Latest debit card fraud schemes: Industry initiatives, technology, and global legislation (Part Two)

In the last year, fraudsters have stolen data from thousands of debit cardholders through merchants' and service providers' faulty data security systems and then cleaned out victims' bank accounts. In part 2, we discuss industry initiatives, latest preventive technology, proposed legislation, and recommendations. 

Sam was in a hurry. In two hours, he was hopping a jet to see a client in Los Angeles and he needed to run some errands. He slipped into an office supply store and bought a couple of notebooks, pens, batteries, and a bunch of headaches. Sam had used his debit card and PIN at the store counter, which some able hackers promptly stole to make fake cards. By the end of the day, Sam was in L.A. and his bank account totaled zero.*

Cardholders, banks, merchants, and service providers (card processors) are hurt financially and are frustrated with the recent debit card fraud and related identity theft that has occurred throughout the world because of breaches in data security systems of merchants and service providers.

Cardholders become victims of debit card fraud and identity theft when they find out that fraudsters have stolen their card data, including the PINs, and subsequently produce counterfeit debit cards, which the crooks use to wipe out their bank accounts. Because debit cards are normally tied to a checking account, a cardholder often will have to pay fees to merchants and banks for checks that bounced after a fraudster wiped out his account. According to the Public Interest Research Group (PIRG), the cardholder might incur late fees or have a black mark on his credit report because of overdrafts due to a fraudulent debit.¹  

Fortunately, the U.S. Federal Deposit Insurance Corporation says that most banks won't hold a consumer responsible for unauthorized transactions if he notifies the institution in a timely manner.² Banks cover most if not all of the cardholder losses due to fraud. But investigating suspicious activity relating to their cardholders and uncovering the fraudulent use of customer debit cards is a costly and time-consuming problem.

ONLINE - OFFLINE
A debit card can be used with or without the PIN. When it's used with the PIN, it's an "online" transaction. When it's used without the PIN, it's an "offline" transaction, which is similar to using a credit card because a signature is required to complete the transaction in both cases. According to the Public Interest Research Group, banks make more money and face lower risks when a consumer uses an offline debit card. Also, banks make more money when a consumer uses a debit (or credit) card instead of a check. The bank gets a fee, or merchant discount, from the merchant who accepts the card, the bank saves money on check-clearing costs, and there's less float time (the time it takes for a check to clear). The bank receives a percentage fee of up to 2 percent of every offline transaction amount compared to a flat fee of 7 1/2 to 10 cents for each online transaction with a PIN."³ Fees that banks charge to cardholders to extract cash at ATM are also a major source of revenue.

If a significant number of consumers cut up their debit cards because of the recent massive debit card fraud and switch to writing checks or using cash to conduct business, then banks will incur additional costs associated with more bounced checks. And they'll lose some of their lucrative revenues charged to merchants for the use of their cards and from consumers who formerly used their cards to extract cash from ATMs.

Merchants also prefer that consumers use debit cards rather than write checks for their purchases because they make more money and face lower risks and don't need to worry about bounced check risks or fees.⁴ But they also prefer that consumers use debit cards online (with PIN numbers) to purchase goods and services because of the lower transaction fees. If a significant amount of debit cardholders switch to credit cards or use their debit cards offline to avoid the loss of their PINs, then the merchants' profits will be relatively smaller.

Service providers are also frustrated with the magnitude of debit card fraud and related identity theft. Because they process all debit card transactions, they hold all cardholder data, which hackers can steal.

All parties connected to use of debit cards have a lot to gain if the data security systems of merchants and service providers are improved. But a number of questions remain. For example, what is the Payment Card Industry (PCI) doing to encourage more merchants and service providers to validate their compliance with their cardholder data security guidelines that were originally mandated in 2001? Are there any innovative technologies being used or are on the horizon? What are legislators at various levels of government doing to ensure that all data leaks are publicly disclosed?

