The Fraud Blog with Tracy Kitten

Internal Crimes at BofA, Card Fraud Post-Michaels

Incidents Highlight Need for Better Fraud Detection and Prevention

Two stories stand out when I look back on the month of May: the POS PIN pad swap scheme that hit Michaels crafts stores in more than 20 states and the insider job at Bank of America that led to $10 million being stolen from some 300 customer accounts.

In the Michaels case, questions are now being raised about bank and merchant liability after a breach. Attorney Randy Sabett, partner and co-chair of the Internet and Data Protection practice at law firm SNR Denton LLP, says the liability lines are often blurred after a breach. Although card fraud usually occurs outside banking institutions' control, banks and credit unions, as the card issuers, usually absorb the losses and expenses associated with breach recovery.

"There is a lot of entanglement in the credit card industry," Sabett says. "It all goes back to the contract. It's often hard to pin anything down in the contract. But the way most of these contracts are written, the retailers aren't liable."

That's a problem for banks, as the card issuers. But until they update their contracts, which in some cases are decades old, banks will continue to suffer from losses they can't recoup.

The Michaels incident raises interesting questions. But I find the breach at BofA to be even more telling.

A former BofA employee, who obviously had access to accountholder information, allegedly leaked personally identifiable information such as Social Security numbers and PINs to a ring of criminals. With that information, fraudsters hijacked e-mail addresses, cell phone numbers and possibly more, the Secret Service and internal BofA investigators believe. So far, 95 suspects linked to the breach and the ring have been arrested.

BofA says "keeping customer information secure and confidential is one of our most important responsibilities." But privacy experts like Kirk Nahra say the whole incident is one "big, scary story."

"Money was missing, so there should have been some trigger just identifying that there was a problem," Nahra says. "It's just weird that the problem wasn't picked up on sooner."

Maybe the "problem" was picked up on sooner and BofA just needed time to work with law enforcement and complete its internal investigation, as analyst Julie McNelley suggests.

Or, maybe the fraud was detected in some areas and not others.

Here's what I don't understand: How could money disappear from BofA accounts without customers being notified of a breach? Did BofA just keep refunding these customers when losses were reported? Surely BofA knew something was up. Did it just decide to keep the breadth of the fraud under wraps until it knew more?

Until more unfolds, we can only speculate - but too much speculation, especially when it comes to breaches, is never a good idea.

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by ABC News and MSN Money.