destroyed after the transaction is completed. Although the information is encrypted, the encryption key is often stored on the same network. ... But, in defense of (the retailer) it's just using payment software and probably doesn't even know what's in there. The software is storing PINs just because it can. No one is paying attention to this stuff; it's deep in the software."26  

A writer for the Digital Transactions News (DTN) column said "In the spin-the-bottle game of assessing blame for the massive debit card breach ... point-of-sale developer Fujitsu Transaction Solutions Inc. suddenly found itself the recipient of unwelcome publicity when its name came up in a Visa USA alert about card security. This week, Fujitsu executives are engaged in damage control by disputing the Visa memo, which they say unfairly cast dispersions on their point-of-sale software." A spokesman for the company said that "both (their) RAFT and GlobalStore (software) are upgraded continually and are compliant with the Payment Card Industry security standards."27 

The author of the DTN article went on to write that "even if Fujitsu's software isn't at fault, the flap is providing some possible clues about the breach by bringing to light the role of obscure but important pieces of software called 'tracer' utilities that can store account numbers and PINs. While RAFT and GlobalStore don't store such data, tracer utilities available to test those programs and others when they are installed can, technology experts say. The purpose of the tracer is literally to trace test transactions to make sure the system is working properly. Fujitsu offers its own tracer utility called TRACEMON to retailers who ask for it, but tracers can be obtained from third party vendors or downloaded from the Web. Because these utilities are capable of storing cardholder data, Fujitsu urges its customers to delete their tracers as soon as testing is done."28 Bill Pittman, president of Redmond, Wash.-based payment software provider TPI Software LLC, says "tracers are problem-identification tools that programmers developed to see all transaction communications in raw form. The intention was debugging, but if it falls into the wrong hands, you got problems."29 Based on the recent massive level of debit card fraud and related identity theft, it's obvious that hackers were successful in obtaining debit cardholder information.
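A storage check of the kind this passage points to, as an added example (not code from the article or from any vendor it names): it scans leftover trace or debug output for magnetic-stripe track 2 data, Luhn-valid card numbers, and 16-hex-character values that may be encrypted PIN blocks. The log layout, field names and sample lines are constructed for illustration, and 4111111111111111 is a widely used test number.

```python
import re

# Track 2 (ISO/IEC 7813): ';' PAN '=' YYMM, 3-digit service code, discretionary data, '?'
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})\d*\?")
# Candidate card numbers: 13-19 digits that are not part of a longer digit run
PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# An encrypted 8-byte PIN block is usually logged as exactly 16 hex characters
HEX16 = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{16}(?![0-9A-Fa-f])")

# Constructed sample of what a transaction tracer might leave on disk.
SAMPLE_TRACE = """\
2006-03-01 10:15:02 TX 000123 REQ track2=;4111111111111111=08121010000000000?
2006-03-01 10:15:02 TX 000123 REQ pinblock=3F9A6C21D4E8B075 amt=40.00
2006-03-01 10:15:03 TX 000123 RSP approval=A1B2C3 rc=00
2006-03-01 10:16:40 TX 000124 REQ pan=4111111111111111 pinblock=0B7D55E2A9C4F310
2006-03-01 10:16:41 TX 000124 RSP approval=D4E5F6 rc=00 ref=1234567890123456
"""


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep first six and last four digits so the report itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(lines):
    """Return (line_no, kind, detail) for each piece of retained cardholder data."""
    findings = []
    for no, line in enumerate(lines, start=1):
        # Full track data first: it is what a counterfeit card is encoded from.
        for m in TRACK2.finditer(line):
            findings.append((no, "track2", mask(m.group(1))))
        # Blank out track data so its digits are not re-counted as bare PANs.
        rest = TRACK2.sub(" ", line)
        for m in PAN.finditer(rest):
            if luhn_ok(m.group()):   # drops order numbers and reference ids
                findings.append((no, "pan", mask(m.group())))
        for m in HEX16.finditer(rest):
            # Heuristic: require a hex letter so decimal ids are not flagged.
            if any(c in "abcdefABCDEF" for c in m.group()):
                findings.append((no, "pin_block", "<16 hex chars, redacted>"))
    return findings


if __name__ == "__main__":
    for no, kind, detail in scan(SAMPLE_TRACE.splitlines()):
        print(f"line {no}: {kind}: {detail}")
```

Any `track2` or `pin_block` hit in a file that outlives the transaction is the condition the quoted experts describe; the PIN-block match is a heuristic and needs manual review.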

"Apparently the thieves have been stealing the PINs from merchants who are storing the PINs, contrary to network regulations," says Martin McKeay, a network security professional and certified Information Systems Professional in an online column. "When you enter your PIN into the system, it's supposed to be immediately deleted ... [E]ven if some merchants are keeping PIN information, this couldn't be happening with a merchant here and a merchant there. For this to work for any form of organized crime, it would indicate that there are entire chains of business that have been silently storing PINs and keeping them in a database somewhere. ... [I]t would mean that database has also been compromised."30 

McKeay questions how PINs are used and asks "Why is the PIN information ever on the network in a way it can be captured by the merchant's network? ... There's no reason the PIN can't be encrypted as it's entered, before it leaves the box. The use of a public key encryption algorithm or a hash function could be used to safeguard your PIN while in transit from the first moment you enter it into the system. There's really no reason the merchant should ever need to know what your PIN actually is; they just need verification that the PIN you entered matches the PIN of your account. Our network system is close to 25 years old. It's surprising that this is really the first major system break we've seen. But this is just an indication that the entire system needs to be reexamined."31  

This latest financial services industry breach comes on the heels of a series of incidents in 2005 in which more than 50 million account numbers were stolen or misplaced and exposed to potential fraud.32 This happened when CardSystems Solutions Inc., a service provider company that processed debit card transactions for merchants, created one of the largest reported security breaches and subjected 40 million cardholders to potential fraud. The company admitted it compromised card-industry rules regarding the storage of consumer data.33 Soon after the breach was uncovered, CardSystems Solutions "floundered and was eventually bought out by payment processor Pay By Touch."34

QUESTIONS REMAIN
Debit card fraud and related identity theft have been major criminal problems throughout the world, but they're being driven to even greater heights by recent breaches in the security systems utilized by merchants and service providers. Some believe that the technology to safeguard cardholder information is outdated and that businesses don't always disclose breaches to cardholder security systems. We do know that the cost of debit card fraud and related identity theft is very expensive to all parties involved.

Many questions remain. For example, what's being done to force all merchants to comply with the security systems guidelines provided by the card industry? Are there any innovations on the immediate horizon that can replace the current technology used to protect cardholder information? What are legislators at the state, federal and international levels proposing to assure the public that all data leaks are publicly disclosed? What resources, preventative measures, and precautions can be employed by cardholders to minimize the potential of being a victim of debit card fraud and related identity theft? We'll attempt to answer these questions in the September/October issue.

[Some source links referenced in this article are no longer available. — Ed.]

Robert E. Holtfreter, Ph.D., CPA, Educator Associate, is distinguished professor of accounting and research at Central Washington University. He's a member of the Fraud Magazine Editorial Review Board. 


U.S. CREDIT/DEBIT CARD FRAUD DEFINED 

  1. fraudulently obtains, takes, signs, uses, sells, buys, or forges someone else's credit or debit card or card information or
     
  2. uses his or her own card with the knowledge that it is revoked or expired or that the account lacks enough money to pay for the items charged or
     
  3. sells goods or services to someone else with knowledge that the credit or debit card being used was illegally obtained or is being used without authorization.

Source: www.criminal.findlaw.com/crimes/a-z/credit_card_fraud.html

CRAFTY INGENUITY OF DEBIT CARD SCHEMERS  

Debit card fraud can include such schemes as card skimming, shoulder surfing, and ram driving. Card skimming is the most common; it occurs when fraudsters acquire card numbers and PINs with stealthy high-tech devices. A tiny pinhole camera can be installed to record PINs entered on an ATM keyboard, or an electronic reader could be attached to an ATM so that it captures the data from the magnetic stripe on the back of a debit card as it enters the machine's actual card readers. Fraudsters also use closed-circuit cameras or binoculars to obtain PINs.35 Hackers also break into internal security systems, which was the major driver of most of the debit card fraud in 2006.

A "shoulder surfer" observes an intended victim entering his PIN. If the fraudster is able to steal the victim's debit card, he can then make fraudulent withdrawals and/or transactions.

Thieves "ram drive" by physically removing an ATM with backhoes or other construction machinery. (This is the most blunt approach to fraud!) Also, in 2000, thieves used explosives to enter 60 ATM vaults throughout the world.36  

More sophisticated fraudsters rig machines so cards will jam. After a card is stuck in the machine and the cardholder has left, the fraudster will then extract the card.37 Having obtained either the card number, or the debit card itself, and corresponding PIN, skimmers can create phony cards that enable them to drain unsuspecting customers' bank accounts.

Merchants and service providers that process PIN transactions and bankers need to improve their security systems to safeguard cardholder information. If breaches continue, then debit card use might decline, which would be unfortunate because debit cards are a big force in driving global economies.


 

  1. Pucci, Carol. "You Could Be Out Of The Country and Out of Luck With Your ATM Card." Travel/Outdoors column. Seattle Times. March 19, 2006 at www.seattletimes.com

  2. Ibid.

  3. Ibid.

  4. Lemos, Robert. "Debit Card Fraud Underscores Legal Loopholes." Security Focus. March 22, 2006 at www.securityfocus.com

  5. Ibid.

  6. Burnett, Richard. "Banks Scramble After Cyber-Breach - Stolen Card Numbers Mean Millions in Losses." April 21, 2006 at www.orlandosentinel.com

  7. Stempel, Jonathan. "Identity Theft Should Not Paralyze Bank Customers." March 17, 2006 at www.reuters.com

  8. Search Security staff. "Security Bytes: Scope of Debit Card Fraud May be Widening." March 10, 2006 at www.searchsecurity.techtarget.com/

  9. Sullivan, Bob. "Debit Card Thieves Get Around PIN Obstacle - Wave of ATM Fraud Indicates Criminal Have Upped the Ante." March 9, 2006 at www.msnbc.com

  10. Ibid.

  11. Ibid.

  12. Op. cit. Pucci.

  13. Op. cit. Burnett.

  14. Ramasastry, Anita. "Debit Card Debacles: Why Consumers Need to Worry About the Recent, Massive Wave of Debit Card Fraud." March 29, 2006 at www.supreme.findlaw.com

  15. Op. cit. Burnett.

  16. www.visa.com.

  17. Ibid.

  18. Sidel, Robin. "Visa Warns of Data-Theft Risk for Customers." The Wall Street Journal. March 17, 2006.

  19. Global ATM Security Alliance staff. "ATM Security." Feb. 4, 2004 at www.globetechnology.com/

  20. Tripp, Julie. "Debit Card Crime Spree Latest in Costly Fraud." The Oregonian. March 19, 2006 at www.oregonlive.com/

  21. Op. cit. Global ATM Security Alliance staff.

  22. Accounting Web staff. "Debit Card Fraud Jumps." Accounting Web. March 16, 2006 at www.accountingweb.com/

  23. www.frbsf.org/

  24. Op. cit. Global ATM Security Alliance staff.

  25. Kantor, Andrew. "Lack of Answers in Debit Card Fraud Troubling." USA TODAY. March 16, 2006 at www.usatoday.com

  26. Op. cit. Accounting Web staff. www.accountingweb.com/

  27. Digital Transactions News staff. "Fujitsu Does Damage Control While Utility Software Gains Attention." Digital Transactions News. March 31, 2006 at www.digitaltransactions.net

  28. Ibid.

  29. Ibid.

  30. McKeay, Martin. "The Random Thoughts and Ramblings of Martin McKeay." Network Security Blog. March 17, 2006 at www.mckeay.net/secure/

  31. Ibid.

  32. Op. cit. Accounting Web staff.

  33. Op. cit. Sidel, Robin and Clint Riley.

  34. Op. cit. Accounting Web staff.

  35. Global ATM Security Alliance staff. "ATM Security." Feb. 4, 2004 at www.globetechnology.com/

  36. Op. cit. Global ATM Security Alliance staff.

  37. Ibid.
