March 13, 2006 7:20 PM PST

Prosecutor: Debit card crime ring busted

A correction was made to this story. Read below for details.

Law enforcement officials in New Jersey have arrested 14 people in connection with a crime spree that has forced banks across the nation to replace hundreds of thousands of debit cards.

The suspects, all U.S. citizens, are accused of using stolen credit and debit card information to produce counterfeit cards that were used to make fraudulent purchases and withdrawals from card-holder accounts, Hudson County Prosecutor Edward DeFazio said. Most of the arrests were made during the past two weeks.

Some of the stolen credit card information came from the office-supply chain OfficeMax and other businesses, DeFazio told CNET News.com on Monday. "We had cooperation from the security people from many victimized businesses," he said.

Credit-card issuers Visa and MasterCard have blamed a growing number of thefts from debit-card holder accounts--in areas ranging from San Francisco to Boston--on a security breach suffered by a merchant, but they've refused to identify the company.

In the past two weeks, police conducting investigations in some of the regions hit by the fraud have discussed finding links between the victims and Itasca, Ill.-based OfficeMax, which has repeatedly denied suffering a breach. An OfficeMax representative was not immediately available for comment Monday.

Regardless of who is responsible for losing the data, the case could undermine the public's faith in debit cards, analysts say. While this isn't the first theft of debit cards, this is the first time thieves have snatched thousands of PIN codes, Gartner Research Director Avivah Litan said.

"This is the worst hack to date," Litan said. "All the other hacks were trying to get to this hack. All the previous hacks were leading up to finding a way into your bank account. For the criminal, this is the pot of gold."

Turning credit cards into cash is time consuming and costly for crooks, Litan said. With stolen credit-card data, thieves are forced to first buy goods and then fence the merchandise in order to generate cash.

"With this kind of debit-card fraud, they can go straight to the cash," Litan said.

An informant tipped off the Hudson County Sheriff's Department to the 14 who were arrested, DeFazio said, adding that the group has ties to criminal gangs residing overseas. Victims in the United States have reported discovering unauthorized charges or withdrawals in such places as Great Britain, Pakistan, Romania and Spain.

Hudson County sheriff's deputies launched their six-month investigation last June. Working with the New York City Police Department, sheriff's deputies began making arrests in December after finding the machinery allegedly used to create fake cards in a Manhattan commercial district.

As part of their investigation, Hudson County detectives served arrest and search warrants in Georgia, Massachusetts, South Carolina and Florida, DeFazio said.

"This was a sophisticated network," he said. "These guys have been around. It looks like they figured this was a safer way to generate cash, safer than dealing drugs or other crimes."

One of the accused ring leaders, Frank Robertson, was arrested last December and has already pled guilty to several fraud counts, DeFazio said. Robertson faces up to 15 years in prison when he is sentenced, DeFazio said. At the time of his arrest, Robertson was on parole for other credit-card fraud convictions, said DeFazio.

 
Correction: Due to incorrect information provided to CNET News.com, this story incorrectly stated the role of North Carolina's State Employees' Credit Union in the loss of of some customers' credit card information. Some members of the credit union were victims of credit card fraud, but the data was obtained from a third-party merchant.

See more CNET content tagged:
debit card, OfficeMax Inc., prosecutor, arrest, sheriff

