Consumer reaction to PIN based fraud will be mixed


Avivah Litan, an analyst at Gartner, is being very proactive in breaking the news and risks emanating from the recent Citi, Wells, BofA debit card fraud situation. While information remains sketchy, it seems clear the bad guys were able to re-create a series of debit cards and their PINs and spend the money in the associated accounts.

USATODAY.com – Security breaks could curtail debit card use

PIN-based debit card transactions have been seen as more secure than signature-based debit card purchases

The assumption has been that PIN will eliminate ‘card present’ fraud. The combination of a chip card that can’t be replicated and a PIN is the panacea. However, the Citi ATM situation just validates what your internal security guys will always tell you. The best you can do is manage fraud; you cannot eliminate it because the bad guys are always one step ahead of you, and have already factored your new security into their plans.
Some things are clear, and this varies a little between Europe and North America, but not much:

Relevance to Bankwatch:

  1. Simple introduction of PIN and shift of liability to the consumer could be an unmitigated disaster, without consumer support from the banks – consumers look to banks to provide security, not excuses
  2. The management of concurrent mag stripe/chip and signature/PIN could result in the worst of both worlds: increased operating costs and increased fraud.


Association of Financial Professionals – new Payments Risk Survey; Feb 2006


The Association of Financial Professionals' new report covers how US corporations manage payment risk. The key point is that the majority of corporations have risk mitigation plans, but I’d note that it’s the larger corporations, and it’s not top of mind for many, with 19% of large corporations having no written plan.

Payments Risk Survey

Key findings are:

Payments Fraud

  - Sixty-eight percent of organizations were targets of attempted or actual payments fraud in 2005
  - Checks and ACH debits were the most frequently used vehicles for payments fraud
  - The majority of organizations (54 percent) that experienced card payments fraud suffered a financial …

Official: Canada Commits To Complete Chip Migration By 2010


It’s official and public now. 2007 will see the first pilots, and go live in 2008. Key is the joint announcement from Debit (Interac) and Credit (MasterCard & Visa).

Payments News » Canada Commits To Complete Chip Migration By 2010 » March 13, 2006

Members of the Canadian payment card industry — Interac Association, MasterCard Canada Inc., Visa Canada Association, and many of their respective card issuers and acquirers — have announced a firm commitment to a broad industry migration to chip technology beginning with deployments next year and migration completion scheduled for 2010.


PIN Scandal “Worst Hack Ever;” Citibank Only The Start


Latest updates on what certainly seems to be the largest PIN/ATM fraud ever. Card networks are only as secure as the weakest links. Somehow the electronic message has to get from a merchant/ ATM to the issuing bank. Along the way are a series of third party payment networks, and this underlies the inherent risk here.

Relevance to Bankwatch:

Banks have to get used to bad guys doing bad things, and get their minds around guarantees to customers. It’s like the Rolls Royce story – they never break down, and banks should be the same.

Guarantee your customers that their money is safe. Eliminate the subtext and condition that bankers always leave as an out, just in case customers try to defraud them. But how many actually try to do that? It’s time to manage to the majority that are honest customers who simply want to rely on their bank.

From Techweb:

But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam — and scandal — has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.

Here is what Citibank said:

Citibank, the consumer and corporate banking arm of Citigroup Inc., confirmed Wednesday that the bank and its customers were the victims of a third-party company information breach that has forced the bank to block PIN-based transactions for customers in Canada, Russia, and the U.K.

And finally, here is how the US banks are co-operating to try and stem risk from reliance on third parties.

These highly publicized embarrassments are beginning to have some effect on how companies handle customer data. In February, Citigroup, Bank of America Corp., Bank of New York Co., J.P. Morgan Chase & Co., U.S. Bancorp, and Wells Fargo & Co., plus major auditors and service providers, released a common methodology that financial services companies could use to assess service-provider security. BITS, a consortium backed by the financial-services industry, developed the methodology after studying service providers including Acxiom, First Data, IBM, Viewpointe Archive Services, and Yodlee. The goal is to give service providers consistent demands and make them live up to them. Banks are cooperating because they know the alternative: fines, lawsuits, and a tarnished image that can’t be easily fixed.


