Gov’t red-faced as card data leaks lead to thefts

Fear of hacked personal information being used in financial fraud and leading to actual losses, which the financial authorities promised was unlikely to happen, has been realized.
As a result, public mistrust and frustration are growing over the assurances by the financial authorities.
Yesterday, the financial authorities issued a warning to the public after personal information of 200,000 credit card accounts was hacked via a point-of-sale card reader at a cafe in Mokpo, South Jeolla.
Information about 200,000 credit card accounts has been leaked since January from that single cafe, and the hackers withdrew cash from 268 accounts before they were caught recently.
According to the Financial Supervisory Service, the three hackers were able to access the information about consumers who used credit cards or SK’s “cashbag” card, a customer loyalty program, when buying coffee or cakes at the cafe.
From the credit cards, the hackers were able to obtain the customers’ credit card numbers and expiration dates stored on the credit card reader. From the cashbag cards swiped on the same machine they were able to obtain the four-digit PIN code customers used to claim rewards.
They figured that many people would use the same four-digit PIN codes for their credit card when taking cash out of ATM machines.
They created false credit cards for those accounts and used ATM machines to withdraw cash, using the four-digit PIN codes valid for that customer’s cashbag account.
The police found that 120 million won ($115,617) was withdrawn through 268 bogus credit cards. The FSS said the four-digit PIN codes of customers who made purchases with credit cards but didn’t use their cashbag cards were not leaked.
The FSS said it informed 10 credit card companies on Monday that a total of 200,000 card accounts were hacked.
BC Card is likely to be the biggest victim, with information on 34,000 card accounts leaked.
The credit card hacking was revealed after a BC Card customer informed the company on Jan. 29 of unauthorized withdrawals.
According to the police, two of the hackers have been arrested while the gang leader, who fled to Cambodia, has been arrested there.
The credit card companies said through the financial authorities that they are closely monitoring whether the stolen cards are being used in an illegal manner.
If those cards are used by unauthorized people, the companies will make full refunds, the FSS said.
The FSS said the point-of-sale (POS) system that is widely used at stores and restaurants should be changed to devices that use integrated circuits. It encouraged consumers to upgrade to IC-enabled cards.
Cards with magnetic stripes are vulnerable to duplication and are more likely to be used in illegal withdrawals of cash. IC cards have a gold turtle-shell chip on the front.
The watchdog also warned consumers that they should use different passwords for different cards and that they should not make a credit card’s password the same as that of a loyalty or cashbag card.
“There are high possibilities of additional crimes that use the stolen information,” the FSS said in a statement.
The government and private institutions jointly launched an investigation group to look into financial crimes involving illegally distributed personal data.
The group held a launch ceremony at the Seoul Government Complex in Gwanghwamun yesterday.
It was joined by 11 government branches including the Ministry of Strategy and Finance and seven private institutions and businesses like SK Telecom and Naver.
The credit card hacking comes on the heels of the first financial losses from personal information leaked by financial companies earlier this year.
Although shadowed by a larger credit card information leak in January, two major foreign banks - Standard Chartered Korea and Citibank Korea - suffered from a leak of their clients’ personal information last December.
The police said Wednesday that they arrested four people who allegedly extorted about 37 million won through voice phishing by using personal information stolen last year.
One of the arrested, surnamed Lee, called 10 bank customers and cheated them by promising to convert current 10 percent interest rate loans to lower interest rate loans.
Lee, who worked at a subcontractor of SC Bank, copied customer information stored in a bank’s computer network on a USB and gave it to accomplices, the Seoul Metropolitan Police Agency said.
Lee allegedly had personal data of about 1,900 financial customers of Citibank.
One of the accomplices, surnamed Park, was a former employee at Citibank and leaked 34,000 loan borrowers’ information from the company’s computer network by printing it out, according to the police. It was the first reported case of leaked personal information being used against a customer and resulting in an actual financial loss.
This is scaring many consumers, especially those who use Citibank and Standard Chartered. Combined, information on three million customers is at risk with information from 50,000 already circulating in the market.
Citibank made an official apology on Wednesday. But criticism is mounting over the financial authority’s handling of the issue.
The FSS did not properly warn consumers of possible losses from the leaked data and made repeated assurances that they were safe.
The FSS said that even though the information was sold to loan brokers, it would not lead to direct damages such as credit cards being cloned or cash being withdrawn from accounts. It insisted the data were mainly sold for marketing purposes and did not include PIN codes or passwords, so consumers were safe.
“We analyzed the personal information leaked from these two banks since last December and found no bank account numbers or passwords,” said a spokesman for the FSS. “We also conducted field investigation, but in the course of that process, data was being sold.”
BY SONG SU-HYUN, KIM JUNG-YOON [email@example.com]