With consumers around the country reporting mysterious fraudulent account withdrawals, and multiple banks announcing problems with stolen account information, it appears thieves have unleashed a powerful new way to steal money from cash machines.
Criminals have stolen bank account data from a third-party company, several banks have said, and then used the data to steal money from the related accounts using counterfeit cards at ATMs.
The central question surrounding the new wave of crime is this: How did the thieves manage to foil the PIN code system designed to fend off such crimes? Investigators are considering the possibility that criminals have stolen PIN codes from a retailer, MSNBC has learned.
The incident calls into question the security of the four-digit code that for years has made PIN-based transactions less subject to fraud than signature-based credit card transactions.
"This is the absolute worst hack that has happened, the biggest scam to date," said Gartner analyst Avivah Litan.
In recent weeks, Bank of America, Wells Fargo, Washington Mutual and Citibank have all reissued debit cards after detecting fraudulent activity. Smaller banks, such as Ohio-based National City Bank and Pennsylvania-based PNC Bank, have taken similar steps.
Consumers complain around the country
In the meantime, complaints from consumers who say thousands of dollars have gone from their accounts continue to multiply. Police in Erie, Pa., say they've taken reports from dozens of residents. There are more than 100 reports of fraud in Las Cruces, N.M. In Western Massachusetts, after mounting complaints, including 147 compromised accounts at the Fitchburg Municipal Employees Federal Credit Union, the state Consumer Affairs Office issued a warning about debit card fraud.
The tales of theft are consistent and disturbing.
"Last week, I was online paying some bills and noticed several ATM transactions from Toronto, Blainville ...," wrote Dana Lark of Naples, Fla., to MSNBC.com. "By the time I called my bank and reported the problem, they had gotten $1,300 of my money. I told my husband to check his business account, which has an ATM card tied to it, and he found over $1,500 of unauthorized charges from those same places and also Bulgaria."
Financial institutions around the country continue to issue warnings, the most recent this week by Citibank, which said it had spotted fraudulent withdrawals from U.S. accounts made in Canada, the United Kingdom and Russia.
In each case, the banks have blamed a third-party company — in some cases, more specifically identified as a merchant or retailer. Speculation has been rampant that the source of the stolen data is office supply store OfficeMax, starting with an article last month in the San Francisco Chronicle indicating 200,000 account numbers had been stolen from the firm. OfficeMax denies it's to blame.
The Secret Service is investigating the incidents, said spokesman Eric Zahren. He stressed that the agency is studying potential data leaks "that involve a number of retailers."
Why debit cards and PINs are now targeted
But the key question surrounding the attack is this: How did the thieves get the PIN codes they needed to perform ATM withdrawals?
It's typical for thieves to take credit card numbers and attempt purchases, but that's risky business. It takes effort to turn stolen merchandise into money. Debit card account information, combined with PIN codes, makes a much better target. Criminals can just go to ATMs anywhere in the world and walk away with cash. They don't even have to interact with store cashiers, which makes so-called "white card" fraud, the creation of counterfeit cards, often plain white, loaded with stolen data, easy.
But getting consumer PINs has always been a hurdle. At times, criminals have resorted to drastic measures such as using miniature cameras or other technologies to steal PINs one at a time. But the sheer number of stolen accounts linked to the latest data theft suggests there must be another method.
On Thursday, Litan will release a report indicating she believes the PIN information was stolen in bulk, at the same time the account information was stolen.
Stealing PINs sharply ups the ante in the cat-and-mouse games between criminals and banks.
Litan says many merchants incorrectly store PIN information they should be destroying after customers enter the secret code on PIN pads in stores around the country. While the information is often encrypted into something called a PIN block, the keys necessary to decrypt the information are often stored on the same network, she said. That makes stealing the PINs as easy as breaking into an office computer using a password a careless employee has taped to the screen.
"Once the thieves have a cardholder's PIN, they have enough data to create and use counterfeit cards to withdraw cash at ATM machines," Litan said. In her report, she says careless PIN storage by retailers is to blame for the recent spate of ATM fraud, including Citibank's troubles.
“But in defense of (the retailer), it’s just using payment software and probably doesn't even know what's in there,” she said. “The software is storing PINS just because it can. No one is paying attention to this stuff, it's deep in the software.”
Surprise: Merchants keep your PIN
None of the banks involved would discuss how the criminals managed to get customer PINs. But a researcher familiar with the investigation, who asked for anonymity because he said he wasn't authorized to speak publicly, confirmed that Litan's description is the operating theory on the recent rash of debit card fraud.
Several banks have made clear in their announcements that PINs were stolen and used to make fraudulent withdrawals. In its announcement this week, Citibank said specifically it had locked out suspect cards from PIN-based transactions, after there were "several hundred fraudulent cash withdrawals" in Canada, the United Kingdom and Russia.
Consumers might be surprised to learn that their PINs are stored by merchants they shop at, and can be stolen from those merchants by hackers.
While storing PINs is against card-network rules, many retailers inadvertently store the information, said Mike Urban, who runs Fair Isaac Inc.'s ATM fraud detection program, CardAlert. It ends up accidentally saved in temporary files and other software nooks and crannies.
"There are so many places along the transaction that the numbers can be," he said.
Those nooks and crannies worry Urban, who like Litan, thinks PIN theft — leading to cash machine withdrawals — is the next major trend in fraud.
"There's a shift going on in fraud," he said. "(Criminals) are moving to where the cash is, and moving away from credit.”
Urban confirmed that his company is investigating "several large compromises of cards and PIN data." The number of compromised accounts could easily reach six figures, he said.
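The two technical points above, Litan's that a PIN block is only as secret as the key that encrypts it, and Urban's that PIN material gets left behind in temporary files, can be made concrete with a small scanner. The following Python is an added example, not code from the article or from Fair Isaac's CardAlert. It builds and decodes ISO 9564 format 0 PIN blocks (the PIN XORed with the rightmost twelve PAN digits, excluding the check digit) and then sweeps constructed sample log lines for a Luhn-valid PAN sitting next to a 16-hex-character block. Where the block decodes as a clear format 0 block, the PIN is recovered outright; where it does not, it is flagged as a stored (probably encrypted) PIN block, which is still material a merchant should not be keeping. The log format, field names and card numbers are assumptions for illustration; the card numbers are well-known test PANs.

```python
import re

# Constructed sample lines of the kind a POS application might leave in a
# debug or temp file. Field names and layout are assumed for this example.
SAMPLE_LINES = [
    "2006-03-02 14:05:11 txn=8812 pan=4111111111111111 pinblock=041225EEEEEEEEEE amount=45.20",
    "2006-03-02 14:05:12 txn=8813 pan=1234567890123 amount=10.00",  # not Luhn-valid: ignored
    "2006-03-02 14:05:13 txn=8814 pan=5500000000000004 pinblock=A1B2C3D4E5F60718 amount=7.50",
]

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
HEX16_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{16}(?![0-9A-Fa-f])")


def luhn_ok(pan):
    """Return True if the digit string passes the Luhn check (filters out timestamps, txn ids, etc.)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def xor_hex(a, b):
    """Nibble-wise XOR of two equal-length hex strings, returned uppercase."""
    return "".join(f"{int(x, 16) ^ int(y, 16):X}" for x, y in zip(a, b))


def iso0_pan_field(pan):
    """ISO 9564-1 format 0 PAN field: four zero nibbles + rightmost 12 PAN digits excluding the check digit."""
    return "0000" + pan[:-1][-12:].rjust(12, "0")


def encode_iso0(pin, pan):
    """Format 0 clear PIN block: '0' + PIN length + PIN digits, padded with 'F', XORed with the PAN field."""
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    return xor_hex(pin_field, iso0_pan_field(pan))


def decode_iso0(block_hex, pan):
    """Recover the PIN from a clear format 0 block; return None if the block is not a clear format 0 block."""
    clear = xor_hex(block_hex.upper(), iso0_pan_field(pan))
    if clear[0] != "0":
        return None
    n = int(clear[1], 16)
    if not 4 <= n <= 12:
        return None
    pin, pad = clear[2:2 + n], clear[2 + n:]
    if not pin.isdigit() or set(pad) != {"F"}:
        return None
    return pin


def scan(lines):
    """Flag every line where a Luhn-valid PAN appears alongside a 16-hex-char token; try to decode it as a PIN block."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        pans = [p for p in PAN_RE.findall(line) if luhn_ok(p)]
        if not pans:
            continue
        # A 16-digit PAN is itself 16 hex characters, so exclude the PAN tokens.
        blocks = [b.upper() for b in HEX16_RE.findall(line) if b not in pans]
        for pan in pans:
            for blk in blocks:
                pin = decode_iso0(blk, pan)
                findings.append({
                    "line": lineno, "pan": pan, "block": blk, "pin": pin,
                    "status": "clear PIN recoverable" if pin else "PIN block stored (encrypted or other format)",
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f['line']}: pan={f['pan']} block={f['block']} -> {f['status']}"
              + (f" pin={f['pin']}" if f["pin"] else ""))
```

Note what the first finding shows: the XOR with the PAN is formatting, not encryption, so a "PIN block" stored next to its PAN is the PIN. The second finding is the case Litan describes: the block is encrypted, but if the key lives on the same network the outcome is the same once an attacker is inside. The scan above is a data-at-rest check a merchant or assessor can run over log directories, spool files and database dumps; anything it flags should not be there at all.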
For consumers: Avoid the PIN pad
Litan says consumers concerned about the scam should avoid PIN-based retail transactions, and choose instead to make signature-based, credit-card-style transactions when making purchases with debit or check cards at stores. That means pushing away the PIN pad and signing a receipt instead. Doing so limits the number of computer systems where a PIN may end up in storage.
"There are so many point-of-sale terminals everywhere, it's hard to know how safe they are," she said. A sloppy retailer, or a sloppy software provider, could end up leaking the PIN to a criminal. There is no reason for added scrutiny of bank ATMs, Litan said, which tend to have far stricter security standards.
Debit card theft can be far more severe than credit card theft for consumers. For starters, different consumer protections apply. Account holders are liable for only up to $50 of credit card fraud, but under federal banking regulations a consumer's liability for debit card fraud grows the longer it goes unreported, up to the entire balance of the bank account if the fraud is not reported within 60 days of the statement showing it. Many banks voluntarily extend credit card-style protection to debit cards, but they are not required to do so.
Moreover, debit/check/ATM card fraud means money is instantly missing from the consumer's account. That can lead to bounced checks and other hassles. In credit card fraud, consumers generally never lose the money and simply don't pay the bill for the fraud.
Also, while most consumers have multiple credit cards, many only have one cash/debit card. If the account is suspended, they may not have access to the cash in their primary checking or savings account.
Bob Sullivan is author of Your Evil Twin: Behind the Identity Theft Epidemic