Feeds

Debit-card fraud underscores legal loopholes

Notification issues

SANS - Survey on application security programs

Law enforcement authorities and financial firms have launched a broad investigation to track down the sources of the current crop of fraud. A breach at a California office-supply chain last year resulted in the leak of an estimated 200,000 ATM and debit account numbers along with the associated personal identification numbers, or PINs. A rash of fraud that started in February was blamed on the leak, and media reports pointed at OfficeMax as the source. The company did not respond to requests for comments, but in its annual report published last week, OfficeMax warned investors that the situation could hurt its results.

"There is an ongoing federal investigation relating to ATM fraud involving legitimate debit card use at various retailers that was later tied to fraudulent transactions outside the U.S.," the company stated in the filing to the Securities and Exchange Commission. "While we have no knowledge of a security breach at OfficeMax, it is possible that information security compromises involving OfficeMax customer data, including breaches that occur at third party processors, may damage our reputation."

In the past month, law enforcement authorities in New Jersey and New York arrested more than a dozen people in connection with an organized identity theft operation, said Edward DeFazio, the prosecutor for Hudson County, New Jersey. Many of the victims of the ring, which allegedly had connections to other identity thieves in Europe and South East Asia, had shopped at OfficeMax.

"Certainly, a disproportionate number of victims have dealt with OfficeMax," DeFazio said.

Some security experts theorized that OfficeMax's payment processor could be to blame for the breach, but OfficeMax could not be reached for comment on the possibility. In any event, the breach associated with the retailer is the smallest of three data leaks affecting credit and debit cards in the last six months.

Last December, Sam's Club acknowledged that it was cooperating with an investigation into 600 cases of fraudulent transactions using credit cards and debit cards at its gas stations. A representative of Sam's Club, a subsidiary of retail giant Wal-Mart, would not comment on the issue but pointed to a recent public statement released by bulk retailer. "I want to assure our members that these reports of fraud did not involve transactions inside Sam's Club locations, on Samsclub.com or at Wal-Mart stores or on walmart.com, and no personal identification numbers (PINs) were used in any of the fraudulent transactions," Mark Goodman, executive vice president for Sam's Club, said in a statement released on 3 March. "If any compromise occurred, it appears to be limited to the Sam's Club fuel station point-of-sale system."

While the retailer has only acknowledged that some 600 cases of fraud are linked to the data leak, the incident has led to credit-card companies issuing warnings to banks for, what is likely, millions of cards, according to banking executives.

"It was every institution in America," said Steve Swofford, president of the Alabama Credit Union. "And I would say there were millions of people affected."

While the ACU only replaced 500 cards, and had no incidence of fraud, other banks had to deal with far greater numbers. Regions Financial replaced 100,000 credit and debit cards on 23 January, but a representative stated that the majority of the cards were reissued in response to, and seven months after, the CardSystems Solutions incident.

Such replacements are not inexpensive. Each new card costs a bank anywhere from $15 to $30 - a high cost for the failure of companies to abide by data-security standards.

Two weeks ago, Visa and Mastercard warned banks of the most recent incident - a breach of an ATM network, according to financial industry insiders. The incident has led to warnings on a similar number of accounts as the Sam's Club incident, said ACU's Swofford, suggesting that the total number of accounts involved in the breach could number in the millions. Representatives at Visa and Mastercard International refused to comment on the issue. However, Citibank released a statement confirming the ATM network breach, but not naming the company responsible for the network.

In the most recent incident, Visa has said that payment software manufactured by Fujitsu Transaction Solutions has flaws that could put customers information at risk, according to a Friday article in the Wall Street Journal.

High performance access to file storage

Next page: Correction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.