Target: Were Debit PINs Compromised?Card Issuers Question Why Chase Has Imposed ATM Limits
JPMorgan Chase Bank's decision to impose limits on daily ATM withdrawals made with debit cards exposed in the Target Corp. payments breach is raising questions about whether PINs may have been compromised in the retailer's security incident (see Target Issues Phishing Warning).
See Also: Proactive Malware Hunting
Two executives with card issuing institutions affected by the breach tell Information Security Media Group that they wonder if Chase has information about debit numbers breached at Target that other banking institutions do not. But a card fraud expert suggests that Chase is likely just being extra cautious.
On Dec. 23, Target confirmed that malware infected its point-of-sale system and was to blame for the compromise of as many as 40 million U.S. debit and credit cards. Target has repeatedly said PINs were not exposed.
Chase spokesman Thomas Kelly says the bank has no comment on whether the possible compromise of PINs was the catalyst for the $2.5 trillion bank to limit daily ATM withdrawals to $250 per day for debit cards linked to the breach.
Meanwhile, a news story from Reuters on Dec. 24 said an unnamed executive with a leading U.S. card issuer claimed PINs associated with debit transactions could have been compromised in the breach. The executive told Reuters the hackers could have cracked the encryption code used to protect PINs.
Target did not respond to Information Security Media Group's request for comment about the Reuters story.
In the wake of the breach, Sen. Richard Blumenthal, D-Conn., has asked the Federal Trade Commission to review Target's data security practices.
"A breach of this size indicates that somebody gained extensive and unfettered access to customer information held by Target," Blumenthal says. "The fact that the intrusion lasted for more than two weeks indicates that Target's procedures for detecting and shutting down an effort to steal customer data does not live up to a reasonable standard."
Card Issuers' Questions
Card issuers are not convinced that the breadth of the attack has been fully discovered or revealed.
"One thing that comes back to question is why Chase is lowering ATM withdraw limits," says one executive with a smaller card issuer in the Midwest, who asked to remain anonymous. "What do they know that the rest of us don't?"
That executive has seen no evidence yet to suggest PINs have been compromised, but anticipates the worst is yet to come.
Another executive with a leading U.S. card issuer, who also asked to remain anonymous, questions Chase's motivation.
"With JPMorgan as an outlier from the industry, I ask, 'Do they know something more than us on this compromise?" this executive asks. "Are they concerned about some cash-out-like scheme? I would normally think the biggest bank would have some insight, possibly better than what is publicly being discussed. However, I think JPM had some people reading between the lines of what Target was saying.
Just Being Cautious?
But John Buzzard, who heads up the FICO Card Alert Service, says it's likely Chase is just being overly cautious. Since news of the attack against Target's point-of-sale system broke, card issuers have been holding their breath about massive waves of card fraud, he says.
"I think Chase used good judgment on the lowering of daily limits, just in case something developed around PIN fraud," Buzzard says. "We have not identified any PIN compromises yet linked to Target. This breach made everyone really pensive as to what is to come."