This article makes it clearer why everything was kept quite quiet on this investigation, as arrests are now being made. In fact, the breadth of the problem is greater than we knew earlier, with other merchants involved.
"Some of these arrests were linked to recent nationwide compromises of debit-card customer information and PINs involving a number of retailers and debit card issuers,"
What is intriguing is that the investigation began on something else and landed on the "Citi" thing as part of that broader investigation.
Operation Rolling Stone, which originally did not focus on the epidemic of debit-card fraud, has at least exposed some new leads, Cherry said.
Here is the detail, thanks to SecurityFocus.
Relevance to Bankwatch:
Stated quite eloquently in the article: "Moreover, the companies that are the source of the breaches should acknowledge the incidents and take responsibility".
_________________________________________________
Robert Lemos, SecurityFocus 2006-03-31
The U.S. Secret Service arrested seven people across the nation this week as part of an ongoing investigation that has turned up links to the massive debit-card breaches that have worried banks and consumers.
The investigation, dubbed Operation Rolling Stone, has resulted in 21 arrests in the last three months and involves local, state and international law enforcement. The online undercover operation targets Internet criminal groups that "threaten our financial infrastructure," Jonathan Cherry, spokesman for the U.S. Secret Service, told SecurityFocus.
"Rolling Stone is an ongoing and active operation in its initial phase with future coordinated arrests expected as the operation continues," Cherry said.
The operation could also shed some light on–and even lead to the perpetrators of–several massive debit-card data breaches that have left millions of consumer bank accounts at risk. Over the past two months, widespread debit-card fraud has led to a search for the sources of the breaches. Three major incidents in the last six months–a breach associated with OfficeMax, another with Sam's Club and a third compromising an ATM network–have likely all contributed to the current uptick in fraud.
Operation Rolling Stone, which originally did not focus on the epidemic of debit-card fraud, has at least exposed some new leads, Cherry said.
"Some of these arrests were linked to recent nationwide compromises of debit-card customer information and PINs involving a number of retailers and debit card issuers," he said.
Over the past two months, a spate of debit-card fraud has worried consumers and banks. While no company has come forward to claim responsibility as the source of the data fueling the fraud, three major breaches in the last six months are likely responsible, according to sources in the banking industry.
A breach at a California office-supply chain last year resulted in the leak of an estimated 200,000 ATM and debit account numbers along with the associated personal identification numbers, or PINs. A rash of fraud that started in February was blamed on the leak, and media reports pointed at OfficeMax as the source. In its annual report published earlier in March, OfficeMax warned investors that the situation could hurt its results.
"There is an ongoing federal investigation relating to ATM fraud involving legitimate debit card use at various retailers that was later tied to fraudulent transactions outside the U.S.," the company stated in the filing to the Securities and Exchange Commission. "While we have no knowledge of a security breach at OfficeMax, it is possible that information security compromises involving OfficeMax customer data, including breaches that occur at third party processors, may damage our reputation."
Last December, Sam's Club, a subsidiary of Wal-Mart, acknowledged that it was cooperating with an investigation into 600 cases of fraudulent transactions using credit cards and debit cards at its gas stations. While the retailer has only acknowledged those cases, the incident has led to credit-card companies issuing warnings to banks for, what is likely, millions of cards, according to banking executives. A Sam's Club statement stressed that the company does not believe its in-store or online systems were breached.
"If any compromise occurred, it appears to be limited to the Sam's Club fuel station point-of-sale system," Mark Goodman, executive vice president for Sam's Club, said in a statement released on March 3.
In early March, Visa and Mastercard warned banks of the most recent incident–a breach of an ATM network, according to financial industry insiders. Sources have said that data indicates the total number of accounts involved in the breach could number in the millions. Representatives at Visa and Mastercard International have not commented on the issue. However, Citibank released a statement confirming the ATM network breach, but not naming the company responsible for the network.
The latest Operation Rolling Stone arrests took place in five states and the District of Columbia on Tuesday. The names of the suspects are currently being withheld, because the investigation is ongoing, the U.S. Secret Service's Cherry said.
The federal and international operation is not linked to the arrests of more than a dozen people in New York and New Jersey that allegedly conspired on credit- and debit-card fraud, said Edward DeFazio, the prosecutor for Hudson County, New Jersey.
"We had gotten the Secret Service involved in our case–they were the ones who were going to follow up with the international connections," DeFazio said.
While the arrests are a good sign, legislators need to respond to the debit-card data breaches with stronger consumer protections, because ATM debit cards have not historically had as strong defenses in place for account holders as credit cards, said Chris Hoofnagle, the director and senior counsel for the Electronic Privacy Information Center's West Coast bureau.
"It has always been assumed that the ATM is more secure because of the PINs, but debit cards are being used everywhere so the PINs are everywhere," Hoofnagle said.
Moreover, the companies that are the source of the breaches should acknowledge the incidents and take responsibility, he said.
"The problem with the ATM breaches is that notice is even more important in these cases," he said.