20 comments

Join the conversation!
Add your comment
Chain should be held accountable
By what right did the chain have to store the pin number? They didn't need it. When you make a transaction, it gets verified with the bank. They had no right to keep it on file... but they did. They should be held accountable for the losses. It would be a good lesson in the responsibility that comes with storing personal data.
Posted by Seaspray0 (9714 comments )
Reply Link Flag
I agree, some responsibility should be held...
Without a doubt, the only way this is going to stop is to hold retailers who choose to retain customer-payment-information insecurely completely responsible. They should be held liable for the damages caused, and also be required to carry insurance if they choose to retain customer-payment-information like PIN numbers and such.
As a software-developer who works with e-commerce applications, the very thought of retaining this type of information scares me. I know that NO security-system is truly secure. I also know that security, in a lot of cases, can only be as good as the developer(s) implementing a security scheme. Thus, ALL of my payment-systems NEVER retain information that could lead to a problem like this. Credit card numbers, expiration dates, social security numbers, etc, are all discarded as soon as they've been used to authorize a payment or confirm an identity. They are NEVER even saved. I realize not all applications have the luxuries that mine have in the past. Then again, I've made these points clear with my clients up-front, BEFORE we've even started developing an application.
The flip-side to this concerns the users of a security system, themselves, in this case, a retailer. These retailers SHOULD know better! Not only that, but the retailer in question here is a provider of technology-related products. What a blow to their reputation! As an example of what I've seen clients do, I can't count how many times I've visited a client of mine, only to see their passwords clearly written on sticky-notes, attached to the bottoms of their monitors. An I/T department who hasn't educated their employees well-enough to not do something so STUPID, should also be scrutinized and brought to task, along with the employees themselves.
Security should not only cover electronic access, but physical, and social as well. For a retailer as large as the one mentioned in this article, I find it pathetic and in-excusable that this would be allowed to happen.
Posted by NoelWeb (2 comments )
Link Flag
Chain should be held accountable
By what right did the chain have to store the pin number? They didn't need it. When you make a transaction, it gets verified with the bank. They had no right to keep it on file... but they did. They should be held accountable for the losses. It would be a good lesson in the responsibility that comes with storing personal data.
Posted by Seaspray0 (9714 comments )
Reply Link Flag
I agree, some responsibility should be held...
Without a doubt, the only way this is going to stop is to hold retailers who choose to retain customer-payment-information insecurely completely responsible. They should be held liable for the damages caused, and also be required to carry insurance if they choose to retain customer-payment-information like PIN numbers and such.
As a software-developer who works with e-commerce applications, the very thought of retaining this type of information scares me. I know that NO security-system is truly secure. I also know that security, in a lot of cases, can only be as good as the developer(s) implementing a security scheme. Thus, ALL of my payment-systems NEVER retain information that could lead to a problem like this. Credit card numbers, expiration dates, social security numbers, etc, are all discarded as soon as they've been used to authorize a payment or confirm an identity. They are NEVER even saved. I realize not all applications have the luxuries that mine have in the past. Then again, I've made these points clear with my clients up-front, BEFORE we've even started developing an application.
The flip-side to this concerns the users of a security system, themselves, in this case, a retailer. These retailers SHOULD know better! Not only that, but the retailer in question here is a provider of technology-related products. What a blow to their reputation! As an example of what I've seen clients do, I can't count how many times I've visited a client of mine, only to see their passwords clearly written on sticky-notes, attached to the bottoms of their monitors. An I/T department who hasn't educated their employees well-enough to not do something so STUPID, should also be scrutinized and brought to task, along with the employees themselves.
Security should not only cover electronic access, but physical, and social as well. For a retailer as large as the one mentioned in this article, I find it pathetic and in-excusable that this would be allowed to happen.
Posted by NoelWeb (2 comments )
Link Flag
Many are at fault
Those who stole the debit card data are obviously the ones who need to be prosecuted, but are they the only ones who are at fault? How about the merchant who stored the pin numbers in a database so that they could be stolen. This is as irresponsible as it gets. I hope this practice isn't widespread. My debit card number was among those that needed to be cancelled. I am now questioning the loyalties of my credit union. They are keeping secret the identity of the merchant who caused this problem. They should be publishing the identity of this merchant to their customers. They need to do this so that debit card holders can protect themselves by shopping elsewhere.
Posted by picklesdaddy (6 comments )
Reply Link Flag
Many are at fault
Those who stole the debit card data are obviously the ones who need to be prosecuted, but are they the only ones who are at fault? How about the merchant who stored the pin numbers in a database so that they could be stolen. This is as irresponsible as it gets. I hope this practice isn't widespread. My debit card number was among those that needed to be cancelled. I am now questioning the loyalties of my credit union. They are keeping secret the identity of the merchant who caused this problem. They should be publishing the identity of this merchant to their customers. They need to do this so that debit card holders can protect themselves by shopping elsewhere.
Posted by picklesdaddy (6 comments )
Reply Link Flag
User Beware
When using a debit card, one should always be concerned about the transmission and storage functions carried out on one's behalf by any company swiping the card. By using a third party card, such as a credit card, one mitigates the risk for direct fraud somewhat by not keying in a direct access PIN code for a personal bank account.

