Consumers have noted a large
increase in the amount of debit card fraud since the beginning of 2006, as
well as a wide recall of cards by banks and financial institutions. Three major
incidents are likely fueling the fraud, according to financial and security experts.
A
breach associated with bulk goods retailer Sam's Club last autumn likely resulted
in millions of debit cards potentially being put at risk, according to financial-industry
insiders. A second, smaller breach affecting hundreds of thousands of debit cards
has been connected to office-supply retailer OfficeMax, although that company
has denied any breach of its systems. And, the most recent data leak occurred
in an ATM network and likely affected millions of debit cards as well, banking
executives told SecurityFocus.
Despite security-breach
notification laws on the books in 23 states, credit card companies and financial
institutions have not named the sources of the breaches.
"There
are few details of these leaks because credit card companies do not want people
to lose confidence in debit cards," said Beth Givens, executive director of the
consumer advocacy group Privacy Rights Clearinghouse.
The
mystery surrounding the data breaches underscores loopholes within the state laws
which aim to mandate the disclosure of security breaches. Moreover, the silence
over responsibility for the breaches contrasts consumer advocates' warnings that
a federal law currently being considered by Congress will ironically roll back
protections even further.
There are three cases
in which a company suffering a breach can bypass current notification laws, all
of which have some basis in the legislation first drafted in California, security
and legal experts told SecurityFocus.
A company
suffering a data breach can delay notification during a criminal investigation
by law enforcement. If the stolen data includes identifiable information - such
as debit card account numbers and PINs - but not the names of consumers, then
a loophole in the law allows the company who failed to protect the data to also
forego notification. Finally, if the database holding the personal information
was encrypted but the encryption key was also stolen, then the company responsible
for the data can again withhold its warning.
In
those cases, "they have no obligation to notify," said Avivah Litan, vice president
of security and privacy research for business analysis firm Gartner. "The bottom
line is that they escaped the disclosure law - at least for now."
Moreover,
it's unlikely that credit card companies will risk harming their clients by disclosing
the identity of companies that fail to take responsibility for breaches, Litan
said. While major credit card companies and banks have warned partners and consumers
of recent breaches in general terms, business pressures leave the companies unlikely
to out partners, even if the companies are violating the spirit of disclosure
laws.
Last June, Mastercard International published
a statement warning that online attackers had
breached the network of CardSystems Solutions and collected as many as 40m
credit card accounts of various brands. Following the breach, CardSystems foundered
and was eventually bought
by biometric payment processor Pay By Touch.
"It
is a lot easier to expose a company like CardSystems Solutions, than to expose
a retailer," she said. "The credit card companies are not out there to put any
retail company out of business."
The lesson that
credit card companies have apparently taken away from the experience of CardSystems
Solutions is to withhold details of breaches, putting the onus for taking responsibility
on the shoulders of the company that suffered the breach, she added. Many firms
point out that while large numbers of accounts might be put at risk by data leaks,
only a small fraction of cardholders typically experience fraud.
However,
without disclosure, companies are still not taking security as seriously as they
should. Already, the majority of merchants do not protect customer information
in accordance with industry standards. Both Visa and Mastercard International
have security regulations in place that require merchants to abide by strict rules
about handling customer data. Only about 17 per cent of the 231 large merchants
abide by the requirements, despite the fact that consumers' No 1 fear is loss
or theft of personal and financial information, beating out terrorism, job loss
and epidemics, according to survey data from Visa.
Law
enforcement authorities and financial firms have launched a broad investigation
to track down the sources of the current crop of fraud.
A
breach at a California office supply chain last year resulted in the leak of an
estimated 200,000 ATM and debit account numbers along with the associated personal
identification numbers, or PINs. A rash of fraud that started in February was
blamed on the leak, and media reports pointed at OfficeMax as the source. The
company did not respond to requests for comments, but in its annual report published
last week, OfficeMax warned investors that the situation could hurt its results.
"There
is an ongoing federal investigation relating to ATM fraud involving legitimate
debit card use at various retailers that was later tied to fraudulent transactions
outside the US," the company stated in the filing to the Securities and Exchange
Commission. "While we have no knowledge of a security breach at OfficeMax, it
is possible that information security compromises involving OfficeMax customer
data, including breaches that occur at third party processors, may damage our
reputation."