COMPLIANCE WITH THE CARDHOLDER INFORMATION SECURITY PROGRAM
VISA USA started the Cardholder Information Security Program (CISP) in 2001. The purpose of the program was "to protect VISA cardholder data - wherever it resides - ensuring that members, merchants, and service providers maintain the highest information standard." In 2004, the CISP requirements were incorporated into an industry standard known as PCI Data Security Standard, which resulted from collaboration between VISA and MasterCard to create common industry security requirements. CISP compliance is required of all merchants and service providers that store, process, or transmit VISA cardholder data. Other card companies operating in the United States have also endorsed the PCI Data Security Standard within their respective programs. There are 12 basic requirements and corresponding sub-requirements for the PCI Data Security Standard.⁵  

It's been reported that only about 17 percent of the 231 largest merchants have validated their compliance with the PCI requirements.⁶ It's not known how many service providers have completed their validation. Under CISP, If a member, merchant, or service provider doesn't comply with the security requirements or fails to rectify a security issue, then the card industry may fine the responsible member and/or impose restrictions on the merchant or its agent."⁷ It's also not known if any fines or restrictions have been imposed. If the card industry isn't imposing fines and restrictions, then this could help to explain why many merchants and service providers haven't validated their compliance with the PCI security requirements. If this is the case, then it raises the probability that future security breaches will continue and debit card fraud and related identity theft will be driven to greater heights. The only solution could be for legislators around the world to enact legislation that will set a deadline for all merchants and service providers to validate their compliance with the PCI security requirements or face stiff fines and restrictions.

TECHNOLOGICAL INNOVATIONS
Are there new technological devises currently in place or on the horizon that have the potential to significantly reduce debit card fraud and related identity theft? Anita Ramasastry, a writer for the Find Law - Legal News and Commentary column seems to think so. She says "one answer to the (debit card) fraud issue may be better technology. And there is a more secure debit card technology - chip and PIN [smart] cards. These cards feature an embedded chip that stores information such as a PIN. It is currently not possible to duplicate such a chip."⁸ Rita Trichur, a writer for the Canadian Press, says that instead of a magnetic stripe card that's swiped, new chip-based cards will be dipped into a reader and shoppers will be asked to enter a PIN instead of a signature to verify payment.⁹ One purported advantage of the chip and PIN card is that the PIN can't be hijacked by a hacker. James Daw, a writer for the Toronto Star, says that "entering a PIN instead of signing a receipt will generally assure the card issuer that you are who you say you are, without requiring you or the merchant to call while you are standing at the cash register."¹⁰ Mei Ankrett, a spokesperson for VISA Canada, said "chip cards cannot be skimmed and the chip communicates directly with the card reader to authenticate your PIN in a 'secure environment.' The reader does not transmit the PIN to a central computer."¹¹  

According to the CTV.ca news staff, the computer chip "uses encryption to protect the information. Most of these smart cards are designed in such a way that if you did try to reverse engineer them, try to open them up, break them open and find the magic key that makes them work, they will zero out their contents."¹² The built-in chip or computer microprocessor allows verification to be completely computerized. According to a staff writer for the Computer Business Review, "The magnetic stripe will be replaced by an 'intelligent' chip, on which ATMs and card devices at the POS [point-of-sale] will perform security checks. To process ... cards with the new EMV chip (EuroPay, MasterCard, and VISA), EMV-compliant POS terminals must be equipped with new functionally."¹³  

According to Chalpat Sonti, a writer for The Dominion Post, a computer security expert said smart cards cost about $10 each - compared with less than $1 for a magnetic strip card - and didn't last as long.¹⁴  

The reaction to the highly touted smart card throughout the world has been mixed. Countries in Europe and Asia are using or considering using the card. According to Sandra Quinn of APACS, the trade association for payments in the UK, "Europe is a mixed bag at the moment. Some countries have chip and PIN, and some have only partially introduced the technology so far. But, as a rule of thumb, most of Europe will be using chip and PIN by the end of the year [2006]."¹⁵ In Barrie, Ontario, the Bank of Nova Scotia is experimenting with a multi-purpose smart card. American Express and CIBC are investigating the marketability of the card.¹⁶ The UK introduced the chip and PIN system in 2005 and made it compulsory in February of 2006. Card fraud was dramatically reduced.¹⁷  

Latin American banks are committed to invest more than US$200 million in card technologies in 2006 with the shift to the EMV card, which "is a smart card that enables the global standard for payment systems ... [and] defines protocols for interactions between the terminal and the cards' computer chip, as well as software installed on the card. Fraud prevention was the most important impetus for its development."¹⁸  

An obvious question here is why hasn't the United States considered the use of the chip and PIN card? It might be because the cost of that fraud is still lower than the cost they have to do to migrate to the chip and PIN technology.¹⁹ All existing terminals will have to be replaced with ones that function with the new chip and pin technology. According to Daw of the Toronto Star, "The slowness of certain countries including the United States, Mongolia, and most parts of Africa, will require international payment cards to continue using raised lettering for carbon imprints and magnetic strips for old-generation card readers for years to come."²⁰ Moving to a new technology would be quite expensive but the benefits to all parties could be huge.

