Avivah Litan, an analyst at Gartner, is being very proactive in breaking the news and risks emanating from the recent Citi, Wells, BofA debit card fraud situation. While information remains sketchy, it seems clear the bad guys were able to re-create a series of debit cards and their PINs and spend the money in the associated accounts.
USATODAY.com – Security breaks could curtail debit card use
PIN-based debit card transactions have been seen as more secure than signature-based debit card purchases
The assumption has been that PIN will eliminate ‘card present’ fraud. The combination of a chip card that can’t be replicated and a PIN is the panacea. However, the Citi ATM situation just validates what your internal security guys will always tell you. The best you can do is manage fraud; you cannot eliminate it, because the bad guys are always one step ahead of you and have already factored your new security into their plans.
Some things are clear, and this varies a little between Europe and North America, but not much:
Relevance to Bankwatch:
- Simple introduction of PIN and shift of liability to the consumer could be an unmitigated disaster, without consumer support from the banks – consumers look to banks to provide security, not excuses
- The management of concurrent mag stripe/chip and signature/PIN could result in the worst of both worlds: increased operating costs and increased fraud.
Security breaks could curtail debit card use
By Kathy Chu, USA TODAY
A recent spate of fraudulent bank card transactions is complicating a question that arises each time you reach the checkout register: debit or credit?
Citibank, Wells Fargo and Bank of America are among the banks that have reissued U.S. debit cards in recent months after a third-party security breach allowed fraudsters to obtain bank card information — including some customers’ personal identification numbers, or PINs.
The banks haven’t identified the source of the breach or how many cards have been reissued.
But as more people become aware of the incidents, “I think consumers will think twice before they enter a PIN anywhere,” says Avivah Litan, an analyst at Gartner.
Some consumers could decide it’s safer to sign for bank card purchases with a Visa or MasterCard logo, Litan says.
At the least, “People may be more leery about making sure that no one’s behind them when they type in their PIN numbers,” says Chris Allen of Dove Consulting, a research firm.
The security breach comes as consumers are increasingly using debit cards to pay at the cash register. Debit transactions are the fastest-growing form of electronic payments; they nearly doubled, to 15.6 billion transactions, in 2003 compared with 2000, according to the most recent Federal Reserve data.
Much of the growth of debit cards in that period came from signature transactions, rather than PIN-based ones.
Historically, though, PIN-based debit card transactions have been seen as more secure than signature-based debit card purchases. A 2005 study by Pulse, a debit card network, showed that a PIN debit card transaction was about 15 times safer than its signature counterpart, based on losses per transaction and per sales volume.
That’s because fraudsters who obtain a traditional ATM card — without a MasterCard or Visa logo — would have to know the PIN to make a purchase. But the recent breaches could shake public confidence in the security, Litan says.
Also, the industry may have to rethink how it detects fraud, because, “Systems around PIN debit are not as advanced as the ones around signature debit,” she says. “There was never a need.”
If fraud occurs in a credit card transaction, you usually have no liability. Signature debit card transactions often enjoy the same protection. But if fraud occurs with a PIN debit card transaction, the consumer’s protection can vary by bank.
Wells Fargo, Bank of America and Citibank say customers have zero liability from fraudulent debit card transactions, whether signature or PIN-based. Consumers should notify the banks, however, within 60 days of when the statement is mailed.
By law, banks must limit debit card liability to $50 if you notify them within two business days after a debit card has been lost or stolen.
If you notify your bank within 60 days of when the statement is mailed, you could be liable for $500. Wait longer than that, and you could lose much more.
