
Debit card thieves get around PIN obstacle



The Secret Service is investigating the incidents, said spokesman Eric Zahren. He stressed that the agency is studying potential data leaks "that involve a number of retailers."

Why debit cards and PINs are now targeted
But the key question surrounding the attack is this: How did the thieves get the PIN codes they needed to perform ATM withdrawals?

It's typical for thieves to take credit card numbers and attempt purchases — but that's risky business. It takes effort to turn stolen merchandise into money. Debit card account information, combined with PIN codes, makes a much better mark. Criminals can just go to ATMs anywhere in the world and walk away with cash. They don't even have to interact with store cashiers, making so-called "white card" fraud — creation of counterfeit cards, often plain white, loaded with stolen data — easy.


But getting consumer PINs has always been a hurdle. At times, criminals have resorted to drastic measures such as using miniature cameras or other technologies to steal PINs one at a time.  But the sheer number of stolen accounts linked to the latest data theft suggests there must be another method.

On Thursday, Litan will release a report indicating she believes the PIN information was stolen in bulk, at the same time the account information was stolen.

Stealing PINs sharply ups the ante in the cat-and-mouse games between criminals and banks. 

Litan says many merchants incorrectly store PIN information they should be destroying after customers enter the secret code on PIN pads in stores around the country. While the information is often encrypted into something called a PIN block, the keys necessary to decrypt the information are often stored on the same network, she said. That makes stealing the PINs as easy as breaking into an office computer using a password a careless employee has taped to the screen.

"Once the thieves have a cardholder's PIN, they have enough data to create and use counterfeit cards to withdraw cash at ATM machines," Litan said. In her report, she says careless PIN storage by retailers is to blame for the recent spate of ATM fraud, including Citibank's troubles.

“But in defense of (the retailer), it’s just using payment software and probably doesn't even know what's in there,” she said. “The software is storing PINs just because it can. No one is paying attention to this stuff, it's deep in the software.”

Surprise: Merchants keep your PIN
None of the banks involved would discuss how the criminals managed to get customer PINs. But a researcher familiar with the investigation, who asked for anonymity because he said he wasn't authorized to speak publicly, confirmed that Litan's description is the operating theory on the recent rash of debit card fraud.

Several banks have made clear in their announcements that PINs were stolen and used to make fraudulent withdrawals. In its announcement this week, Citibank said specifically it had locked out suspect cards from PIN-based transactions, after there were "several hundred fraudulent cash withdrawals" in Canada, the United Kingdom and Russia.

