Now this is scary. Bank of America and the NC State Employees Credit Union are among the institutions that have acted to stop a seeming wave of debit card fraud. Those institutions, along with several others, have either moved to block certain transactions in certain areas around the globe or totally reissued debit cards to customers.

The Credit Union, for example, just undertook a massive re-issue effort:

[SECU] over the past two weeks has reissued more than 27,500 debit cards after being told by Visa U.S.A. Inc. of a security breach involving a U.S. retailer.

According to Leigh Brady, senior vice president at the credit union, many of the compromised debit cards were being used fraudulently in several countries, including Romania, Russia, Spain and the U.K. “This is the largest [card reissue] we’ve had in quite a while,” Brady said.

In an advisory this week, analyst firm Gartner Inc. said the combined bank actions “reflect the largest PIN theft to date and point to a new wave of ‘PIN block’ card fraud.”

Avivah Litan, author of the Gartner report, said that PIN-based fraud schemes involve hackers somehow gaining access to the encrypted PIN data that is sent along with card numbers to processors that execute PIN debit transactions. The thieves also steal terminal keys used to encrypt PINs, which are typically stored on a retailer’s terminal controllers, she said. The encrypted PIN information, together with the key for decrypting it and the card numbers, allows criminals to make counterfeit cards, she said.

Ideally PIN numbers would be something you could quickly and regularly change, but that would create security problems of its own.