Feeds

Debit-card fraud underscores legal loopholes

Notification issues

The Essential Guide to IT Transformation

Law enforcement authorities and financial firms have launched a broad investigation to track down the sources of the current crop of fraud. A breach at a California office-supply chain last year resulted in the leak of an estimated 200,000 ATM and debit account numbers along with the associated personal identification numbers, or PINs. A rash of fraud that started in February was blamed on the leak, and media reports pointed at OfficeMax as the source. The company did not respond to requests for comments, but in its annual report published last week, OfficeMax warned investors that the situation could hurt its results.

"There is an ongoing federal investigation relating to ATM fraud involving legitimate debit card use at various retailers that was later tied to fraudulent transactions outside the U.S.," the company stated in the filing to the Securities and Exchange Commission. "While we have no knowledge of a security breach at OfficeMax, it is possible that information security compromises involving OfficeMax customer data, including breaches that occur at third party processors, may damage our reputation."

In the past month, law enforcement authorities in New Jersey and New York arrested more than a dozen people in connection with an organized identity theft operation, said Edward DeFazio, the prosecutor for Hudson County, New Jersey. Many of the victims of the ring, which allegedly had connections to other identity thieves in Europe and South East Asia, had shopped at OfficeMax.

"Certainly, a disproportionate number of victims have dealt with OfficeMax," DeFazio said.

Some security experts theorized that OfficeMax's payment processor could be to blame for the breach, but OfficeMax could not be reached for comment on the possibility. In any event, the breach associated with the retailer is the smallest of three data leaks affecting credit and debit cards in the last six months.

Last December, Sam's Club acknowledged that it was cooperating with an investigation into 600 cases of fraudulent transactions using credit cards and debit cards at its gas stations. A representative of Sam's Club, a subsidiary of retail giant Wal-Mart, would not comment on the issue but pointed to a recent public statement released by bulk retailer. "I want to assure our members that these reports of fraud did not involve transactions inside Sam's Club locations, on Samsclub.com or at Wal-Mart stores or on walmart.com, and no personal identification numbers (PINs) were used in any of the fraudulent transactions," Mark Goodman, executive vice president for Sam's Club, said in a statement released on 3 March. "If any compromise occurred, it appears to be limited to the Sam's Club fuel station point-of-sale system."

While the retailer has only acknowledged that some 600 cases of fraud are linked to the data leak, the incident has led to credit-card companies issuing warnings to banks for, what is likely, millions of cards, according to banking executives.

"It was every institution in America," said Steve Swofford, president of the Alabama Credit Union. "And I would say there were millions of people affected."

While the ACU only replaced 500 cards, and had no incidence of fraud, other banks had to deal with far greater numbers. Regions Financial replaced 100,000 credit and debit cards on 23 January, but a representative stated that the majority of the cards were reissued in response to, and seven months after, the CardSystems Solutions incident.

Such replacements are not inexpensive. Each new card costs a bank anywhere from $15 to $30 - a high cost for the failure of companies to abide by data-security standards.

Two weeks ago, Visa and Mastercard warned banks of the most recent incident - a breach of an ATM network, according to financial industry insiders. The incident has led to warnings on a similar number of accounts as the Sam's Club incident, said ACU's Swofford, suggesting that the total number of accounts involved in the breach could number in the millions. Representatives at Visa and Mastercard International refused to comment on the issue. However, Citibank released a statement confirming the ATM network breach, but not naming the company responsible for the network.

In the most recent incident, Visa has said that payment software manufactured by Fujitsu Transaction Solutions has flaws that could put customers information at risk, according to a Friday article in the Wall Street Journal.

Build a business case: developing custom apps

Next page: Correction

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.