Feeds

Debit-card fraud underscores legal loopholes

Notification issues

The essential guide to IT transformation

Law enforcement authorities and financial firms have launched a broad investigation to track down the sources of the current crop of fraud. A breach at a California office-supply chain last year resulted in the leak of an estimated 200,000 ATM and debit account numbers along with the associated personal identification numbers, or PINs. A rash of fraud that started in February was blamed on the leak, and media reports pointed at OfficeMax as the source. The company did not respond to requests for comments, but in its annual report published last week, OfficeMax warned investors that the situation could hurt its results.

"There is an ongoing federal investigation relating to ATM fraud involving legitimate debit card use at various retailers that was later tied to fraudulent transactions outside the U.S.," the company stated in the filing to the Securities and Exchange Commission. "While we have no knowledge of a security breach at OfficeMax, it is possible that information security compromises involving OfficeMax customer data, including breaches that occur at third party processors, may damage our reputation."

In the past month, law enforcement authorities in New Jersey and New York arrested more than a dozen people in connection with an organized identity theft operation, said Edward DeFazio, the prosecutor for Hudson County, New Jersey. Many of the victims of the ring, which allegedly had connections to other identity thieves in Europe and South East Asia, had shopped at OfficeMax.

"Certainly, a disproportionate number of victims have dealt with OfficeMax," DeFazio said.

Some security experts theorized that OfficeMax's payment processor could be to blame for the breach, but OfficeMax could not be reached for comment on the possibility. In any event, the breach associated with the retailer is the smallest of three data leaks affecting credit and debit cards in the last six months.

Last December, Sam's Club acknowledged that it was cooperating with an investigation into 600 cases of fraudulent transactions using credit cards and debit cards at its gas stations. A representative of Sam's Club, a subsidiary of retail giant Wal-Mart, would not comment on the issue but pointed to a recent public statement released by bulk retailer. "I want to assure our members that these reports of fraud did not involve transactions inside Sam's Club locations, on Samsclub.com or at Wal-Mart stores or on walmart.com, and no personal identification numbers (PINs) were used in any of the fraudulent transactions," Mark Goodman, executive vice president for Sam's Club, said in a statement released on 3 March. "If any compromise occurred, it appears to be limited to the Sam's Club fuel station point-of-sale system."

While the retailer has only acknowledged that some 600 cases of fraud are linked to the data leak, the incident has led to credit-card companies issuing warnings to banks for, what is likely, millions of cards, according to banking executives.

"It was every institution in America," said Steve Swofford, president of the Alabama Credit Union. "And I would say there were millions of people affected."

While the ACU only replaced 500 cards, and had no incidence of fraud, other banks had to deal with far greater numbers. Regions Financial replaced 100,000 credit and debit cards on 23 January, but a representative stated that the majority of the cards were reissued in response to, and seven months after, the CardSystems Solutions incident.

Such replacements are not inexpensive. Each new card costs a bank anywhere from $15 to $30 - a high cost for the failure of companies to abide by data-security standards.

Two weeks ago, Visa and Mastercard warned banks of the most recent incident - a breach of an ATM network, according to financial industry insiders. The incident has led to warnings on a similar number of accounts as the Sam's Club incident, said ACU's Swofford, suggesting that the total number of accounts involved in the breach could number in the millions. Representatives at Visa and Mastercard International refused to comment on the issue. However, Citibank released a statement confirming the ATM network breach, but not naming the company responsible for the network.

In the most recent incident, Visa has said that payment software manufactured by Fujitsu Transaction Solutions has flaws that could put customers information at risk, according to a Friday article in the Wall Street Journal.

Next gen security for virtualised datacentres

Next page: Correction

More from The Register

next story
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Linux kernel devs made to finger their dongles before contributing code
Two-factor auth enabled for Kernel.org repositories
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.