The Bankwatch

Tracking the evolution of financial services

Archive for the ‘ATM’ Category

Secret Service make arrests in the Citi ATM fraud

 This article makes it more clear why everything was kept quite quiet on this investigation, as arrests are now being made.  In fact the breadth of the problem is more than we knew earlier, with other merchants involved.

"Some of these arrests were linked to recent nationwide compromises of debit-card customer information and PINs involving a number of retailers and debit card issuers,"

What is intriguing is that the investigation began on something else, and landed on the "Citi" thing as part of that broader investigation.

Operation Rolling Stone, which originally did not focus on the epidemic of debit-card fraud, has at least exposed some new leads, Cherry said.

Here is the detail, thanks to SecurityFocus. 

Relevance to Bankwatch:

 Stated quite eloquently in the article: "Moreover, the companies that are the source of the breaches should acknowledge the incidents and take responsibility". 

 _________________________________________________

Robert Lemos, SecurityFocus 2006-03-31

The U.S. Secret Service arrested seven people across the nation this week as part of an ongoing investigation that has turned up links to the massive debit-card breaches that have worried banks and consumers.

The investigation, dubbed Operation Rolling Stone, has resulted in 21 arrests in the last three months and involves local, state and international law enforcement. The online undercover operation targets Internet criminal groups that "threaten our financial infrastructure," Jonathan Cherry, spokesman for the U.S. Secret Service, told SecurityFocus.

Written by Colin Henderson

March 31, 2006 at 13:36

Posted in ATM, Security

Visa debit now offered by ANZ

A Visa card that accesses your bank account over the Visa network, at a merchant, or an ATM. (courtesy of Payment news). In Australia, apparently this is the first offer of debit cards, and they are implementing it with Visa.
ANZ Everyday Visa Debit

  • Worldwide acceptance of Visa while accessing your own savings. You can make purchases online, over the phone and at more than 24 million outlets around the world.
  • No credit application necessary.
  • Your choice of card design. Your ANZ Everyday Visa Debit comes in three unique designs you can choose from. Unlimited ANZ transactions for $6 a month.
  • This includes ANZ ATMs, EFTPOS, ANZ Phone and Internet Banking and ANZ branches.
  • ANZ's Online Guarantee for greater protection on Internet purchases plus ANZ Falcon™ monitoring for suspicious transactions.


Written by Colin Henderson

March 26, 2006 at 00:35

Posted in ATM, Chip Cards, Payments

Business case and impacts of the NACHA credit push initiative

Great questions asked here at Payments News on this topic. While we have some clues, and directional research, the real impacts can only be estimated.

Payments News: More About NACHA's "Credit Push" Initiative – March 24, 2006

if the pilot can prove the service to be a net enabler of additional eCommerce growth. …."The real key", according to Samantha, "is what impact credit push will have on the payments mix".

There are several things going on at the same time here:

  1. introduction of "debit" activity to the ecommerce space
  2. introduction of chip cards (debit and credit)
  3. introduction of PIN verification for credit cards


Written by Colin Henderson

March 24, 2006 at 12:49

Posted in ATM, Chip Cards, Payments

ATMs and future revenue generating potential

ATMs are expensive. A mid-sized bank has to spend $50MM every 8 – 10 years to maintain just the hardware in a 1,000 ATM network. Customers demand ATMs for access to their money, yet customers are using ATMs less as debit takes hold.

An insider’s look … from Palm Desert, Calif. | ATM Marketplace News

One program to which PDNB pays special attention is debit. Often a behind-the-scenes player, PDNB is taking a lead role in spear-heading the prepaid debit-card effort.


Written by Colin Henderson

March 22, 2006 at 20:38

Posted in ATM, Chip Cards, Payments

Visa warns of PoS software bug

Courtesy of Finextra, Visa takes action, following the March 6th, 2006 PIN fraud.  It was earlier reputed to be OfficeMax, however we note the recent news references are to an “unspecified merchant”.  Only two weeks later – I suppose that’s fast enough?

Anyhow, I presume this is the last on the Citi ATM fraud.  However it’s not the last time we will hear of this issue, and I would rather see Visa (is MasterCard there ??) make a statement about the other software applications used by merchants.

Finextra: Visa warns of PoS software bug

Visa USA is warning that two versions of Fujitsu’s point-of-sale software may inadvertently store customer data, including PIN numbers, during debit card transactions.
……
The issue came to a head recently following a security breach at an unspecified merchant that forced a number of US banks to re-issue debit cards to customers after it transpired that decrypted PIN codes were being used on cloned ATM cards.

