The unfolding debit card scam that rocked Citibank last week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs "the worst consumer scam to date."
On March 8, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K. In May, a box of unencrypted tapes with information on 3.9 million CitiFinancial customers being shipped via UPS never reached its intended destination. But this incident looks more serious.
Nevertheless, Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam - and scandal - has hit national banks such as Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio and Pennsylvania, all of which have reissued debit cards in recent weeks.
"This is the worst hack ever," Litan maintained. "It's significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things."
Unlike credit cards, debit cards offer an additional level of security: the password-like Personal Identification Number, or PIN.
"That's the irony, the PIN was supposed to make debit cards secure," Litan said. "Up until this breach, everyone thought ATMS and PINs could never be compromised."
Litan's sources in the financial industry have told her that thieves hacked into a as-yet-unknown system, and made off with data stored on debit cards' magnetic stripes, the associated "PIN blocks," or encrypted PIN data, and the key for that encrypted data.
The problem, she continued, is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.
In this case, Litan said, the thieves used the information to crank out counterfeit debit cards, then emptied accounts at ATMs. She estimated that they absconded with "at least a couple of thousand records, maybe more" and have cashed out to the tune of "millions already."
The victim of the hack attack isn't yet known, although some banks have pointed fingers at OfficeMax, which has denied that its system was penetrated.
Litan believes it much more likely that a third-party processor or terminal supplier was involved; the silence about the victim could point to a processor, she said, because they have the most to lose by the negative publicity.
Last summer, credit card processor CardSystems was hit with a massive breach that involved millions of accounts; CardSystems essentially sank under the publicity, and was later bought by Pay By Touch. In February 2006, the FTC reached a settlement with CardSystems that requires it to adopt more stringent security measures, but the company remains open to consumer lawsuits that could mean millions in payouts.
No matter who is to blame, the bank industry is only about halfway through cleaning up the breach, said Litan. And more of the same is on the way.
"This will become a trend with criminals," she bet. "Hackers will do this as much as they can" because it's far easier to empty checking accounts at ATMs than to buy goods with purloined credit cards, then sell the goods to generate cash.
So what's a consumer to do?
"Security is tight at the ATM, but point-of-sale is a whole other story," said Litan. "Look at your [debit card] account on a regular basis, and don't use a PIN-based debit card at point-of-sale," she recommended. "I never do."
Editor's Note: This article, which includes reporting by InformationWeek's Larry Greenemeier, originally appeared at TechWeb News. Both TechWeb News and InformationWeek are sister publications of Insurance & Technology.