Let the credit card companies deal with the risk since one typically pays for it anyways.
Posted by (3 comments )
Reply Link Flag
User Beware
When using a debit card, one should always be concerned about the transmission and storage functions carried out on one's behalf by any company swiping the card. By using a third party card, such as a credit card, one mitigates the risk for direct fraud somewhat by not keying in a direct access PIN code for a personal bank account.

Let the credit card companies deal with the risk since one typically pays for it anyways.
Posted by (3 comments )
Reply Link Flag
Bricks And Mortar And Stovepiping
What this story tells me is that one needs to keep the majority of one's cash and cash equivalents in bricks and mortar institutions like banks and not have these accounts be electronically accessable via cards. You need to keep only a small amount of money in a card accessable account, and then periodically go down to your local bank and use a paper deposit/transfer slip to move the money between your large protected account and your small unprotected account.

The public has clearly been sold a bill of goods by being encouraged to do paperless banking, online banking, ATM banking, and to use cards of various sorts for retail transactions (Master the possibilities, VISA it's everywhere you want to be). Sure this is good for the banks, because it lowers their transaction costs (they can close branches and layoff tellers), but it clearly creates a huge fraud exposure problem for the public. I will once again repeat my mantra to use cash for any retail purchase of $100 or less. The people who bought their paper, pens, and ink from OfficeMax with cash were not exposed to a security breach. The fewer electronic transactions you do, the less risk you run of becoming a victim. This is the electronic equivalent of avoiding walking through bad neighborhoods. Nowdays one must assume that ALL electronic neighborhoods are bad neighborhoods.
Posted by Stating (869 comments )
Reply Link Flag
Bricks And Mortar And Stovepiping
What this story tells me is that one needs to keep the majority of one's cash and cash equivalents in bricks and mortar institutions like banks and not have these accounts be electronically accessable via cards. You need to keep only a small amount of money in a card accessable account, and then periodically go down to your local bank and use a paper deposit/transfer slip to move the money between your large protected account and your small unprotected account.

The public has clearly been sold a bill of goods by being encouraged to do paperless banking, online banking, ATM banking, and to use cards of various sorts for retail transactions (Master the possibilities, VISA it's everywhere you want to be). Sure this is good for the banks, because it lowers their transaction costs (they can close branches and layoff tellers), but it clearly creates a huge fraud exposure problem for the public. I will once again repeat my mantra to use cash for any retail purchase of $100 or less. The people who bought their paper, pens, and ink from OfficeMax with cash were not exposed to a security breach. The fewer electronic transactions you do, the less risk you run of becoming a victim. This is the electronic equivalent of avoiding walking through bad neighborhoods. Nowdays one must assume that ALL electronic neighborhoods are bad neighborhoods.
Posted by Stating (869 comments )
Reply Link Flag
It was Office Max
I was one of those whose numbers were stolen. My wife, who has an account at the same financial institution, wasn't. The only place on my account that doesn't also show up on hers is Office Max, where I purchased ink for my printer.
Posted by Magicland (603 comments )
Reply Link Flag
It was Office Max
I was one of those whose numbers were stolen. My wife, who has an account at the same financial institution, wasn't. The only place on my account that doesn't also show up on hers is Office Max, where I purchased ink for my printer.
Posted by Magicland (603 comments )
Reply Link Flag
Why Retain a PIN?
For what purpose was Office Max capturing and storing PIN numbers particularly from customers who visited one of their brick and mortar stores? I cannot think of one legitimate purpose.

Obviously the info thieves are ultimately to blame but Office Max and any others bear a degree of responsibility for making such a data theft even a possibility. Being stupid, lazy or crooked in not a very good defense of their behavior.
Posted by tbsteph (62 comments )
Reply Link Flag
Why Retain a PIN?
For what purpose was Office Max capturing and storing PIN numbers particularly from customers who visited one of their brick and mortar stores? I cannot think of one legitimate purpose.

