25
Feb 14

Card Backlog Extends Pain from Target Breach

facebooktwittergoogle_plusredditpinterestlinkedinmail

Last week’s story about steeply falling prices on credit and debit card data stolen from Target mentioned several reasons why many banks may not have already reissued all of their cards impacted by the breach. But it left out one other key reason: A huge backlog of orders at companies that manufacture credit and debit cards on behalf of financial institutions.

carddominoesTurns out, while the crooks responsible for monetizing the Target breach seem to have had little trouble counterfeiting stolen cards, the process by which banks obtain legitimate replacement cards for their customers is not always quite so speedy.

I recently spoke with a gentleman who heads up security at a small federal credit union, and this individual said his institution ended up printing their own cards in-house after being told by their financial services provider that their order for some 2,000 new customer cards compromised in the Target breach would have to get behind a backlog of more than 2 million existing orders from other banks.

The credit union in question issues Visa-branded cards to its customers, but the actual physical cards are produced by Fiserv, a Brookfield, Wisc. financial services firm that also handles the online banking portals for a huge number of small to mid-sized financial institutions nationwide. In addition to servicing this credit union, Fiserv also prints cards for some of the biggest banks in the world, including Bank of America and Chase.

Shortly after the holidays, the credit union began alerting affected customers, notifying them that the institution would soon be reissuing cards. But when it actually went to place the order for the new cards, the institution was told it would have to get in line.

“They informed us that there was a backlog of 2 million cards, and said basically, ‘We’ll get to you when we get to you’,” the credit union source told KrebsOnSecurity.

Murray Walton, chief risk officer at Fiserv, acknowledged that the company has experienced extraordinarily high demand for new cards in the wake of the Target breach, but that Fiserv is quickly whittling down its existing backlog of orders.

“A large breach injects additional demand into a system that is already operating at near-peak capacity at year-end,” Walton said. “As a result, producers face the challenge of juggling existing contractual commitments with this incremental demand, and turn to mandatory overtime and staff augmentation to get the most out of their equipment and infrastructure.   We believe we are managing this situation as well as possible, and are beginning to see our cycle times (order to delivery) diminish compared to a few weeks ago.  Meanwhile, we note that fraud prevention is a multi-faceted challenge, and card reissue is only one arrow in the quiver.  Alert consumers and behind-the-scenes fraud management programs are also essential.”

Faced with mounting customer service requests from account holders who’d been told to expect new cards, the credit union decided to take matters into its own hands.

“We have the capability to print out the cards ourselves at a local branch, so some of our software developers wrote some scripts to export the customer data and we had two people who ended up burning the midnight oil for several days making these cards by hand.”

56 comments

  1. I don’t know which is worse these days. Breaking out the checks and writing one, in hopes no one uses those numbers for a direct tap to your account or, waiting in line for a new card.

    So far I have dodged the bullet on cards and have only had one replaced in the past 5+ years, and didn’t lose a penny.

    I am sure the business has to ensure Quality Control is there and that they are doing the best they can. I can imagine that this process will be in the rear view mirror soon enough – until the next large breach rears its ugly head.

  2. I can imagine that Fiserv has an interest in balancing security with profitability. Not too secure to hamper profits but secure enough to not attract too much attention from regulators. The breaches have to be a secret welcome sight to see.

  3. As a mid-sized financial institution, we were in a similar boat. Because we don’t have a branch in an area with a Target store, we only had to reissue about 750 cards– those were ordered and received in a fairly decent time frame (<3 weeks). The problem came up in ordering cards after the new year. We ordered a batch of cards due to an internal problem at the beginning of the year, and some customers were receiving cards as late as mid last week, and others still haven't recieved their cards.

    • Jacob, it’s understandable why you process through Fiserv (or any other processor, such as FIS, TSYS, FDR, etc.), but this situation is why you should consider breaking out your card manufacturing and daily personalization to a company that provides those services. Processors have to get cards from manufacturers, so why can’t a small or midsized bank do the same directly? I would strongly suggest you won’t be paying more for these services.

      • Card Personalization is a scale game. It’s very unlikely that a small player could produce cards at anywhere near the cost of the big players. Security is important too.

        • Nick, I’ve seen situations numerous times where the big guys are significantly more expensive than the smaller shops. As long as association certifications are current, there is no concern for security.