Relevance to Bankwatch:
The connections between banks and payment networks are a critical component of today’s financial processes.  How many more Fujitsus are there out there that are retaining confidential and critical customer information that is intended to be encrypted or not stored?

Written by Colin Henderson

March 21, 2006 at 23:08

Posted in ATM, Payments, Security

Fujitsu Transaction Solutions software may have stored PIN and customer information

This story indicates that Fujitsu software may be part of the problem with the Citibank ATM fraud last month.

Visa warns software may store customer data | CNET News.com

A popular software that retailers use to control debit-card transactions may inadvertently store sensitive customer information, including PIN codes, says Visa.

Relevance to Bankwatch:
Banks have to worry about information as much as (or more than) they do about money. Banks need Chief Information Officers, and corporate principles to govern storage and use of information.  This includes specific rules surrounding authentication and authorisation of services. These principles must be applied to third parties including service providers and payments services.

Written by Colin Henderson

March 19, 2006 at 22:16

Posted in ATM, Payments, Security

Lessons to Learn From Citi Data Breach

The blame is being placed firmly on the merchant here, (originally indicated to be OfficeMax, but now unspecified?). This explanation seems all too simple, but perhaps it is that simple.

Lessons to Learn From Citi Data Breach

Yet experts say two important points to keep in mind when examining this situation are
1) the breach occurred at a third party, not the bank, and
2) this incident is not about PIN technology itself, but the way the data was stored.

In order for this to be the case, the merchant would have to be storing:
a) PIN
b) complete replica of the mag strip data

I still suspect there is more to it, in what is clearly an inside job.

However, if that is all there is to it, then ….

Relevance to Bankwatch:

  • Banks have to be accountable for the data that is shared with private networks, and merchants; it’s unacceptable to blame all the links in the chain, because there are so many.
  • Customers will (rightly) look to the issuing bank to protect their information
  • Technology allows for sufficient data sharing to complete a transaction, without sharing all the customer’s authentication credentials (e.g. public key encryption). Anything short of that is technological laziness

Written by Colin Henderson

March 14, 2006 at 23:52

Posted in ATM, Security

Consumer reaction to PIN based fraud will be mixed

Avivah Litan, an analyst at Gartner, is being very pro-active in breaking the news and risks emanating from the recent Citi, Wells, BofA debit card fraud situation. While information remains sketchy, it seems clear the bad guys were able to re-create a series of debit cards and their PINs and spend the money in the associated accounts.

USATODAY.com – Security breaks could curtail debit card use

PIN-based debit card transactions have been seen as more secure than signature-based debit card purchases

The assumption has been that PIN will eliminate ‘card present’ fraud.  The combination of a chip card that can’t be replicated and a PIN is the panacea.  However the Citi ATM situation just validates what your internal security guys will always tell you.  The best you can do is manage fraud;  you cannot eliminate it because the bad guys are always one step ahead of you, and have already factored your new security into their plans.
Some things are clear, and this varies a little between Europe and North America, but not much:

Relevance to Bankwatch:

  1. Simple introduction of PIN and shift of liability to the consumer could be an unmitigated disaster, without consumer support from the banks – consumers look to banks to provide security, not excuses
  2. The management of concurrent mag stripe/ chip, and signature/ PIN could result in the worst of both worlds.  Increased operating costs, and increased fraud.


Written by Colin Henderson

March 13, 2006 at 21:11

Posted in ATM, Chip Cards, Security

PIN Scandal “Worst Hack Ever;” Citibank Only The Start

Latest updates on what certainly seems to be the largest PIN/ATM fraud ever. Card networks are only as secure as the weakest links. Somehow the electronic message has to get from a merchant/ ATM to the issuing bank. Along the way are a series of third party payment networks, and this underlies the inherent risk here.

Relevance to Bankwatch:

Banks have to get used to bad guys doing bad things, and get their minds around guarantees to customers.  It’s like the Rolls Royce story – they never break down, and banks should be the same.

Guarantee your customers that their money is safe.  Eliminate the subtext and condition that bankers always leave as an out, just in case customers try to defraud them.  But how many actually try to do that?  It’s time to manage to the majority that are honest customers who simply want to rely on their bank.

From Techweb:

But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam — and scandal — has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.

