"Somebody had to help [hackers] get the [PIN encryption] key," said Litan. "I don't think that part of it was hacked."
Most theories of the debit card breach maintain that an encryption key necessary to unlock the PINs was also stolen. Because the PIN was probably secreted away in a different network location than the debit card account data, Litan believes an insider handled that part of the crime.
Unfortunately, the real criminals may never be found even though more than a dozen people were arrested last week in New Jersey and charged with using stolen credit and debit card data to counterfeit cards.
"They're just the lackeys, not the brains behind this," Litan said. "They're not going to lead you to the organized criminals."
She estimated that there are at least 30 gangs worldwide sophisticated enough to pull off such a heist. "They sub out parts of the work, whether to petty criminals for counterfeiting the cards or to crack addicts to pull the money from ATMs."
To stymie such breaches, Litan urged banks and card associations like Visa to adopt the same kind of back-end fraud detection systems currently used to spot suspicious credit card purchases.
"The only way to lick this is to have fraud detection across the board. First you have to spot [illegal activity], then you have to go back to the user and re-authenticate," she said, to pin down whether the purchases or cash withdrawals were legitimate.
"They need to do for the banking and asset side what they've been doing for the credit card side," Litan recommended.
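The "spot it, then go back to the user and re-authenticate" loop Litan describes is what a back-end fraud detection system does on the card side. The following Python example is added here to illustrate it and is not code from the article or from any bank or card network: a small rules engine scores each debit transaction against the account's own history (ATM cash-out velocity, impossible travel between two in-person events, amount far above the account's baseline), puts the account on hold when a rule trips so no more money leaves, and releases the hold only after the customer confirms. All thresholds, account identifiers, coordinates and transactions are constructed for illustration.

```python
"""Toy back-end fraud detector for debit/ATM activity (added example, not from the article).

Thresholds, the account baseline and every transaction below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds; a real deployment tunes these per card portfolio.
MAX_ATM_PER_HOUR = 3      # this many or more ATM withdrawals in the trailing hour is a cash-out pattern
MAX_TRAVEL_KMH = 900.0    # faster than this between two in-person events is "impossible travel"
AMOUNT_MULTIPLIER = 5.0   # a single amount above N x the account's average is anomalous


@dataclass
class Txn:
    account: str
    ts: datetime
    amount: float
    kind: str      # "atm" (cash withdrawal) or "pos" (point-of-sale purchase)
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def suspicious_reasons(history, txn, baseline_avg):
    """Return the rules this transaction trips, given every prior attempt seen on the account.

    Held attempts stay in the history on purpose: a burst of attempts is itself a signal.
    """
    reasons = []
    prior = [h for h in history if h.account == txn.account]
    # 1. Velocity: repeated ATM withdrawals inside one hour.
    if txn.kind == "atm":
        recent_atm = [h for h in prior if h.kind == "atm" and txn.ts - h.ts <= timedelta(hours=1)]
        if len(recent_atm) >= MAX_ATM_PER_HOUR:
            reasons.append("atm_velocity")
    # 2. Impossible travel: the physical card cannot be in two distant places so soon.
    if prior:
        last = max(prior, key=lambda h: h.ts)
        hours = (txn.ts - last.ts).total_seconds() / 3600.0
        km = haversine_km(last.lat, last.lon, txn.lat, txn.lon)
        if km > 0 and (hours <= 0 or km / hours > MAX_TRAVEL_KMH):
            reasons.append("impossible_travel")
    # 3. Amount anomaly relative to the account's own baseline.
    if txn.amount > AMOUNT_MULTIPLIER * baseline_avg:
        reasons.append("amount_anomaly")
    return reasons


@dataclass
class FraudEngine:
    baselines: dict                          # account -> average transaction amount (constructed)
    history: list = field(default_factory=list)
    on_hold: set = field(default_factory=set)

    def process(self, txn):
        """Score one transaction and return (decision, reasons)."""
        reasons = suspicious_reasons(self.history, txn, self.baselines.get(txn.account, 0.0))
        self.history.append(txn)
        if txn.account in self.on_hold:
            return "held_pending_reauth", reasons      # nothing leaves until the customer is reached
        if reasons:
            self.on_hold.add(txn.account)              # spot it, then stop the money and ask the user
            return "reauthenticate", reasons
        return "allow", reasons

    def reauthenticate(self, account, customer_confirmed):
        """Outcome of going back to the customer; returns True if the account is released."""
        if customer_confirmed:
            self.on_hold.discard(account)
        return account not in self.on_hold


# Constructed sample: a normal purchase in New York, then a cash-out run in Los Angeles.
NYC = (40.71, -74.01)
LA = (34.05, -118.24)
T0 = datetime(2006, 3, 1, 9, 0)
SAMPLE = [
    Txn("acct-1", T0, 45.0, "pos", *NYC),
    Txn("acct-1", T0 + timedelta(hours=1), 200.0, "atm", *NYC),
    Txn("acct-1", T0 + timedelta(hours=1, minutes=5), 200.0, "atm", *LA),    # ~3,900 km in 5 minutes
    Txn("acct-1", T0 + timedelta(hours=1, minutes=10), 200.0, "atm", *LA),
    Txn("acct-1", T0 + timedelta(hours=1, minutes=15), 500.0, "atm", *LA),   # 3rd ATM in the hour, 500 > 5 x 60
]


def run_sample():
    """Feed the constructed stream through the engine; returns one (decision, reasons) per transaction."""
    engine = FraudEngine(baselines={"acct-1": 60.0})
    return [engine.process(t) for t in SAMPLE]


if __name__ == "__main__":
    for txn, (decision, reasons) in zip(SAMPLE, run_sample()):
        print(txn.ts.time(), txn.kind, txn.amount, decision, reasons)
```

The third transaction is the first one the engine refuses, on impossible travel alone; from then on the account is held, so the later withdrawals are reported with their own reasons but never reach the "allow" path until `reauthenticate` is called with the customer's confirmation. The same structure applies to the credit card side Litan refers to; what changes between the two is only the rule set and the thresholds.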
Even then, putting the brakes on the growing problem of debit card theft may be tough. There are, on average, eight entities between a retailer and a bank involved in processing debit card payments. "The security of consumer PINs is dependent on all these getting it all straight."
Nor is the chip-and-PIN solution adopted in the U.K. -- where the credit or debit card is actually a smart card with an embedded chip and the PIN only unlocks that security chip -- likely to make its way across the Atlantic.
"There are just too many banks and too many retailers in the U.S. to change everything," said Litan. "It would cost billions to upgrade to chip-and-PIN."
"They have to stop money from leaving accounts, that's the only way."