          Card processors make their money from doing just that – processing transaction data thousands upon thousands of times per day. Card personalization tends to be the red headed step child of their business (no offense to red headed step children, of course) that they have to provide to offer a turnkey environment. The bank’s savings received from processing is quickly negated by their card procurement and daily personalization, so that is why financial institutions should strip away these functions and go directly to the sources.

          • There are several red-headed step-children of the turn-key card issuance processing business. i.e. Print/Mail, Remittance, Customer Service. Card personalization is most definitely not one of them. It’s a complex business and the big players are making good margins. EMV is a revenue gift to the big players.

  4. I wonder if that’s one reason why my bank (a regional credit union) is switching from VISA to MC.

  5. 2 questions:
    I’ve read that EMV will be mandatory in US by the end of 2015 (later for gas stations POS). I was wondering which percentage of cards that are (re)issued now have the chip on it ? I guess it won’t help much if by October 2015 merchants have EMV capavle POS installed if only a small fraction of cards have the chip on them. Does the regulation also mandates cards issuers to make sure all their customers have a EMV enabled card or it only refers to merchants ?
    The second question: I live in Western Europe. My wife and children will spend a big part of the summer holiday at relatives on US East Coast. What could I do to minimize the risk of our cards being defrauded ? Should she exchange US dollars and use cache transactions whenever possible ? Or should I make a another credit card with a lower limit (1150 Euro seems to be minimum possible according to my bank – an odd amount) so that if it happens the damage is limited. I realize in case of fraud reported quickly as private persons we should be refunded but this often takes time. Or should I use a prepaid credit card (no protection anti fraud but much lover ammounts).

    • Actually the probability is very low that your credit cards would be compromised during a stay of part of the summer. I would not be very concerned.

      “I realize in case of fraud reported quickly as private persons we should be refunded but this often takes time.”
      The situation is better than that.

      The charge(s) against your card is immediately suspended and once they validate that it was fraud permanently removed.

      I was in Europe last fall when someone made a large purchase (almost $4K) on one of my cards. When they attempted another large purchase the next day the bank got suspicious and tried to call me. Of course they could not reach me. So they suspended the card.
      Then a few days later I tried to use the card in Europe and it did not work.
      I called the bank (in the U.S.) and learned of the story.
      The false charge was immediately suspended from my account. They offered to have a new card (new acct. #) delivered to me (in Europe) within one business day. I told them to wait until I got home (U.S.).

    • George, the issue will be whether merchants will be ready with POS terminals, not whether banks will have them issued by October 2015. The number of EMV cards issued in the US to date is infinetesimal and mostly for “travelers programs”, or those whose portfolios suggest they travel to Europe and other EMV centric areas. However, a groundswell to issue EMV cards to all customers in the US by October 2015 is in the embryonic stages of happening. There will be a mad dash to the end, but with liability shifting to merchants you can rest assured it will happen by that date.

      As it refers to your question regarding your stay in the States this summer, first, thank you for coming and playing in the water on the left side of the Atlantic. But secondly, if you are very concerned about fraud and dealing with replacing cards if it happens, a reloadable prepaid card with a low dollar amount is likely your best option. In the unlikely event your card is stolen or misplaced, you won’t be out much and you can simply get another one quickly.

    • george, I agree with others that the probability is very low that you will be a victim of fraud. You can help keep that probability low by engaging in some safe practices. I would suggest not handing your card to anyone, especially if they have to walk to a place where you can’t see them in order to ring you up. The vast majority of merchants have readers right at the checkout counter and you swipe the card yourself. Set up some alerts in advance, you might be able to set one up to let you know each time your card is used, or let you know when there is a transaction over a certain amount, or when your balance exceeds a certain amount.

  6. TheOreganoRouter.onion

    This is another good example why we need to employ more people in this country verses exporting jobs overseas.

    • My father was a pioneer in the bank credit card industry. In the 60s and 70s, he convinced a number of large east coast retailers to switch from in-house credit account processing to merchant accounts managed by his bank.

      The retailers gave up sovereignty for expediency. Accepting bank-issued credit cards allowed the retailers to reduce risk and expand sales.

      Once, when I was ten years old, I accompanied my dad to work on a Sunday afternoon.

      In a secure area of the card processing center, a very large machine made by a company called Data Card was being repaired. The technician created a blank white credit card for me with my name and social security number on it.

      The machine was large and expensive and required a small group of employees to operate and manage it.

      I imagine that somewhere along the way, “someone” decided it would be better to outsource the task of creating and mailing credit cards.

