A security-conscious friend of mine recently received an automated call telling him that his ATM card was being cancelled due to a data breach. The robo call said a new card was in the mail, asked him to monitor the account for suspicious activity and not to use the card – hence the denial of service.
He felt there may be more to the story, being an infosec
professional – so he immediately called the bank to get more clues. He found the keyword to getting intelligent
insights from the bank was to use the word “fraud”, which got him to a
knowledgeable customer service rep quickly.
The bank’s story:
The bank indicated that they had received a call from VISA
specifying the ATM card number “might” have been compromised. The key thing to understand is that there was
apparently a data breach – his ATM number must have been in a breached database,
ostensibly a 3rd party database.
Remember, he only used this ATM card at bank-approved ATM machines, not
for anything else. According to the
bank, VISA did not tell them which 3rd party or database had been
compromised.
So it’s not a typical data breach, as he had only used
the ATM card in question at bank location ATMs.
So how did the ATM number end up in a 3rd party database? There are a limited number of ways immediately obvious:
- The bank sold
the ATM number
- The bank’s ATM
network was compromised and this card number was sold
- The fraud alert
was a fake by VISA or someone masquerading as VISA, designed to cost the
bank money to re-issue the ATM cards and to increase consumer fear that
their debit transactions are not safe
Scenario 1 is highly unlikely as it would be a huge GLBA
violation for the bank to sell an ATM number, and the bank is liable for any fraud.
Scenario 2 is also unlikely since there were no fraudulent
charges and the alert came from VISA, implying the card was used somewhere
That leaves Scenario 3, which is pretty darned stinky. VISA does make more money on credit cards
than debit cards. Also, in the words of
Sherlock Holmes, "when you have eliminated the impossible, whatever remains, however improbable, must be the truth."
So you have the clues - what do you think really happened? Who dunnit?
Is there another explanation?
No comments:
Post a Comment