Citibank PIN/ATM fiasco "worst ever," involves more banks

Snip from a TechWeb item by Gregg Keizer about the security breach first reported here on BoingBoing one week ago:

The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs "the worst consumer scam to date."

Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.

But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam — and scandal — has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.

Previously on Boing Boing:
Consumers with Forced Debit Card Reissues Step Forward
Citibank "live richly" ads remixed for security alert
Citibank security breach: undisclosed *internally*, let alone publicly?
Citibank under fraud attack, customers locked out of accounts
HOWTO Cancel someone else's Citibank credit-card

Reader comment: Seth says,

Saw the story on BB, put 2+2 – my wife got a new debit card *completely out of the blue* a few weeks ago. We were like "WTF?". (Particularly since I didn't get one myself). Now explained. She has shopped at Office Max, Wal*Mart & Costco. I have not. If indeed this is why it was replaced, I prefer their method of sending us the new card right up front. I would have liked an explanatory note, though.

Reader comment: Tracy Fisher says,

Hi Xeni, I've seen your posts about citibank. for one, thanks, because i'm experiencing nearly the same thing (but not thru citibank), and can't get much info on it. my visa has been cut off and my credit union is sending me a new card w/a new card number.

Here's an excerpt from my notification letter:

"We have been notified by Visa Fraud Control that a US ATM processor was potentially compromised. Any cardholder that used an ATM serviced by this processor may be at risk. The data compromised was not part of the City-County Federal Credit Union's member database.

The following information may be at risk: Your card account number, expiration date and CVV code.

We strongly encourage you to call and report your card as being compromised immediately!" (letter sent Feb. 21, 2006)

when i called the visa company they said very little. then i called my credit union (got the card through them), and they said someone indeed had gotten my card number information, but said they didn't have more info.

Some notes: I don't know if this case is related, but the timing is the same. (I don't shop at Sam's Club or Office Max, so I don't fit into that theory.) And I'm wondering why are the notifications all from credit unions? Were the big banks hit too? Well, I'll keep an eye on boing boing to find out the latest, since this doesn't seem to get any coverage elsewhere.

Reader comment: John Clark of The Republic says,

I think the problem is more widespread than just Citibank. I just received a similar letter from National City… And yes, I recently shopped at OfficeMax.

Reader comment: Anonymous says,

I work for Citigroup in London. Boing Boing seems to have been banned by the proxy servers on Thursday night. Coincidence with you guys pushing the recent data loss issue?