Hacker forces banks to cancel Visa debit cards

By Dan Verton

(IDG) -- Several banks in the Washington area have been forced to cancel and reissue thousands of Visa debit cards after a hacker allegedly intercepted a file containing purchase data from a local online merchant.

First Virginia Banks Inc. in Falls Church, Va., this week began notifying 500 of its customers that their card numbers and expiration dates, telephone numbers and addresses had been compromised. Likewise, Atlanta-based SunTrust Banks Inc., which has branch offices in northern Virginia, Washington and Maryland, also began monitoring several customer accounts that may have been compromised.

This comes two weeks after Washington-based Riggs Bank on Aug. 21 sent letters to 3,000 of its customers informing them that a local online merchant's customer database containing their Visa debit card numbers had been hacked into and compromised. Officials at First Virginia, Riggs and Visa declined to name the merchant where the customer data originated.

All the payment data belong to customers who had made purchases at an online merchant in the Washington area. However, Visa declined to say whether the data was taken directly from a system belonging to the merchant or from one of the many companies that process electronic payments between online retailers and Visa.

In a written statement, Visa characterized the incident as "a potential compromise of cardholder data stored on a third party's computer." Visa alerted various banks in the area "as a precautionary measure so that these banks may take the appropriate steps to protect cardholders whose data may have been compromised," the statement said.

Rick Bowman, chief financial officer at First Virginia, said his bank has "no way of knowing which merchant it is that had their database hacked. Visa does not disclose that information." Bowman said First Virginia receives similar alerts about once every six weeks and often has to issue new cards to customers.

A Riggs official who spoke on condition of anonymity, said, "It would not be fair to identify the merchant," because the matter is still under investigation by the FBI and the incident could have been the result of security holes at one of several third-party companies that process Visa transactions.

To date, there is no evidence of fraud stemming from the compromise, the official said.

Carolyn Gosselin, a spokeswoman for SunTrust Banks, said security officials at the bank are "monitoring a few accounts that may have been in contact with the merchant." So far, SunTrust hasn't uncovered any fraudulent activity that would force the bank to reissue cards to all of its customers in the area, she said. "We hope not to have to do that."

Because Visa debit cards are linked directly to customer checking accounts, officials at both First Virginia and Riggs are urging users to destroy their cards and inspect their next bank statements carefully. A security official at First Virginia told customers that the merchant would be notifying them of the incident by e-mail "within a couple of days."

News of the incident comes as Foster City, Calif.-based Visa on Sept. 4 announced its new Visa Authenticated Payment system, which is designed to help online merchants conduct real-time verification of the identities of online shoppers.

As of June 1, Visa required e-merchants to post their privacy policy and transaction security capability on their Web site so that cardholders know what type of protections are in place when they shop online.

Visa has also put in place a requirement, effective Jan. 1, 2002, that online merchants who accept Visa credit or debit cards offer encryption protection to cardholders during their online purchase. Any e-merchant participating in Visa Authenticated Payment satisfies this requirement.

In May, Visa inked deals with three of its top member banks -- First USA Bank NA in Wilmington, Del., FleetBoston Financial Corp. in Boston and Providian Financial Corp. in San Francisco -- to sign on to the Verified by Visa program. Visa said it expects to eventually win over all 14,000 of its card-issuing banks (see story).

Mike Yakel, vice president of Visa USA's e-Visa division, said all online payment transactions go through "an acquirer," or third-party payment vendor, that submits the purchase from the merchant to the Visa system over the Internet. There are about 50 to 100 companies nationwide that provide payment services, including Certegy (previously known as Equifax Payment Services), First Data Corp., Global Payments Inc., Total System Services Inc. and Vital Processing Services.

"Because the Internet is an open network, there is far more potential that the data could be accessed by somebody," said Yakel.

However, banks that issue cards and sponsor payment vendors to become part of the "Verified by Visa" initiative also assume liability and have a responsibility to prevent security breaches from occurring, said Yakel.

"At the end of the day, the consumer information is being conveyed over an open network," he said. "That is the problem."

http://www.cnn.com/2001/TECH/industry/09/07/visa.debit.cards.idg/index.html

-- Martin Thompson (mthom1927@aol.com), September 07, 2001