With the help of an Internet service provider, First Bank System Inc. said it has thwarted a credit card scam that is seen as indicative of a new wave of electronic security threats.
First Bank disclosed the incident last week, saying it learned in mid- March that valid account numbers had appeared on an Internet server. They were likely created with software that generates random numbers.
After being notified by the unidentified Internet company, the Minneapolis-based bank advised 5,000 Visa Gold cardholders to close their accounts and reopen them with new numbers.
The incident, affecting numbers assigned to First Bank's WorldPerks affinity program with Northwest Airlines, spoke well for current bank card industry security. First Bank, working with Visa U.S.A. and law-enforcement authorities, said it suffered no losses.
But it may only be a hint of electronic attacks to come. The combination of credit cards - long a favorite target of the criminal element - with the burgeoning Internet has some security experts gravely concerned.
Business use of the global Net creates "far more potential for fraud," said Steve Hronek, managing director of communications security for Comsec Inc., a Burbank, Calif., computer technology and security firm. "Increasingly, users and Internet providers have to be cognizant of that."
MasterCard and Visa have demonstrated awareness and concern by supporting a data security standard that facilitates card payments over the Internet. But that standard would not have prevented the potential harm to First Bank.
Though Internet access played an accessory part, the crime was theft of credit card numbers.
Card technology consultant Jerome Svigals said the incident has earmarks of an inside job and a breakdown in a Visa procedure, Card Verification Value, that has been credited with reducing fraud in recent years.
At the same time, card security experts expressed concern about computer hackers' access to tools of the trade. Susan Race-Sylstra, executive director of the International Association of Credit Card Investigators, Novato, Calif., said Internet users can download software that generates credit card numbers according to standard mathematical formulas, which is apparently what happened with First Bank.
A source with the U.S. Secret Service in Minneapolis said the violation is being investigated by the U.S. Attorney in San Jose, Calif. A lawyer in that office, which has a reputation for high-tech prosecutions, refused to comment.
First Bank stressed its rapid response and limited exposure.
The top-25 card issuer, with about $4 billion of outstandings, was alerted after the Internet service provider had conducted an audit that uncovered the illicit card data.
While the Northwest-WorldPerks program has 500,000 members, the bank said relatively few accounts opened in 1994 could have been affected. They are being monitored for unusual spending.
"There was no compromise to our system," said First Bank spokeswoman Wendy Raway. "This was someone who had a file with an unaffiliated Internet server."
Said Mr. Svigals, head of Jerome Svigals Inc. in Redwood City, Calif.: "It's worse than what they've alluded to. Someone at the bank doesn't know what they are doing. What happened to the CVV? (Card Verification Value)"
The Card Verification Value, or Card Verification Code in MasterCard's version, "is supposed to prevent these things from happening," he said. It relies on a data encryption algorithm to assure that a card and the account data in its magnetic stripe have not been tampered with.
Mr. Svigals and Mr. Hronek of Comsec suggested there was some ineptness on the part of the perpetrator.
The Telecommunications Act of 1996 requires Internet service providers "to be more circumspect about what's on their network," Mr. Hronek said. He suspected the offender hacked into an Internet server to store the account numbers, where they were vulnerable to an audit.
"If a server has been used to commit fraud, (the service provider) should know what's going on," Mr. Hronek said. "There's the potential for civil action."
"This is a kind of nightmare hit for a credit card issuer," said Barry Schreiber, professor of criminal justice at St. Cloud (Minn.) State University and editor of a newsletter on ATM crime and security.
He called credit card fraud "the jackpot" for Internet thieves.
"This is where significant amounts of money can be lost in the blink of an eye," Mr. Schreiber said. "You could have 5,000 unhappy customers, and you have to make right with all of them."
While not commenting directly on the First Bank case, Visa U.S.A. spokeswoman Gail Murayama, said the company has a number of risk management programs in place. Besides CVV for magnetic stripe cards, the association uses neural networks to detect fraudulent spending patterns, and uses an electronic bulletin board to send alerts about suspicious or criminal activity.