he recent, unprecedented and widely reported wave of PIN theft - the largest to date, and still unraveling according to experts - is raising disturbing questions for the payments industry.

Well over 200,000 debit cards are expected to be reissued by multiple banks (including Citigroup Inc., Bank of America Corp., National City Corp., PNC Financial Services Group Inc., Wells Fargo & Co., Alabama Credit Union, and Washington Mutual Inc.) in response to a massive spike in fraudulent PIN transactions throughout the United States, Canada and Europe, with particularly frequent links to Eastern Europe.

The secrecy by all parties involved has fueled a tsunami of rumor. Questions proliferate on who will eventually be held liable, who is responsible for informing consumers or law enforcement agencies of suspected breaches and what changes will be necessary to prevent future wide-scale PIN theft.

A rude awakening

PIN-based transactions have long been viewed as the most secure of all bankcard transaction types. But if the breach occurred the way experts speculate, it was not a single weakness but a combination of weaknesses that made the PIN theft possible, leaving open the question: How much is still at risk?

According to research and consulting firm Gartner Inc., debit-card fraud costs banks $2.75 billion and affects 3 million people a year. But until recently, PIN theft was cumbersome to pull off and typically involved only a small number of accounts. This latest wave of fraud ups the ante.

Avivah Litan, an Analyst at Gartner thinks what has been reported is just the tip of the iceberg. "It's huge," she said. "The losses are definitely in the millions, and that's a conservative figure. It's not trivial.

"This points to a new wave of PIN block card fraud. Criminals are aggressively pursuing access to ATMs. PIN-based debit card theft is the Holy Grail of fraud. Why would credit card criminals bother with purchasing and fencing goods when they can just get cash?"

One of the troubling questions this breach exposes is how the thieves managed to decode the PIN encryption, which was believed to make PIN-based transactions the most bulletproof of card transactions.

To access PIN data, the miscreants needed to get card information and the PIN encryption key. Because of the sheer number of accounts breached, some experts (speaking off the record) have speculated that the criminals got the encryption key through an inside source or a hack distinct from the hack or hacks that accessed the card information.

Criminals can make counterfeit cards using card numbers, encrypted PIN information, and the corresponding decryption key.

The source, a well-kept secret

The institutions involved have not identified the retailers where the breach is suspected to have occurred, nor have they divulged the depth and breadth of the breach. But it is rumored that well over a half a million debit cards have been compromised and that the breaches occurred at one or more major retailers. Wal-Mart Stores Inc.'s Sam's Club and OfficeMax are the two most frequently mentioned in the rumors.

Sam's Club refused to respond when asked whether cardholder data was stolen, but the company did announce in early December that it was working with Visa U.S.A. and MasterCard International, the Secret Service, and the Arkansas U.S. Attorney's Office to investigate credit card fraud affecting at least 600 known cardholders who purchased gas at Sam's Club fuel stations between Sept. 21 and Oct. 2, 2005.

The company stressed that the electronic systems and databases used inside its stores and for its Web site www.samsclub.com are not involved, but left open the possibility that wireless POS connections at the gas pumps were involved.

OfficeMax has steadfastly denied that its customer data were stolen and in March released a statement claiming that an independent security audit had cleared them. A Feb. 14, 2006, article in the San Francisco Chronicle had named OfficeMax as the source of the data theft. On the same day, San Francisco Bay Area new station CBS 5 reported that the FBI confirmed it was investigating the possible theft of OfficeMax customer data that led to several major banks canceling thousands of debit cards.

The Sacramento branch office of the FBI transferred the case to its Charlotte, N.C., office. The FBI will not comment on current investigations, but said that they were working with other organizations, including the Secret Service, to investigate the matter.

Operation Rolling Stone targets online fraud and theft investigated by the Secret Service's 15 electronic crime task forces and nine electronic crime working groups. On March 28, the agency arrested eight individuals for debit card PIN fraud (and has arrested a total of 21 to date) but will not comment on whether they are linked with this particular wave of PIN data theft.

Secret Service Agent Jim Macken did confirm that some of the people arrested were associated with organized PIN fraud and had ties with Eastern Bloc countries.

Congressman Barney Frank, the ranking member of the House Financial Services Committee, called on Visa and MasterCard to identify the two retailers, or be held responsible themselves for the latest breach of card data.

"The party responsible for security systems that are breached by unauthorized parties should be the one to notify customers of the breach or, at minimum, should be identified publicly as the party responsible for the breach," Frank wrote.

He pointed out, however, that there is no law requiring the card Associations to identify the parties responsible.

The recent $10 million fine imposed by the Federal Trade Commission on data aggregator ChoicePoint Inc. for a data security breach, on the heels of the agency's settlements with shoe retailer DSW Inc. and BJ's Wholesale Club Inc. for similar credit card data breaches (coupled with a very real threat of litigation) may be contributing to the wave of "no comments" issued by those involved in the case.

