Visa's Blaming Of Fujitsu In Debit Card PIN Breach Draws Ire

One Gartner analyst suggested the PIN problem was probably a combination of an inside job and outside hacking help, and estimated that there are at least 30 gangs worldwide sophisticated enough to pull off such a heist.

Gregg Keizer, Contributor

March 21, 2006

4 Min Read

Visa's fingering of Fujitsu-made software for allegedly storing confidential customer data, including PINs, is a "cheap shot," said an identity theft analyst Monday.

Last week, Visa warned retailers that two point-of-sale (POS) programs produced by Fujitsu Transaction Solutions, Inc., a Texas-based subsidiary of Japan's Fujitsu Ltd., could be storing debit card PINs in violation of credit and debit card rules.

Although Visa would not confirm that it had named Fujitsu's RAFT and GlobalStore software, Fujitsu Transaction's chief operating officer, Ed Soladay, acknowledged that his company's products were the focus of the Visa alert.

"I wish we could have talked [with Visa] before the alert came out," said Soladay. "Our software doesn't capture PIN data, and anything in clear text is encrypted," he said in rebutting Visa's allegations that RAFT and GlobalStore put retail customers' bank accounts at risk.

Visa's charges and Fujitsu's denial are notable because both came on the heels of a debit card breach that has exposed an estimated 200,000 bank accounts to criminals who, armed not only with the magnetic stripe data but also the necessary PINs, have pillaged accounts.

The two events are no coincidence, said Avivah Litan, a Gartner research vice president and identity theft expert. "They're definitely linked," she said.

But although she's "89 to 90 percent certain" that the breach or theft involved Fujitsu's software, Litan called out Visa for naming names without all the facts. "I think it's a cheap shot to blame Fujitsu. It makes sense that the problem is at the point-of-sale environment, but I think it's probably much more likely that it was an add-on package's [fault]," Litan continued. "Likely some customized code. I can't imagine that Fujitsu's software would be keeping PINs."

Fujitsu Transaction's Soladay seized on Litan's take to point the blame elsewhere. "Retailers often use tracers, programs that can capture all kinds of data, during pilots," said Soladay, "and sometimes they forget to remove them when they go live. We recommend that retailers never use a tracer in a live environment, simply because the data could be at risk.

"I think it's a good assumption [that if PINs were stored], they were captured by a tracer."

So far, two major retailers -- Sam's Club and OfficeMax -- have dominated the reports which have named common retailers among the consumers whose accounts have been sacked. OfficeMax has vehemently denied a breach, going so far last week to release a statement claiming that an independent audit cleared the company. While Litan's sources haven't named any one retailer, she's convinced that the problem was at the retailer level, and that it was probably a combination of an inside job with outside hacking help.

"Somebody had to help [hackers] get the [PIN encryption] key," said Litan. "I don't think that part of it was hacked."

Most theories of the debit card breach maintain that an encryption key necessary to unlock the PINs was also stolen. Because the PIN was probably secreted away in a different network location than the debit card account data, Litan believes an insider handled that part of the crime.

Unfortunately, the real criminals may never be found even though more than a dozen people were arrested last week in New Jersey and charged with using stolen credit and debit card data to counterfeit cards.

"They're just the lackeys, not the brains behind this," Litan said. "They're not going to lead you to the organized criminals."

She estimated that there are at least 30 gangs worldwide sophisticated enough to pull off such a heist. "They sub out parts of the work, whether to petty criminals for counterfeiting the cards or to crack addicts to pull the money from ATMs."

To stymie such breaches, Litan urged banks and card associations like Visa to adopt the same kind of back-end fraud detection systems currently used to spot suspicious credit card purchases.

"The only way to lick this is to have fraud detection across the board. First you have to spot [illegal activity], then you have to go back to the user and re-authenticate," she said, to pin down whether the purchases or cash withdrawals were legitimate.

"They need to do for the banking and asset side what they've been doing for the credit card side," Litan recommended.

Even then, putting the brakes on developing debit card theft may be tough. There are, on average, eight entities between a retailer and a bank involved in processing debit cards payments. "The security of consumer PINs is dependent on all these getting it all straight."

Nor is the chip-and-PIN solution adopted in the U.K. -- where the credit or debit card is actually a smart card with an embedded chip and the PIN only unlocks that security chip -- likely to make its way across the Atlantic.

"There are just too many banks and too many retailers in the U.S. to change everything," said Litan. "It would cost billions to upgrade to chip-and-PIN."

"They have to stop money from leaving accounts, that's the only way."

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights