Latest updates on what certainly seems to be the largest PIN/ATM fraud ever. Card networks are only as secure as the weakest links. Somehow the electronic message has to get from a merchant/ ATM to the issuing bank. Along the way are a series of third party payment networks, and this underlies the inherent risk here.

Relevance to Bankwatch:

Banks have to get used to bad guys doing bad things, and get their minds around guarantees to customers.  Its like the Rolls Royce story – they never break down, and banks should be the same.

Guarantee your customers that their money is safe.  Eliminate the subtext and condition that bankers always leave as an out, just in case customers try to defraud them.  But how many actually try to do that?  Its time to manage to the majority that are honest customers who simply want to rely on their bank.

From Techweb:

But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam — and scandal — has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.

Here is what Citibank said:

Citibank, the consumer and corporate banking arm of Citigroup Inc., confirmed Wednesday that the bank and its customers were the victims of a third-party company information breach that has forced the bank to block PIN-based transactions for customers in Canada, Russia, and the U.K.

And finally, here is how the US banks are co-operating to try and stem risk from reliance on third parties.

These highly publicized embarrassments are beginning to have some affect on how companies handle customer data. In February, Citigroup, Bank of America Corp., Bank of New York Co., J.P. Morgan Chase & Co., U.S. Bancorp, and Wells Fargo & Co., plus major auditors and service providers, released a common methodology that financial services companies could use to assess service-provider security. BITS, a consortium backed by the financial-services industry, developed the methodology after studying service providers including Acxiom, First Data, IBM, Viewpointe Archive Services, and Yodlee. The goal is to give service providers consistent demands and make them live up to them. Banks are cooperating because they know the alternative: fines, lawsuits, and a tarnished image that can’t be easily fixed.

Full Techweb report:

By Gregg Keizer, TechWeb News

The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs “the worst consumer scam to date.”Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.

But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam — and scandal — has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.

“This is the worst hack ever,” Litan maintained. “It’s significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things.”

Unlike credit cards, debit cards offer an additional level of security: the password-like Personal Identification Number, or PIN.

“That’s the irony, the PIN was supposed to make debit cards secure,” Litan said. “Up until this breach, everyone thought ATMS and PINs could never be compromised.”

Litan’s sources in the financial industry have told her that thieves hacked into a as-yet-unknown system, and made off with data stored on debit cards’ magnetic stripes, the associated “PIN blocks,” or encrypted PIN data, and the key for that encrypted data.

The problem, she continued, is that retailers improperly store PIN numbers after they’ve been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.In this case, Litan said, the thieves used the information to crank out counterfeit debit cards, then emptied accounts at ATMs. She estimated that they absconded with “at least a couple of thousand records, maybe more” and have cashed out to the tune of “millions already.”

The victim of the hack attack isn’t yet known, although some banks have pointed fingers at OfficeMax, which has denied that its system was penetrated.

Litan believes it much more likely that a third-party processor or terminal supplier was involved; the silence about the victim could point to a processor, she said, because they have the most to lose by the negative publicity.

Last summer, credit card processor CardSystems was hit with a massive breach that involved millions of accounts; CardSystems essentially sank under the publicity, and was later bought by Pay By Touch. In February 2006, the FTC reached a settlement with CardSystems that require it to adopt more stringent security measures, but the company remains open to consumer lawsuits that could mean millions in payouts.

No matter who is to blame, the bank industry is only about halfway through cleaning up the breach, said Litan. And more of the same is on the way.

“This will become a trend with criminals,” she bet. “Hackers will do this as much as they can” because it’s far easier to empty checking accounts at ATMs than to buy goods with purloined credit cards, then sell the goods to generate cash.

So what’s a consumer to do?

“Security is tight at the ATM, but point-of-sale is a whole other story,” said Litan. “Look at your [debit card] account on a regular basis, and don’t use a PIN-based debit card at point-of-sale,” she recommended. “I never do.”

_________________________