How did it happen anyway?

Where, and when, the culprits accessed the PIN data is also a mystery. Citibank spokeswoman Elizabeth Fogarty suggested that consumer accounts had been compromised during data leaks by third-party U.S. retailers. Some experts believe that the thieves accessed the data by eavesdropping on POS software through insecure wireless networks at the retailer level.

Another possibility is that intruders copied card data (card validation codes and card verification values) from magnetic stripes at POS terminals, then hacked and stole PIN information held by the retailer or retailers.

The Payment Card Industry (PCI) Data Security standard prohibits PIN block (encrypted code associated with PINs) storage and covers terminal operations, but it is believed that many retailers continue to store such information, some without realizing it.

Visa recently issued a warning to some acquirers stating that some POS transaction software may incorrectly store sensitive cardholder data, fueling rumors that this was the access point for the thieves.

Ed Soladay, Chief Operating Officer at Fujitsu Transaction Solutions, a software manufacturer mentioned in Visa's warning, said that his company's software does not store personal information, but a free add-on trace utility program can be configured to use such information for diagnostic purposes.

Fujitsu's trace utility program is designed for internal testing of bankcard transaction processes and to help identify problems during installation and maintenance. Using trace utility programs in a live environment does not comply with PCI standards. The utilities are intended "to be used in trials to fix any bugs that can possibly come up," Soladay said. "Virtually all retailers use these kinds of utilities, and most use them in a safe and secure manner.

"We have always strongly recommended that utilities should not be used in live environments, and that when this kind of information is used in a test environment it should be immediately deleted.

"Our products are completely PCI compliant when used correctly," he said. "A strict adherence to PCI standards is critical, not just for retailers, but also for technology companies such as ours, and we work closely with Visa to ensure that our products meet standards, and that the standards stay abreast of new criminal attacks ... I don't think Visa intended to cast aspersions on our software, but their first advisory may have been misleading."

Visa issued a second advisory clarifying that the potential problems are related to using all trace utilities in live environments rather than current versions of Fujitsu's POS software. (See "Visa clarifies data retention danger" in this issue of The Green Sheet.)

"I don't know if Visa raised the issue now because of particular thefts, or just to raise awareness of the security risks involved in using utilities in that way," Soladay said.

"None of our clients have ever called us to report any security breaches that occurred with our software or the trace utility we provide. We have no recorded flaws or bugs in our software that could cause a security breach."

OfficeMax and a host of other large retailers including Best Buy, Dress Barn, Staples and Payless ShoeSource use http://www.fujitsu.com/us/news/pr/archives/subsidiary/2005/index_ftxs.html" target="_blank"> Fujitsu Transaction Solutions GlobalSTORE software in their POS terminals and mobile devices. Sam's Club and Wal-Mart do not use Fujitsu's software.

Lax security consciousness

The skyrocketing usage of PIN-based debit cards has exposed an Achilles heel for the security of debit cards. PIN-based magnetic stripe card systems were designed for use at bank controlled ATMs, but debit card systems have become increasingly common at the retail level, creating millions of additional points of attack.

And according to Litan, retailers are generally less security conscious than banks. "Misused trace utility programs may be very common," she said. While technology is available to stop data theft, Litan reported that some banks aren't even validating ATM cards' Track 2 magnetic stripe security data during cash withdrawal transactions, which when done, can help prevent the use of counterfeit cards. Litan said that hackers call banks that don't do this validation "cashable."

As a result of this latest wave of PIN attacks, "banks will almost certainly beef up their fraud prevention measures and will crack down on suspected fraud earlier," Litan said.

According to Mike Lee of the ATM Industry Association (ATMIA), the Global ATM Security Alliance (GASA) has produced an ATM lifecycle security best practices document for members of ATMIA and GASA. It also issues global fraud alerts.

"We have to monitor global crime trends because organized crime has become a globalized 'business'," he said.

"We are also currently drafting international best practices for multichannel security to complement the lifecycle security best practices because the ATM channel is not an island; ATM fraud can originate through compromises of POS devices and also as a result of phishing."

Last year, Litan found that the growing use of phishing attacks to gain financial information through phony e-mails is eroding consumer confidence, so Gartner is planning to do a survey later this year to see whether these attacks have undermined consumer confidence in PIN card security.

But Litan said it is unlikely that this wave of fraud will have an immediate effect on consumers.

"Some 10 to 15% typically change banks after their cards are cancelled, so I wouldn't be surprised to see that kind of a response, but the consumer is mostly shielded from actual losses," she said. "The banks, however, are not.

"It is very likely that we'll see debit card fees increase in the next year as a result. The banks have lost money that they may not be able to recover. The increased risk will most certainly affect fees.

"I think the thieves are laying low right now, because of all the attention. But we haven't heard the last of this. Not by a long shot."