March 13, 2006 7:20 PM PST
Prosecutor: Debit card crime ring busted
- Related Stories
-
FBI widens probe of debit-card theft
February 22, 2006 -
Congressman wants retailer ID'd in data breach
February 15, 2006 -
FBI makes connections in data breach case
February 10, 2006
Law enforcement officials in New Jersey have arrested 14 people in connection with a crime spree that has forced banks across the nation to replace hundreds of thousands of debit cards.
The suspects, all U.S. citizens, are accused of using stolen credit and debit card information to produce counterfeit cards that were used to make fraudulent purchases and withdrawals from card-holder accounts, Hudson County Prosecutor Edward DeFazio said. Most of the arrests were made during the past two weeks.
Some of the stolen credit card information came from the office-supply chain OfficeMax and other businesses, DeFazio told CNET News.com on Monday. "We had cooperation from the security people from many victimized businesses," he said.
Credit-card issuers Visa and MasterCard have blamed a growing number of thefts from debit-card holder accounts--in areas ranging from San Francisco to Boston--on a security breach suffered by a merchant, but they've refused to identify the company.
In the past two weeks, police conducting investigations in some of the regions hit by the fraud have discussed finding links between the victims and Itasca, Ill.-based OfficeMax, which has repeatedly denied suffering a breach. An OfficeMax representative was not immediately available for comment Monday.
Regardless of who is responsible for losing the data, the case could undermine the public's faith in debit cards, analysts say. While this isn't the first theft of debit cards, this is the first time thieves have snatched thousands of PIN codes, Gartner Research Director Avivah Litan said.
"This is the worst hack to date," Litan said. "All the other hacks were trying to get to this hack. All the previous hacks were leading up to finding a way into your bank account. For the criminal, this is the pot of gold."
Turning credit cards into cash is time consuming and costly for crooks, Litan said. With stolen credit-card data, thieves are forced to first buy goods and then fence the merchandise in order to generate cash.
"With this kind of debit-card fraud, they can go straight to the cash," Litan said.
An informant tipped off the Hudson County Sheriff's Department to the 14 who were arrested, DeFazio said, adding that the group has ties to criminal gangs residing overseas. Victims in the United States have reported discovering unauthorized charges or withdrawals in such places as Great Britain, Pakistan, Romania and Spain.
Hudson County sheriff's deputies launched their six-month investigation last June. Working with the New York City Police Department, sheriff's deputies began making arrests in December after finding the machinery allegedly used to create fake cards in a Manhattan commercial district.
As part of their investigation, Hudson County detectives served arrest and search warrants in Georgia, Massachusetts, South Carolina and Florida, DeFazio said.
"This was a sophisticated network," he said. "These guys have been around. It looks like they figured this was a safer way to generate cash, safer than dealing drugs or other crimes."
One of the accused ring leaders, Frank Robertson, was arrested last December and has already pled guilty to several fraud counts, DeFazio said. Robertson faces up to 15 years in prison when he is sentenced, DeFazio said. At the time of his arrest, Robertson was on parole for other credit-card fraud convictions, said DeFazio.
See more CNET content tagged:
debit card, OfficeMax Inc., prosecutor, arrest, sheriff
20 comments
Join the conversation! Add your comment (Log in or register)
As a software-developer who works with e-commerce applications, the very thought of retaining this type of information scares me. I know that NO security-system is truly secure. I also know that security, in a lot of cases, can only be as good as the developer(s) implementing a security scheme. Thus, ALL of my payment-systems NEVER retain information that could lead to a problem like this. Credit card numbers, expiration dates, social security numbers, etc, are all discarded as soon as they've been used to authorize a payment or confirm an identity. They are NEVER even saved. I realize not all applications have the luxuries that mine have in the past. Then again, I've made these points clear with my clients up-front, BEFORE we've even started developing an application.
The flip-side to this concerns the users of a security system, themselves, in this case, a retailer. These retailers SHOULD know better! Not only that, but the retailer in question here is a provider of technology-related products. What a blow to their reputation! As an example of what I've seen clients do, I can't count how many times I've visited a client of mine, only to see their passwords clearly written on sticky-notes, attached to the bottoms of their monitors. An I/T department who hasn't educated their employees well-enough to not do something so STUPID, should also be scrutinized and brought to task, along with the employees themselves.
Security should not only cover electronic access, but physical, and social as well. For a retailer as large as the one mentioned in this article, I find it pathetic and in-excusable that this would be allowed to happen.
As a software-developer who works with e-commerce applications, the very thought of retaining this type of information scares me. I know that NO security-system is truly secure. I also know that security, in a lot of cases, can only be as good as the developer(s) implementing a security scheme. Thus, ALL of my payment-systems NEVER retain information that could lead to a problem like this. Credit card numbers, expiration dates, social security numbers, etc, are all discarded as soon as they've been used to authorize a payment or confirm an identity. They are NEVER even saved. I realize not all applications have the luxuries that mine have in the past. Then again, I've made these points clear with my clients up-front, BEFORE we've even started developing an application.
