Debit Card Debacles: Why Consumers Need to Worry About the Recent, Massive Wave of Debit Card Fraud,
And What Legal and Technological Protections Can Prevent Future Harm

Over the past month, as many as 600,000 debit cards may have been compromised in a wave of large scale security breaches. Debit card security problems had been growing: From 2001 to 2003, the number of compromised U.S. debit cards tracked by Fair Isaac for its financial-institution clients doubled; by 2005, that number exceeded 60,000. But this month's developments represented a new level of massive fraud.

Despite protection via personal identification numbers (PINs) - once heralded as a great security feature - the accounts linked to the cards were still looted. (PINs, of course, are needed to make ATM withdrawals and point-of-sale purchases at retailers such as grocery stores.)

In this column, I will discuss how this happened, how it can be prevented from happening in the future.

How Did This Happen?

The current wave of fraud was first detected in early March, when reports of suspicious account activity at major banks such as Citibank, Washington Mutual, Wells Fargo and Bank of America began to appear. Reportedly, debit cards linked with those U.S. accounts was being used to withdraw cash in Canada, Russia and the U.K. - cleaning out accounts without the cardholders' knowledge. This means that thieves were able to create forged duplicate cards; using a PIN without a card, of course, does no good.

How did the thieves get consumer information in the first place? Reports indicate that the problem probably stemmed from a security breach at a major office supply retailer - one that reportedly (and perhaps unwittingly) uses cash register software that stores customer PINs.

This was not supposed to happen: It is against MasterCard and Visa rules for merchants to retain sensitive debit card information, such as mag-stripe data (the information on the back stripe of the card) or PIN numbers. Indeed, merchants who store such information can be fined by the companies, by agreement - for they may have made customers sitting ducks for fraud.

In connection with the recent wave of fraud, two versions of cash-register software made by Fujitsu Transaction Solutions are now under scrutiny -- according to a warning Visa issued to the companies that process card transactions for some of the nation's largest retailers.

Assuming the software did store the PINs, the thieves still would have had to access the system - through a hack, or through interception while the transactions were being processed. In either case, the thieves likely would have had to obtain an encryption key (though another hack or an inside job).

And even once the thieves had captured the PINs, they would also need mag stripe data to be able to forge the cards. Such data can be copied via a practice known as "skimming": installing copying software at ATM machines or point-of-sale terminals. (In the recent round of fraud, experts suspect the skimming occurred at point-of-sale terminals.)

What Legal Protections Are Needed When Debit Card Fraud Occurs?

Typically, consumers are fully protected when they suffer losses as a result of the unauthorized use of their debit cards or debit card numbers. Of course, the discovery of the theft is stressful and annoying - and other transactions may be interrupted once the account is cleaned out. But in the end, at least, consumers typically get their money back, along with a new card. For instance, MasterCard- and Visa-branded debit cards will likely carry a $0 or $50 liability policy.

Still, legal protections could be improved - in case some companies' policies might diverge from those of Mastercard and Visa. Currently, credit card holders get more legal protection than debit card holders when it comes to fraud.

For example, initial liability for loss with a credit card or a debit card begins at $50, under federal law. But a credit cardholder's liability for unauthorized use is capped at $50 - period. By contrast, with debit cards, the loss can rise to $500, 2 days after a cardholder learns of the fraud, and then can be potentially unlimited, if a cardholder does not read his or her bank statement and report errors within 60 days of being sent a statement. (Indeed, with electronic statements now available, a company might argue that a consumer has 60 days from the date of the first unauthorized transaction to make a report, or risk potentially unlimited liability.)

It's possible legislators left debit card holders exposed because they reasoned that the only way their accounts could be cleaned out is if they were careless with their PINs. But the recent massive wave of fraud - which affected consumers who'd done nothing but type their PIN in as required - shows that the assumption that the card holder is negligent is incorrect.

Are Technological Fixes Needed Too? And Should They Be Mandated By Law?

One answer to the fraud issue may be better technology. And there is a more secure debit card technology, currently available to consumers in Europe - "chip and PIN cards." These cards feature an embedded chip that stores information such as a PIN. It is currently not possible to duplicate such a chip.

Experts argue, however, that given the huge U.S. debit card network (much larger than Europe's), it would be too burdensome for retailers to have to switch to new types of technology to validate debit card transactions. Still, it's possible debit card issuers will force the switch - or even that Congress and/or federal regulators could mandate (or at least recommend) it.