Feeds

Debit-card fraud underscores legal loopholes

Notification issues

Beginner's guide to SSL certificates

Law enforcement authorities and financial firms have launched a broad investigation to track down the sources of the current crop of fraud. A breach at a California office-supply chain last year resulted in the leak of an estimated 200,000 ATM and debit account numbers along with the associated personal identification numbers, or PINs. A rash of fraud that started in February was blamed on the leak, and media reports pointed at OfficeMax as the source. The company did not respond to requests for comments, but in its annual report published last week, OfficeMax warned investors that the situation could hurt its results.

"There is an ongoing federal investigation relating to ATM fraud involving legitimate debit card use at various retailers that was later tied to fraudulent transactions outside the U.S.," the company stated in the filing to the Securities and Exchange Commission. "While we have no knowledge of a security breach at OfficeMax, it is possible that information security compromises involving OfficeMax customer data, including breaches that occur at third party processors, may damage our reputation."

In the past month, law enforcement authorities in New Jersey and New York arrested more than a dozen people in connection with an organized identity theft operation, said Edward DeFazio, the prosecutor for Hudson County, New Jersey. Many of the victims of the ring, which allegedly had connections to other identity thieves in Europe and South East Asia, had shopped at OfficeMax.

"Certainly, a disproportionate number of victims have dealt with OfficeMax," DeFazio said.

Some security experts theorized that OfficeMax's payment processor could be to blame for the breach, but OfficeMax could not be reached for comment on the possibility. In any event, the breach associated with the retailer is the smallest of three data leaks affecting credit and debit cards in the last six months.

Last December, Sam's Club acknowledged that it was cooperating with an investigation into 600 cases of fraudulent transactions using credit cards and debit cards at its gas stations. A representative of Sam's Club, a subsidiary of retail giant Wal-Mart, would not comment on the issue but pointed to a recent public statement released by bulk retailer. "I want to assure our members that these reports of fraud did not involve transactions inside Sam's Club locations, on Samsclub.com or at Wal-Mart stores or on walmart.com, and no personal identification numbers (PINs) were used in any of the fraudulent transactions," Mark Goodman, executive vice president for Sam's Club, said in a statement released on 3 March. "If any compromise occurred, it appears to be limited to the Sam's Club fuel station point-of-sale system."

While the retailer has only acknowledged that some 600 cases of fraud are linked to the data leak, the incident has led to credit-card companies issuing warnings to banks for, what is likely, millions of cards, according to banking executives.

"It was every institution in America," said Steve Swofford, president of the Alabama Credit Union. "And I would say there were millions of people affected."

While the ACU only replaced 500 cards, and had no incidence of fraud, other banks had to deal with far greater numbers. Regions Financial replaced 100,000 credit and debit cards on 23 January, but a representative stated that the majority of the cards were reissued in response to, and seven months after, the CardSystems Solutions incident.

Such replacements are not inexpensive. Each new card costs a bank anywhere from $15 to $30 - a high cost for the failure of companies to abide by data-security standards.

Two weeks ago, Visa and Mastercard warned banks of the most recent incident - a breach of an ATM network, according to financial industry insiders. The incident has led to warnings on a similar number of accounts as the Sam's Club incident, said ACU's Swofford, suggesting that the total number of accounts involved in the breach could number in the millions. Representatives at Visa and Mastercard International refused to comment on the issue. However, Citibank released a statement confirming the ATM network breach, but not naming the company responsible for the network.

In the most recent incident, Visa has said that payment software manufactured by Fujitsu Transaction Solutions has flaws that could put customers information at risk, according to a Friday article in the Wall Street Journal.

Protecting users from Firesheep and other Sidejacking attacks with SSL

Next page: Correction

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.