      Everytime we outsource another job, an investment banker gets his wings, but a home is foreclosed.

      “Maximizing shareholder value” indeed.

      Paraphrasing Walt Kelly: “I have met the shareholder, and he is us…”

      • B.Brodie, if I may, card issuance is not outsourced overseas. Secure card manufacturing and daily card issuance is all performed in the United States by Visa/MasterCard/AMEX/Discover certified, highly secure companies.

        As it refers to the DataCard machines, they are still the embossing/encoding workhorses of the industry, albeit far smaller than you may remember with many more options to speed card issuance to a financial institution’s customer.

      • Outsourcing is great until your business is on the line because of something like this breach. When will companies learn?

  7. It’s funny. The card industry should really start thinking about issuing more secure cards instead of building huge backlog or even acquiring new card printing equipment. When they found those newly printed or acquired again breached, that’s bad.

    • While its not ideal for consumers in the short term, I think this is exactly the feedback mechanism we need to spur change. We need the cost of doing the status quo to meet or exceed the cost of switching to EMV Chip and PIN (not a pancea), updating POS terminals, and improving fraud detection techniques.

      I see stories like this as a good thing as it causes someone to foot the bill. Target, VISA, MC, banks (just think of the number of CSR calls) have all had to pay the costs of the breach in some form. The result? Target is switching to EMV cards in a year, and card issuers are putting the pressure on merchants to switch to the technology as well.

      • I think you’re seeing another reason we’re getting movement on this issue from the banks and cc companies, finally – and its that the credit card breaches are getting high profile enough in the media that people are starting to or are close to backing off on using credit cards – that is the threat that the industry actually responds too (and must not let happen).

        The banks themselves have gotten the federal laws written so that they can deduct half their losses from credit card theft directly from their tax liabilities and the other half can be passed on to consumers – this is why they’ve just sat around as this has all gotten worse and worse over the last decades – i.e. because the larger losses don’t really affect them much.

  8. How has Civilization managed to grow from grunting rock and spear throwers during all of these centuries – up to and through the Industrial Revolution – without these damned electronic Credit cards?

    Where was Babylonian – Alexandrian -Athenian – Roman “Credit” before plastic cards? Even the Federal Reserve did very well without plastic insert slots. World War Two was somehow financed without plastic cards being inserted here and there.

    We need some perspective. We now have nano-attention spans.

  9. I have no sympathy at all for these companies. This is preventable by way of chip and pin, but the companies do not want to spend the money.

  10. As an ISO at a community-based bank as well as a Fiserv customer, the cards of our clients were replaced quickly. With Brian breaking the news of the Target breach prior to mainstream media, we were able to get on it right away. Fiserv did a good job. It is extremely rare I ever give Fiserv praise as they are continually on my s**t list.

    • “With Brian breaking the news of the Target breach prior to mainstream media, we were able to get on it right away.” We all should change our morning routine to: 1. Get to office. 2. Get coffee. 3. Read Brian. 4. Read emails from boss. 5. If necessary, tell boss to read Brian.

  11. I had 2 cards that were affected. The first, a major label CC, took about 3 weeks to get replaced, it came with an EMV “chip.”

    The second, a debit linked to a local credit union, although I confirmed that it had been used at Target during the “troubles,” the credit union wasn’t automatically offering to replace my card. They adopted the secret plan “Do nothing.” I had to go into the bank, tell them I knew it was compromised, and have a teller stamp out a new one for me. Many smaller banks may be taking this on a case by case basis.

  12. Last week a local small-city newspaper ran an article about 2 local folks who’d had their CC compromised in the Target breach. One person had used his card once during the breach period, at a city about 200 miles away.

    The article came complete with surveillance pictures of a man and woman each using a different stolen card while shopping at the local Target, in the same small city as the stolen card’s account holder. The pair were clearly together, they had come into the parking area together but then separated to enter/shop/purchase.

    Is this a usual pattern in breaches, is there a “phase” where the stolen card distribution reaches the “local” level, i.e. CC numbers are used within the account holder’s geographic area/zip code and used by a “shopping mule” at a retail store in the same area?

    • One of the distinctive traits of this (Target) breach was the sale of Zip code information. The thieves knew which store any particular CC was used in. They certainly used that information as a “value add” to lure prospective buyers.

      That they (the thieves) knew which store generated the card data tells you (me at least) that they had a pretty good handle on how Targets internal network was setup. It might have been as simple as 10.x.x.135 where .135 is the store number. Maybe not. Time will tell.