Here is what Citibank said:

Citibank, the consumer and corporate banking arm of Citigroup Inc., confirmed Wednesday that the bank and its customers were the victims of a third-party company information breach that has forced the bank to block PIN-based transactions for customers in Canada, Russia, and the U.K.

And finally, here is how the US banks are co-operating to try and stem risk from reliance on third parties.

These highly publicized embarrassments are beginning to have some effect on how companies handle customer data. In February, Citigroup, Bank of America Corp., Bank of New York Co., J.P. Morgan Chase & Co., U.S. Bancorp, and Wells Fargo & Co., plus major auditors and service providers, released a common methodology that financial services companies could use to assess service-provider security. BITS, a consortium backed by the financial-services industry, developed the methodology after studying service providers including Acxiom, First Data, IBM, Viewpointe Archive Services, and Yodlee. The goal is to give service providers consistent demands and make them live up to them. Banks are cooperating because they know the alternative: fines, lawsuits, and a tarnished image that can’t be easily fixed.

Written by Colin Henderson

March 12, 2006 at 15:02

Posted in ATM, Security

PIN Scandal ‘Worst Hack Ever’; Citibank Only The Start – UPDATE 3

I am the last person to overhype a hack/ phish, but it seems to me this one is huge.  I am particularly interested in Gartner’s view that banks have nailed phishing, and ATMs/ PIN fraud is next.  It makes sense actually.   Banks have beaten phishing down to a small pulp.

The bad guys continue to send out the emails, and about 13% of customers receiving those emails respond (Forrester), but the banks catch them mid stream too.  As much as the bad guys are smart, the banks’ fraud pattern recognition systems are getting pretty good too.  It’s hard to believe a customer can make a debit transaction in Edinburgh and an ATM transaction in New York at the same time, so it’s pretty easy to build models to watch for that pattern.

This pattern recognition will drive the bad guys to go deep on the weak links, such as PIN/ debit card before we go to chip card.

InformationWeek | E-Fraud | PIN Scandal ‘Worst Hack Ever’; Citibank Only The Start | March 9, 2006

The scam has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, all of which have re-issued debit cards in recent weeks, says a Gartner research vice president.

By Gregg Keizer
TechWeb News

Mar 9, 2006 04:35 PM

The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs “the worst consumer scam to date.”

Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.

But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam — and scandal — has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.

“This is the worst hack ever,” Litan maintained. “It’s significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things.”

Unlike credit cards, debit cards offer an additional level of security: the password-like Personal Identification Number, or PIN.

“That’s the irony, the PIN was supposed to make debit cards secure,” Litan said. “Up until this breach, everyone thought ATMs and PINs could never be compromised.”

Litan’s sources in the financial industry have told her that thieves hacked into an as-yet-unknown system, and made off with data stored on debit cards’ magnetic stripes, the associated “PIN blocks,” or encrypted PIN data, and the key for that encrypted data.

The problem, she continued, is that retailers improperly store PIN numbers after they’ve been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.

In this case, Litan said, the thieves used the information to
crank out counterfeit debit cards, then emptied accounts at ATMs. She
estimated that they absconded with “at least a couple of thousand
records, maybe more” and have cashed out to the tune of “millions
already.”

The victim of the hack attack isn’t yet known, although some
banks have pointed fingers at OfficeMax, which has denied that its
system was penetrated.

Litan believes it much more likely that a third-party processor
or terminal supplier was involved; the silence about the victim could
point to a processor, she said, because they have the most to lose by
the negative publicity.

Last summer, credit card processor CardSystems was hit with a massive breach that involved millions of accounts; CardSystems essentially sank under the publicity, and was later bought by Pay By Touch. In February 2006, the FTC reached a settlement with CardSystems that requires it to adopt more stringent security measures, but the company remains open to consumer lawsuits that could mean millions in payouts.

No matter who is to blame, the bank industry is only about halfway
through cleaning up the breach, said Litan. And more of the same is on
the way.

“This will become a trend with criminals,” she bet. “Hackers
will do this as much as they can” because it’s far easier to empty
checking accounts at ATMs than to buy goods with purloined credit
cards, then sell the goods to generate cash.

So what’s a consumer to do?

“Security is tight at the ATM, but point-of-sale is a whole
other story,” said Litan. “Look at your [debit card] account on a
regular basis, and don’t use a PIN-based debit card at point-of-sale,”
she recommended. “I never do.”

Written by Colin Henderson

March 11, 2006 at 03:12

Posted in ATM, Security
