Earlier this week, First National Bank of Durango, CO came forward to reveal that as many as 5,000 of its customers were at risk because of new fraudulent transactions tied to the Heartland Payment Systems data breach.
The incident raises the question: Are banking institutions and customers still at risk of similar aftershocks from this historic case?
What happened to First National Bank of Durango is not unusual, says Avivah Litan, Gartner distinguished analyst. "Typically the crooks will use stolen cards right after a heist until the looting is discovered and publicized in the media," she says. "At that point, the crooks will lie low and not use them because of heightened alerts that will flag and stop their use (e.g. because the cards are on watchlists)."
Then when time passes and the heat is off, "The crooks will rear their ugly heads and start using them again, as has happened here," Litan says.
Debra Geister, Senior Director, AML and Compliance Services at LexisNexis Risk Solutions, says this scenario is really no different from a sleeper scam, where the fraudsters sit back and wait until an opportune time to strike. "Keep in mind, in the fraudster's world, this [credit card] data is their asset. It is how they generate income."
At least one fraud and security expert is surprised that the criminals were able to use payment card accounts that were compromised a year and a half to two years ago.
"It's standard practice for the card companies to immediately block accounts when they're known (or even suspected) to be compromised," says Tom Wills, Security, Fraud & Compliance Senior Analyst at Javelin Strategy and Research. "If they didn't do so, I'm guessing that's because of the large number of accounts (and associated expense) involved - but it was clearly a mistake in this case."
Should other institutions be on alert for additional Heartland-related fraud? "Absolutely there is going to be more fraud," says Dave Shackleford, Risk and Compliance Director at Sword & Shield Enterprise Security, Inc. "There's definitely going to be more fallout from a breach that large. For example, some of those cards will be in use with institutional customers, or others who may have had larger limits on the accounts."
Geister also sees fraud loss continuing. "Once a card number is compromised, even though a small percentage typically suffer loss, I think you need to consider the card exposed and act accordingly," she says. "Fraudsters will continue to hold and manage the data to try to extract value from it."
Should institutions see further fraud from the Heartland-compromised cards, Litan says she imagines that money was set aside for future "unrealized" costs. She doubts that this is the last such fraud the industry will see as a result of the Heartland breach.
Shackleford says it is tough to say whether institutions will be able to recover fraud losses now. "Visa and the other card brands can't anticipate all the fallout from these breaches, so I'm not sure whether they're likely to extend settlements or not," he says. "I don't know what recourse the banks may have for now, though - I hate to say they might just end up 'eating it' if they've already settled, but time will tell."