rapidly growing areas of opportunity for card issuers in North
America. But the cards are also the targets of increasingly
sophisticated criminals who, if unchecked, hold the potential to
severely damage consumer confidence. Charles Davis
The meteoric rise of the use of debit cards in the US masks an
increasingly disquieting downside: the more the card numbers grow,
the higher the fraud incident rate.
According to the 2007 debit card market study by electronic
funds transfer network Pulse EFT Association, debit card fraud
losses in 2005 (the latest available data) totalled $662 million,
21 percent up on the $546 million in 2004. In 2005, PIN debit fraud
at ATMs was $364 million, up 6 percent from $345 million in 2004,
while signature debit losses were up 28 percent to $247 million
from $193 million in 2004. While still relatively rare, PIN debit
fraud at the point of sale grew 163 percent to $21 million in 2005
from $8 million the previous year.
Debit card fraud is a growing concern for issuers, as payments
volume continues to migrate to debit cards. Fuelling the fear is
the fact that today’s debit card fraud employs increasingly
sophisticated methods, and that the scams are being used on a
system level rather than individual cardholder level.
Data breaches and other high-profile incidents continue to focus
industry attention on debit card security issues.
The latest massive breach involved TJX, the parent company of
T.J. Maxx, Marshalls and other retailers, which revealed in a 30
March regulatory filing with the US Securities and Exchange
Commission (SEC) that data on more than 45 million credit and debit
card users was stolen and sold to fraudsters. The company has not
yet said whether it knows how the breach occurred, but many IT
professionals in the trade press suspect that TJX was a victim of
‘wardriving’ – the practice of driving around with a laptop and
antenna to detect wireless access points and assess how they are
When a global positioning system receiver is added, a map can be
made of the different access points. A telescope antenna lets
wireless poachers attack their targets from miles away; they don’t
even have to be sitting in the store’s parking lot.
In one of the cases, a ring of thieves was foiled at a Wal-Mart
store in Gainesville, Florida when police apprehended them
attempting to use gift cards that had been converted from stolen
TJX credit card account numbers. It is estimated that up to $8
million was loaded onto gift cards purchased at Wal-Mart and Sam’s
Club retail locations in Florida. The full scope of the impact has
not been fully determined outside Florida.
Experts said that it’s likely that the cyber attacker or
attackers who stole millions of customer records from TJX stumbled
across a vulnerable store location while staking out a shopping
centre from a car.
A recent study by research company Tower-Group stressed the
vulnerability of store-branded gift cards, particularly their
anonymous nature, as offering a vulnerable target for criminal
activity. A number of US and Canadian agencies have also cited the
anonymity of prepaid gift cards as a potential risk for money
laundering and tax avoidance.
Meanwhile, the fallout from the breach continues for TJX. The
company is now facing investigations by several government
agencies, including the Federal Trade Commission, a multi-state
group of 30 attorneys general and two Canadian privacy groups. TJX
is co-operating with each of these investigations, according to the
company’s SEC filing.
The SEC filing also lists 18 lawsuits banks and consumers have
brought against TJX.
Banks forced to reissue cards
Hard on the heels of the TJX breach came a second major fraud
event, this one in Canada, which resulted in debit cards issued by
the Bank of Montreal, Royal Bank of Canada and CIBC being frozen
for several days after Winnipeg police apprehended a pair of fraud
suspects. Authorities recovered $105,000 in cash and over 100 debit
There is no question that data breaches are taking a toll on
debit card issuers. A survey by trade association America’s
Community Bankers found that data breaches have forced 91 percent
of its more than 1,000 member institutions to reissue cards, the
majority of which were debit cards. Seventy-one percent reported
that they had to reissue cards three or more times over the past 24
To fight fraud, issuers are implementing neural-network
technology to look for unusual transaction activity, and some are
beginning to score PIN and signature debit transactions to protect
against evolving fraud tactics, Pulse said.
The stakes are huge: according to a recent survey by Javelin
Strategy & Research of more than 1,200 consumers, 77 percent
said they would discontinue shopping at merchants that suffered
major data breaches. Some 85 percent of respondents said they would
prefer to reward companies that avoid major incidents by giving
them more of their business.
Technology fights back
The answer may well lie with card technology vendors, which
already are offering novel ways to combat debit card fraud.
One potential answer could come from payment systems developer
Innovative Card Technologies (ICT). It has announced a partnership
with Activ-Identity, a security vendor, that will allow issuers to
offer customers security tokens embedded within payment cards. The
one-time-password token technology generates a numerical pass code
that quickly expires, so it cannot be reused if a criminal manages
to steal the number. By adding token technology to payment cards,
ICT’s solution overcomes the hurdle of external hardware, removing
a major obstacle to tokens among consumers.
Despite the growing fraud issue, the Pulse study found that the
volume of debit card transactions grew at 18 percent in 2006. That
rate is expected to slow to 16.8 percent this year, but still
represents heady growth and – if fraud has any relationship to
transaction volume – continued headaches for issuers.
Look for US debit issuers to devote significantly more time and
money to the fraud problem, which now threatens the viability of
debit like never before. Wary consumers are watching closely for
signs that the industry will stay ahead of the issue. Consumer
activists already are warning consumers about using debit cards at
all: the Federation of State Public Interest Research Groups, a
consumer advocacy body, has called for shoppers to use credit cards
for all purchases until steps are taken to better fight fraud.