
Debit card thieves get around PIN obstacle


Consumers might be surprised to learn that their PIN numbers are stored by merchants they shop at, and can be stolen from merchants by hackers.

While storing PINs is against network rules, many retailers inadvertently store the information, said Mike Urban, who runs Fair Isaac Inc.'s ATM fraud detection program called CardAlert. It ends up accidentally saved in temporary files and other software nooks and crannies.

"There are so many places along the transaction that the numbers can be," he said. 


Those nooks and crannies worry Urban, who, like Litan, thinks PIN theft — leading to cash machine withdrawals — is the next major trend in fraud.

"There's a shift going on in fraud," he said. "(Criminals) are moving to where the cash is, and moving away from credit."

Urban confirmed that his company is investigating "several large compromises of cards and PIN data."  The number of compromised accounts could easily reach six figures, he said. 

For consumers: Avoid the PIN pad
Litan says consumers concerned about the scam should avoid PIN-based retail transactions, and choose instead to make signature-based, credit-card-style transactions when making purchases with debit or check cards at stores. That means pushing away the PIN pad and signing a receipt instead. Doing so will limit the number of computer systems where a PIN may end up in storage.

"There are so many point-of-sale terminals everywhere, it's hard to know how safe they are," she said.  A sloppy retailer, or a sloppy software provider, could end up leaking the PIN to a criminal. There is no reason for added scrutiny of bank ATM machines, Litan said, which tend to have far stricter security standards.

Debit card theft can be far more severe than credit card theft for consumers. For starters, different consumer protections apply. Account holders are liable for only up to $50 of credit card fraud — but consumers can be liable for the entire balance of their bank account after debit card fraud, according to federal banking regulations. Many banks voluntarily extend credit card-style protection to debit cards, but they are not required to do so.

Moreover, debit/check/ATM card fraud means money is instantly missing from the consumer's account. That can lead to bounced checks and other hassles.  In credit card fraud, consumers generally never lose the money and simply don't pay the bill for the fraud.

Also, while most consumers have multiple credit cards, many only have one cash/debit card.  If the account is suspended, they may not have access to the cash in their primary checking or savings account.

Bob Sullivan is author of Your Evil Twin: Behind the Identity Theft Epidemic

© 2008 MSNBC Interactive

