KEVIN F. KILEY
‘Upheaval’ in marketplace

When Fred Healey, president and CEO of Workers’ Credit Union in Fitchburg, recently received a letter from his debit card company saying information related to as many as 1,000 of his members’ accounts possibly had been compromised in a recent data breach, he was surprised. Data breaches have happened before, but when Workers’ has been affected it typically has involved only a handful of cards that potentially were subjected to fraudulent use.

The letter Healey received at the beginning of the month shows fraud patterns are changing and the scope of the problem, even for smaller financial institutions, is growing. “When this alert came, there were 1,000 [accounts involved]. The consensus – this fraud is big,” said Healey.

Several local banks and credit unions, primarily in the Leominster and Fitchburg area, took financial losses related to the same incident that affected Workers’ and had to replace hundreds to thousands of debit cards after being informed by Visa of a data breach at a retail store. Other than confirmation that the retailer is based in the United States, financial institutions have not been told where the breach occurred. Similar incidents have been reported in various locations throughout the country, and fraudulent ATM withdrawals using the compromised data from the Massachusetts accounts have occurred all over the world, including in London, Scotland, Barcelona and Zaire, according to the state Division of Banks, Office of Consumer Affairs and local police.

Industry watchers are quick to label the latest data breach a major problem in its own right, but it is also the related lack of accountability on the part of retailers and credit card companies during and after such incidents that is causing frustration for bankers.

Only 17 percent of 231 large merchants fully comply with industry guidelines set by the card companies, according to VISA. However, it is an improvement from last year when only 2 percent of large merchants were deemed to be in compliance. According to VISA, 75 percent of large retailers have indicated they are working toward compliance, but that still leaves 8 percent that have not told the card company of any plans to change their policies and operations.

The VISA statement, issued in the wake of the most recent data breach, has been viewed in some circles as an attempt to shift responsibility and blame.

“I don’t think it’s fair, and VISA needs to stand up and take accountability and hold their retailers accountable,” said Healey.

A secret personal identification number – or PIN – is the main mechanism for protecting consumers’ debit cards from fraud and misuse. But those in the financial services industry are learning more needs to be done as they witness the rash of debit card fraud, which has rarely been the subject of large-scale problems until recently.

Local bankers say they are mystified as to how the breach occurred. Not even the bank through which debit cards are issued has records of PIN numbers. So, how and why a retail operation began collecting the secret codes has raised deep concerns among industry practitioners.

“The PIN issue is clearly taking it [concerns over fraud] in a different direction. It’s creating an upheaval in the marketplace. It just shows the criminal enterprise is getting more sophisticated,” said Kevin Kiley, executive vice president of the Massachusetts Bankers Association. “We were surprised initially. Clearly, it [the collection of PIN numbers] was a direct violation of the rules.”

There is no reason for a retailer to be obtaining and storing PIN numbers, he added.

The card companies and financial institutions continue to seek ways to combat new angles introduced by fraudsters. Two weeks ago Workers’ began issuing a new type of debit card that offers an extra layer of protected encryption in the magnetic strip. However, it was introduced too late to stop the criminals responsible for the recent cash withdrawals. Financial institution leaders say the damage is done, but it is more than the financial losses that seem to be bothering them.

“We can tolerate losses. My point is we shouldn’t have to,” said Healey.

Workers’ Credit Union recorded a $30,000 loss from unauthorized spending and withdrawals on 50 of its members’ cards, but 1,000 cards needed to be cancelled and reissued, and that cost money too, said Healey.

“This inconvenienced a lot of people,” Healey said. “But I am really quite concerned about the reputation loss.”

When banks and credit unions are notified of a data breach, not only are they expected to eat the costs, but not being able to tell their customers where and how the breach occurred can result in an assumption by customers that blame resides with the financial institution, said Healey.

“It [details of data breaches] can not be secret and undisclosed,” he said.

Not being able to inform customers of where or how breaches happen is a critical pitfall of the current system, said Kiley.

