It is also shining a spotlight on what may be growing attempts by criminal gangs to compromise PIN-based card transactions, which have until now been considered extremely secure, analysts said.
The spate of recent breach disclosures suggests a shift in focus by criminals from credit card fraud to PIN-based debit card fraud, said Mike Urban, director of fraud technology operations at Fair Isaac, a Minneapolis-based company that is helping investigate the recent incidents.
Banks reissue thousands of cards
In a brief statement, Citibank said that the fraud was the result of a "third-party business information breach" that took place last year. To protect its customers, the company said it "blocked PIN-based transactions in those locations for the customers affected by the breach." A spokesperson for the company, however, refused to name the third-party retailer involved in the breach.
Citibank's disclosure made it the latest in a fast-growing list of financial institutions that during the past several weeks have reissued thousands of debit cards or blocked access to certain transactions in countries where ATM cards were used fraudulently to withdraw cash and make purchases on U.S. accounts.
The list includes banks such as Bank of America, Washington Mutual Bank, and Wells Fargo Bank, as well as numerous credit unions around the country. One example is $13 billion North Carolina State Employees Credit Union in Raleigh, North Carolina, which, over the past two weeks, has reissued more than 27,500 debit cards after being told by Visa U.S.A. of a security breach involving a U.S. retailer.
According to Leigh Brady, senior vice president at the credit union, many of the compromised debit cards were being used fraudulently in several countries, including Romania, Russia, Spain, and the UK. "This is the largest [card reissue] we've had one in quite a while," Brady said.
Largest PIN theft ever
Avivah Litan, author of the Gartner report, said that PIN-based fraud schemes involve hackers somehow gaining access to the encrypted PIN data that is sent along with card numbers to processors that execute PIN debit transactions. The thieves also steal terminal keys used to encrypt PINs, which are typically stored on a retailer's terminal controllers, she said. The encrypted PIN information, together with the key for decrypting it and the card numbers, allow criminals to make counterfeit cards, she said.
Lawmakers step in
In response to a request for comment on Frank's letter, Visa said in an e-mailed statement that it understood the need for quickly giving financial institutions the information needed to protect themselves and cardholders from losses in the event of a security breach.
However, "accusing a single source of the compromise before the investigation is complete could be inaccurate and unfair," the company said. "Similarly, disclosing the name of the compromised entity would become a powerful disincentive for the compromised entity to share time-sensitive information with Visa" going forward, the statement said.
MasterCard did not respond to requests for comment.
Where did it start?
"All roads are pointing in that direction," said the source, who requested anonymity. But it is still not clear exactly how the debit card and PIN information was accessed and by whom, he said, adding that about 200,000 cards may have been compromised.
OfficeMax did not respond to calls for comment, but a company spokesperson has been quoted in various other media reports this week as denying any breach at the retailer.
According to Gartner's Litan, OfficeMax officials' outright denial suggests that the source of the compromise may well be a third-party processor used by the company to process card transactions.
Another company whose name has been mentioned in connection with the debit card fraud wave is wholesaler Sam's Club, a division of Bentonville, Arkansas-based Wal-Mart Stores.
In December 2005, Sam's Club acknowledged that it was cooperating with credit card associations in investigating reports of fraud involving approximately 600 cards used to purchase gas at its gas stations between September 21 and December 5, 2005. The company on March 3 issued another statement responding to "persistent rumors and false media reports" tying it to the current wave of PIN debit fraud.
The company denied that any of its internal systems had
been compromised and said that a review of its gas payment systems by
its own staff and an outside party revealed no breach.