Feeds

Debit-card fraud underscores legal loopholes

Notification issues

Next gen security for virtualised datacentres

Law enforcement authorities and financial firms have launched a broad investigation to track down the sources of the current crop of fraud. A breach at a California office-supply chain last year resulted in the leak of an estimated 200,000 ATM and debit account numbers along with the associated personal identification numbers, or PINs. A rash of fraud that started in February was blamed on the leak, and media reports pointed at OfficeMax as the source. The company did not respond to requests for comments, but in its annual report published last week, OfficeMax warned investors that the situation could hurt its results.

"There is an ongoing federal investigation relating to ATM fraud involving legitimate debit card use at various retailers that was later tied to fraudulent transactions outside the U.S.," the company stated in the filing to the Securities and Exchange Commission. "While we have no knowledge of a security breach at OfficeMax, it is possible that information security compromises involving OfficeMax customer data, including breaches that occur at third party processors, may damage our reputation."

In the past month, law enforcement authorities in New Jersey and New York arrested more than a dozen people in connection with an organized identity theft operation, said Edward DeFazio, the prosecutor for Hudson County, New Jersey. Many of the victims of the ring, which allegedly had connections to other identity thieves in Europe and South East Asia, had shopped at OfficeMax.

"Certainly, a disproportionate number of victims have dealt with OfficeMax," DeFazio said.

Some security experts theorized that OfficeMax's payment processor could be to blame for the breach, but OfficeMax could not be reached for comment on the possibility. In any event, the breach associated with the retailer is the smallest of three data leaks affecting credit and debit cards in the last six months.

Last December, Sam's Club acknowledged that it was cooperating with an investigation into 600 cases of fraudulent transactions using credit cards and debit cards at its gas stations. A representative of Sam's Club, a subsidiary of retail giant Wal-Mart, would not comment on the issue but pointed to a recent public statement released by bulk retailer. "I want to assure our members that these reports of fraud did not involve transactions inside Sam's Club locations, on Samsclub.com or at Wal-Mart stores or on walmart.com, and no personal identification numbers (PINs) were used in any of the fraudulent transactions," Mark Goodman, executive vice president for Sam's Club, said in a statement released on 3 March. "If any compromise occurred, it appears to be limited to the Sam's Club fuel station point-of-sale system."

While the retailer has only acknowledged that some 600 cases of fraud are linked to the data leak, the incident has led to credit-card companies issuing warnings to banks for, what is likely, millions of cards, according to banking executives.

"It was every institution in America," said Steve Swofford, president of the Alabama Credit Union. "And I would say there were millions of people affected."

While the ACU only replaced 500 cards, and had no incidence of fraud, other banks had to deal with far greater numbers. Regions Financial replaced 100,000 credit and debit cards on 23 January, but a representative stated that the majority of the cards were reissued in response to, and seven months after, the CardSystems Solutions incident.

Such replacements are not inexpensive. Each new card costs a bank anywhere from $15 to $30 - a high cost for the failure of companies to abide by data-security standards.

Two weeks ago, Visa and Mastercard warned banks of the most recent incident - a breach of an ATM network, according to financial industry insiders. The incident has led to warnings on a similar number of accounts as the Sam's Club incident, said ACU's Swofford, suggesting that the total number of accounts involved in the breach could number in the millions. Representatives at Visa and Mastercard International refused to comment on the issue. However, Citibank released a statement confirming the ATM network breach, but not naming the company responsible for the network.

In the most recent incident, Visa has said that payment software manufactured by Fujitsu Transaction Solutions has flaws that could put customers information at risk, according to a Friday article in the Wall Street Journal.

The essential guide to IT transformation

Next page: Correction

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New twist as rogue antivirus enters death throes
That's not the website you're looking for
ISIS terror fanatics invade Diaspora after Twitter blockade
Nothing we can do to stop them, says decentralized network
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.