The flip-side to this concerns the users of a security system, themselves, in this case, a retailer. These retailers SHOULD know better! Not only that, but the retailer in question here is a provider of technology-related products. What a blow to their reputation! As an example of what I've seen clients do, I can't count how many times I've visited a client of mine, only to see their passwords clearly written on sticky-notes, attached to the bottoms of their monitors. An I/T department who hasn't educated their employees well-enough to not do something so STUPID, should also be scrutinized and brought to task, along with the employees themselves.
Security should not only cover electronic access, but physical, and social as well. For a retailer as large as the one mentioned in this article, I find it pathetic and in-excusable that this would be allowed to happen.
Let the credit card companies deal with the risk since one typically pays for it anyways.
Let the credit card companies deal with the risk since one typically pays for it anyways.
The public has clearly been sold a bill of goods by being encouraged to do paperless banking, online banking, ATM banking, and to use cards of various sorts for retail transactions (Master the possibilities, VISA it's everywhere you want to be). Sure this is good for the banks, because it lowers their transaction costs (they can close branches and layoff tellers), but it clearly creates a huge fraud exposure problem for the public. I will once again repeat my mantra to use cash for any retail purchase of $100 or less. The people who bought their paper, pens, and ink from OfficeMax with cash were not exposed to a security breach. The fewer electronic transactions you do, the less risk you run of becoming a victim. This is the electronic equivalent of avoiding walking through bad neighborhoods. Nowdays one must assume that ALL electronic neighborhoods are bad neighborhoods.
The public has clearly been sold a bill of goods by being encouraged to do paperless banking, online banking, ATM banking, and to use cards of various sorts for retail transactions (Master the possibilities, VISA it's everywhere you want to be). Sure this is good for the banks, because it lowers their transaction costs (they can close branches and layoff tellers), but it clearly creates a huge fraud exposure problem for the public. I will once again repeat my mantra to use cash for any retail purchase of $100 or less. The people who bought their paper, pens, and ink from OfficeMax with cash were not exposed to a security breach. The fewer electronic transactions you do, the less risk you run of becoming a victim. This is the electronic equivalent of avoiding walking through bad neighborhoods. Nowdays one must assume that ALL electronic neighborhoods are bad neighborhoods.
Obviously the info thieves are ultimately to blame but Office Max and any others bear a degree of responsibility for making such a data theft even a possibility. Being stupid, lazy or crooked in not a very good defense of their behavior.
Obviously the info thieves are ultimately to blame but Office Max and any others bear a degree of responsibility for making such a data theft even a possibility. Being stupid, lazy or crooked in not a very good defense of their behavior.
It wasn't until, the episode, was blogged on the internet, and became public knowledge, that some more truthful information was eventual given to persistent irate customers only(but never full disclosure), and the lies from these venerable institutions continued to be issued unabated for the masses!
Question is this if a major bank is willing to insult it's customers over a small security breach involving several million debit cards, then the next question is what else are they also hiding from their customers on a daily basis!
If truth be told, all customers affected should be sent a formal appology letter with a detailed explanation, signed by both the Bank's Chairman of the Board and CEO, as to why their staff were instructed to tell lies on their behalf!
Anything less than that, means they hold their customers in total contempt and will continue to treat them like lambs sent to the slaughterhouse! , and no longer deserve the trust of the cashed up customers, nor to hold their funds anymore!
Oh well, choices, who do you trust when they tell lies and propaganda to cover up the facts?
This new century, appears to be the age, where both fiction and propaganda, is the now common standard method of communication to all customers, by banks and corporporations!
It wasn't until, the episode, was blogged on the internet, and became public knowledge, that some more truthful information was eventual given to persistent irate customers only(but never full disclosure), and the lies from these venerable institutions continued to be issued unabated for the masses!
Question is this if a major bank is willing to insult it's customers over a small security breach involving several million debit cards, then the next question is what else are they also hiding from their customers on a daily basis!
If truth be told, all customers affected should be sent a formal appology letter with a detailed explanation, signed by both the Bank's Chairman of the Board and CEO, as to why their staff were instructed to tell lies on their behalf!
Anything less than that, means they hold their customers in total contempt and will continue to treat them like lambs sent to the slaughterhouse! , and no longer deserve the trust of the cashed up customers, nor to hold their funds anymore!
Oh well, choices, who do you trust when they tell lies and propaganda to cover up the facts?
This new century, appears to be the age, where both fiction and propaganda, is the now common standard method of communication to all customers, by banks and corporporations!