The good news is that chip and PIN cards have had a big impact on fraud, with "industry figures showing that total card fraud fell by 13 percent to 439.4 million [pounds] during 2005 [in the UK], with counterfeit and lost and stolen card fraud dropping by 24 percent to l58.4 million."²¹ In Malaysia, counterfeit card fraud has dropped by more than 80 percent. Also, lost and stolen and counterfeit card fraud in the UK fell almost 30 percent in the six months following the nationwide introduction of chip and PIN cards at point-of-sale, according to figures from APACS. A similar domestic PIN-based system in France for debit cards has resulted in an 80 percent reduction in fraud since it was introduced.²²  

FLAW IN CHIP AND PIN
But the bad news is that the new chip and PIN cards aren't as fraud-proof as expected. In early May 2006, it was reported that UK Shell petrol stations across the country had suspended chip and PIN payments after fraudsters stole more than one million pounds from customers by implanting skimming devices into PIN pads in Portsmouth and Guildford. It's the first time chip and PIN has been shown to be flawed. Hundreds of customers at up to three Shell stations have had their credit and debit card details copied and then money withdrawn from their accounts using cloned cards.²³ The counterfeit cards were then used without PINs to withdraw more than one million pounds in cash from machines in the UK, Paris, Sri Lanka, India and Hong Kong.²⁴  

According to Peter Kenny, a writer for Credit Cards GB, "In theory a cloned card should not be able to work. ... It seems that fraudsters had managed to hide a device in the chip and PIN terminal, which then managed to capture unsuspecting cardholder's details."²⁵  

It appears that the details held in the magnetic strips of credit and debit cards can be copied using skimming devices attached to terminals in shops. Mike Bond, security director for Cryptomathic Inc., claims the components for these devices can be bought online for about £50 and they can be purchased fully assembled from America for less than £300. Bond says that while it's difficult to create a counterfeit chip and PIN card to buy goods in shops, criminals were able to use the information from the magnetic strip to create a non-chip and PIN version. They could then use this to withdraw money from cash points or to buy things in countries in which the new system hadn't been introduced.²⁶  

It's difficult to comprehend why these new chip and PIN cards were issued with magnetic strips when the purpose of the chip was to replace the magnetic strip. According to Kenny, "many ATMs are programmed to only read the ... card chip, which cannot be cloned. However, there are cash machines in the UK, which still read the old magnetic strip on the back of the ... card to gain the card information."²⁷  

It was reported that the problem at Shell had spread to other garage chains and hole-in-the wall ATM machines which has led Tesco, the UK-based international supermarket chain, to reveal that it's chaining the castings of its ATMs to stop criminals from attaching cloning devices.²⁸  

It would appear that the chip and PIN problems could be solved by (1) replacing all point-of-sale terminals and ATMs that read magnetic strips with newer machines that only read the chip, or retrofitting ATM terminals with devices that prevent fraudsters from installing card readers, which they use to extract cardholder information; and (2) issuing chip and PIN cards without the magnetic strip. The latter suggestion is reinforced by a writer for the UK News who said, "Analysts ... recommended that the magnetic strips be removed from the cards altogether as the simplest means of removing this threat."²⁹ If this works, then the chip and PIN technology should continue to significantly reduce debit card fraud.
Assuming that the UK solves the problems with the introduction of the chip and PIN technology, it seems appropriate the card industry in the United States should consider the use of the same technology. If not, perhaps Congress should enact a law that sets forth a deadline for the card industry to consider adopting the technology.