  13. If the thieves are so much faster at creating debit/credit cards than our legitimate financial institutions, what is their secret? This slowness is an unacceptable bottleneck in our fast paced global society.

    • Scale. The thieves can choose to make 10,000 cards and use 100% of them. The banks need millions of cards to cover all of them.

      The balance is always in favor of the thieves in these situations. They only need to find a single breach. The institution under attack must seal every single one.

      Not to imply I think that the banks and retailers are doing a good enough job – they’re not – but it’s a difficult situation any way you slice it.

  14. Am I the only one who winced when I read this?

    “We have the capability to print out the cards ourselves at a local branch, so some of our software developers wrote some scripts to export the customer data and we had two people who ended up burning the midnight oil for several days making these cards by hand.”

    Sure.. What’s the worst that could happen there, right?

    • Yes, I winced, too, when I read this.

      I don’t know exactly what this “local branch” was doing, but writing scripts and exporting data to make a card just isn’t kosher. The card association (i.e., Visa/MC), in conjunction with the financial institution, has to generate a completely new card account number before a new card can be issued as lost or stolen. Perhaps this branch had newly generated account numbers and was using a secure desktop embossing machine (many banks do this to get debit cards in customer’s hands as soon as they apply and get approved for a card at a branch, known as “instant issuance”), but it is still a highly structured, highly authenticated, secure process. The bank wasn’t actually “making” the cards, but likely they were simply embossing and encoding them.

      To hear how it was described otherwise was awfully scary.

    • I was wondering the same thing. Scripts hacked together at midnight by some in-house developers scrambling to transfer customer data. I’d put the odds that security or accuracy got compromised at roughly 100%.

      • CustomerSatisfier

        The point is that the risks are manageable at the local level, and any issues can be dealt with locally and quickly. The bank does transfer the risk from the customer to themselves, but at that scale, it was apparently an acceptable risk.

      • There is no way the branch did this. If they did, they would lose their charter. The brand association (V/MC, etc.) has to provide a new account number to the bank in case a card is lost or stolen, so the branch can’t go back into their instant issuance stock of cards and re-make them with the same numbers. There are simply too many checks and balances, with dual authentication of inventory and reporting of stock reports the most basic of checks.

        The bank likely received new account numbers from the association, pulled inventory from their vault, and provided new cards from their desktop instant issuance printers. The two employees who were assigned the task likely were working for a while on it, but I can’t see doing this for days on end. The machines aren’t made to take those types of volumes and the bank surely didn’t have enough of the specially made black ink to do so.

        • Visa & MC issues BINs and ICAs. Beyond that the bank (and most likely the issuing processor) assigns card numbers within the range. So Visa/MC have nothing to do with a lost-stolen reissue. The only constraint would be the issuance on the system.

          • What the bank was probably doing by writing a script was to automate a terminal based command to issue a new card on their processors system which would send an instance issuance data packet to an in-branch machine. The issuance of the card would require crypto work to generate CVV/CVCs (on the magstripe) and CVV/CVC2s (printed on the sig panel) this crypto work would require use of the appropriate keys and an HSM…It’s unlikely that this equipment would be in a branch.

  15. I lived in Switzerland a few years ago. Their system seemed incredibly convenient. It started with opening an account, which required that I get an “introduction” from an existing customer (generally a secure message to the banker from his/her account), and then an-in person meeting with a banker to set up whatever accounts I needed. I ended up with a checking account, a debit/cash card (it contained some cash in the card, for use in parking meters and the like where no internet connection was needed), a credit card, and an escrow account for the security deposit on my apartment.
    Most transaction infrastructure seemed to avoid caching much data at the selling organization and the resultant risk.
    Aside from the lack of confidence in U.S. banking institutions, is there any reason this model wouldn’t work here?

    • You think requiring an “introduction” and meeting in person with an account manager is convenient? I don’t. I also don’t think those cards are any more secure than the ones you get through signing up online.

  16. I had to get new cards last month. The credit cards came quickly enough, with Amex getting my replacement card to me by FedEx in three days (incl. weekend.) The bank debit card, however, took 4 weeks. Now I know why!

    • I don’t have a debit card, how does it work when you have one replaced? Does the old one get shut off and you have no debit card until you receive the new one?

      • Thta’s exactly what happened to me…they cancelled the original and reissued another one. Normally it takes 5-7 days, this time it wool 5 weeks.

