Monday, March 13, 2006

Losses Could Top $1 Billion in PIN Debit Fraud

The widening damage from the unfolding debit card hacking incident is challenging the conventional wisdom that PIN-based debit cards are inherently more secure than credit cards, which rely on signatures—though it still doesn’t make a case for chip cards. That’s according to one expert whose latest estimates are that this latest breach has so far affected far more than half a million cards and could cost consumers or their banks more than $1 billion.

Through the use of magnetic-stripe systems such as card-verification values and a host of back-office security improvements invisible to cardholders, the credit card industry has driven down the fraud rate to less than half what it was 15 years ago. Today, the bank credit card fraud rate is only 5 basis points of transaction volume, according to analyst Avivah Litan, research vice president at Stamford, Conn.-based Gartner Inc.

Litan notes that while the latest debit card security compromise probably would not have happened if the cards had been chip-equipped smart cards, that still doesn’t create a business case for an expensive retrofit of the U.S. payment system for smart cards. Such an upgrade would cost billions because card issuers, merchants, and processors have so much invested in mag-stripe technology. “I think the solution is back-end fraud detection,” says Litan.

The recent debit card breach, which Litan estimates has compromised 600,000 cards and has forced at least 20 banks to reissue cards, also shows that PIN-based security is far more vulnerable than generally supposed. Indeed, Litan calls this the worst debit card compromise ever. She estimates direct consumer losses conservatively will be at least $100 million and could go as high as $1 billion or more, based on losses in previous incidents that ranged between $1,000 and $2,000 per account. “In terms of consumer impact, it’s definitely been the worst,” she says, adding that federal investigators are only about halfway through their probe.

Though details are far from complete, Litan and others who have talked to bankers and other informed sources believe computer hackers probably obtained stored card numbers and encrypted data, or so-called PIN blocks, linked to the personal identification numbers of debit cards used for purchases. They also apparently obtained the electronic “keys” that would allow them to decrypt the PIN blocks, and then matched the decrypted PINs with the correct card numbers. Then they were free to make bogus cards and withdraw cash at ATMs, which they did in several countries, until the issuers caught on and blocked the accounts.

A California outlet of Itasca, Ill.-based office-products retailer OfficeMax Inc. has been named in various press accounts as a possible source of the breach, but OfficeMax has consistently denied having knowledge of a compromise, and Litan believes more than one retailer probably is involved.

While they don’t have inside knowledge of the investigation, Bill Pittman, president and founder of Redmond, Wash.-based payment software firm TPI Software LLC, and Andrew Chau, TPI’s chief technical officer, say it is possible that software dubbed “middleware” may have made the breach possible. Middleware is a piece of software containing a master key that can decrypt PIN blocks, according to Chau. Normally such master keys are injected into point-of-sale PIN pads by transaction processors.

But merchants, particularly if they’re going to change processors, sometimes use middleware to store the keys themselves at their corporate headquarters. That saves them the hassle of making changes at individual terminals when changing over to a new processor.

Litan also says that while they’re not supposed to store card numbers and encrypted PIN data, retailers often do. That practice arises not from a deliberate flouting of the rules, but from the longstanding practices of computer programmers, who by nature store all manner of data.

“People store it just because they can,” she says.

Though much about the latest breach is unknown, the apparent theft of decryption keys indicates to payment experts that the hackers may have had help from insiders, or at the very least were extremely knowledgeable outsiders. “I don’t think this was pure luck. This was a sophisticated operation,” says Pittman.

From Digital Transaction News