LEGISLATIVE ACTION TO FORCE DISCLOSURE OF SECURITY DATA LEAKS
The general public still believes that not all data leaks are disclosed or aren't disclosed immediately. The U.S. Congress is well aware of this problem and has reacted with proposed legislation. But will it help to solve the problem? Robert Lemos, a writer for Security Focus, doesn't think so. He says that despite the recent epidemic of debit and credit fraud and last year's titanic breach at CardSystems Solutions, Congress is considering a bill that will let more companies escape taking responsibility for fraud, consumer advocates charge. The bill, as reported in the House, is known as H.R. 3997, or the Financial Data Protection Act of 2006. It would let companies decide when a data breach is significant enough to merit warning its customers. The House Financial Services Committee approved the legislation in March of 2006.³⁰ Susanna Montezemolo, policy analyst with Consumers Union, the non-profit publisher of Consumer Reports magazine said following the vote, "It is ironic that after a year in which 55 [million] American's identities were put to risk through preventable data breaches, the House Financial Services Committee would repeal state laws that have protected consumers from identity theft. ... The federal legislation would supersede the laws passed by states with significantly weaker protection against identity theft." Industry lobbyists and the U.S. Chamber of Commerce are backing the bill.³¹  

Consumer advocates prefer an alternate bill (HR4127) passed in March 2006 by the Energy and Commerce Committee that "puts the onus on companies to show why they shouldn't have to warn consumers about most data breaches, while the financial services proposal gives businesses much more leeway to decide to withhold that information; advocates say ... HR4127 is much better," according to TMCnet, a communication Web site. "It requires companies to notify consumers when their personal information has been stolen ... Most important, this bill leaves strong state provisions intact."³²  

Cardholders need to know immediately when data security systems are breached so they can protect their identities and their wealth.

SOME RECOMMENDATIONS
Cardholders, bankers, merchants, and service providers need to be confident that cardholder data is safeguarded. The recent breaches in cardholder security data systems indicate the data isn't safe and has driven debit card fraud and related identity theft to new heights. To greatly diminish or eliminate debit card fraud, a number of suggestions must be considered and taken into account. First, the card industry must put pressure on merchants and service providers to validate their compliance with the PCI guidelines that were mandated long ago. (Perhaps world legislatures should intervene to ensure the validation process is completed in a timely fashion.) Secondly, even with its minor problems, it seems that the chip and PIN technology that's being introduced and made compulsory in many countries has had a positive effect in reducing debit card fraud. The card industry in the United States should follow the lead and introduce the technology as soon as possible. And thirdly, the U.S. Congress should pass a bill that mandates that companies disclose data leaks from all sources including those from breaches in cardholder data security systems.

PREVENTIONS FOR INTERNATIONAL TRAVELERS
Here are suggestions for international travelers who plan to use debit cards to purchase goods or services or at ATMS:

• If you're leaving the country, tell your bank where you're going and when (even if it's just across the border to Canada) by calling the number of the back of your card. The bank will alert its fraud department that you'll be using your card while traveling. Also, bring the phone number of your bank with you.
• Don't rely on just one payment method. Take backup cards (two different cards, and if possible, two ATM cards tied to different banks or credit unions), extra cash and/or travelers' checks. Memorize PIN numbers and keep backup cards in a secure place.
• Bring an extra picture ID in addition to your passport. You could be asked for two forms when completing bank transactions.
• Don't respond to e-mails saying that your credit or debit card might have been compromised.
  Source: "You Could be Out of the Country and Out of Luck with Your ATM
  Card," by Carol Pucci, Seattle Times, March 19, 2006 at www.seattletimes.com.

PROTECTING YOUR DEBIT CARD
The U.S. Federal Trade Commission offers the following suggestions for protecting your debit card account:

• Be cautious about disclosing your account number over the phone unless you know you're dealing with a reputable company.
• Never put your account number on the outside of an envelope or on a post card.
• Draw a line through blank spaces on charge or debit slips above the total so the amount can't be changed.
• Don't sign a blank charge or debit slip.
• Tear up carbons and save your receipts to check against your monthly statements.
• Cut up old cards through the account number before throwing them away.
• Compare monthly statement immediately with your receipts. Report discrepancies as soon as possible to the special address on your statement. The card issuer must investigate errors reported to them within 60 days of the date of the statement.
• Keep a record in a safe place (separate from your cards) of your account numbers, expiration dates, and the telephone numbers of each card issuer.
• Never write your PIN on the outside of a deposit slip, an envelope, or other papers that could be easily seen or lost.
• Carefully check ATM or debit card transactions before you enter the PIN or before you sign the receipt; the funds will be quickly transferred out of your account.
• Periodically check your account activity particularly if you bank online.

Source: Federal Trade Commission, "Credit Card, ATM and Debit Cards: What to do if They're Lost or Stolen," March 16, 2006 at www.ftc.gov.