In the past month, law enforcement
authorities in New Jersey and New York arrested more than a dozen people in connection
with an organised identity theft operation, said Edward DeFazio, the prosecutor
for Hudson County, New Jersey. Many of the victims of the ring, which allegedly
had connections to other identity thieves in Europe and South East Asia, had shopped
at OfficeMax.
"Certainly, a disproportionate number
of victims have dealt with OfficeMax," DeFazio said.
Some
security experts theorized that OfficeMax's payment processor could be to blame
for the breach, but OfficeMax could not be reached for comment on the possibility.
In any event, the breach associated with the retailer is the smallest of three
data leaks affecting credit and debit cards in the last six months.
Last
December, Sam's Club acknowledged that it was cooperating with an investigation
into 600 cases of fraudulent transactions using credit cards and debit cards at
its gas stations. A representative of Sam's Club, a subsidiary of retail giant
Wal-Mart, would not comment on the issue but pointed to a recent public statement
released by bulk retailer.
"I want to assure our
members that these reports of fraud did not involve transactions inside Sam's
Club locations, on Samsclub.com or at Wal-Mart stores or on walmart.com, and no
personal identification numbers (PINs) were used in any of the fraudulent transactions,"
Mark Goodman, executive vice president for Sam's Club, said in a statement released
on 3 March. "If any compromise occurred, it appears to be limited to the Sam's
Club fuel station point-of-sale system."
While
the retailer has only acknowledged that some 600 cases of fraud are linked to
the data leak, the incident has led to credit-card companies issuing warnings
to banks for, what is likely, millions of cards, according to banking executives.
"It
was every institution in America," said Steve Swofford, president of the Alabama
Credit Union. "And I would say there were millions of people affected."
While
the ACU only replaced 500 cards, and had no incidence of fraud, other banks had
to deal with far greater numbers. Regions Financial replaced 100,000 credit and
debit cards on 23 January, but a representative stated that the majority of the
cards were reissued in response to, and seven months after, the CardSystems Solutions
incident.
Such replacements are not inexpensive.
Each new card costs a bank anywhere from $15 to $30 - a high cost for the failure
of companies to abide by data-security standards.
Two
weeks ago, Visa and Mastercard warned banks of the most recent incident - a breach
of an ATM network, according to financial industry insiders. The incident has
led to warnings on a similar number of accounts as the Sam's Club incident, said
ACU's Swofford, suggesting that the total number of accounts involved in the breach
could number in the millions.
Representatives
at Visa and Mastercard International refused to comment on the issue. However,
Citibank released a statement confirming
the ATM network breach, but not naming the company responsible for the network.
In
the most recent incident, Visa has said that payment software manufactured by
Fujitsi Transaction Solutions has flaws that could put customers information at
risk, according to a Friday article in the Wall Street Journal.
Despite
the recent epidemic of debit and credit card fraud and last year's titanic breach
at CardSystems Solutions, Congress is considering a bill that will let more companies
escape taking responsibility for fraud, consumer advocates charge.
The
bill, known as H.R. 3997 or the "Financial Data Protection Act of 2005", would
let companies decide when a data breach is significant enough to merit warning
their customers. The House Financial Services Committee approved the legislation
on Friday.
"It is ironic that after a year in
which over 55m Americans' identities were put at risk through preventable data
breaches, the House Financial Services Committee would repeal state laws that
have protected consumers from identity theft," Susanna Montezemolo, policy analyst
with Consumers Union, the nonprofit publisher of Consumer Reports magazine, said
in a statement following the vote.
The federal
legislation would supersede the laws passed by states with significantly weaker
protection against identity theft. At least 11 states have stronger notification
language than the H.R. 3997 and another eight have stronger rules allowing consumers
to freeze their credit accounts to prevent fraudulent use, Montezemolo said.
The
key flaws in the bill highlighted by consumer advocates include a requirement
of a police report verifying an incident of identity fraud before the victim can
place a security freeze on their account and so-called trigger language, which
allows the company that suffered a breach to make the decision over whether the
incident merits disclosure.
"Having trigger language
is ridiculous," said the Privacy Rights Clearinghouse's Givens. "If this bill
passes and the trigger language remains intact, there will be few, if any, disclosures
about data breaches."
H.R. 3997 will next be considered
by the full House of Representatives.
This article
originally appeared in Security
Focus.
<
