I am the last person to overhype a hack/phish, but it seems to me this one is huge. I am particularly interested in Gartner's view that banks have nailed phishing, and ATM/PIN fraud is next. It makes sense actually. Banks have beaten phishing down to a small pulp.
The bad guys continue to send out the emails, and about 13% of customers receiving those emails respond (Forrester), but the banks catch them midstream too. As much as the bad guys are smart, the banks' fraud pattern recognition systems are getting pretty good too. It's hard to believe a customer can make a debit transaction in Edinburgh and an ATM transaction in New York at the same time, so it's pretty easy to build models to watch for that pattern.
This pattern recognition will drive the bad guys to go deep on the weak links, such as PIN/debit card, before we go to chip card.
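The Edinburgh/New York pattern above is the classic "impossible travel" rule. The following is an added example, not code from this post or from any bank's fraud system: it groups transactions by card, sorts them by time, and flags any consecutive pair whose implied ground speed exceeds a plausible maximum. The speed ceiling, the minimum distance (so two terminals in one city never count as travel) and all transaction records are constructed assumptions for the example.

```python
"""Impossible-travel check over card transactions.

Added example, not from the post: flags two transactions on the same card
that are too far apart to have been made by one cardholder in the time
between them. All transactions below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: about airliner speed; faster than this is impossible
MIN_DISTANCE_KM = 50.0     # assumption: two terminals in one city are never "travel"


@dataclass(frozen=True)
class Txn:
    card: str       # card token, not the PAN itself
    when: datetime
    lat: float
    lon: float
    where: str      # free-text location, only for the alert message


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(txns):
    """Return (earlier, later, km, hours) for each consecutive pair on one card
    whose implied speed exceeds MAX_PLAUSIBLE_KMH. A zero time gap needs no
    special case: the comparison is done without dividing by the gap, so any
    distance above MIN_DISTANCE_KM covered in zero hours is flagged."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card].append(t)
    alerts = []
    for items in by_card.values():
        items.sort(key=lambda t: t.when)
        for prev, cur in zip(items, items[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if km > MIN_DISTANCE_KM and km > MAX_PLAUSIBLE_KMH * hours:
                alerts.append((prev, cur, km, hours))
    return alerts


# Constructed sample: three cards, one of them used on both sides of the Atlantic
# within twenty minutes (the Edinburgh/New York case from the text).
SAMPLE = [
    Txn("card-A", datetime(2006, 3, 8, 14, 0), 55.9533, -3.1883, "Edinburgh POS"),
    Txn("card-A", datetime(2006, 3, 8, 14, 20), 40.7128, -74.0060, "New York ATM"),
    Txn("card-B", datetime(2006, 3, 8, 9, 0), 51.5074, -0.1278, "London ATM"),
    Txn("card-B", datetime(2006, 3, 8, 17, 30), 40.7128, -74.0060, "New York POS"),
    Txn("card-C", datetime(2006, 3, 8, 12, 0), 55.9533, -3.1883, "Edinburgh POS"),
    Txn("card-C", datetime(2006, 3, 8, 12, 1), 55.9486, -3.2008, "Edinburgh ATM"),
]

if __name__ == "__main__":
    for prev, cur, km, hours in impossible_travel(SAMPLE):
        print(f"{prev.card}: {prev.where} -> {cur.where}, {km:.0f} km in {hours * 60:.0f} min")
```

Only card-A is flagged: London to New York in eight and a half hours (card-B) is a normal flight, and two Edinburgh terminals a minute apart (card-C) fall under the minimum distance. In production the same rule runs on the authorisation stream, with the terminal's registered location standing in for the coordinates used here.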
InformationWeek | E-Fraud | PIN Scandal ‘Worst Hack Ever’; Citibank Only The Start | March 9, 2006
The scam has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, all of which have re-issued debit cards in recent weeks, says a Gartner research vice president.
By Gregg Keizer
TechWeb News, Mar 9, 2006 04:35 PM
The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs “the worst consumer scam to date.”
Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.
But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam — and scandal — has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.
“This is the worst hack ever,” Litan maintained. “It’s significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things.”
Unlike credit cards, debit cards offer an additional level of security: the password-like Personal Identification Number, or PIN.
“That’s the irony, the PIN was supposed to make debit cards secure,” Litan said. “Up until this breach, everyone thought ATMs and PINs could never be compromised.”
Litan’s sources in the financial industry have told her that thieves hacked into an as-yet-unknown system, and made off with data stored on debit cards’ magnetic stripes, the associated “PIN blocks,” or encrypted PIN data, and the key for that encrypted data.
The problem, she continued, is that retailers improperly store PIN numbers after they’ve been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.

In this case, Litan said, the thieves used the information to crank out counterfeit debit cards, then emptied accounts at ATMs. She estimated that they absconded with “at least a couple of thousand records, maybe more” and have cashed out to the tune of “millions already.”

The victim of the hack attack isn’t yet known, although some banks have pointed fingers at OfficeMax, which has denied that its system was penetrated.

Litan believes it much more likely that a third-party processor or terminal supplier was involved; the silence about the victim could point to a processor, she said, because they have the most to lose by the negative publicity.

Last summer, credit card processor CardSystems was hit with a massive breach that involved millions of accounts; CardSystems essentially sank under the publicity, and was later bought by Pay By Touch. In February 2006, the FTC reached a settlement with CardSystems that requires it to adopt more stringent security measures, but the company remains open to consumer lawsuits that could mean millions in payouts.

No matter who is to blame, the bank industry is only about halfway through cleaning up the breach, said Litan. And more of the same is on the way.

“This will become a trend with criminals,” she bet. “Hackers will do this as much as they can” because it’s far easier to empty checking accounts at ATMs than to buy goods with purloined credit cards, then sell the goods to generate cash.

So what’s a consumer to do?

“Security is tight at the ATM, but point-of-sale is a whole other story,” said Litan. “Look at your [debit card] account on a regular basis, and don’t use a PIN-based debit card at point-of-sale,” she recommended. “I never do.”
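The article's three stolen items (magnetic-stripe data, PIN blocks, and the key) fit together because of how a PIN block is built. The following is an added example, not code from the article or from any bank, processor or PIN pad vendor: it constructs an ISO 9564-1 Format 0 PIN block, which XORs the PIN with the rightmost digits of the card number, and shows that a thief holding the retailer's stored track 2 data plus a block decrypted under the stolen key gets the PIN back, while the same block read against another card's PAN decodes to nothing. The encryption under the pad's PIN key is assumed to have been undone already, which is exactly the situation when the key sits on the same network as the blocks; the card number, PIN and track 2 string are constructed test values.

```python
"""ISO 9564-1 Format 0 PIN block: why track data plus a decrypted block gives the PIN.

Added example, not from the article. The PIN pad encrypts the block under its
PIN-encryption key before it leaves the pad; that cipher step is assumed to have
been undone already (the attacker holds the key, as in the text), so this code
works on the clear block. All card numbers, PINs and track data are constructed.
"""


def pin_field(pin: str) -> bytes:
    """Format 0 PIN field: '0', PIN length as one hex digit, the PIN, then 'F' padding to 16 hex digits."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def pan_field(pan: str) -> bytes:
    """Format 0 PAN field: four zeros, then the 12 rightmost PAN digits excluding the check digit."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def clear_pin_block(pin: str, pan: str) -> bytes:
    """The 8-byte block the pad forms before encryption: PIN field XOR PAN field."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def pin_from_clear_block(block: bytes, pan: str) -> str:
    """Reverse the XOR with the PAN field and validate the Format 0 layout."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not a Format 0 block")
    n = int(field[1], 16)
    pin, pad = field[2:2 + n], field[2 + n:]
    if not (4 <= n <= 12) or not pin.isdigit() or pad.strip("F"):
        raise ValueError("block does not decode under this PAN")
    return pin


def pan_from_track2(track2: str) -> str:
    """On track 2 the PAN is everything between the ';' start sentinel and the '=' separator."""
    if not track2.startswith(";") or "=" not in track2:
        raise ValueError("malformed track 2 data")
    return track2[1:track2.index("=")]


def recover_pin(track2: str, block: bytes):
    """What a thief holding stored track data plus a decrypted block gets; None if the PAN does not fit."""
    try:
        return pin_from_clear_block(block, pan_from_track2(track2))
    except ValueError:
        return None


# Constructed sample: a test PAN and PIN, and the track 2 string a retailer should never have kept.
SAMPLE_TRACK2 = ";4111111111111111=25121015432112345?"
SAMPLE_PIN = "1234"
SAMPLE_BLOCK = clear_pin_block(SAMPLE_PIN, pan_from_track2(SAMPLE_TRACK2))

if __name__ == "__main__":
    print("clear block:", SAMPLE_BLOCK.hex().upper())
    print("with matching track data:", recover_pin(SAMPLE_TRACK2, SAMPLE_BLOCK))
    print("with another card's track data:", recover_pin(";5500000000000004=2512101?", SAMPLE_BLOCK))
```

The XOR with the PAN is what ties a block to one card, so the stripe data and the block are only useful together; that is why the article's three items travel as a set. The lesson for anyone operating a POS network is the one Litan gives: the block must be encrypted inside the pad, nothing but the ciphertext should ever be stored, and the key that opens it belongs in an HSM, not on the same network as the blocks.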
