Friday, March 30, 2007

TJX Data Breach -- 45 Million Cardholder Accounts -- Thieves Had Encryption Key

In the past few days, newspapers, TV and the internet have all been saturated with news about the TJX data breach. Most reports state that information about 45.7 million credit and debit cards was stolen. According to the Washington Post, approximately 75% of the cards had expired by the time of the theft or the data stolen did not include security information. In September 2003, TJX started "masking" much of the sensitive data, meaning that it was partially or completely overwritten with asterisks. In other words, card account numbers would have been stored as "**** **** **** 1234."
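The security-relevant distinction in that paragraph is that masking is irreversible: a record stored as "**** **** **** 1234" cannot be turned back into a full account number by anyone, whereas an encrypted record is only as safe as the key (the 10-K excerpt below makes exactly that point). The following is an added example, not code from the original post or from TJX, showing how a log or database scrubber can find card-number-like values and mask them in place. The sample log line and the card numbers in it are constructed test values (standard Luhn-valid test PANs plus one 16-digit value that fails the Luhn check), not real accounts.

```python
import re

# Constructed sample: one application log line that leaks two PAN-like
# values and one 16-digit reference that is not a valid card number.
# All numbers are made-up test values, not real accounts.
SAMPLE_LOG = (
    "2007-03-30 auth ok pan=4111111111111111 amt=12.50; "
    "retry pan=5500 0000 0000 0004; ref=1234567890123456"
)

# Card numbers are 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Irreversibly mask a PAN, keeping only the last `keep_last` digits.

    Separators in the input are preserved so the masked value keeps its
    original shape, e.g. "5500 0000 0000 0004" -> "**** **** **** 0004".
    """
    digits_total = sum(ch.isdigit() for ch in pan)
    seen = 0
    out = []
    for ch in pan:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > digits_total - keep_last else "*")
        else:
            out.append(ch)
    return "".join(out)


def scrub(text: str) -> str:
    """Mask every Luhn-valid, card-number-looking token in `text`.

    Values that merely look like card numbers but fail the Luhn check
    (such as the reference number in the sample) are left untouched,
    which limits false hits on order numbers, timestamps and the like.
    """
    def _repl(m):
        token = m.group(0)
        digits = re.sub(r"[ -]", "", token)
        return mask_pan(token) if luhn_ok(digits) else token
    return PAN_CANDIDATE.sub(_repl, text)


if __name__ == "__main__":
    print(scrub(SAMPLE_LOG))
```

The Luhn filter is what keeps the scrubber from mangling every long number it sees; it is not proof that a value is a card number, only a cheap way to discard most values that are not. Once masked, the stored value is useless to a thief even if, as in the TJX case, the intruder also obtains the encryption key for the rest of the record.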

This information follows on reports earlier this week of the arrest of a number of people in Florida who were caught buying gift cards at Wal-Mart using stolen TJX card data and then using those gift cards at Sam's Club stores (an affiliate of Wal-Mart) to purchase electronics and jewelry. Police estimate the scam netted $8 million. These bad guys are not suspected of the TJX data theft but rather are thought to have obtained the stolen card numbers from the data thieves. They created new credit cards reflecting the stolen account numbers which they then used to buy gift cards at a number of Wal-Marts across Florida.

The information for most of the news reports comes from a 10-K report which TJX filed with the Securities and Exchange Commission on March 28, 2007. The most ominous, and to my knowledge, so far unreported factoid in the filing is this:

Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX.
The 10-K also states that one reason TJX has had difficulty determining what data was stolen is that many of the files in question have been deleted in the normal course of business.

TJX's filing lays out the time line for the discovery and reporting of the intrusion.

On December 18, 2006, we learned of suspicious software on our computer systems. We immediately initiated an investigation, and the next day, General Dynamics Corporation and International Business Machines Corporation, leading computer security and incident response firms, were engaged to assist in the investigation. They determined on December 21, 2006 that there was strong reason to believe that our computer systems had been intruded upon and that an Intruder remained on our computer systems. With the assistance of our investigation team, we immediately began to design and implement a plan to monitor and contain the ongoing Computer Intrusion, protect customer data and strengthen the security of our computer systems against the ongoing Computer Intrusion and possible future attacks.

On December 22, 2006, we notified law enforcement officials of the suspected Computer Intrusion and later that day met with representatives of the U.S. Department of Justice, U.S. Secret Service and U.S. Attorney, Boston Office to brief them. At that meeting, the U.S. Secret Service advised us that disclosure of the suspected Computer Intrusion might impede their criminal investigation and requested that we maintain the confidentiality of the suspected Computer Intrusion until law enforcement determined that disclosure would no longer compromise the investigation.

With the assent of law enforcement, on December 26 and December 27, 2006, we notified our contracting banks and credit and debit card and check processing companies of the suspected Computer Intrusion (we refer to credit and debit cards as “payment cards”). On December 27, 2006, we first determined that customer information had apparently been stolen from our computer systems in the Computer Intrusion. On January 3, 2007, we, together with the U.S. Secret Service, met with our contracting banks and payment card and check processing companies to discuss the Computer Intrusion.

Prior to the public release of information with respect to the Computer Intrusion, we provided information on the Computer Intrusion to the U.S. Federal Trade Commission, U.S. Securities & Exchange Commission, Royal Canadian Mounted Police and Canadian Federal Privacy Commissioner. Upon the public release, we also provided information to the Massachusetts and other state Attorneys General, California Office of Privacy Protection, various Canadian Provincial Privacy Commissioners, the U.K. Information Commissioner, and the Metropolitan Police in London, England.
In an (un)related matter, the TJX Board recently approved a $1 Billion stock buy-back program.

Thursday, March 29, 2007

California Supreme Court to Hear Miller v. Bank of America

The California Supreme Court has agreed to hear the appeal in Miller v Bank of America and decide the question: Does California law, which provides that a bank account into which public benefit funds or Social Security payments have been electronically deposited is exempt from attachment and execution, prohibit a bank from exercising its right to setoff as to charges - such as overdraft fees and insufficient fund fees - arising out of use of that same account?

The trial court applied Kruger v. Wells Fargo Bank (1974) 11 Cal.3d 352 (Kruger), a California Supreme Court decision which prohibited a bank from utilizing the banker’s setoff against public benefits to recover on an account holder’s delinquent but separate credit card account. The First Appellate District reversed, holding that the setoff to collect a debt owed the bank related to the account against which setoff is exercised is significantly different from Kruger in which the debt's origin was an unrelated account.

While the legal question at issue may at first glance appear to be somewhat technical and trivial, in reality, large sums of money and significant issues of public policy are at stake in this case. The First Appellate District explained:

When it ruled on summary judgment, the court also certified a plaintiff class consisting of “All California residents who have, have had or will have, at any time after August 13, 1994, a checking or savings deposit account with Bank of America into which payments of Social Security benefits or other public benefits are or have been directly deposited by the government or its agent.” In 2003, the Bank had 1,079,414 such accounts. Each month more than $800 million in government benefits is electronically deposited into class members’ accounts. Between January 1994 and May 2003, the Bank debited at least $284,211,273 in NSF and other overdraft fees from accounts containing Social Security direct deposits.
The trial court ordered Bank of America to pay compensatory damages and restitution of $296,650,220, an astonishingly large amount even for an entity like Bank of America. The appeals court reversed, however, finding a distinction between using setoff to satisfy a debt not tied to the operation of the account being debited (prohibited by Kruger) and the facts in Miller.
Collecting a debt unrelated to the bank account, such as a credit card debt, does not implicate the internal balancing of a single bank account. Neither Miller nor his various supporting amici curiae have cited, and we have not found, a single case that interprets Kruger to prohibit a bank from applying a deposit against a negative balance in a single bank account, or towards fees assessed because of that negative balance; indeed, the distinction between that practice and the banker’s setoff against an independent account that was of concern in Kruger was observed in a closely related context. In Lopez v. Washington Mut. Bank, FA (9th Cir. 2002) 302 F.3d 900, the Ninth Circuit concluded that federal law exempting Social Security benefits from seizure did not prohibit a bank from debiting a customer’s account for overdrafts and NSF fees. (Id. at pp. 902-906.)
The appellate court was also concerned that prohibiting banks from practicing standard setoff procedures on accounts receiving public benefits would drive banks away from providing banking services to benefit recipients.
There was also considerable testimony that extending Kruger to internal account balancing practices would have adverse consequences not implicated in the context of a traditional banker’s setoff. Bank witnesses testified that prohibiting a bank from debiting an account for overdrafts, chargebacks and NSF fees when a customer account contains directly deposited public benefits will cause banks to substantially curtail the services available to such account holders. Consequences might include dishonoring any checks that would overdraw those accounts instead of offering overdraft protection; dishonoring other payment requests, such as automatic bill payments, that could overdraw the account; placing maximum holds on deposited funds; forbidding online or telephone banking; and canceling or restricting account holders’ use of ATM and debit cards.

The United States also weighed in on the issue. The Treasury Department expressed similar concerns on behalf of the federal government. According to the Treasury, the injunctive relief would likely cause banks to reduce the range of services available to recipients of government benefits in order to minimize the risk of overdrafts, or cause higher prices for such services, working a significant detriment on both the plaintiff class and the general public interest. Other approaches banks potentially could take to address the increased risk of loss from overdrafts would include requiring account holders to maintain a segregated balance of nonbenefit funds in their accounts or attempting to return direct deposits of benefits that are directed to overdrawn accounts and instead requiring deposit by check. These changes, the Treasury says, would undermine the federal government’s goals of affording recipients of public benefits the same consumer protections offered other account holders and encouraging financial institutions to offer electronic banking services, including direct deposit, to individuals who traditionally do not use banks. There is no indication that any such consequences were implicated in Kruger.
Miller's counsel, as one would expect, was described as "ebullient" and quoted as saying "I have confidence that in granting the petition [for review] it intends to reinforce the public policy rule it set forth in 1974."

Tuesday, March 27, 2007

Google Registers as E-Money Issuer in EU

On March 19th, the UK Financial Services Authority authorized Google Payment Limited to issue electronic money in that country. With its UK registration, it's fairly simple under European Union rules for Google to "passport" into other EU jurisdictions and be allowed to issue e-money across the continent. Under PayPal's UK registration, for example, it is authorized to passport into 24 other countries.

There's no official word from Google on its plans in the EU, but clearly, it has plans.

PayPal Not Worried About Competition from Google Checkout

Yesterday, CNET News ran an interview with PayPal's Chief Technology Officer Scott Thompson. There are several questions about phishing and security, but I thought the most interesting part was a question about competition from Google.

Can you comment on the competition you might be seeing from Google Checkout? Have you seen any loss of market share or revenue?
Thompson: Sure. The first thing I would say is payments are really hard to deal with. It's a business that is built around precision. There is no margin for error in anything associated with payments, and that's the relationship we have with both buyers and sellers on the eBay site and our customers and merchants on eBay. Beyond that I fully expect that because payments is such a big business, that all the competitors that we know of today are going to be there tomorrow, and there is probably going to be a whole lot more that people are dreaming of right now in start-ups in Silicon Valley and elsewhere.

So there is always going to be competition, and I actually love good competition. It raises your game to a higher level when you have good competition. So as it relates to Google Checkout, where as you would expect we are very aware of what they are doing, we don't think they are in a payment system business. We think they are specifically in a check-out business, and there is quite a bit of difference between checkouts and payments. I would argue that we have such a lead in the business of global payments that if somebody wants to chase after us a little bit, I think they are going to realize it's hard to do, and I think they will fully appreciate and understand the head-start we have. Nobody here is overly confident, but I think what we need to do is have a strategy and focus on that and not on any competition.
In addition, we learn that micropayments are tough:
How big do you see the market for micropayments? It seems like you would have the infrastructure to do that more broadly. Are you seeing content owners like music or print publishers going in that direction?
Thompson: Micropayments is a remarkably big opportunity. I said doing payments is hard. Well, micropayments is extremely hard, and that is why nobody has cracked the code on it yet. It's just very, very tough to do. You probably recall 10 to 12 years ago the phone companies thought micropayments (would be a way to) extend their billing reach further into their customer set. But every phone company that tried that has realized that this is a whole lot harder than they thought, and they all backed off those initiatives. So, I think somebody at some point will come up with a real cute idea on this, and it will be one that changes the game. I think that's one where you stay tuned. It probably plays out two or three years from today.
and PayPal currently has no plans to enter the world of online banking:
Is PayPal planning to move into online banking services?
Thompson: If you are PayPal, you can never say never. But I can tell you, we don't do online banking today. In the near term, we don't intend to do online banking. We have a rate payments business. We have tremendous future growth opportunities in the payment business that we are in. We are completely focused on that online payments business, and we view something like online banking as an adjacency that may be of interest some number of years from today. But now we are solely focused on online payments, and we don't want to be distracted.

Sunday, March 25, 2007

China Bars Conversion of Virtual Currency into Material Products

A number of news outlets are reporting on recent rules issued by the Chinese government limiting the use of virtual currency in that country. The best online explanation I've found is a story by Mure Dickie in the Financial Times.

A formal notice quietly issued to officials last month by the Communist party and government departments, including the central bank, has ordered “strict differentiation between virtual exchanges and online commerce in material products”.

The notice says: “The People's Bank of China will strengthen management of the virtual currencies used in online games and will stay on the lookout for any assault by such virtual currencies on the real economic and financial order.”

Virtual money can only be used to buy virtual products and services the companies provide themselves, issuance will be limited, and users are “strictly forbidden” from trading it into legal tender for a profit, says the notice.
The new restrictions appear to be a reaction to the growing popularity of a virtual money product known as "QQ Coins."
The restrictions follow Beijing’s growing concern about the influence of currencies created by internet companies, particularly the wildly popular "QQ Coins" issued by Hong Kong-listed messaging and games provider Tencent.

Tencent's messaging system is used by an estimated two-thirds of Chinese internet users and its QQ Coins have been accepted as payment by other companies as well as sold for legal tender.
It isn't clear exactly what China's primary concern about virtual currencies is. The AP says the worry is "money laundering or illicit trade." The Asia Times, however, has suggested that there is concern that the virtual currency could harm China's real currency.
The so-called "QQ" coin - issued by Tencent, China's largest instant-messaging service provider - has become so popular that the country's central bank is worried that it could affect the value of the yuan.

Public prosecutor Yang Tao issued this warning: "The QQ coin is challenging the status of the renminbi [yuan] as the only legitimate currency in China."
Some additional interesting tidbits on QQ coins from the Asia Times:
Tencent boasts more than 220 million users, and its QQ coins can be purchased with a bank, telephone or "QQ" card at an official price of 1 yuan (12.5 cents) per coin. Originally, the virtual coins were designed to pay for Tencent services such as electronic greeting cards, online games and anti-virus software. Now, however, they have reportedly developed into an alternative currency traded on the black market and used for other, less savory services, such as online gambling and private chats with "QQ girls".

Xinhua, China's official news agency, reports cases of people earning thousands of yuan per month trading in QQ coins, which they can win by playing online QQ games that pay out one coin for every 10,000 points earned. Xinhua also reports that the operators of some Internet forums are now paid in QQ coins rather than the official currency. And there is evidence that other online sites not associated with Tencent also accept QQ coins.

In addition, unofficial online vendors have sprung up to take advantage of QQ fever. They accumulate large numbers of coins by hiring professional game players to win them and also through gambling ploys, inside connections at entertainment companies and even by hacking into user accounts and simply stealing them. Then they sell the virtual currency below its official value, at a rate of 0.4-0.8 yuan per coin.
Tencent recently reported that its 2006 revenues were $358.6 million, an increase of 96% over the previous year. Net profit was $136 million, a whopping 119% jump over 2005. I can't find an official statement (at least one in English) on either the Tencent or QQ.com sites responding to the new rules on virtual currency.

I can't wait to see if other countries follow the Chinese example and attempt to limit the use of virtual currencies to purchase material goods. I don't see how such a rule could be successfully implemented without a corollary prohibiting the sale of virtual goods for real money. If you want to prevent financial transactions which are illegal in this world from taking place in a virtual world, you will have to severely limit the movement of money and goods between the two.

Thursday, March 22, 2007

House ILC Hearings Postponed to March 29

UPDATED

The House Financial Services Committee hearings on the Industrial Bank Holding Company Act legislation have been postponed until March 29, 2007. A list of persons who will testify has finally been posted on the committee's web site, although no prepared statements are available.

The witnesses will be:

Panel One:

  • The Honorable Donald L. Kohn, Vice Chairman, Board of Governors of the Federal Reserve System
  • The Honorable Sheila C. Bair, Chairman, Federal Deposit Insurance Corporation
  • John E. Bowman, Chief Counsel, Office of Thrift Supervision
  • Erik R. Sirri, Director, Market Regulation, Securities and Exchange Commission
  • G. Edward Leary, Commissioner, Department of Financial Institutions, State of Utah
Panel Two:
  • Michael J. Wilson, International Vice President, Director, Legislative and Political Action Department, United Food and Commercial Workers International Union
  • Mark Macomber, President and CEO, Litchfield Bancorp, Litchfield, Connecticut, On behalf of America’s Community Bankers
  • Jim Ghiglieri, President, Alpha Community Bank, Toluca, IL, On behalf of Independent Community Bankers of America
  • Earl McVicker, Chairman & CEO, Central Bank & Trust Co., Hutchinson, KS, On behalf of American Bankers Association
  • John L. Douglas, Alston & Bird LLP, Atlanta, GA, On behalf of American Financial Services Association
  • Marc Lackritz, Co-CEO, Securities Industry and Financial Markets Association

Wednesday, March 21, 2007

The Folly of the New Presidential Dollar Coins

Today's Washington Post contains an interesting and amusing story questioning why the U.S. Mint is issuing new dollar coins when the world is moving away from cash to electronic forms of money.

Sit down in the handsome office of Edmund C. Moy, the director of the Mint. Ask him to comment on the quote attributed to Albert Einstein: "Insanity is doing the same thing over and over again, expecting different results."

Point out that the future of money is relentlessly shifting away from physical cash. Ask him if he has lost his blooming mind. The Congress made me do it, he replies.
Moy is referring to the Presidential Dollar Coin Act of 2005, which requires the Mint to issue new dollar coins featuring the images of U.S. Presidents.

Post staff writer Joel Garreau reports that the percentage of transactions made in cash, versus check or debit or credit cards, has declined from 21% in 2003 to an estimated 15.7% in 2008. Use of electronic payment methods, on the other hand, is expected to grow to 65%, with checks taking the remaining share of the payments market.
Cash is increasingly reduced to three arenas, [cultural anthropologist Jack] Weatherford says. It is used for transactions performed by poor people -- "the unbanked population," as they are picturesquely known; anybody's small purchases -- like an ice cream cone; and for illicit activities like tax evasion, extramarital trysts and drug scores -- for which anonymity is at a premium.
Garreau notes that the transformation of money from cash to computers has occurred in a short span of time.
Computerized money produces the world we live in today. It may be hard to remember, but at the beginning of the 1990s, only 5 percent of grocery stores accepted credit cards. Now, you sign for your pomegranates. Similarly, travelers to distant lands no longer stock up on exotic cash. They are confident their money cards will meet their every need the instant they land, wherever that might be.

The next frontier is to delete even the plastic from our "plastic," says Tim Attinger, who describes himself as being in charge of ridding the United States of cash and checks. He is the senior vice president of product innovation and development for Visa USA. "I dream of a day when kids on the corner selling lemonade will take Visa payments," he says. "Not next year, but it can happen."

In Asia, it is already common to pay for things by simply waving your chip-equipped cellphone at a point-of-sale terminal, moving money with a beep as quickly as commuters sail through the Dulles Toll Road with an EZ Pass. Devices are being deployed in the United States that allow you to pay simply by pressing your fingertip to a scanner.

At that point, our bodies become our money.
His last line may be a bit too Orwellian, but his point is well taken.

And what about the initial question of why the government would start a long-term dollar coin program when prior similar coins have failed and people are moving away from cash anyway? The answer is "seigniorage."
Because it costs the Mint 20 cents to make the new dollar coin, and people pay a dollar for it, the margin on each one is 80 cents. If people proceed to squirrel the coin away, and not put it in circulation, this is wonderful. The government gets to keep that 80 cents forever.
The economics of minting coins may be a bit more complicated than that analysis, but it's true that the point of the new dollar coins, just like the 50 state quarters and Lewis and Clark nickels, is to make money off of coin collectors.