Obviously the info thieves are ultimately to blame but Office Max and any others bear a degree of responsibility for making such a data theft even a possibility. Being stupid, lazy or crooked in not a very good defense of their behavior.
Posted by tbsteph (62 comments )
Reply Link Flag
Wal-Mart/Sams Club Too
My card was involved with this also. The only place I have ever entered my PIN, besides the ATM, was Wal-Mart. I have never bought anything from Office Max. I know my local Wal-Mart forces me to enter my PIN even though I choose credit. They have changed this in recent days. One should have the choice to choose credit/debit on their bank card and not be forced to one or the other.
Posted by nightstar (23 comments )
Reply Link Flag
Wal-Mart/Sams Club Too
My card was involved with this also. The only place I have ever entered my PIN, besides the ATM, was Wal-Mart. I have never bought anything from Office Max. I know my local Wal-Mart forces me to enter my PIN even though I choose credit. They have changed this in recent days. One should have the choice to choose credit/debit on their bank card and not be forced to one or the other.
Posted by nightstar (23 comments )
Reply Link Flag
One small problem
One small problem, called lack of trust, the top four major banks in the country involved in the scam, whilst issuing large numbers of replacement cards, deliberately took the combined steps of initially telling total lies and virtual propaganda, when customers queried why the existing cards became suddenly locked out!

It wasn't until, the episode, was blogged on the internet, and became public knowledge, that some more truthful information was eventual given to persistent irate customers only(but never full disclosure), and the lies from these venerable institutions continued to be issued unabated for the masses!

Question is this if a major bank is willing to insult it's customers over a small security breach involving several million debit cards, then the next question is what else are they also hiding from their customers on a daily basis!

If truth be told, all customers affected should be sent a formal appology letter with a detailed explanation, signed by both the Bank's Chairman of the Board and CEO, as to why their staff were instructed to tell lies on their behalf!

Anything less than that, means they hold their customers in total contempt and will continue to treat them like lambs sent to the slaughterhouse! , and no longer deserve the trust of the cashed up customers, nor to hold their funds anymore!

Oh well, choices, who do you trust when they tell lies and propaganda to cover up the facts?

This new century, appears to be the age, where both fiction and propaganda, is the now common standard method of communication to all customers, by banks and corporporations!
Posted by heystoopid (691 comments )
Reply Link Flag
One small problem
One small problem, called lack of trust, the top four major banks in the country involved in the scam, whilst issuing large numbers of replacement cards, deliberately took the combined steps of initially telling total lies and virtual propaganda, when customers queried why the existing cards became suddenly locked out!

It wasn't until, the episode, was blogged on the internet, and became public knowledge, that some more truthful information was eventual given to persistent irate customers only(but never full disclosure), and the lies from these venerable institutions continued to be issued unabated for the masses!

Question is this if a major bank is willing to insult it's customers over a small security breach involving several million debit cards, then the next question is what else are they also hiding from their customers on a daily basis!

If truth be told, all customers affected should be sent a formal appology letter with a detailed explanation, signed by both the Bank's Chairman of the Board and CEO, as to why their staff were instructed to tell lies on their behalf!

Anything less than that, means they hold their customers in total contempt and will continue to treat them like lambs sent to the slaughterhouse! , and no longer deserve the trust of the cashed up customers, nor to hold their funds anymore!

Oh well, choices, who do you trust when they tell lies and propaganda to cover up the facts?

This new century, appears to be the age, where both fiction and propaganda, is the now common standard method of communication to all customers, by banks and corporporations!
Posted by heystoopid (691 comments )
Reply Link Flag
My card info and pin were stolen
I am furious at Citibank. My card and pin info were stolen and used on the 18th to withdraw several hundred dollars. From the article, the suspected vendor I've shopped with is Officemax. I work in IT, know SQL - couldn't they have simply queried all of their customers who shopped at these compromised vendors in the last year and notified them?
Posted by polov (2 comments )
Reply Link Flag
My card info and pin were stolen
I am furious at Citibank. My card and pin info were stolen and used on the 18th to withdraw several hundred dollars. From the article, the suspected vendor I've shopped with is Officemax. I work in IT, know SQL - couldn't they have simply queried all of their customers who shopped at these compromised vendors in the last year and notified them?
Posted by polov (2 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.