<![CDATA[Consumerist: The Russian Connection]]> http://consumerist.com/tag/the russian connection <![CDATA[ Part 3: I Was A Cybercrook For The FBI ]]> Part 3 of Dave Thomas' story of working as a cybercriminal for the FBI is up on Wired, "The Boards Come Crashing Down."

This portion explores what happened in the climax and aftermath of the FBI's sting operation.

Interestingly, Thomas knew the hacker who cracked Paris Hilton's Sidekick and was one of the first to get Paris' photos.

We're interviewing David soon, probably this Sunday. What should we ask him, a man versed in all manner of identity theft and credit card fraud? — BEN POPKEN

]]>
Thu, 01 Feb 2007 11:51:22 EST Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=233192&view=rss&microfeed=true
<![CDATA[ I Was A Cybercrook For The FBI ]]> Parts 2 and 3 of the Dave Thomas Cybercrook story are up on Wired. The excellent report by Kim Zetter, two years in the making, offers a fascinating insight into the world of identity thieves, credit card scammers, phishers and all sorts of electronic fraud. Follow along as Dave transitions from petty thief, to cyber-crime master under the name "El Mariachi" and with a James Cagney online avatar, to informant on the noose for the feds.

Part 1: I Was a Cybercrook for the FBI
Part 2: Tightening the Net on Cybercrime
Part 3: The Boards Come Crashing Down

We first heard about this report back in July and are extremely excited that Wired has finally released it.

Also, Dave has agreed to an interview with The Consumerist. We want to ask him what consumers can do to protect themselves, what banks are doing that actually exacerbates the problem of identity theft, and how targets get picked. We also want to know what he knows about the doings behind The Russian Connection series after OfficeMax was compromised.

What questions would you like to ask? — BEN POPKEN

]]>
Wed, 31 Jan 2007 10:09:26 EST Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=232806&view=rss&microfeed=true
<![CDATA[ Cali Dollar Trees Source of ATM Hacks ]]> Shopping at the Dollar Tree could end up costing you a lot. Hundreds of California patrons of the discount store report having money jacked from their debit accounts, reports KCRA. Most likely, this was through the use of cloned ATM cards.

Stores in Carmichael, Modesto, and elsewhere were targeted.

The Secret Service is currently investigating, saying little, but one spokesman said "it's big."

For the time being, California discount shoppers may want to look elsewhere for their 100 tiny soldier packs and bags of single-ply toilet paper. Or pay in cash.

(Thanks to Beth!)

]]>
Thu, 03 Aug 2006 16:53:06 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=191950&view=rss&microfeed=true
<![CDATA[ Online Fraudster Interviewed ]]> SmallWorldPodcast interviewed El Mariachi, a man who commits online fraud and identity theft. The interview reveals details about another scammer, Dillinger, who was involved with the ATM hacks of the ill-fabled "Russian Connection" scandal.

Allegedly, after the previous podcast broke out, Dillinger caught a lot of flak from his fellow thieves, as well as from blogs and sites like this. He also lapsed into drug abuse, principally meth. Paranoia overtook Dillinger. He started hallucinating, thinking that the neighbors were bugging his house. He called the cops to stop the imagined harassment. When the police arrived, they found drugs all around, as well as all his debit card smithing equipment. Now he's in jail on $800,000 bail as law enforcement is trying to make each debit card count as a separate charge.

El Mariachi also talks about the need to proactively secure your identity. He advises against posting your identity online or visiting porn or "illicit" sites, and recommends using separate banking mechanisms for your offline and online transactions.

"If you're not willing to protect yourself from people like me, you will get screwed," says El Mariachi. "It's not a question of if, it's when."

"Shadow Crew! Crime and Punishment" [Small World Podcast]

Previously:
John Dillinger Was a Bank Robber Who Walked Through Walls
Debit Card Hacker Interviewed

]]>
Wed, 12 Jul 2006 12:35:09 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=186779&view=rss&microfeed=true
<![CDATA[ The News; Impotent Indignation ]]> • The street price of Cialis is on the rise. "Drug Prices Up Sharply This Year" [NYT] [pic]
• Egalitarianism has left the airport. "Southwest to Try Seat Assignments" [NYT]
• Because pedophiles find it so hard to lie about their age online. "MySpace to Add Restrictions to Protect Younger Teenagers" [NYT]
• Son of Enron aborted. "Accounting Industry Loses Bid to Relax Rule" [LAT]
• For the Second Coming, Jesus should overturn the Cingular phone dealer's tables. "Court Upholds Fine of Cingular" [LAT]
• The news is not that a data breach at VISA caused consumers' debit cards to get stolen, it's that they're actually finally formally announcing it. "Visa Says ATM Breach May Have Exposed Data" [CT]

]]>
Wed, 21 Jun 2006 13:02:08 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=182316&view=rss&microfeed=true
<![CDATA[ New Chase Debit Card Still Lets Vonage Screw Customer on Old Card ]]> You would think that after Chase goes through the trouble of reissuing new Visa debit cards to replace its MasterCards, they might also take the precaution of deactivating the old card when the new one is activated. Not so, Disappointed in NYC writes. When our reader tried to cancel Vonage, they wanted to charge a cancellation fee. He refused but they still charged his old Chase Mastercard. Chase CSR said the Vonage charge went through but nothing else would.

Is this a security issue? We think not. We just received our new gold WaMu Mastercard to replace the WaMu Visa, and the letter informed us that, as a courtesy, they will let recurring payments and the like be charged for one month on the old card.

Are you reading, John Dillinger? This kind of annoying crap is the fallout from your supposedly victimless crime.

Disappointed's full letter, after the jump...

So Visa bribed Chase away from using MasterCard and the net result was that all the existing Chase debit cards have been replaced with these shiny gold cards with the Visa logo that look more important than they probably are. I activated mine yesterday - one assumes that since the new debit card with the brand new account number and expiration date are now in play, the old card would be no good. I even called Chase customer service to confirm that.
When cancelling my lousy Vonage service they tried to charge me the cancellation fee. I refused and they charged my Chase MasterCard, which I was reassured couldn't be used. Guess what? It went through! I had to call Chase who told me, yes Vonage went through but no, nothing else would. Could they really guarantee that? Probably not. I had to hang around while the customer service rep contacted security to make sure the card was cancelled.

So now if people don't want 2 Chase debit cards around they need to physically call and cancel their old card. I have to say I'm really disappointed with Chase. As for Vonage, I hope their stock plunge kills their lame static-y service and constant outages. Plus they owe me a $50 rebate which I have yet to see.

Sincerely,
Disappointed in NYC

]]>
Thu, 15 Jun 2006 12:33:58 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=180973&view=rss&microfeed=true
<![CDATA[ John Dillinger Was a Bank Robber Who Walked Through Walls ]]> Last week, we linked to an excellent interview where Bazooka Joe at Small World Podcast spoke with an individual going by the name of "John Dillinger" who participated in the big ATM PIN block crisis. His involvement was to embed blank cards with the hacked PINs, withdraw the money from ATMs, and send back a percentage to his uplink. John Dillinger commented on the post to make sure we got the story straight:

    "First off I never hacked those pins. And I only guessed that those were hacked I was never told that they were. It just seemed logical as there were hundreds of thousands of those data sets being past out. Not only to me but to many many others all around the USA and In Romania YES they do work in Ro. Dont beleave all what the financial institutions tell you in the press. And ID theft is diffrent than getting your credit card used. Its called credit card fraud. Getting your identity used to ubtain goods and services is way worse then your credit card getting used. there is no such thing as an The ethical hacker! a hacker is a hacker and its still ilegal. Big business like banks make out in the long run wile the consumer eats it in the end." [sic]

The more you know, the more you grow.

Incidentally, BazookaJoe will be interviewing us today so keep your magic audio devices tuned in to Small World Podcast.


]]>
Mon, 12 Jun 2006 12:27:14 EDT popkin http://consumerist.com/index.php?op=postcommentfeed&postId=180023&view=rss&microfeed=true
<![CDATA[ PIN Block Phish, Basted ]]> Oh, this is just classic. Phishers are now trying to capitalize on the PIN block crisis.

    Subject: Your Credit Card was cloned and used! From: VISA

    Attention! Your VISA Credit Card has been violated!

    You have received this email because we have strong reasons to believe that your VISA account had been recently compromised. In order to prevent any fraudulent activity from occurring we are required to open an investigation into this matter.

    Someone from Bulgaria tried to access your personal account from 2 different ATM's but with wrong pin! We were forced to freeze your Credit Card until you will confirm your identity online!

    Please click the link below and enter your account information to confirm that you are not currently away. You have 3 days to confirm account information or your account will be locked.

We need hardly mention that if you're a victim of such an attack, your credit card company is going to call you, not email you.


]]>
Mon, 12 Jun 2006 11:57:49 EDT popkin http://consumerist.com/index.php?op=postcommentfeed&postId=180017&view=rss&microfeed=true
<![CDATA[ Debit Card Hacker Interviewed ]]> Small World's Bazooka Joe interviews "John Dillinger," a debit card hacker who participated in the infamous "Russian Connection" ATM hack scandal. He discusses how he and others hacked millions of debit card accounts and why the story never makes the mainstream news.

"Initially the cardholder is the victim, but after the bank pays the customer back, the bank is the victim and if the bank doesn't report it, there's no case built against them," he says.

Listen to the interview here. Spotted at BoingBoing.

Gotta love the hacker's hollow rationalizations. However, he proves two of the things we've contended: 1) always run your debit card as credit and 2) forcible debit card reissues are sure signs your bank's center has been hacked.

This is pretty amazing... and the real culprit is the banks for not reporting it. Hackers just take advantage of the weaknesses, namely, consumer ignorance. UPDATE: We are, of course, referring to the consumer ignorance perpetuated by the banks hiding all of this from us.

Previously: The Russian Connection thread.

]]>
Mon, 05 Jun 2006 20:05:17 EDT popkin http://consumerist.com/index.php?op=postcommentfeed&postId=178543&view=rss&microfeed=true
<![CDATA[ Thunder Before The Storm? Another Citibank Account 'Compromised' ]]> Buckle yourselves in, boys and girls. Is this email we just received from Kate H. the first rumbling of another massive slate of Citibank security breaches?

This morning, I got a VM from CitiCard asking me to call in regarding a security problem with my card. Not trusting a random VM, I went to the Citi website and called the number for reporting fraud. Turns out the VM was legit. My card has been "compromised" - employees can't tell me why, of course - and I'm getting a new card and new account. They are over-nighting the new card to me. Was told by customer service rep that she had dealt with "several" calls like mine today.

There is no fraudulent activity on my account.

Why won't Citi tell us where the breach occurred? If certain retailers repeatedly cause these breaches, I'd like to know so I can avoid using my card there in the future. If Citi causes them - I'd like to know that too.

We don't want to jump the gun here: this could just as easily be a merchant whose computer was stolen. Still, we get twitchy when the words "Citibank" and "compromised" are put in the same sentence. If this is another massive security breach, we want to be in on the ground floor.

Any other Citibank customers who have had their cards compromised? Mail us.

]]>
Thu, 01 Jun 2006 21:42:22 EDT consumerist.com http://consumerist.com/index.php?op=postcommentfeed&postId=177857&view=rss&microfeed=true
<![CDATA[ New Debit Card, Same <strike>Balogna</strike> Baloney ]]> We received our happy super fun awesome new Washington Mutual GOLD debit card today.

Yay.

Now we can buy all the gold we want.

What was slightly odd was that after calling and activating the new card, we went to the ATM and inserted our old card. It didn't work. Then we inserted the new card. Spit spit spit, three hot twenties came out just like we asked.

However, we didn't even have to embed a PIN on it. Convenient, but also seems to be a security gap? Which is funny, then, because the new cards were supposed to help prevent security gaps...

]]>
Thu, 01 Jun 2006 16:43:45 EDT popkin http://consumerist.com/index.php?op=postcommentfeed&postId=177784&view=rss&microfeed=true
<![CDATA[ Hidden Benefits of New Wamu Gold Card ]]> Seems like we have yet another thing to look forward to when we receive our shiny new gold Wamu card we didn't ask for.

Along with its new account number, we'll experience the thrill of changing the credit card listed for every recurring charge we have linked to the card.

According to the Seattlest, "That's when we realized that we were anti-excited about the new opportunities and benefits our Gold MasterCard debit card was offering us. We were, in fact, annoyed."

Awesome! Thanks, Wamu!

"WaMu's New Gold Debit Card Proves Inconvenient" [Seattlest]

Previously: Washington Mutual Is Our Friend With Benefits (That We Couldn't Care Less About)

]]>
Thu, 11 May 2006 23:57:18 EDT popkin http://consumerist.com/index.php?op=postcommentfeed&postId=173309&view=rss&microfeed=true
<![CDATA[ Washington Mutual Is Our Friend With Benefits (That We Couldn't Care Less About) ]]> We've just been the lucky recipient of exciting news; the PIN range our debit card belongs to has been hacked. To celebrate, Washington Mutual is "upgrading" our debit card "to gold status for free."

Our benefits will include:

  • Double manufacturer's warranties for up to one year
  • Toll-free US roadside assistance and worldwide travel assistance
  • Theft and damage protection for 90 days after purchase
  • Price protection for 60 days after purchase

Great! A bunch of stuff we don't need and didn't ask for.

Recently, our magnetic strip stopped reading as well and retailers have to punch the debit card number by hand. An eerie coincidence.

Ah, here it is, "you'll receive a Washington Mutual Gold Debit MasterCard to replace your Visa Check Card." That's right, we forgot, they're changing their debit card vendor. Maybe MasterCard will prove more resilient to people stealing debit card numbers, decrypting the PINs and making counterfeit cards and withdrawing all your money, as detailed in our The Russian Connection thread.

]]>
Wed, 10 May 2006 18:40:49 EDT popkin http://consumerist.com/index.php?op=postcommentfeed&postId=172953&view=rss&microfeed=true
<![CDATA[ ATM Fraud Victim? CBS Wants to Talk ]]> A CBS Evening News producer sent us a note today. She wants to do a story on the big ATM PIN Block Scam story we made such a fuss about last month.

The producer is looking to talk to people who had money withdrawn from their accounts during the scam wave. If you're interested in speaking on camera about your experience, drop a note in the comments or send an email to tips@consumerist.com. They're looking for people who actually had money fraudulently withdrawn, not just a forced debit-card reissue.

Not only will you be helping inform other consumers about how insecure PIN transactions are, you can also help promote the power of blogs on national TV.

Previously: The Russian Connection thread.

]]>
Tue, 18 Apr 2006 15:39:08 EDT popkin http://consumerist.com/index.php?op=postcommentfeed&postId=168057&view=rss&microfeed=true
<![CDATA[ Eye of Banks, All-Seeing, All-Knowing ]]> Have the banks wised up?

Our girlfriend (okay, this royal we shit is really weird sometimes) went to a Commerce Bank ATM on Saturday to withdraw $20. The first ATM didn't have any money to give her so she had to repeat the same transaction on the machine one over. No biggy.

On Sunday, Commerce Bank left her a message asking her to call in and verify some transactions...

When she did, an automated machine read off her latest transactions and queried whether any of them sounded strange. She pressed yes, as it had listed two $20 transactions right next to each other for Saturday night. The human operator she was connected to said those were indeed the activities that had set the system off. The reason being that it was two identical withdrawals, one right after the other and that the withdrawals, get this, were in a part of town that our girlfriend doesn't frequent. The Commerce rep chalked it up to a system glitch and sent our girlfriend on her merry way.

Perhaps Commerce just deserves some kudos for attention to detail. Then yesterday a reader emailed to say that her credit card was placed on hold by her bank over two suspicious transactions: two online purchases totalling $5.50 at sites the account holder had previously shopped at.

These are just two in a million, but it got us wondering if anyone else out there has experienced an unusual amount of vigilance on the part of their credit card and/or banking companies lately?

If so, we would then hypothesize that after The Russian Connection ATM debacle, the financial institutions are getting hyper-paranoid about transaction fraud.

]]>
Thu, 06 Apr 2006 16:29:52 EDT popkin http://consumerist.com/index.php?op=postcommentfeed&postId=165644&view=rss&microfeed=true
<![CDATA[ Citigroup Gets Around to Addressing PIN Compromises ]]> Hey, remember all those debit cards and PINs that got stolen and stuff? Where hackers got into Office Max, made off with debit card accounts and encrypted PIN codes, decrypted the PINs, made counterfeit ATM cards, and withdrew lots of money, and large numbers of people were forced to get their ATM card changed without anyone telling them the real reason why? Well, apparently Citigroup remembers too. Eventually.

A shareholder queried the Citibank corporate office about the debacle and forwarded us the email:

    From: Mcclure, Stacey
    Date: Apr 3, 2006 4:43 PM
    Subject: Your E-mail Dated March 6, 2006

That's right, it took almost a month for Citigroup to respond to one of its investors about the problem. Imagine their priority level for the average consumer...

The full content of their reply, which they seemed to have cut and pasted from press release drafts, after the jump...

Dear [withheld]:

I am writing in response to your March 6, 2006 e-mail to our Shareholder Relations Department. Your e-mail was forwarded to the Executive Communications Unit for review and response.

In your e-mail, you requested additional information regarding recent ATM restrictions in Canada. As you may know, there have been an increasing number of media reports regarding incidents of compromised data systems at retail establishments where some of our clients have used their cards. As a result, Citibank Banking card numbers may have been available to unauthorized individuals. While this information may not result in fraudulent activity on our clients' accounts, Citibank is taking steps to proactively prevent this possibility. One of these steps is issuing new Citibank Banking cards to our clients who may have been affected.

For added protection, we are also advising our clients to change their current Personal Identification Number (PIN) code on their reissued card. For their convenience, this may be accomplished at Citibank branches and ATMs in the United States, or online at www.citibankonline.com.

To ensure that our customers receive the very best service, as a standard practice, we monitor their accounts on an ongoing basis with our advanced Fraud Early Warning Systems. While the third party retailer occurrences noted above did not involve any security breaches at Citibank, we recently uncovered a new trend of unauthorized ATM activity. We want to assure you that Citibank took immediate action to block such activity from impacting our clients' accounts.

Mr. [withheld], you may rest assured that we are fully involved in the protection of our clients' accounts. You are a valued shareholder and we thank you for providing us with this opportunity to provide clarification regarding this very important matter.

Sincerely,

Stacey McClure

Client Liaison/Executive Communications

See our previous stories on "The Russian Connection."

]]>
Tue, 04 Apr 2006 09:53:19 EDT popkin http://consumerist.com/index.php?op=postcommentfeed&postId=164910&view=rss&microfeed=true
<![CDATA[ Citibank Sends "Hey, You've Been Hacked" Postcard ]]>

Maybe the debit scam isn't over. That's what Jon thought when he got the pictured notice. You may recall through memory's hazy veil that scammers stole thousands of debit cards and their PINs in weeks past, creating counterfeit cards and withdrawing cash from ATMs around the world.

Well, they caught the main perps but Jon writes in to say he got a postcard from Citibank, letting him know his account was compromised. Yes, a postcard.

Read more, after the jump...

Jon writes:

    "Dear Consumerist:

    You guys kick ass. Keep up the incredible work. But enough vacuous ass-kissing.

    I have been reading about the hacking and smacking going on with banks like Citibank cancelling people's debit cards because their account information has been compromised by hackers. I thought it was pretty much limited to checking accounts, but last weekend I found out it's not. Personally.

    The Citibastards sent me a little postcard, via pre-sort mail no less, saying I "urgently" needed to call them. Ha, I needed to call them urgently, but the best they could do to notify me about an urgent matter was the cheapest possible method of contact, bulk-mail pre-sort? And the US mail is such a personable way to do business, don't you think?"


    "I actually thought it was a scam at first, given how cheesy the postcard looked (see attachment). So I called the number on the back of my card instead of the number on the card. After the automated voice asked me the usual verification info, I was immediately transferred to a live human, amazingly one who appeared to be in the U.S. if I guessed right from his East Coast accent. Being sent to a live human pretty much told me right away I had a problem, because usually they put you on hold forever or send you through further automated mazes.

    The Citibastard confirmed that my account info was compromised but wouldn't confirm which "third party" was to blame when I pressed him for the info. He said I needed to close my account immediately. When I told him I had a few automatically debited bills I would need to clear up first, and would need a few days to do so, he hesitated and seemed surprised I wasn't going to cower and do what he said right away. He put me on hold for about 20 seconds, then came back on and "confirmed" that I had "approval" to cancel my account "within two days." He was generally friendly, but about as informative as a deaf mute amputee when I asked specific questions. He just had to stick to the script.

    I plan to cancel my account tonight, but only after I decide if I'm actually going to open another account with them. I know the hacking probably isn't their fault, but they have handled this in such a demented way that it's hard to have any faith in their ability to protect my security in the future.

    - Jon Ehret"

Most likely, Jon's account info getting stolen is not the same as the PIN block attack because he says that it wasn't his checking account that was compromised, but it's still scary nonetheless.

You have to wonder what's going on at Citibank if their commitment to protecting your account information is anything like their commitment to informing you about their failure to protect you.

]]>
Mon, 27 Mar 2006 13:40:15 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=163203&view=rss&microfeed=true
<![CDATA[ Software Weak Link in ATM Scam Fingered ]]> The mystery third party transaction software provider implicated in the ATM debit card scam scandal may have been named by VISA.

    "Two versions of cash-register software made by Fujitsu Transaction Solutions are under scrutiny, according to a warning Visa issued to the companies that process card transactions for some of the nation's largest retailers," in a CNET report pointed to us by Jon.

According to reports, OfficeMax uses the software in their registers and is still denying any security breach.

    "Neither one of the Fujitsu products, RAFT and GlobalStore, is among the products approved by the major credit card companies. This doesn't mean that the software doesn't meet industry standards. It only means that the software hasn't undergone the review process needed for sanctioning by the group, according to a note on Visa's site."

Translation: It only means they "might" not meet industry standards, a possibility which seems to have been fulfilled.

    "It's really the responsibility of a company doing business to protect their customers," said Branden Williams, a principal consultant at computer-infrastructure firm VeriSign.

Translation: Heads will roll. We think they all should, all the way down the line, from card machine software maker to Office Max to the banks to the credit card companies handling the transactions. We'll get the WD-40 and whetstone out for the guillotine.

Previously: Scamming ATM Cards for Fun and Profit

]]>
Mon, 20 Mar 2006 11:45:34 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=161639&view=rss&microfeed=true
<![CDATA[ Scamming ATM Cards for Fun and Profit ]]> It's a lot easier than you might think for the Ruskies to start vacuuming funds from your account after they steal the account number and PIN codes from Office Max.

All you need is a $100 reader and a $1500-$2000 encoder. You can buy a reader and the necessary software at Staples. The encoders can be had on eBay.

The Red Tape Chronicles writes, "For demonstration purposes, the Deignan brothers took my debit card, dropped it in an encoder, copied the data from the back, and handed the card back to me. Then they took a piece of white plastic, a second card, inserted that into the encoder, and essentially pasted my ATM information onto the second card. The process took less than 15 seconds."

Within moments, he was able to withdraw $100 from his bank account using one of these manufactured white cards.

We just changed our PIN code this weekend. The Washington Mutual bank officer asked if our new ATM card had arrived yet. We said no, we hadn't requested a new card. Peering a little skeptically, the officer asked why we wanted to change our PIN. We said, "I just want to."

A few moments later at the bank's encoder and we were lock and load. Unfortunately the bank was closing, otherwise we would've stuck around and quizzed them on what they knew about the debit card hacks and what they were going to do about it.

We've also been using our debit card as a credit card in order to avoid punching our PIN code in and having it possibly get stolen. Sometimes it takes a few extra steps. Often the clerks automatically set it up to enter the PIN and we've just had to ask, can you please ring this up as a credit card? It's worth the hassle. If you haven't changed your PIN yet, do so now.

Because, as Digg member incognegro wrote, "In Soviet Russia, the debit card scams you!"

Previously: ATM Scam UPDATE: Crooks Caught!

]]>
Mon, 20 Mar 2006 09:30:51 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=161575&view=rss&microfeed=true
<![CDATA[ OfficeMax says, "No Evidence of Security Breach" ]]> "Following an extensive review of its security systems, OfficeMax says it has no reason to believe it was the company that suffered the data breach that resulted in thousands of cases of debit card fraud," in a CNET report pointed to us by reader John.

Of course not. If they're so stupid as to allow the theft in the first place, why should they be in any position to evaluate their security system's strength?

Look at the over twenty stories we posted here of people who were forcibly reissued debit cards.

One of the victim's daughters wrote in, "Around then [February] the San Jose Mercury ran a story on a security breach at an office retailer. My mom reviewed 6 months of debit card purchases. OfficeMax is the only retail store in her list."

It's entirely possible that the fact that a great deal of the victims were Office Max shoppers is coincidental. The data in the SoCal Office Max security breach might not have been used in this particular scam.

But it sure is a big, funny, fat, stinking coinkydinkus.

Previously: ATM Scam UPDATE: Crooks Caught!

]]>
Wed, 15 Mar 2006 08:35:11 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=160620&view=rss&microfeed=true
<![CDATA[ ATM Scam UPDATE: Crooks Caught! ]]> Rest a little easier, the "Russian Connection" ATM scammers have been captured.

Like we reported and you confirmed with your stories last week, the unnamed national office retailer was indeed OfficeMax.

But the investigation implicates other businesses, which remain unnamed.

More after the jump.

14 people were arrested by New Jersey prosecutors in the crime spree forcing banks nationwide to reissue debit cards to hundreds of thousands of customers.

"This was a sophisticated network," Hudson County Prosecutor Edward DeFazio said. "These guys have been around. It looks like they figured this was a safer way to generate cash, safer than dealing drugs or other crimes."


Now comes the hard part, getting the industry to institute the changes necessary to prevent the crime from happening again. Remember though, you can protect yourself by never typing in your PIN except at ATMs for withdrawals. Instead, ask to sign a receipt.

Full scoop at CNET.
(Thanks to Stephen for the link!)

Previously:

  • Many More ATM Attacks Forthcoming
  • ATM Hack Fallout
  • ATM Hack: The Tip of the Iceberg
  • Depth and Breadth of ATM Scam Continues to Astound
  • 'The Russian Connection' ATM Scammers Messed With Texas
  • Consumers with Forced Debit Card Reissues Step Forward
  • ATM Fraud UPDATE: Wal-Mart, OfficeMax, Sam's Club, Office Depot Suspected
  • The Office Hax 'Guarantee'
  • ATM Fraud Update
  • Alert! Citibank Scandal Update: It's Not Just Citibank...
  • Citibank's Statement on the ATM Crisis
  • Citibank's ATM Crisis Merely Extends Money Don't Matter Campaign
  • Massive Citibank Alert: UPDATE
  • Massive Citibank Fraud Alert: UPDATE
  • Massive Citibank Fraud Alert

]]>
    Tue, 14 Mar 2006 14:45:07 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=160475&view=rss&microfeed=true
    <![CDATA[ Washington Mutual Unleashes Ill-Timed Debit Card Ads ]]>
    That'll go far. Every time a Russian scammer buys 1000 gross of babushkas using your stolen debit card info, you get three Lincolns!

    Washington Mutual (WaMu) was one of the many banks with compromised debit card data. Rather than announce the intrusion, WaMu forcibly reissued cards and called it an upgrade.

    The ad pictured is a portion of one of four ads in a two-page spread in today's LA Times.

    Here's an idea: how about taking out a huge spread announcing the dangers of PIN Block Attacks to your existing customers?

    Collect all four, after the jump...

    The following ads, sent in by reader Paul, were on pages A8-A9. Each is a half-height ad. Paul found the ads especially curious as this is the first he's seen WaMu advertise in the LA Times or the Orange County Register.

    3 Cents Back


    Footnote: "When your account is open on its anniversary date, you will receive $.03 for each debit card purchase transaction made within the last year up to $250. Minimum balance to open: $1 ($100 at wamu.com)."

    Free ATM Withdrawals

    Good to know ATM thieves won't be inconvenienced by transaction surcharges... but oh wait, what's down there...

    "ATM operator may charge non-refundable fee."

    Free Checking for Life


    "Free checks when ordered through us; select styles available."

    Translation: Enjoy your sheets of cardboard.

    Why Haven't You Switched?


    Because we like to keep our money.

    New suckers only, please, as the offer is, "Not available with Free Checking accounts opened prior to 3/11/06."

    What an interesting date... two days after we started seeing this issue on sites like MSNBC.com.

    Previously: Consumers with Forced Debit Card Reissues Step Forward

    ]]>
    Mon, 13 Mar 2006 14:35:49 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=160189&view=rss&microfeed=true
    <![CDATA[ Many More ATM Attacks Forthcoming ]]> "The banking industry is less than halfway through this latest scam, which will continue to affect large numbers of cardholders."

    That's from a brief posted on March 8th by Avivah Litan (pictured) of Gartner Research, the only person who's talking and knows jack-all about the PIN block scam. She confirms what we've suspected: that the debit card accounts and PIN codes are not only being stolen, they're being counterfeited and then used for fraudulent ATM withdrawals. Read her short report, after the jump.

    But first, here's a thought. Why haven't they caught the crooks yet? They should know which ATMs were compromised and at what times... isn't there security tape footage we should be seeing?

    —-
    "Fraudulent ATM Withdrawals Reflect a Widespread Threat" 8 March 2006 by Avivah Litan

    Recent automated teller machine (ATM) fraud involving Citibank and other banks points to a new wave of "personal identification number (PIN) block" schemes.

    Event

    On 6 and 7 March 2006, Citibank issued statements in response to consumer complaints that they were unable to use their ATM cards to make cash withdrawals in certain countries (Canada, Russia and the United Kingdom). Citibank said that accounts that were "possibly compromised in previous retailer breaches in the U.S." in 2005 were being monitored for fraud.

    Analysis

    Citibank's actions follow similar measures taken by other U.S. banks, which have reissued ATM cards after customers' cards were compromised, allegedly through a retailer security breach. Gartner believes that these combined bank actions reflect the largest PIN theft to date and point to a new wave of "PIN block" card fraud. Gartner believes the banking industry is less than halfway through this latest scam, which will continue to affect large numbers of cardholders.

    In "PIN block" schemes, hackers break into retailer servers and steal PIN blocks that represent encrypted PIN data (which, along with card numbers, is sent to processors that execute PIN debit transactions). The thieves also steal terminal keys used to encrypt PINs. These keys are typically stored on retailers' terminal controllers. Armed with the PIN block and terminal encryption key, the thieves can determine a cardholder's PIN, then create counterfeit cards that enable them to withdraw cash at ATM machines. In this particular scam, the thieves probably also stole (likely from a retailer) magnetic-stripe data found on the back of ATM cards, which large banks typically validate.

    Recommendations

    • Card issuers: Ensure that the Payment Card Industry (PCI) Data Security standard prohibits the storage of PIN blocks and covers terminal operations.
    • Enterprises: Never store PIN blocks or magnetic stripe card data. Never store encryption keys along with encrypted data, and keep the encryption keys in high-security environments, such as hardware storage modules available from Safenet, Thales and other providers.
    • Payment vendors: Modify your software to make the storage of PINs, PIN blocks and cards' magnetic-stripe data impossible.
    • Banks: Validate magnetic-stripe card data at terminals to make the use of counterfeit cards that do not have this data impossible.
    • Regulators: Modify Regulation E, which governs consumers' rights with regard to unauthorized bank account withdrawals, loosening the consumer notification timing requirements so that consumers can get their money back more easily.

    Analytical Source: Avivah Litan, Gartner Research

    [via gartner.com (click Litan, then Latest Research, then "Fraudulent ATM Withdrawals Reflect a Widespread Threat")]
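The enterprise and payment-vendor recommendations above (never store PIN blocks or magnetic-stripe data) can be enforced where records are written. The following is an added example, not part of the original post or the Gartner brief: a Python filter that strips track data and PIN fields from a transaction log line before it is stored. The `pin_block=`/`pin=` field names, the log layout and the sample lines are assumptions constructed for illustration; the card number is the widely used 4111... test number.

```python
import re

# Track 1, format B (ISO/IEC 7813): %B PAN ^ NAME ^ YYMM service-code discretionary ?
TRACK1 = re.compile(r"%B(\d{12,19})\^[^^?]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ; PAN = YYMM service-code discretionary ?
TRACK2 = re.compile(r";(\d{12,19})=\d{4}\d{3}\d*\?")
# Assumed key=value names for PIN material; adapt to the real log schema.
PIN_FIELD = re.compile(r"\b(pin_block|pin)=[0-9A-Fa-f]{4,16}\b", re.IGNORECASE)


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: True when the digits form a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits of the card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_line(line: str):
    """Return (clean_line, findings) for one log line.

    findings is a list of (kind, luhn_valid) tuples; luhn_valid is None
    for PIN fields, which carry no card number.
    """
    findings = []

    def track_repl(kind):
        def repl(match):
            pan = match.group(1)
            findings.append((kind, luhn_ok(pan)))
            # The whole track, including discretionary data, is dropped.
            return f"[{kind} removed pan={mask_pan(pan)}]"
        return repl

    def pin_repl(match):
        name = match.group(1)
        findings.append((name.lower(), None))
        return f"{name}=[removed]"

    line = TRACK1.sub(track_repl("track1"), line)
    line = TRACK2.sub(track_repl("track2"), line)
    line = PIN_FIELD.sub(pin_repl, line)
    return line, findings


def audit(lines):
    """Scrub every line; report maps 1-based line numbers to findings."""
    clean, report = [], {}
    for number, line in enumerate(lines, 1):
        out, found = scrub_line(line)
        clean.append(out)
        if found:
            report[number] = found
    return clean, report


# Constructed sample records (not real data).
SAMPLE_LOG = [
    "2006-03-01 12:00:01 txn=1001 amount=23.10 status=approved",
    "2006-03-01 12:00:07 txn=1002 swipe=;4111111111111111=08121011234567890? "
    "pin_block=0123456789ABCDEF",
    "2006-03-01 12:00:09 txn=1003 "
    "swipe=%B4111111111111111^DOE/JANE^08121011234567890? amount=5.00",
]

if __name__ == "__main__":
    cleaned, report = audit(SAMPLE_LOG)
    for row in cleaned:
        print(row)
    print(report)
```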

    ]]>
    Sun, 12 Mar 2006 21:36:28 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=160005&view=rss&microfeed=true
    <![CDATA[ ATM Hack Fallout ]]> The ATM PIN block attacks have other consequences besides just your money getting siphoned off by scammers 2,000 miles away.

    Danilo writes: "If people stop using their Visa checkcards debit cards and opt for the credit option, instead...stores will end up eating much more money in transaction fees...So, a bit of poetic justice for you. These careless retailers are killing their own golden geese."

    Amanda, who got about $1000 in unauthorized funds withdrawn from her account from ATMs in Brooklyn, was able to get Bank of America to give her money back, except for $49 in withdrawal fees resulting from the fraudulent transactions taking place at non-Bank of America ATMs.

    "I'm told they can take up to 90 days to do so because they don't do this until their investigation into my dispute claim has been completed," she writes, "I was able to request that they credit me right away, but I could only do so by asking a fraud department representative to send an email to the investigation department, and she couldn't tell me whether they would do it or not."

    ]]>
    Sun, 12 Mar 2006 12:05:14 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=159877&view=rss&microfeed=true
    <![CDATA[ ATM Hack: The Tip of the Iceberg ]]> Two stories giving some perspective on the ATM break:

    A security analyst says, "What's really exposed are the retail systems that use the ATM system. It could have been an insider; it's very hard to know. It was someone who had access to the [encryption] keys data. They were very skilled."

    "The analyst said the crime reflects the largest PIN theft to date and the financial industry will be hit by more PIN-block fraud in the future," writes Consumerist reader Brian.

    "But Citibank is only the tip of the iceberg," said Avivah Litan (pictured), a Gartner research vice president and apparently, the only person who knows anything and can talk to the press, "The scam — and scandal — has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks."

    "This is the worst hack ever," Litan maintained. "It's significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things."

    PIN block hacks are this year's phishing.

    [via Information Week] (Thanks to Brian!)

    ]]>
    Fri, 10 Mar 2006 20:13:55 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=159787&view=rss&microfeed=true
    <![CDATA[ Depth and Breadth of ATM Scam Continues to Astound ]]> Would you like to see something scary?

    Google, "office retailer security breach."

    "blink"

    If you've used a debit card at OfficeMax:

    1) Change your PIN code right now.
    2) Don't shop there ever again.

    If you don't shop at OfficeMax but have a debit card:

    1) Change your PIN code right now.
    2) Don't swipe and punch in your PIN at the shops. Ask to sign a receipt.

    The fastest way to change your PIN is to visit your bank and ask them to change it. You can also call them and ask for a mailer, but that's not a very speedy process.

    These thieves walked away with hundreds of thousands of accounts. Just because they might have been stopped in the OfficeMax case (which probably hasn't happened otherwise it would've been announced!), what's to stop them from striking again?

    Especially since they were so successful this time.

    ]]>
    Fri, 10 Mar 2006 19:14:31 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=159778&view=rss&microfeed=true
    <![CDATA[ 'The Russian Connection' ATM Scammers Messed With Texas ]]> Here's a good article on how about 30 people in College Station, TX got hit by thieves operating very similarly to the big ATM scandal we can't stop talking about. Similarities between these stories and others we've posted include:

    • Affected bank was a small credit union
    • Unauthorized withdrawals from New York
    • Unauthorized withdrawals from Russia
    • Theft started on or around Feb. 8th

    Anyone notice similar articles in their local papers? (Thanks to Brian!)

    Previously: Consumers with Forced Debit Card Reissues Step Forward

    ]]>
    Fri, 10 Mar 2006 18:01:27 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=159771&view=rss&microfeed=true
    <![CDATA[ Consumers with Forced Debit Card Reissues Step Forward ]]> More signs point to OfficeDepot/OfficeMax and Sam's Club/Wal-Mart as being the retailers suspected of letting thousands of customers' debit cards and PINs be stolen (see ATM Fraud UPDATE: Wal-Mart, OfficeMax, Sam's Club, Office Depot Suspected).

    We're getting reports from all around the country. Several are from Southern California. But the problem is not limited to just that region.

    Christopher writes, "My wife is a debit card holder of a Farmer's and Merchants National Bank here in Columbia TN and she just got a notice last week to reorder her card. The bank will be forcibly canceling her current card in April.

    She uses her personal card for business transactions (she is reimbursed later) at all of the stores in your latest post. The letter that she got said the loss happened between Nov '05 and Jan '06."

    More readers share similar stories, after the jump. Please send yours in to tips@consumerist.com.

    Christopher continues, "I hold the same type of card that is tied to our joint account and have not received any notice. I primarily only use my card for gas and food (non PIN # transactions)."

    We caution that his story and the following only constitute circumstantial evidence. Regardless, it's evidence, something this situation has been sorely lacking.

    Brian from Texas has a story that sounds right on the money. He shops at Sam's Club and someone tried to withdraw $500 from his account on February 8th. From Moscow. "The transaction happened just after midnight, and I'm certain I was not in Moscow at the time since I was sleeping here in Texas." He writes,

    "My VISA checking card was used, showing a $500 ATM withdrawal from Moscow. I called my credit union and reported it, the same day I went to the police to report the theft and visited the credit union personally to order a new card. My $500 was returned less than two hours after I gave the CU a police report number.

    The local paper said between 20 and 50 people at four local banks (but predominantly at my credit union, Aggieland Credit Union) experienced similar fraudulent activity, most of it originating outside the country. Local police are unable to do much other than notify the Secret Service and VISA.

    Rumors locally are that a "local vendor stored credit card information on their computer" and they suspect that may be the problem. I'm wondering if it isn't so local.

    Yes, I use my card frequently (and PIN) at Sam's Club. Sam's (ours at least) will not let you use it as a credit card and sign for it, but has always allowed you to use a debit card. Buying gas I always use it as a credit card because I'm lazy and don't want to type a four digit PIN. I've also used it at grocery stores. Note that I have used my card this way for years and this is the first theft for me.

    Brian
    College Station, TX"

    —-

    Shane writes, "Mine canceled too...I have only used my card in Office Depot, never in Wal-Mart, Office Max or Sams club."
    —-

    Brandon of Chicago, IL writes, "Hmmm........very interesting.

    Three weeks ago my card was locked down without warning. I called WaMu and was told that nothing appeared out of the ordinary on my account. Still, the card was locked. Tracked down a "fraud prevention" number and they told me my card had been counterfeited and was being used to buy gas at multiple stations in FL, utilizing my PIN.

    Never been to Sam's...I'm a Costco guy if I have to be...but did make a purchase of pen refills — using my PIN — at Office Depot almost one month to the day before the fraud.

    Interesting, and might all be a coincidence, but interesting.

    Brandon"

    —-

    GenXCub from Las Vegas, NV: "Maybe I can find my documentation, but my existing Wells Fargo debit card wasn't due to expire until Feb 2007, and I'd received a new "gold" card in the mail 3 weeks ago, REQUIRING that I activate it immediately.

    I couldn't use my old card anymore (it worked for about 3 days after I activated the new card). There was no reason given in the mail as to why I was receiving this new card. I'd never merited one of their GOLD debit cards before, I don't know why they'd give me one now.

    Of the companies you listed, the only one I would have done a PIN transaction was Wal Mart, and the last time I used my debit card there was (according to wells fargo website) 1/17/06. Other places are Target, Starbucks, and one of those post office automated stamp thingy's. Everything else is at gas stations.

    This article is the first I'd heard, and I'd be interested to hear more."

    We're interested, too, especially if any of you can send scans of any documents related to your card reissue.

    —-

    Adam writes,

    "I came home from a trip to find a FedEx Express envelope leaning against my door. I opened it to find a new ATM card from my credit union - DCU (Digital Credit Union). I'll skip the rant about my ATM card sitting outside my door where anyone could have grabbed it...

    With my new ATM card was a bright yellow slip of paper:

    [Image: dcu.jpg]

    If the fact that his new ATM card was sitting outside his front door is any indication of how concerned the banks are about your debit card security... Start hoarding shiny metal objects and colored beads.

    —-

    Jason, in a story not necessarily related to this present breach, sent in his tale of debit card fraud and lost $1300 in the process,

    "In December 05 I received an overnight package via DHL from my bank, Wells Fargo. Inside was a new ATM card and instructions on how to activate it, with no indication of why I was being sent a new card. I activated it, chose a different PIN and the very next day there was a pending withdrawal from an ATM in Southern California (we live in Washington State) for $300 when we checked our account online. We called Wells Fargo, verified they had sent the new card, and complained about the withdrawal. They said they couldn't do jack about it since the activity was still pending, but they could tell that it was a PIN-based transaction.

    So we watched our account and the following day there was another withdrawal, from a different account in Southern California. We called them again and asked them to put a stop on all activity to and from our account, which they said they would. They checked the numbers on the card used to make the withdrawals and it was from my old card, not the new one they had just sent me. By this time the first withdrawal had cleared and the money was officially sucked out of our account, so we could officially begin the process of getting our money back. The next day there was another withdrawal, this time from an ATM in Brooklyn, NY, another $300 (the daily maximum?). We waited another day and a second withdrawal happened from New York.

    I called Wells Fargo customer service and asked them why the fuck there were still withdrawals from our account when I had told them to stop all withdrawals. The CSR said they had only stopped check activity, not ATM/DEBIT card activity. At this point I lost my mind, asked her why the fuck would you stop us from writing checks when the problem was with PIN-based ATM withdrawals, and did everyone there at the call center have their heads up their asses? She asked if my card had been stolen, I said no it was right here in my hand, and then she asked if I had ever given anyone my PIN "Uh, no" then she suggested I report the card as stolen and that was the only way they could stop the transactions. I told her to do it and the withdrawals stopped. It only took Wells Fargo 5 days and $1300 of my money to stop the fraudulent activity on our account.

    The dispute process itself took about 3 weeks for us to get all our money back at which point we closed all our accounts and moved everything to a local credit union. One of their investigators told us they had sent out the new card because there was some reason to think that my existing card had been compromised, he wouldn't say how except they were reviewing places I had used my card to see if there were any matches.

    A friend who works in the fraud department of a large bank told us they sometimes keep the old card and its PIN active for up to 30 days after you activate a new card unless you explicitly report it as stolen. So they sent me a new card, suspecting there was going to be some fraudulent activity, and then kept the old one active so the fraudsters could do what Wells Fargo suspected they might do. Really fine service Wells Fargo, way to put the customer first.

    -J."

    —-

    We definitely think a California OfficeMax was involved in the heist as Helen writes,

    "Hi,

    In late Jan my mom's Mastercard [MC] statement showed $800 in overdraft transfers. She called MC as she never uses overdraft. They only told her to call her bank, Wells Fargo, and didn't warn her about current MC activity.

    She almost immediately called WF: $4,000 in fraudulent pin-based debit card existed. ($100 from the historic balance, $3900 transferred in from MC- trouble in itself as her MC rate doubled!) Between the calls to MC and WF MC still transferred $300 to WF before WF cancelled the debit card.

    The fraud was mostly $300 ATM withdrawals and some $10-50 purchases all in the Philippines in January (with one last ATM in NYC). WF's algorithms hadn't caught this, although WF was aware that pins had been compromised. They had told my mom "Don't worry, you're not alone" when she first called fraud.

    Around then the San Jose Mercury ran a story on a security breach at an "office retailer." My mom reviewed 6 months of debit card purchases. OfficeMax is the only retail store in her list.

    All her other retail purchases were from small local restaurants or grocers. The only other chains were Arco gas and Marriotts.

    Undoing the MC interest rate doubling took more time than undoing the fraud- that's another issue.

    My mom had to pay MC the $4,000 to prevent a "30 days late" credit report flag. WF refunded the $4,000 once the fraud investigation was over. Given when the fraud started, she could easily have owed MC $6k- only the statement timing prevented that.

    She paid because she had it in savings, but how many people have thousands of dollars readily available *and* can afford to lose access to it for the days or weeks until an investigation is done? Lost access is a harm.

    MC "understood" my mom's concerns but insisted she pay to avoid the credit rating hit.

    Helen"

    —-

    Marcy experienced the following with her Bank of America debit card,

    My card was cancelled with NO notice. I was forced to get another one.

    I live in San Francisco and my bank said that there was a scam going on downtown of people's pins and info being stolen from ATMs in the financial district.

    This was around the first week of Feb. 06.

    When I complained, they said it was 'for my own safety.'

    —-

    Plaid writes,

    I work for a large bank in the southeast as a CSR. (I'm honestly a bit scared to talk about this and ID the bank, as while I don't plan on working there forever, I do need my job for a few more months. Let's just say its initials are ST. You're all smart people.)

    In February, we had an internal memo that said almost 6000 check cards had been compromised, and that clients might be calling in about them. We were told to assure them that they'd been turned off as a 'precautionary measure' and that they'd have their new cards in 7-10 (?????) business days.

    I didn't realize anything at the time, and while we haven't heard anything official inside, I can't help but believe it's related.

    Not as large as our friends at CitiBank, but...

    Oh, and I've been giving out advice for a *long* time that you should always sign instead of using your pin. Just based on who's involved alone, you get more help with your signature. Visa tends to be more protective of their corporate image than ANY bank is. A bank will not hesitate to tell 2000 people "You're fucked. Deal with it." Visa, from what I understand, will.

    -Plaid

    —-

    Bonnie:

    Just writing to tell you that I'm a Washington Mutual customer in Seattle, and I was just issued a new debit card on 3/3/06. It got switched from a Visa to a Mastercard. Didn't think much of it at the time when I received a letter telling me I was going to get a new card, because it was expiring this year, but now that I checked - it didn't expire until June. The letter specifically said that I would be keeping my previous PIN. Looks like I should probably change that, eh?

    Anyway, hope this helps with your data collection. Thanks for keeping us updated on this stuff!

    Bonnie

    —-

    Mark:

    I was sent a letter in early March about a security breach. A new card was sent the next day. No name of company was given. I have not shopped at OfficeMax, Wal-Mart, Sam's Club or Office Depot.

    The bank was National City Bank, based in Cleveland. I am in Columbus OH.

    This can be a very big problem for people who have automatic payments set up on their cards. I got my notice of cutoff only 1 day after a large cable bill went through (Time-Warner changed billing systems, and there were 2 payments due at the same time.)

    —-

    Scott:

    National City banks must have also been affected by the leak. I received a notice last week that because of security reasons they would be reissuing my check card. I called customer service to find out what all the hubbub was about but was directed from one representative to another and not one had any idea why my card needed to be reissued. Then the next day I saw the story of the Citibank leak on Boing-Boing.

    Scott of Michigan

    —-

    Sarah:

    Two days after this article appeared in our local paper we noticed three ATM withdrawals from London totaling over $1,500. I know of several other people that this has happened to within the last week. We haven't had any transactions with OfficeMax, but have with Wal-Mart. I'll never use the debit function on my checking account again!

    —-

    Chris:

    Hi there,

    This may or may not be related, but I received a call two weeks ago from Keypoint Credit Union, saying that my debit card was in a "range of compromised cards" provided to them by Visa, and that all ATM and credit activity on my card had been blocked. They were very proactive about it, and they've since sent me a new card and PIN, although I had to wait two weeks for it. Fortunately, there were no fraudulent transactions on my account.

    As for the source of the compromise, my last "Office Retailer" transaction was at Office Max last September. Our other 2 ATM cards (including one with more recent Office Max and Wal-Mart transactions) were not affected.

    -Chris

    —-

    Amanda:

    Hi there. I'm a Bank of America customer and had my ATM card counterfeited and used to withdraw about $1,000 at ATM machines in New York City last week (I live in Southern California). The counterfeiters made 20 different ATM transactions, most for $40, at the same Citibank ATM machine, on the same day.

    First, if this is from the same security breach as all the other incidents, then I can tell you for sure it's not from Sam's Club/Wal-Mart or Office Depot/Max, since I haven't bought anything at all from any of those places in the past few months. I reviewed my statements and the only three places (other than at ATM machines) where I've used my card as a debit card and entered my PIN since November are: Robinson's May, Taco Bell, and the Post Office. One transaction each. Maybe there's been more than one of these security breaches? I noticed one other person mentioned the Post Office as one of their transactions.

    Second, I have a qualified rant about Bank of America's handling of this situation. I suppose they haven't been completely awful about it, but they definitely haven't been great either. They cancelled my ATM checkcard without warning when they suspected the security breach (they claim they sent me a letter, but I haven't received it yet and I've already gotten the new ATM card at this point), AND they canceled my online access to my account at the same time, so that I couldn't look at what transactions were fraudulent until I physically went into a branch and spent half an hour to get online account access set up again. Also, they apparently weren't going to send me a new card until I called them and requested one. Which, if I hadn't, you know, tried to use my card and called them to find out what the hell, might not have happened until I received the "letter" they "sent" me on "March 4th."

    On the other hand, when I called Bank of America in a panic late on the evening I found out about this, they were able to pick out all the fraudulent transactions and credited me for them the next day, which fortunately meant no charges to my account bounced. And every B of A employee I've spoken with has been very kind and as helpful as they could be (and, for whatever it's worth, obviously based in the USA).

    BUT. Back on the original, evil hand, they have NOT credited me yet for $49 worth of non-Bank of America ATM fees resulting from the 20 different fraudulent ATM transactions; and I'm told they can take up to 90 days to do so because they don't do this until their investigation into my dispute claim has been completed. So, in other words, the money that the counterfeiters got, they're willing to give me back right now; but as for the money that Bank of America gave itself because of transactions that they're already pretty sure are fraudulent, well, those charges they have to "investigate" before they give back. I was able to request that they credit me right away, but I could only do so by asking a fraud department representative to send an email to the investigation department, and she couldn't tell me whether they would do it or not. The same apparently applies to insufficient funds fees (which I only through a stupendous stroke of luck didn't have any of).

    Anyway. I'll be reading Consumerist for the news on all this crap. Grr.

    Amanda M.

    —-

    Adraniel:

    "Got home today to discover a love note from Washington Mutual.

    PO Box 2436
    Chatsworth, CA 91313-2436

    February 18 2006 [odd, it's March 11th today. Chatsworth isn't that far from me.]

    Customer McCustomer
    address
    city, state, zip

    Dear Customer McCustomer:

    Exciting news! We are converting all of our customers' debit cards from Visa to MasterCard, and we are upgrading your debit card to gold status for free. In the next few weeks, you'll receive a Washington Mutual Gold Debit MasterCard to replace your Visa Check Card ending in XXXX.

    This upgraded Washington Mutual Gold Debit MasterCard will offer all the same benefits and more, with the same PIN.

    With your upgraded card, your benefits will be expanded to include the following and much more:

    * Double manufacturers' warranties for up to one year
    * Toll-Free US roadside assistance and worldwide travel assistance
    * Theft and damage protection for 90 days after purchase
    * Price protection for 60 days after purchase

    Please keep an eye on your mailbox

    Your upgraded debit card will arrive in the next few weeks. If you have additional Washington Mutual Debit or ATM cards, you'll receive information about each card in the mail. If you have questions, you can reach us in one of the following ways:

    * Click: Visit us online at wamu.com/debit
    * Call: Toll free 1-800-788-7000
    * Come in: Stop by any Washington Mutual Financial Center

    Thank you for choosing Washington Mutual!

    Sincerely,

    Doug Marshall
    Senior Vice President

    There's a footnote, too, which notes that a Guide to Benefits will be mailed under separate cover.

    Kind of interesting that it's dated almost a month prior to now and yet I just got it in my mailbox. Looks like WaMu has decided to put their trust elsewhere... also, I wonder if only some customers are getting the gold upgrade, since it says they're reissuing everyone's cards and then says "upgrading yours." If anyone else sees a different version of this letter, that might be worth checking out.

    —-

    Chris:

    This may be totally unrelated to the debit card news you've been splashing about, but 3 weeks ago (just before I started reading about the debit card fiasco), I got an urgent phone call from Citibank on my voicemail, asking me to call immediately.

    When I phoned them, they told me that one of the vendors where I had used my credit card had reported that it "may have been" stolen, and they wished to re-issue a new credit card to me right away. I asked them WHICH vendor had reported that the card had (er. MAY have) been stolen, as I wished to avoid them in the future. They told me that "they can't release that information." Which, frankly, struck me as damned odd. Nonetheless, I agreed to have a new credit card issued to me. In a moment of astonishing cheapness (and a nice Consumerist moment), they said it would be 5 to 10 days to get the card by mail; I laughed at the phone-troll and said that there was no way I was waiting 10 days to get a new credit card when I hadn't had anything to do with the loss of my information, after which she relented and said they would send it UPS overnight.

    In terms of the debit card discussion, this MAY be a red herring, in that I don't have a Citibank-issued debit card; I have a 100% pure MasterCard for its chewy credity goodness. But, I *do* shop at OfficeMax, and I *have* used this card there before (as a credit card), so the timing seems very suspicious. I sure would be interested to hear if other "credit-only" Citibank customers were affected; if so, the scope of the problem may be even larger than what you've reported. Or, heck, it could be totally legit and the restaurant down the street had a disgruntled employee issue.

    Thought I'd add to the steaming pile of knowledge y'all are wading hip-deep in.

    Cheers!

    ..Chris..

    —-

    Rhys:

    "Here in Iowa, my wife and I got home Friday to find new Wells Fargo debit cards for each of us - I wasn't due for a replacement until January, and I'm not sure when hers was due. A letter was included stating that the numbers may have been stolen and this was precautionary. We haven't noticed any strange things on the account yet (we check multiple times daily anyway) but have changed our PINs already since I had been reading this topic for the last few days. After I told her about this she called Wells Fargo to ensure our old cards would be disabled as soon as we activated the new ones, but didn't get any more information on why this had happened. We have a habit of using our cards as debit cards, but that's quickly changed. We've ranged around the midwest a bit since November, and have visited several of the stores listed. -Rhys"

    —-

    Paul:

    "I received a reissue of my Visa debit card from Washington Mutual. I felt that the wording of the note is very strange. I can type it up or scan it for you guys if you want. I live in Southern California, if that helps.

    The re-issued cards are MasterCards, instead of Visas, which we always have had at WaMu.

    What's funny is I remember asking my banker what would happen if my debit card was used fraudulently, and they said something like, "well, you'd be responsible, that's why we recommend you get a credit card." They had no option to get a strictly ATM card, rather than a debit card.

    -Paul"

    Here are scans of the "card upgrade" Paul was forced to do:

    [Images: front (wamu2.jpg), back (wamu1.jpg)]

    —-

    Marco:

    "Howdy,

    I saw your article on recent debit card reissues via a link from BoingBoing. I just got a new debit card from Washington Mutual. The letter included reads "We are providing you with this replacement card because we have reason to believe the information on your Washington Mutual Gold Debit MasterCard may be at risk of fraudulent activity. Although we are unaware of any fraudulent use of your card as of the date of this letter, please activate this card immediately and destroy your old card for your protection."

    I didn't connect this with the recent story until I saw your article. I believe Washington Mutual partners with Citibank for these cards."

    —-

    Phoebe:

    "Hi,

    I just read your post "ATM Fraud UPDATE: Wal-Mart, OfficeMax, Sam's
    Club, Office Depot Suspected" and wanted to let you know that I am a
    Washington Mutual customer and was recently sent a new debit card when my old one still has months until it expires. The letter that was sent with it said that there may have been fraudulent activity in my account and that is why they were sending me another one. I got worried and called (also called because I traveled to Costa Rica last year and Washington Mutual decided to turn off my card because I didn't tell them I was traveling, however I had never had a problem using my card before in France, Japan, or Singapore, but that's another story.)

    Anyway, when I got someone on the phone they told me that there wasn't
    any fraud in my account (neither had there been in Costa Rica) but
    that they thought that all of their customers deserved gold cards
    instead of the previously issued blue ones. Um, waste of money! Maybe they wouldn't need to charge $30 for an overdraft if they didn't decide to change the color of their cards for what I thought was no reason. Maybe the reissue of the WaMu gold cards has something to do with this however? BTW the gold card doesn't get me anything more than the blue one I had for years before.

    Thanks!
    Phoebe"

    —-

    Sarah:

    "Thanks so much for staying on top of this story. It is really disturbing how little MSM press this has gotten. We'd really like to know just how far reaching this is and what retailers plan to do about it. It irks us that they won't disclose which retailer or third party transaction processor is at fault.

    It's been over a week since our money went missing. Our bank (Suntrust) has been really great. They redeposited the funds to our account within 48 hours. They told us we didn't need to file a police report because of the sheer volume of cases in our area that were already reported.

    We still haven't gotten our replacement cards yet, so we have no way to get cash other than checks, which ironically means we have to make charges on our traditional credit cards. I'd like to also mention that Suntrust did, about a month ago, pull the same thing other banks have done: cancelling good check cards and sending out new ones. A friend of mine had gone to lunch, went to pay and had her card declined even though there was money in her bank account and her card had not expired. The only explanation she got from Suntrust at that time was they were cutting off an "old" version of the check cards and sending out new ones. Her main issue was that they cut off her card before she received a new card. Since we bank at the same bank and because I too had the "old" card, I asked if the same thing would happen to me. They said it could but would send me a new card right away just in case. No mention of fraud at all. Unfortunately for us, I got the new card but my husband's card was the one that got nabbed. Now we'll both get new cards. That will make two new check cards for me within one month.

    Anyway, thanks for all the great work! For all of us that have gotten taken, we're still paying attention.

    Sincerely,
    Sarah"

    —-

    John:

    "I bank with National City and received a letter that a new debit card would arrive. But here's what really is stupid: of course my debit card is one of two tied to our joint checking. The bank only reissued my card; they didn't suggest closing down our checking account! Hello, wouldn't that have made sense, to CLOSE the checking account too! Why invite trouble and cause stress? The bank wasn't going to tell me anything they didn't have to. I had to ask a million questions. Of course I read everything I could on the bank's web site on fraud, and I was amazed at what they refused to tell me until I grilled them on the policy."

    —-

    Sara writes:

    "I know you guys don't care much for personal anecdotes (or so I read), but I thought you might be interested to know that my bank, Wachovia (I'm in North Carolina), sent me a new debit card in the mail, unsolicited by me, with a letter that said they had been informed by VISA that "an incident involving unauthorized access into third party merchant systems had occurred," and that "based on the information provided by Visa, it has been determined that [my] Visa Check Card number, name as it appears on the card, expiration date, and magnetic strip data were potentially exposed."

    The use of my new card will deactivate my old one. The letter also reminds me that I'm not responsible for any fraudulent purchases under "Wachovia's Zero Liability Fraud protection policy," plus more marketing stuff. Fortunately, I've never had to submit any claims under this policy, but I can't vouch how "zero liability" it really is. Interestingly, my card has the same account number, and I assume the same pin number until I change it so I guess the new magnetic strip makes a difference? In any case, it's cool that my bank caught wind of this pretty quickly and sent out new debit cards to their customers (presumably all their debit card customers - no small feat in a few days)."

    —-

    Richard writes:

    "Here's my report of a debit card reissue.
    BB&T bank sent me a letter the other day saying (in part) this:

    "Visa U.S.A. notified BB&T and other financial institutions of a security breach that affected the data base of a U.S. merchant. This breach MAY (emphasis theirs) have put a very small percentage of BB&T cardholder information at risk. Your BB&T Check Card was identified as one of the cards that may have been affected.

    This breach was not the result of any actions taken by BB&T; it does not mean that there has been an unauthorized transaction on your account. However, as a precaution, we are ordering a new BB&T Check Card for you. The card will have a different number, but for your convenience, your Personal Identification Number (PIN) will remain the same. You should receive your new BB&T Check Card prior to March 28, 2006."

    So, step #1? I Google "Visa database breach" to see what's up. Seeing breaches from last July, I modify the search, adding 2006 to the above, and found your site.
    Step #2? I logged into BB&T online banking to see my statement and I find no suspicious activity and breathe a sigh of relief.

    There were lots of Sam's Club transactions, not surprisingly, that's where I get my gas. From one of the entries on somebody's page it looks like I can skip the PIN part when buying gas, so I might do that...

    You can bet that I'll change the PIN ASAP!

    Thank you!

    Richard D.
    Charlottesville, Va."

    —-

    Ross writes on 4/3/06:

      "This week, 2 things happened to my girlfriend and I;

      First, she was buying a few items at a pharmacy and they declined her Bank of America debit card. She went to the nearest BofA and they told her that her atm card was compromised. They told her they'd issue her a new one and she would receive it in the mail in 7 to 10 days. My girlfriend insisted on finding out the source of the compromise, but BofA told her it wasn't her business. Enraged, she told me also there was no communication from BofA telling her that her debit card had been shut down, no email, phone call or letter. This is a complete inconvenience for a person who uses their debit card daily.

      Then on Saturday night I went to a BofA atm and it declined my transaction, after using it only a few hours before for dry cleaning, gas, breakfast. I went to another atm down the street and it also declined my call. After repeated attempts at calling BofA, I could not get a human on the phone! Their system told me I could get an associate on the phone between the hours of 7am and 10pm and hung up on me, but this was only after 7pm PST! Imagine if I had an emergency, this is one of the largest banks in the country and I can't get a person on the phone on the weekend? So I called the next morning and their atm dept told me they detected an abnormality with the gas station I went to that afternoon and froze my card. After verifying who I was, they unblocked my card.

      I wanted to know if there was any other word of this compromise from anyone else this week?

      Thanks,

      Ross"


    —-


    Keep those stories coming in and we'll add them here.

    Previously:

    ]]>
    Fri, 10 Mar 2006 16:20:24 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=159753&view=rss&microfeed=true
    <![CDATA[ ATM Fraud UPDATE: Wal-Mart, OfficeMax, Sam's Club, Office Depot Suspected ]]> A new article by ConsumerAffairs.com claims that the Citibank investigation into thousands of stolen debit cards and PINs centers on two 3rd party retailers.

    They name...Office Depot (not Office Max, as we heard) and...

    Come on, wait for it... your favoritest company in the whole world... oh yes, here it is, here it comes.......

    WAL-MART! Wheee! Blog yourself outta that one, sucka!

    A Computerworld article sent in by reader Georgia (thanks!) says the offender may be Sam's Club, a division of Wal-Mart. We learn that Visa, in response to a letter sent by Rep. Barney Frank (D-Mass.) in February, concerned over retailer intrusions, said, "Accusing a single source of the compromise before the investigation is complete could be inaccurate and unfair... Similarly, disclosing the name of the compromised entity would become a powerful disincentive for the compromised entity to share time-sensitive information with Visa."

    Computerworld's source who works for a company aiding the lawmen following the fraud says most evidence suggests that a point-of-sale (POS) system at a California OfficeMax is involved.

    OfficeMax has flatly denied these allegations, leading one analyst to posit the source is a third-party transaction processor.

    Questions remain. Who are the retailers responsible? Why are the credit agencies hiding their identities? And, why isn't this being reported in the mainstream media? The WSJ was said to be doing an article but it's failed to surface as of yet.

    Many, many things about this are not adding up. These companies' mutual masturbation doesn't help assuage our concerns.

    If you or someone you know is a customer of Citibank, Bank of America Corp., Wells Fargo Bank, or Washington Mutual and that bank forcibly reissued you a new debit card, let us know at tips@consumerist.com.

    Previously:

    ]]>
    Fri, 10 Mar 2006 15:01:27 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=159725&view=rss&microfeed=true
    <![CDATA[ The Office Hax 'Guarantee' ]]>

    Oh ho ho reaalllllllllly? And how exactly will you back that up, pray tell?

    [Image: 3rrdisclaim.jpg]

    Great! Dinner for two at Outback Steakhouse! (dessert not included)

    (Thanks to Georgia!)

    Previously: ATM Fraud Update

    ]]>
    Thu, 09 Mar 2006 15:56:27 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=159488&view=rss&microfeed=true
    <![CDATA[ ATM Fraud Update ]]> Ok, so hackers snagged possibly up to six figures of people's debit card info from an unspecified retailer's security breach. But who? WHO is the retailer stupid enough to let this happen?

    One name that keeps getting bandied about is... Office Max.

    Check what the Raleigh, NC News & Observer has to say:

      "Bank officials and federal investigators will not disclose the retailer or retailers thought to be at the center of the data breach because the investigation continues.

      Local customers said OfficeMax is the name given by their financial institutions when asked for details. Many of the transactions appear to have been made in February, though investigators won't define the period."

    See, that wasn't so hard. All we have to do is go to Staples.

    This is actually really good news. Now we can easily dub the fiasco, "Off!c3 H@x0r."

    (Thanks to Carbunkle!) [photo]

    ]]>
    Thu, 09 Mar 2006 15:06:19 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=159474&view=rss&microfeed=true
    <![CDATA[ Alert! Citibank Scandal Update: It's Not Just Citibank... ]]> Here's what's up with the Citibank card scandal. There's an ATM crime wave. Not just Citibank customers but anyone could be at risk.

    Thieves are stealing debit card information from third-party retailers' sloppy systems and siphoning money off vulnerable accounts.

    PIN codes are supposed to prevent such an attack, but the sheer number of compromised cards indicates the thieves snagged PIN codes as well. These PINs, which are supposed to be destroyed or disposed of after a transaction, can end up accidentally stored in temporary files or other nooks and crannies in poorly designed merchant software systems.

    There are tons of PIN terminals around the world, and their oversight and maintenance are left to the individual merchant's discretion.

    If you're concerned, until much more robust standards are demanded and implemented, choose getting hassled over getting hacked. Avoid PIN transactions and opt to sign a receipt instead.

    Or, as David wrote in to remind us, do what they've been telling you to do all along: change your PIN frequently. Pick something memorable without it being your birthday or something silly that could easily be found by stealing your wallet. Something like, "I've got 3 front windows, 1 car, 2 cats and 0 aliens."

    Or pay in cold, hard, cash. Cash on the barrel head. Like your grandpappy did, you sissy.

    Wave of ATM Fraud Indicates Criminals Upped the Ante [MSNBC] (Thanks to Melsky!)

    Previously: Massive Citibank Alert: UPDATE

    ]]>
    Thu, 09 Mar 2006 10:29:38 EST popkin http://consumerist.com/index.php?op=postcommentfeed&postId=159408&view=rss&microfeed=true
    <![CDATA[ Citibank's Statement on the ATM Crisis ]]> Citigroup spokesperson Elizabeth Fogarty released the following statement to us regarding the ATM crisis:

    "Recently, we became aware of fraudulent ATM cash withdrawals on Citi-branded MasterCard credit and debit cards used in the UK, Russia and Canada on customer accounts that had been possibly compromised in previous retailer breaches in the US. To protect customer accounts that were affected, we placed a special transaction block in those three countries on PIN based transactions. We are currently reissuing cards, as appropriate, to affected customers.

    Protecting our customers' accounts and personal information is one of our highest priorities."

    The security breach is said to extend from a data loss by two retailers that occurred over a year ago. When asked who the retailers were, she said that data was not available at this time.

    It seems