  17. Not sure how to ask a question other than on an existing post.

    Thoughts about the Hold announcement that over 360 million accounts with email addresses and passwords are suddenly for sale? I can only think of a few online merchants with a customer set that large, who also use your email address as your login name… They say “multiple breaches” but not whether those multiple events were all at a single company.

  18. I was unfortunately a Target shopper during the breach. As soon as I read on Brian’s Twitter account about it, I canceled my debit card from my bank and ordered a new one. It came at the worst possible time, during that Holiday shopping period. I was told at the bank that it would take 7 days to get the new card issued. It took 5 weeks, now I know why as my bank couldn’t explain it. I was not a happy camper.

    Oh and the best part was a Customer Service agent at my bank told me that I really didn’t need to cancel the card, the bank was monitoring the accounts. LOL

  19. It seems that the hackers can have their way with people in the digital age … we are all just cows just waiting to be milked…!

  20. Normally the cards will be dead over time. We already see a lot of failed attempts for paying with credit cards. Seems they are getting exhausted.

  21. Is EMV the panacea? Does anyone know of the occur ace of breaches in countries that have implemented EMV? I mean reading the above it would seem like all you have to do is implement EMV and breaches are a thing of the past. Is it possible that the criminals will still be able to steal encrypted data and either decrypt or create fraudulent EMV cards.

    • Is EMV the panacea?
      > of course not, but it helps A LOT.

      Does anyone know of the occur ace of breaches in countries that have implemented EMV? I mean reading the above it would seem like all you have to do is implement EMV and breaches are a thing of the past.
      > even after EMV in place, breaches are not ‘thing of the past’ but thieves will get ‘only’ the magstripe data (plus of course personal information etc.) at maximum

      Is it possible that the criminals will still be able to steal encrypted data and either decrypt or create fraudulent EMV cards.
      > ‘create fraudulent EMV cards’ i.e. skimming&cloning is currently not possible,
      (yes, I know about existence of some academic whitepapers trying to ‘break’ the EMV chip)

      very simplified conclusion:
      EMV helps securing transactions,
      but not prevent databreaches – for that you need to have other methods/tools/standards/etc. (like PCI as an example)

  22. Makes me thankful again to be doing business with a small credit union. They were able to print two new cards at a branch in under ten minutes two days after the Target breach was disclosed.

  23. After the Target breech story broke (thx Brian!), my bank notified me that it would be monitoring my Target debit card. I am a regular Target shopper and used my Tdc 2x during the breech period. I also check my bank account daily, a longtime habit. Last week, Target sent a letter stating that no Tdc were affected by the breech. So, so far, so good.

    However, last month, I got a phishing phone call from someone calling for an auto insurance co I never heard of. He had my name, address and phone number. A neighbor, who also shopped at Target during the breech period, got the exact same phone call on the same day. I have to think they got the info somehow from the Target breech.

  24. and so today CIO Beth Jacob resigns from Target…

  25. QUESTION: re Businessweek March 13 article on Target breach states that users of rescator.so can purchase stolen credit cards by CITY….

    how does the hacker acquire the CITY of the card holder in a breach such as Target?

    is there also an exploitable security hole in the AVS (Address Verification System) used by card companies?

  26. Very true, but times have changed.

    Economies of scale allow contracting of services to those companies that can perform the duties significantly less expensively than if they were done in house. Only the largest of banks can still maintain in house card issuance, which is nothing but a huge expense with zero ROI to any financial institution.

    Once a merchant has a security breach and cards need to be reissued, all hell breaks loose in the bank and subsequently, their suppliers (whether they be card manufacturers, personalization facilities, or both). Normal daily issuance and monthly reissues still have to be taken care of, but suddenly hundreds of thousands to millions of cards need to be ordered to boost inventories and then get them into customer’s hands. Multiply that situation by the number of banks that were affected and you understand why there are delays. Print on demand cards (printed on high speed laser printers by secure card manufacturers) could be an answer to quicken the turnaround time, but costs of those tend to be prohibitive. That is why banks offer constant monitoring after security issues, which should give some piece of mind to consumers.

    There is no easy answer, especially when banks have numerous, large portfolios to reissue. Once EMV is introduced to the market, however, breaches like the one at Target will be all but a memory for cards presented at POS terminals. The real threat after that will be for internet purchases.


Read previous post:
iOS Update Quashes Dangerous SSL Bug

Apple on Friday released a software update to fix a serious security weakness in its iOS mobile operating system that...

Close