Debit card breach
Note: Correction added 3/17
Someone has stolen not only a whole heck of a lot of debit-card numbers, but also the PINs that go along with them, forcing a list of banks to cut off access to those accounts until they reissue cards, or in some cases to simply send customers new debit cards before those accounts can be compromised.
Affected so far are at least Bank of America, Citibank, National City Bank (Ohio), PNC Bank (Pennsylvania), Washington Mutual, and Wells Fargo.
What makes this event so scary for banks — and, of course, customers — is that the data thieves have cracked into the PINs. We’ve all heard of credit-card numbers being stolen, but not debit cards and access codes.
See, the magnetic stripe on your debit card contains your bank and account information as well as the PIN for that card. (It’s encrypted, of course.) When you pop it into an ATM and enter your PIN, the ATM verifies that what you punched in matches what’s on the card. If it does, it will contact your bank to make sure you have enough money for your withdrawal. encrypts your PIN and sends it to a payment processor, which decrypts it and verifies with the bank that the PIN is correct and that you have enough money to cover the purchase.
Somewhere in the giant financial system that connects consumers, merchants, payment processors, and banks there was a data breach. But no one is talking about where it was.
Informed speculation is pointing to Wal-Mart, its subsidiary Sam’s Club, as well as Office Depot (or OfficeMax in some reports). That’s because some merchants’ systems store customers’ PINs when they choose “Pay with Debit Card” at the checkout. They shouldn’t store that, but they apparently do.
The problem first reared its ugly head in February, when the Modesto Bee reported that “Thousands of debit cards have been canceled and replaced in recent weeks after banks discovered security problems.”
But it really hit the big time when Citibank customers who used their ATM cards in Canada, Russia, or the U.K. found those cards cancelled by the bank when it discovered there was a security problem. It didn’t explain to those customers what had happened except to say there was a security breach.
Avivah Litan, a Gartner researcher, then weighed in, writing, “Gartner believes that these combined bank actions reflect the largest PIN theft to date — and point to a new wave of ‘PIN block’ card fraud.”
Is your bank worried? If you suddenly get a new ATM card even though yours isn’t due to expire, then yes. Ditto if you got a sudden upgrade to a gold debit card, or if you were switched from, say, Visa to Mastercard.
The FBI is apparently investigating, and chances are this isn’t the last you’ll hear of this. You can read more about it at BoingBoing.

Leland says:
It is ironic that Wal-Mart, who changed their policy to force debit card users to use the card with the PIN code, is the source of this headache. Two or three years ago when the blue vested minions attempted to force their policy on me, I wondered about the security of my PIN code. (I believe this particular ration of idiocy came from an economic standoff over the size of the bite Mastercard took off every sale.)
I am pleased to announce that Wal-mart has never had a shot at losing my PIN number. On that first day and from that day forward if I really feel the need to use plastic at a Wal-Mart store, they get the American Express card. No skin off my nose, but if I remember right, Amex’s bite is roughly double the rest.
Great move Wal-Mart! You rock!