April 21, 2006 -- After their banks quietly informed them their debit card and bank information may have been stolen, thousands of Americans could lose as much as $500 in money taken from their accounts.
In possibly the biggest incident of debit card hacking theft, thousands of U.S. consumers have been told that their bank accounts may have been compromised by computer hackers who stole debit information and personal identification numbers (PINs) from their bank accounts.
"This is the worst debit-PIN breach that has been reported to date," said Avivah Litan, analyst and digital banking expert at Gartner.
During the past few weeks, banks across the country quietly informed consumers who may have been victimized by the breach, which occurred more than a month ago.
Litan said that 200,000 to 300,000 consumers may have had new debit cards issued, and the banks reportedly monitored account activity for the consumers at risk. But some consumer groups questioned why the notification letters were not more specific about the details of the breach, such as whether it was a specific merchant whose security was compromised.
"The letters seem to be pretty vague. They're not being told where the breach occurred. The notices tell them that something happened, but it won't tell them where or how," said Gail Hillebrand of the nonprofit group Consumers Union. "If you're a consumer, it would help to know which retailer made your information available, because maybe you wouldn't want to shop there again."
One privacy expert said that banks and retailers often wrangle over the particulars of notifying consumers when a security breach occurs.
"No one wants to send out a security breach notice," said Chris Hoofnagle of the Electronic Privacy Information Center. "You instantly become a pariah, and the fear is that you'll start to lose customers."
Unlike credit cards, which by law hold consumers responsible for only $50 in the case of theft, card issuers can hold debit card holders responsible for up to $500 when their money is stolen. Electronic money transfers, including debit card transactions, are governed by a Federal Reserve Board regulation known as Regulation E. One of its stipulations puts the onus on consumers to report irregularities with electronic transfers. If consumers fail to notify card issuers about breaches in a "timely fashion," the card issuer could hold the consumer responsible for up to $500.
But Hoofnagle said it was doubtful that banks and merchants would hold consumers liable for such a large amount of money.
"I can't imagine when you have a breach like this, where the consumer is not at fault in any way, that banks would hold them responsible for that $500," Hoofnagle said.
At least one bank said the breach compromised an outside merchant, not the bank. Wachovia Bank released a statement saying that Visa notified the bank that "security breaches occurred at merchants or what are called third-party vendors."
The bank notified customers, issued new debit cards and monitored account activity. The Wachovia statement also made it clear that customers would not be held responsible, saying, "it's important for customers to know that if fraud is detected they are fully protected by Visa's zero liability policy, which means they will pay nothing in the event of a fraudulent purchase."
But if you're hacked, you'll still face difficulties.
"Even though you almost always get your money back, it's not a simple wrap," Litan said. "You have to go through all kinds of phone calls and forms, and it's a hassle."
In many cases, there is little justice for cyber thieves. Often authorities have little evidence to track the crimes, and hackers are known to respond to new cyber security measures with even better hacking technology.
"These crooks get away with it, and that's why they keep doing it. They've got about a one in a thousand chance of getting arrested," Litan said.