PIN Scandal ‘Worst Hack Ever’; Citibank Only The Start – UPDATE 3


I am the last person to over hype a hack/phish, but seems to me this one is huge. I am particularly interested in Gartner’s view that Banks have nailed phishing, and ATM/PIN fraud is next. It makes sense actually. Banks have beaten phishing down to a small pulp. The bad guys continue to send out the emails, and about 13% of customers receiving those emails respond (Forrester), but the Banks catch them mid stream too. As much as the bad guys are smart, the Banks’ fraud pattern recognition systems are getting pretty good too. It’s hard to believe …

Citibank ATM – update


This from silicon.com confirms the methodology of accessing Citi ATMs through a merchant server (OfficeMax).

Citibank card fraud – magnetic strip to blame? – Financial Services – Breaking Business and Technology News at silicon.com

Citibank this week admitted that hundreds of its US customers had been affected when hackers broke into the ATM network through a retail store server and stole a “block” of PINs and the keys to decrypt them.

The article goes on to quote an expert, that Chip cards are better than mag stripe. This article makes me still think that it’s a mistake to offer Chip …

Citi fraud case may have begun at a merchant, not ATM skimming


Thanks to Wineboffin for this lead in the Citibank ATM case. This news.com article quotes police in Leominster, Mass here, indicating that it was not ATM fraud, but rather fraud at a merchant, OfficeMax, that compromised the debit cards.

New debit card fraud tied to West Coast case | CNET News.com

“I thought that the thefts may have involved a skimming device installed at local ATMs,” Wolferseder said. “Now I’m following up this OfficeMax connection.”

The story indicates a massive debit card replacement took place recently on the US west coast, that involved several big banks. Two banking sources, speaking …

Citibank – “We don’t care about you!” – a sad customer story


Here is the original customer problem with additional details provided by Citi to the customer. The part that intrigues me is the comment from the Citibank call centre employee regarding "crackers". There must be more about this somewhere, and I will track it down.

ioerror: Citibank – "We don't care about you!"

Citibank refused to tell me any more details beyond saying a group of illegal
crackers had generated a bunch of account numbers and also generated a
bunch of pin numbers.

It all began this way….

I first attempted to use my ATM card at 4:42PM to access $100 from my
checking account. I was at a small local market, not a bank. To my
surprise, the ATM machine rejected the transaction and urged me to
contact my financial institution. The machine also reported on the
receipt "INELIGIBLE ACCOUNT." Thinking I'd merely made a mistake,
perhaps even in balancing my checking account, I attempted to withdraw
the same amount of money from my savings account. I know that I
correctly typed my pin number in but again, I was rejected and urged to
contact my financial institution. I assumed those messages about
rejection were just custom to the machine and there was some issue with
that machine.

At this point, I was pretty sure that something was amiss but I decided
to defer judgment until I'd visited a real bank of some sort. It could
just be the ATM machine I'd used. I walked down the road to a Royal Bank
of Canada and I attempted to use my ATM card again. Having absolutely
zero Canadian cash with me, I was hopeful this would work. Much to my
dismay, it did not. Attempting to withdraw from my checking account
resulted in a similar "INVALID ACCOUNT" message. The same of my savings
account. An attempt to withdraw from my credit card tied to my ATM
account also failed.

Here is the entire account. From a customer perspective this service level is precisely why Banks have a bad reputation. It may not be the customer’s fault, but the opportunity to make this one loyal customer is lost forever now.


Royal Bank of Canada is having similar issues (to Citibank ATM breakdown)


This just gets worse. The common thread seems to be Visa and international network connections – but this Royal Bank problem takes us back to fraud. It says that 65,000 cards have been compromised and cancelled by the issuers. As asked here, "So what’s really going on? Is there a security breach or a vendor issue?" Given there are now two Banks involved, I would suggest there must have been a compromise at a payment / acquirer centre, probably in the US, and there will be more Banks involved before this is over. More to come!

Massive Citibank Alert: UPDATE …

Massive Citibank ATM failure


More on this story .. turns out there is a claim from Citi officials, that it’s a technical network problem and not fraud? The problem is confirmed as affecting access in Canada, UK, and Russia. Yet the Boing Boing story was referring to customers having to have their PIN changed. Seems there is more to this problem, with worldwide Citibank. Citi are not handling this very well … more to come.

Relevance to Bankwatch: Banks are judged more on how they manage and address problems, and lack of transparency makes it worse.

Massive Citibank Alert: UPDATE – Consumerist

They’ve known about …