In the last year, fraudsters have stolen data from thousands of debit card holders through merchants' and service providers' faulty cardholder data security systems and then cleaned out victims' bank accounts. In part one, we examine the latest schemes.
In early 2006, Frank Condon, a retired University of Washington history professor, inserted his Wells Fargo Bank-issued Visa debit card into an automated teller machine (ATM) in London and entered his personal identification number (PIN), but the card was rejected. He had used it successfully six weeks earlier in Thailand and India. During a discussion with individuals at his branch and at bank headquarters in California, Condon was told that the bank had put a hold on all ATM transactions in the UK. However, the bank had declined to inform its cardholders of the block because it did not want to "compromise [its] investigation."1
Although security policies prevented a bank spokesman from discussing all the details of the problem in London, one individual did tell Condon that "periodically we do block transactions [but] most of the time [your card] is going to work, but there are times when we take extra steps to protect our customers." News reports that circulated shortly thereafter indicated that Wells Fargo's problem was the result of a widespread security breach (among several retailers) that affected a number of banks. The banks had to reissue debit cards to cardholders whose accounts were compromised and block access to ATM cards in countries where they were fraudulently used to withdraw cash.2 The security breaches allowed hackers to break into computer networks and gain access to encrypted PIN data and other cardholder information, which were used to make counterfeit debit cards that were then used to fraudulently extract cash from ATMs.
A similar problem occurred in February 2006, when Citibank reported several hundred fraudulent ATM withdrawals in PIN-based transactions involving a number of its MasterCard debit cards. ATM networks in the UK, Russia, and Canada were compromised. The bank responded by blocking PIN-based transactions in those countries, which prevented U.S. cardholders from purchasing items or withdrawing cash when PINs were required. Citibank issued new cards to the consumers whose accounts were compromised after it was discovered that the fraudulent ATM withdrawals were caused by data leaks by third-party retailers in the United States.3
According to Robert Lemos, a writer for Security Focus, the breach at Citibank "has been connected to office supply retailer OfficeMax ... but the company stated in a (recent) filing to the Securities and Exchange Commission ... 'While we have no knowledge of a security breach at OfficeMax, it is possible that information security compromises [occurred] involving OfficeMax customer data, including breaches that occur at third party processors.'"4