It's getting tough to even use the services of a bank anymore, this seems to be happening at an alarming rate: 
Banks scramble after cyber-breach
Stolen card numbers could mean millions in losses.
From Citibank to SunTrust, credit unions to community banks, America's financial institutions are scrambling to deal with the biggest cyber-heist of customer debit-card numbers to date.
The huge computer-hacking incident, which took place more than a month ago, has led to potentially millions of dollars in theft by a global ring of hackers using the stolen debit information and personal-identification numbers, industry experts said this week.
In recent weeks, the nation's banks have quietly tried to extinguish the problem by closing hundreds of thousands of debit-card accounts and providing customers new cards, account numbers and PINs, industry officials said.
Exact figures are unknown -- some banks have reported numbers; others have not. It is thought that at least 350,000 accounts across the country were defrauded, involving more than $10 million in losses, according to some experts.
"In terms of financial damage, this is definitely the biggest documented case of debit-card fraud we know of," said Avivah Litan, a banking analyst and online-fraud expert for Gartner Inc., an information-technology research company.
Central Florida's three major banks -- Bank of America, Wachovia and SunTrust -- have acknowledged notifying certain customers about the problem, closing an unspecified number of accounts and issuing new cards and PINs.
The banks said they are closely monitoring the affected accounts for suspicious activity and that a large majority of their customers were not hit by the electronic theft.
Customers whose accounts may have been affected are getting new cards in the mail with letters instructing them to destroy the old ones. Most banks are telling customers that their old cards may have been exposed to fraudulent activity because of a "third-party" security breach.
Kurt Koehler, a Valencia Community College student and part-time house painter, said he got a notice from Bank of America that included a new debit card but said little.
"It was very low key, not a big deal; but it didn't give much information at all, nothing about how it happened or when it might have happened," he said. "And that made me feel even more uneasy."
SunTrust began to take action about four weeks ago after detecting fraudulent charges on some accounts, bank spokesman Hugh Suhr said. Not all customers who were contacted were victims of fraud, he said.
"Our card processor gave us a list of account numbers that might have been compromised," Suhr said. "As a precaution, we've been replacing them in several waves. We're probably in the final wave of that right now."
The financial-services industry's latest security breach came after a series of incidents last year in which more than 50 million account numbers were stolen or misplaced and exposed to potential fraud.
In one case alone, hackers invaded the computers of an Atlanta-based credit-card-processing company, stealing an estimated 40 million credit- and debit-card numbers. The company, CardSystems Solutions Inc., processed card transactions for Visa, MasterCard and all major card brands.
The current case, however, has triggered even more fraud than the CardSystems incident, banking officials said. That's because this time the hackers also captured customer PINs, which made it possible for them to quickly make unauthorized purchases from all over the world and loot accounts from any automated-teller machine.
Banks are trying to find out who's responsible for the breach, said Doug Johnson, counsel for the American Bankers Association. The evidence suggests that it occurred in the retail sector, not the banking system, he said.
"We believe there's a retailer at the end of this chain that was improperly storing PIN-number information in their computer database," Johnson said.
Last month, Visa issued a warning that identified office-supply retailer OfficeMax Inc. as a source of the breach. OfficeMax denied involvement.
Litan, the Gartner analyst, said the source of the problem is more likely a third-party transaction processor that works electronic transactions for a number of retailers. Technically speaking, it is more likely the hackers captured the PIN data as it was speeding through the third-party computers, she said.
Whatever the source, Litan said the banks are being more proactive than ever in dealing with this case. In past breaches, many banks were hesitant to notify customers and reissue cards until actual fraud occurred, she said.
"When you're talking about debit fraud that involves the use of PINs, the banks are required to absorb those losses," Litan said. "With credit-card fraud and debit fraud involving signatures, the losses are eventually shifted to the retailers. That's why the banks have been taking action so quickly this time."
Law-enforcement agencies have also focused on the financial sector's latest security breach. Although the hacker ring is thought to be based in eastern Europe, authorities last month arrested 14 people from New York to Georgia on charges of buying stolen debit-card data, creating counterfeit cards and using them to make fraudulent purchases. Several suspects have already pleaded guilty.
Information from the Knight-Ridder Tribune wire service was used in this report. Richard Burnett can be reached at 407-420-5256 or
rburnett@orlandosentinel.com.
Login
FAQ
Search
