News

Komolafe bought identities from theft rings, complete with Social Security numbers and birth dates, according to testimony at his criminal trial in federal court in Pittsburgh in July. He acquired personal information on 68 individuals and used it to open accounts with stolen and bogus checks, then emptied those accounts of money. He was convicted of bank fraud and identity theft.

"These accounts were all opened over the phone or Internet. The banks could have told him to come in with identification cards. He did not have any," said assistant U.S. Attorney Brendan Conway in Pittsburgh. "But there's always a conflict between being customer-friendly and trying to protect people's accounts."

Can't banks and other custodians of card-holders' information do more to protect people's personal data? Yes and no, experts say. Banks and card processors monitor card transactions and use anti-fraud software, but those steps can fall short.

Roughly 3 million Americans were stung by debit card fraud in the year ended July 2003, and about 6.6 million Americans were victims of credit-card fraud in 2002, according to the latest figures from Gartner Inc., a technology analysis firm in Stamford, Conn.

"There is absolutely no limit to the ingenuity of the people doing these schemes," said Jay Foley, co-executive director of the Identity Theft Resource Center, a consumer advocate in San Diego.

"They usually get (card information) from a hotel clerk or some mall employee, offering a free cell phone or TV," said Andrew Richards, a U.S. postal inspector for white-collar crime and former supervisor for the Pittsburgh office of the Financial Crimes Task Force, a multi-agency law enforcer. "But I don't think there's anything more the banks could be doing," the investigator said.

Computer hackers sometimes tap into personal financial data at several points -- including computer servers at credit-card processing firms, as 1,300 Dollar Bank customers in Pennsylvania and Ohio learned in August.

A debit-card data leak at a credit-card processor led the Pittsburgh-based bank to issue new cards and account numbers Aug. 3 to customers in Western Pennsylvania and Ohio. It did so after MasterCard International Inc. informed the bank that cardholders' information may have been compromised.

"Our understanding is the shoe chain, DSW Shoe Warehouse, didn't have proper security of its card information," said Dollar executive vice president Jeffrey Morrow of a notice from MasterCard. "Then, we flagged all the accounts to look at their activity."

Calls to DSW Shoe Warehouse were not returned.

When Dollar later found an odd transaction, it suspended all 1,300 debit card accounts whose information was found at the retailer because of potential fraud, Morrow said. Reissuing the 1,300 cards cost Dollar about $1 apiece. They represent 1.4 percent of Dollar's 90,000 debit-card accounts.

Dollar did not issue new cards immediately after the fraud alert from MasterCard because only card numbers -- not cardholder names and addresses -- were compromised, said Morrow, and that's not enough information to commit fraud. "If they've got the name, address, account number and expiration date, then we issue new cards immediately," he said.

The Federal Trade Commission estimated U.S. businesses in 2002 lost $48 billion from identity theft, largely from stolen credit and debit cards. The Identity Theft Resource Center puts the annual damage at $119 billion.

"We monitor customer card activity on an hourly basis," said PNC Bank spokesman Patrick McMahon. "We generally know about fraudulent purchases before the customer knows and notify them when we believe a fraudulent transaction was made."

McMahon declined to discuss actual fraud occurrences and how or whether PNC prosecuted them. As with other banks, PNC victims are not held liable for fraudulent purchases made with their cards, he said.

"The risk-free thing for the bank to do is close down the old card and issue new ones," said Dollar's Morrow, who noted any fraud losses are borne by the bank. "But that means the customer is without a card for a few days. So that's not something we're quick to do."

The Identity Theft Resource Center's Foley said, "The banks and merchants and credit-card companies are installing lots of software to prevent (cyber fraud) from happening." But he and other experts say no software is perfect or fool-proof.

"Overall, the security side is getting better," said Chenxi Wang, a research professor of electrical and computer engineering at Carnegie Mellon University, and a member of a the university's consortium for cyber security.

"But because systems are so large and fast and have (older) legacy components, it's very hard to update them completely," Wang said. "So, there will be security flaws here and there."

Once a computer programming flaw enables an attacker to gain entry to a data base, the hacker can install a "back door," which is a means of repeatedly accessing the database without entering a password or otherwise being detected, Wang said.

With a card transaction at a store or online, information is transmitted to the card processor and stored in a temporary memory bank. If the system is not purged daily, it can be vulnerable to a hacker attack, Wang said, adding that's especially true if card information is not encrypted.

Computer hackers are sometimes able to access card processors' servers, the central computers where account and transaction information is stored. That's what happened in June with card processor CardSystems Solutions Inc. in Tucson, Ariz., Wang said.

Nearly 40 million holders of Visa, MasterCard and American Express credit cards became vulnerable to fraud when a computer hacker broke into CardSystem's records. The incident included personal data stolen from nearly 100,000 Visa card holders at National City branches in seven states, nearly 1,000 of whom were hit by fraud.

"We suspected something was wrong through normal monitoring of customer account activity," said Bill Bostwick, senior vice president of bank card operations at National City, Kalamazoo, Mich. "It's a matter of trying to keep ahead of fraudsters and where they will try to attack next."

A CardSystems spokesman declined to comment.

Federal authorities continue to investigate CardSystems, said MasterCard spokesman Dave Collett. Meanwhile, MasterCard continues to use CardSystems for processing transactions, and Collett could not say such breaches would not happen again.

• Most Read
• Most E-mailed
• Latest News