Date: Sun, 28 Dec 1997 09:22:45 -0500
From: Steve Bellovin <smb@research.att.com>
Subject: Debit-card program cancelled because of fraud

According to the AP, Burns National Bank (Durango, CO) is cancelling its debit-card program because of fraud. The article is maddeningly incomplete about technical details. Apparently, the "hackers" (to quote the article) counterfeited plastic cards and "took account number sequences off software that resides on the Internet before encoding them in the magnetic strip on the back of the card."

When the fraud was detected, some customers had new cards issued, with some unspecified extra security feature. It didn't work; within a month, the accounts were penetrated again.

Three other banks have been victimized by a similar scheme. All four use the same debit card vendor; Burns blames the vendor for inadequate security, in some unspecified form. They're looking for a new supplier; until then, the entire program is being suspended.

Losses to date -- which are apparently being absorbed by the banks -- total $300,000.