Two years ago, a data breach at BJ’s Wholesale Club affected numerous local financial institutions. Shortly after that the New England Debit Card Task Force was formed. The task force hopes to put pressure on legislators and the credit card companies to change the way reporting of data breaches is handled.

Kiley said many local bank executives fear their institutions’ reputations could take a beating regardless of the circumstances related to a data breach. Kiley says he would like to see credit card companies change some of their policies, although recommendations made by his association have so far not been adopted.

“I would not say they [credit card companies] are not moving at a pace as quickly as we would like,” he said.

‘Reputation Risk’
Jim Blake, president and CEO of Brockton-based HarborOne Credit Union, is involved in a class-action lawsuit against BJ’s related to the incident two years ago in which his credit union sustained a loss of about $100,000. He said he would rather see the laws change to prevent breaches than more lawsuits seeking to recoup damages.

He said proper notification that specifically informs financial institutions where the breach has occurred needs to become part of the response process. He also wants to see merchants pay the costs incurred by financial institutions if a breach occurred due to their lack of security.

“You then add the reputation risks we suffer. Consumers question the integrity of the financial institution,” he said. “They think we are trying to hide information. How do you measure reputation risk?”

In the latest data breach at an undisclosed retailer, HarborOne also got a letter from VISA listing accounts that might have been compromised. Blake said even his own debit card was included on the roster. All the cards were cancelled before any unauthorized activity took place, he said.

“The problem that is happening is that this is becoming a common occurrence,” said Blake. “The bulk of the breaches are caused by the lack of security by retailers.”

Blake is urging frustrated members of his credit union to contact state and federal lawmakers, hoping that will add pressure to reexamine and change the reporting system.

On Thursday, a bill related to identity theft was advanced by lawmakers on Beacon Hill after receiving approval from the Consumer Protection and Professional Licensure Committee. Among other measures aimed at preventing identity theft, it would require companies to notify consumers if there has been a security breach. The House is expected to debate the bill in April.

The Massachusetts Bankers Association has not yet taken an official stance on the new legislation, but according to David Floreen, the association’s senior vice president of government affairs and trust services, there are some initial concerns with the bill. Floreen said extensive discussions are also taking place in Washington and a federal bill related to data theft is expected to be released soon.

As new laws and policies are considered, law enforcement is working to track down the people who stole the PIN and account data and reproduced the debit cards in the recent incident. However, chasing down the debit card crooks is proving to be quite a challenge as withdrawals pop up around the world, said Detective Scott Wolferseder of the Leominster Police Department.

Wolferseder said calls reporting unauthorized ATM withdrawals started coming in on Feb. 28 and have not stopped. He said already about 50 residents in his town have reported money illegally drawn from their accounts. Most people had $300 to $1,000 drawn from their accounts, but he has seen fraudulent withdrawals totaling as much as $2,900 on single accounts.

Wolferseder said accounts at several local credit unions and banks in the Leominster and Fitchburg area were affected.

“I am working with the Secret Service [on the case]. Hopefully we can find that common thread,” he said.

So far, law enforcement has noticed the stolen card and PIN numbers are first used somewhere on the West Coast. Hours later, ATM withdrawals are reportedly taking place at overseas locations.

While cracking such a sophisticated crime can prove difficult, a debit card theft ring was busted in December. Lt. Thomas Cooney of the Hudson County, N.J., Prosecutors Special Investigation Unit said he recently worked on a case very similar to the current one.

“The MO [modus operandi] is exactly the same,” said Cooney.

In the case Cooney worked on, 14 people were arrested in December after millions of dollars in fraudulent credit card purchases were made in more than 30 different states, as well as fraudulent withdrawals from ATMs that were made with counterfeit debit cards.

The investigation that began in June 2005 first targeted a credit card fraud ring. It was not until late last year that law enforcement officials realized fraudulent debit cards also were being reproduced and used.

“It’s a new type of fraud. It’s a new scam, and it’s out there,” he said. “I just hope someone comes up with a way to stop it. I am sure there are other [criminal] groups out there.”

Bankers Concerned Following Fraud Case

by Banker & Tradesman