Wave of ATM fraud indicates criminals have upped the ante
By Bob Sullivan
Updated: 2:00 p.m. ET March 9, 2006
With consumers around the country reporting mysterious fraudulent account withdrawals, and multiple banks announcing problems with stolen account information, it appears thieves have unleashed a powerful new way to steal money from cash machines.
Criminals have stolen bank account data from a third-party company, several banks have said, and then used the data to steal money from related accounts using counterfeit cards at ATM machines.
The central question surrounding the new wave of crime is this: How did the thieves manage to foil the PIN code system designed to fend off such crimes? Investigators are considering the possibility that criminals have stolen PIN codes from a retailer, MSNBC has learned.
The incident calls into question the security of the four-digit code that for years has made PIN-based transactions less subject to fraud than signature-based credit card transactions.
"This is the absolute worst hack that has happened, the biggest scam to date," said Gartner analyst Avivah Litan.
In recent weeks, Bank of America, Wells Fargo, Washington Mutual and Citibank have all reissued debit cards after detecting fraudulent activity. Smaller banks, such as Ohio-based National City Bank and Pennsylvania-based PNC Bank, have taken similar steps.
Consumers complain around the country
In the meantime, complaints from consumers who say thousands of dollars have gone from their accounts continue to multiply. Police in Erie, Pa., say they've taken reports from dozens of residents. There are more than 100 reports of fraud in Las Cruces, N.M. In Western Massachusetts, after mounting complaints, including 147 compromised accounts at the Fitchburg Municipal Employees Federal Credit Union, the state Consumer Affairs Office issued a warning about debit card fraud.
The tales of theft are consistent and disturbing.
"Last week, I was online paying some bills and noticed several ATM transactions from Toronto, Blainville ...," wrote Dana Lark of Naples, Fla., to MSNBC.com. "By the time I called my bank and reported the problem, they had gotten $1,300 of my money. I told my husband to check his business account, which has an ATM card tied to it, and he found over $1,500 of unauthorized charges from those same places and also Bulgaria."
Financial institutions around the country continue to issue warnings, the most recent this week by Citibank, which said it had spotted fraudulent withdrawals from U.S. accounts made in Canada, the United Kingdom and Russia.
Regulation E protects consumers when they are hit by electronic financial fraud
Consumers have well-defined rights with respect to fraudulent electronic transfers, and should generally be able to obtain refunds with little hassle. The rights are spelled out in what's known as "Reg-E," or the Federal Reserve Board's Regulation E. The Fed was authorized to draw up the regulation by the Electronic Funds Transfer Act of 1979. The regulation covers all manner of transfers into and out of bank accounts outside of paper checks, including the use of debit cards. It does not cover credit card transactions.
In each case, the banks have blamed a third-party company — in some cases, more specifically identified as a merchant or retailer. Speculation has been rampant that the source of the stolen data is office supply store OfficeMax, starting with an article last month in the San Francisco Chronicle indicating 200,000 account numbers had been stolen from the firm. OfficeMax denies it's to blame.