Ohio Debit Breach: Damage ControlInstitutions Begin Outreach, Seek Clues to Origin of Hack
Fraudsters, using stolen debit details, hit accounts with signature-based transactions used for online and over-the-phone purchases. Fraudulent purchases, some of which neared $4,000, at Walmart, AutoZone and CVS were reported. Other transactions were initiated overseas, including some in Germany and the Philippines.
The affected banks include Keybank, Dollar Bank, Fifth Third, PNC, Huntington, Charter One, Ohio Savings and FirstMerit. At least six credit unions also were reportedly hit, including Century Federal Credit Union, Ohio First Class Credit Union [formerly the Postal Employees Credit Union], the Firefighters Credit Union, PSE Credit Union and Best Reward Credit Union.
Not all of these institutions have publicly acknowledged the breach, but some have posted notices to customers.
"We are aware that there has been a MasterCard Debit Card account compromise that has targeted some of our members," says a notice from Century Federal Credit Union. "The fraudulent activity is isolated to debit card transactions and has affected a small portion of our members."
Best Reward Credit Union posted a message to its website on June 3, stating that two members received unsolicited "automated" phone calls requesting their 16-digit debit card number and pin number.
According to Stephen Halas, executive vice president and COO at Best Reward's Brook Park branch, no members have reported any fraudulent activity to the institution.
"There's been no impact on us, which is wonderful," Halas says. "But I think people have to learn that they need to protect their cards wherever they are, even to the point of walking to the register rather than handing it to a waiter or waitress."
In figuring out how the breach occurred, Halas offers some suggestions. "From what I understood, it may have been card information gathered at a restaurant or some place, according to the Cleveland Plain Dealer," he says. "Maybe it was a waiter, or who knows what?"
With the amount of banks and credit unions affected in a close proximity, it's possible the fraudsters could have gotten centralized access to card information, says Jerry Silva of PG Silva Consulting.
An original approximation, that tens of thousands of accounts were jeopardized, could be an understatement, he says. "If the breach came from a centralized database, the exposure could extend to millions of cards," Silva says.
Understanding the BreachDavid Small, spokesman and assistant director for public affairs at the National Credit Union Administration, acknowledged the breach and the NCUA's interest in it, but had no additional details. "All I can tell you is that we are looking into the situation," he says.
The Electronic Crimes Task Force, a unit of the U.S. Secret Service, is in charge of the investigation.
Mike Urban, senior director of fraud product management at FICO, believes this breach does not result from a skimming attack. "Likely, it was related to one or several attacks on a card-not-present merchant," he says.
CVV data can be captured when a magnetic stripe is skimmed. CVV2 data, on the other hand, is used for authenticating online or over-the-phone purchases. "[The CVV2] number is not on a magnetic stripe," Urban says. "When you're skimming, you can compromise the CVV stripe. But you don't get the CVV2, which is on the signature bar."