The RMS Titanic and PIN-debit cards have something in common. The Titanic was billed as an unsinkable ship, but it sank. And some in the card industry did not believe PIN debit cards could face a significant breach because of their inherent two-factor authentication. That, too, has been proven wrong.
In March, some of the nation's largest banks closed customers' debit card accounts and reissued new cards after the banks discovered massive PIN-debit fraud, which is believed to have cost the financial institutions millions.
The payments industry has had to address security breaches over the years, but the recent PIN-debit breach is unusual. Because of it, payments executives are being forced to do things they may not have done in the past. These include communicating directly with competitors, launching education campaigns to ensure compliance with industry data-encryption rules, filing or threatening to file lawsuits against merchants that improperly store card data, and weighing whether to add another factor to the current two-factor authentication system.
The industry is getting tough because debit cards, which are tied to consumers' checking and savings accounts, are where the money is. And thieves have made the accounts a priority target.
"Theft with a debit card cuts to the chase," says Lt. Thomas Cooney of the Hudson County, N.J., Prosecutor's Office. "With a stolen credit card, a thief has to buy something and then sell it to get the money. With a stolen debit card, the thief goes to an ATM and withdraws the money from the cardholder's account."
The PIN-debit breach is unusual and scary, says Andrew Rolfe, vice president of research and development at Authentify Inc., a Chicago-based company that provides cardholder authentication for online markets. "It's the first major breach involving two-factor authentication," Rolfe says. The two factors now used to authenticate a PIN-debit transaction are the information on the card's magnetic stripe and the cardholder's PIN.
Because of this development, the crime may challenge the public's faith in debit cards, which represent the card industry's fastest-growing segment. Avivah Litan, vice president and research director for Gartner Inc., says the theft proves that PIN debit is less secure than previously believed.
The thefts also have shaken the nation's financial community, says Dan Clements, CEO of CardCops, a Malibu, Calif.-based company that protects consumers from identity theft by monitoring Internet chat rooms. Clements says the debit card breach is "rocking" the financial community because banks have to repay cardholders for funds stolen from their accounts.
The affected banks thus far have said little. Bank of America, which has had to reissue debit cards, said in a one-sentence statement that its security system works. Clements says the financial system is "under siege" and that the banks "have done a good job keeping it quiet."
The breach also is unusual because it affected a large number of banks and credit unions in different parts of the country, and the fraud that occurred included transactions made outside the United States.
In March, Citigroup Inc. said it had canceled thousands of MasterCard-branded debit cards after detecting fraudulent withdrawals in Britain, Russia and Canada in February. First Market Bank of Richmond, Va., reissued 150 Visa check cards after thieves in Malaysia, Japan, and South Korea used the cards and legitimate PINs to access customers' checking accounts, says Katie Gilstrap, First Market vice president.
Other large banks that reported reissuing cards included JPMorgan Chase, Washington Mutual, PNC Bank, National City Corp., Wachovia Corp., Wells Fargo & Co. and Citizens Bank.
Before this latest scheme, crooks stole PINs using a variety of methods, such as looking over cardholders' shoulders as they entered PINs at payment terminals or ATMs. Crooks also have used "phishing," where cardholders unknowingly type their PINs into a fake Web site set up by thieves to look like issuers' actual Web sites.
These methods, however, usually result in small numbers of PINs being stolen. In the latest fraud scheme, Gartner's Litan believes thieves stole 200,000 PINs and card numbers. She also believes tens of millions of dollars may have been stolen from cardholder accounts.
Some of the thieves who participated in this crime have been caught. The Hudson County Prosecutor's Office arrested 14 individuals and charged them with being members of a fraudulent debit card ring. The office, working with U.S. Postal Inspectors, made the arrests Dec. 8. Since then three of the accused have pled guilty to violations of state card-fraud laws.
The U.S. Secret Service's Operation Rolling Stone also resulted in the arrests of eight other individuals, some of whom have been linked to the PIN-debit fraud. Law-enforcement officials involved in the online undercover operation arrested the alleged culprits in Florida, New York, Illinois, Pennsylvania, California, Canada, the United Kingdom and Washington, D.C., says a Secret Service spokesperson. The eight were charged with a variety of state and federal crimes.
SMALL PLAYERS
Litan, however, believes that the ones now in jail are small players in the fraud scheme and that the masterminds have disappeared in the anonymity the Internet affords.
The Internet is where thieves are selling card numbers and the card verification value (CVV) codes, also printed on cards, that are used to help identify genuine cards, says Clements of CardCops. "The PINs are sold in chat rooms," he says. "Some sellers even hold Red Tag sales."
Credit card numbers cost buyers $1 and up, and credit card numbers with CVV codes range from $3 to $5, Clements says. A debit card number with a PIN can cost from $10 to $100, depending on how much money the thief ascertains is in the cardholder's checking account, Clements says. Track 2 information on the mag-stripe goes for up to $10.
Track 2 includes the primary card account number, which can be up to 19 digits, the expiration date, which is four digits, and the three-character service code. This is a proprietary number that the bank puts on the credit card to identify the issuer.
Clements says serious buyers of PINs and other card data keep quiet because they know law-enforcement agencies monitor these chat rooms.
Everyone agrees that in the latest card-data breach PINs were sold on the Internet. But they disagree as to how the thieves secured the PINs and decryption codes.
Authentify's Rolfe believes the theft occurred when a merchant placed card data and PINs in close proximity, making the information easy prey for a hacker. Clements and others say the stolen PINs and card numbers have one thing in common: OfficeMax.
OfficeMax, which is based in Itasca, Ill., repeatedly has denied that it is the source of the breach. Visa USA and MasterCard officials say their investigation into the theft is ongoing.
Clements says CardCops is seeing more PINs with accompanying debit card numbers for sale on the Internet, but he is not sure from where they are coming. "At one time, we would see a PIN with the mother's maiden name and other personal information, so you knew the number was phished," he says. "Now, we don't know if the PINs being sold are from the OfficeMax debacle, or they are being shoulder surfed."
The Visa check cards and debit MasterCards that were compromised initially were used to make legitimate purchases at OfficeMax's brick-and-mortar stores before the numbers were stolen, experts believe. When PINs are entered into a payment terminal, they are supposed to be encrypted immediately before being sent to the issuer to be authenticated and the transaction authorized. The PIN data then must be destroyed, according to the Payment Card Industry data-encryption standard.
For some reason, the PIN data were not destroyed. Industry officials, however, are giving OfficeMax the benefit of the doubt. "The theft could have occurred upstream at a gateway processor or at the acquiring bank," Clements says.
While Rolfe believes an industry insider stole the information before selling it on the Internet, Litan contends thieves likely used a laptop computer to download the PINs, card numbers, mag-stripe information and the software keys used to decrypt PINs. The downloading, she believes, occurred while the merchant was using tracer-utilities software to debug its transaction software. Tracer-utilities software enables merchants to store data, such as PINs, not allowed under the PCI standard.
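The Track 2 layout described earlier (PAN of up to 19 digits, four-digit expiration date, three-character service code) is exactly what should never survive in a merchant's debug or tracer output after authorization. The following is an added example, not code from the article or from any company it names: a small Python scanner that parses that layout, applies a Luhn check so random digit runs are not reported, and flags lines of a constructed debug log that still carry track data, reporting only a masked PAN. The "=" separator and YYMM expiry ordering are assumptions taken from the ISO/IEC 7813 Track 2 format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Track 2 layout: PAN (13-19 digits), "=" separator, YYMM expiry (4 digits),
# 3-digit service code, then issuer discretionary data. Separator and
# YYMM ordering are assumptions from ISO/IEC 7813, not from the article.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d*)(?!\d)")

@dataclass
class Track2:
    pan: str
    expiry: str
    service_code: str
    discretionary: str

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, so random digit runs are not reported as PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def parse_track2(raw: str) -> Optional[Track2]:
    """Split a Track 2 string into its fields; None if malformed or Luhn-invalid."""
    m = TRACK2_RE.fullmatch(raw.strip())
    if not m or not luhn_ok(m.group(1)):
        return None
    return Track2(*m.groups())

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual PCI DSS display truncation."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_for_track2(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for each line carrying Luhn-valid Track 2 data."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                hits.append((n, mask_pan(m.group(1))))
    return hits

# Constructed sample of tracer output; 4111111111111111 is a well-known test PAN,
# the second PAN is a Luhn-invalid digit run that must not be reported.
SAMPLE_DEBUG_LOG = """\
2006-03-01 10:14:02 trace: req id=4411 amount=4523
2006-03-01 10:14:02 trace: track2=4111111111111111=07121011234567890
2006-03-01 10:14:03 trace: resp id=4411 code=00
2006-03-01 10:15:40 trace: track2=1234567890123456=0712101
"""
```

Running `scan_for_track2(SAMPLE_DEBUG_LOG)` reports only line 2, as `(2, "411111******1111")`; the PAN on line 4 fails the Luhn check and is ignored.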
Unsecured WiFi networks are among the simpler ways to gain unauthorized access, says Toby Weir Jones, director of product management at Counterpane Internet Security. And once a thief's laptop gains access, it becomes a gift that keeps on giving.
WIRELESS ACCESS
"From there you are typically treated as a trusted member of the network and can look freely for vulnerabilities or simple bad architecture at your own leisure," Jones says. "Current rootkits can even operate unsupervised, blindly searching for common file formats and sending every document they find to an external server. ... If the external (receiving) server is in an uncooperative foreign jurisdiction, you're mostly out of luck."
A rootkit allows an intruder to gain access to a computer system's files or system data without the computer owner's knowledge.
Using a wireless laptop to steal information is not unusual. The Council of Better Business Bureaus recently held a news conference to encourage small businesses to better safeguard their customer data. The council said last fall a man seated in a parked car outside a South Florida liquor store used his laptop computer to steal the store's credit card data in 27 minutes.
Such breaches of merchant data have sparked get-tough policies against merchants that improperly store payment card data. Lydia Parnes, director of the Federal Trade Commission's Bureau of Consumer Protection, recently said that the FTC would sue small businesses that fail to protect their clients' security.
Recently, CUNA Mutual Group, a provider of financial services for 5,500 credit unions, re-emphasized during a company sales meeting in Dallas that it would take merchants to court that do not follow card association rules concerning the storage of card data. CUNA also said it would work with the card associations to enforce their rules.
In 2005, CUNA and 192 credit unions sued BJ's Wholesale Club and its acquirer, Fifth Third Bank, for a March 2004 breach. The computer hacking compromised 400,000 credit and debit cards. CUNA, which filed the lawsuit in Massachusetts State Court in Boston, charged BJ's with storing card data in violation of the card associations' rules and regulations. CUNA is seeking $5 million in damages, which is the amount the credit unions had spent to reissue cards.
Madison, Wis.-based CUNA says fraud on debit and credit cards issued by credit unions reached $100 million last year. This year, claims concerning plastic card fraud are 15% to 20% higher than the same period in 2005.
Improper storage of credit and debit card data is being blamed for many of the thefts. Card-industry officials say only 17% of the nation's 6.1 million merchants currently are in compliance with the PCI standard. The industry wants 60% compliance by year-end.
The card associations hope to reach this goal by educating merchants. Visa recently began working with the Council of Better Business Bureaus, and last year the card association formed an alliance with the U.S. Chamber of Commerce.
The PIN-debit attacks also have led to discussions that a third authentication factor should be considered for debit cards to prevent future breaches. Rolfe of Authentify says debit card issuers may add a biometric component as a third factor.
The breaches have sparked an unusual period of cooperation within the payments industry. Phil Mellinger, chief information security officer at First Data Corp., says the processor is routinely sharing information with competitors concerning possible data breaches. "If we anticipate certain kinds of attacks, we call competitors and get our equivalents on the telephone," Mellinger says.
The PIN-debit breach, which affected a large number of banks, has caused concern within the payments industry. As a result, card-industry executives are getting tough with merchants concerning storage of card data. But they also must keep up on the latest means by which thieves are getting at their cardholders' data.
(c) 2006 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
http://www.cardforum.com http://www.sourcemedia.com