Avivah Litan, a security and privacy analyst and vice president at Gartner Research, provides these suggestions:

• When you have a choice, always use your credit card rather than a debit card. Credit cards are backed by greater regulatory protections and they don't open direct lines to your bank account.
• If you have to use your debit card, tell the clerk you don't want to enter a PIN. Instead, sign for the purchase, which will be debited to your account. Many retailers program their terminals to prompt customers for their PINs because it's cheaper for the store.
• Don't use non-bank ATMs. The machine will have fewer security protections and can be more easily tampered with. Sometimes they're owned by criminal organizations.

Source: "Debit Card Spree Latest in Costly Fraud," by Julie Tripp, at www.Oregonlive.com. 

1. PIRG staff. "PIRG: ATM Debit Cards" March 16, 2006, at www.Pirg.org.  
2. FDIC staff. "Answers to Common Questions About Debit Cards." May 17, 2006 at www.communitydispatch.com 
3. Op. cit. FDIC staff. 
4. Op.Cit. PIRG staff. 
5. VISA staff. "Cardholder Information Security Program." May 13, 2006 at www.USA.visa.com  
6. Ibid. 
7. Ibid. 
8. Anita Ramasastry. "Debit Card Debacles: Why Consumers Need to Worry About the Recent, Massive Wave of Debit Card Fraud." March 29, 2006 at www.writ.news.findlaw.com.  
9. Rita Trichur. "Chip Cards to Cost Billions: Retailers Worry Costs Could Outweigh Benefits." April 17, 2006 at www.canada.com.  
10. James Daw. "High-tech Cards Dis-credit Fraudsters." April 3, 2006 at www.thestar.com  
11. James Daw. "Chip Card Hits Glitch Abroad." April 7, 2006 at www.thestar.com.  
12. CTV news staff. "Debit Card Fraud." March 16, 2006 at www.ctv.ca.  
13. CBS Review staff writer. "TeleCash Provides EMV-compliant Card Processing Services in Germany." May 15, 2006 at www.cbronline.com.  
14. FN Chalpat Soonti. "Banks Step Up Cash Machine Security After $23,000 Fraud." March 31, 2006 at www.stuff.co.nz. 
15. Grainne Gilmore. "Bank Says Overseas Card Fraud On the Rise." May 12, 2006 at www.business.timesonline.co.uk.  
16. www. globeltechnology.com.  
17. Crime Support Financial staff. "What Do I Do IF My Bank Card is Stolen or Used Illegally?" March 16, 2006 at www.bbc.co.uk.  
18. TMC net news staff. "Latin American Banks Shift Their Attention Towards EMV Smart Cards." April 28, 2006 at www.tmcnet.com. 
19. Card Technology staff writer. "ACI Worldwide Sells Smart Card Software to Greek Bank." March 29, 2006 at www.cardtechnology.com.  
20. op.cit. James Daw. 
21. ITV staff. "Fraud-proof Cards Attract Scammers." May 12, 2006 at www.itv.news.com.  
22. fineextra staff. "Australian Police Call for Introduction of Chip and PIN." May 12, 2006 at www.fineextra.com.  
23. Portsmounthtoday staff. "Chip and Pin Probe at Petrol Station." May 12, 2006 at www.portsmouthtoday.co.uk. 
24. Lancashire Evening Telegraph staff. "Concerned MP Wants Chip and PIN Fraud Talks." May 15, 2005 at www.lancashireeveningtelegraph.co.uk 
25. Peter Kenny. "Loyds-TSB Admits Chip and Pin Problem." May 12, 2006 at www.creditcards-gb.co.uk. 
26. op.cit.itv staff.  
27. op.cit.Kenny. 
28. Lancashire Evening Telegraph staff. "Concerned MP Wants Chip and Pin Fraud Talks." May 15, 2006 at www.lancashireeveningtelegraph.co.  
29. UK News staff. "Fraud Expert Defends Chip and Pin." May 12, 2006 at www.news.monstersandcritics.com  
30. Richard Lemos. "Debit Card Fraud Underscores Legal Loopholes." March 25, 2006 at www.theregister.co.uk. 
31. Ibid. 
32. TMCnet staff. "Battling Identity-theft Bills stuck in House." April 3, 2006 at www.tmcnet.com. 

* This is a fictitious composite case. 

[Some source links referenced in this article are no longer available. — Ed.]

Robert E. Holtfreter, Ph.D., CPA, Educator Associate, is distinguished professor of accounting and research at Central Washington University.