May 14, 2012

Debit card accounts stolen in a recent hacker break-in at card processor Global Payments have been showing up in fraud incidents at retailers in Las Vegas and elsewhere, according to officials from one bank impacted by the fraud.

At the beginning of March 2012, Danbury, Conn. based Union Savings Bank began seeing an unusual pattern of fraud on a dozen or so debit cards it had issued, noting that most of the cards had recently been used in the same cafe at a nearby private school. When the bank determined that the school was a customer of Global Payments, it contacted Visa to alert the card association of a possible breach at the Atlanta-based processor, according to Doug Fuller, Union Savings Bank’s chief risk officer.

That’s when USB heard from Tony Higgins, then a fraud investigator at Vons, a grocery chain in Southern California and Nevada owned by Safeway Inc.

According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers.

“Higgins said, ‘You have a problem,'” Fuller recalled, of a phone conversation the bank had with Higgins in early March. “He said he had a slew of these people going through their Vons and Safeway stores exchanging cards. He had them on surveillance tape, knew where they were from and everything.”

Higgins told USB that the fraud he was seeing was mostly in Las Vegas, but that there also was some fraudulent card activity in neighboring states in the southwest.

“He had a theory that these guys came from Los Angeles and San Diego to Vegas just to make these transactions, and then went back,” Fuller said.

The fraud described by Higgins matched the unauthorized activity that they had seen stemming from accounts used at the private school cafeteria. Fuller said Visa has alerted Union Savings Bank that about 1,000 debit accounts it issued were compromised in the Global Payments breach — including the dozen or so card accounts that initially prompted USB to investigate.

USB officials say the bank has suffered approximately $75,000 in fraudulent charges, and that it has so far spent close to $10,000 reissuing customer cards.

Other banks notified by Higgins had much higher losses, Fuller said. “Mr. Higgins told us that the thieves also hit Bank of Oklahoma and Fulton Bank of New Jersey. He said Fulton was hit very hard by these guys, to the tune of about one thousand [stolen card accounts] each week.”

Higgins could not be reached for comment. Safeway officials confirmed that he retired from the company last month, but declined to discuss Higgins’ work or the incidents that prompted him to alert USB and other financial institutions affected by the Global Payments breach. Neither the Bank of Oklahoma nor Fulton Bank responded to repeated requests for comment.

The experience of Union Savings Bank illustrates how fraudsters can extract value from debit cards even if they only have some of the data associated with the accounts. Initial alerts about the breach from Visa and MasterCard stated that the breach at Global Payments compromised both Track 1 and Track 2 data from affected card accounts, meaning thieves could produce counterfeit versions of the cards and possibly commit other acts of identity theft against cardholders. Global Payments claims that only Track 2 data was taken, and that cardholder names, addresses and other data were not obtained by the criminals.

Yet, as USB’s story shows, the data on Track 2 alone was enough for the crooks to encode the card number and expiration date onto any cards equipped with a magnetic stripe. The cards could then be used at any merchant that accepts signature debit — transactions that do not require the cardholder to enter his or her PIN.

Visa and MasterCard each have revoked their certification of Global Payments as a compliant card processor. Global Payments said it is still investigating the cause and extent of the incident. The company maintains that fewer than 1.5 million card accounts were stolen, but some in the industry now believe more than 7 million card accounts may have been compromised. Meanwhile, the card associations keep broadening the window of time in which hackers likely had access to the processor’s network. Initially, Visa and MasterCard said the breach window at Global Payments was between January and February 2012, but in the latest round of alerts sent to banks affected by the breach, the card brands warned that the breach dates back to at least early June 2011.

USB’s experience also raises fresh questions about the timing of the breach discovery. Global Payments says it self-discovered and self-reported the breach on March 8, but Fuller said his bank figured out Global Payments was having an issue and reported the fraud before that.

“Global is saying this was self-discovered, but already knew it was them at the beginning of March, because within 48 hours of a customer telling us they were having problems, we figured out it was Global and alerted Visa,” Fuller said. “We are going to put Global on notice that we hold them accountable, because we’re bleeding here. Granted, a seventy-five thousand dollar loss isn’t the end of the world, but when you have a large institution like Global that doesn’t want to accept responsibility about what’s happened, that’s sort of annoying.”


27 thoughts on “Global Payments Breach Fueled Prepaid Card Fraud

  1. Don

    I am going to go out on a limb here and say that 95% of gift card purchases at walmart for more than $50.00 are most likely fraudulent. A customer should have to scan their drivers license mag strip to purchase more than $50 in gift cards at any store. If they do not have one, then they should go to customer service where a photo can be taken of them to make the purchase.

    1. Anonymous

      Don,

      You can’t be serious.

      We have a right to privacy. If I want to buy a $100 gift card I am entitled to being able to aquire and use that for whatever purpose I wish without giving up my ID just like I would with a $100 bill.

      The problem has to do with a payment card system that is vulnerable to fraud. Don’t try to pass on flaws in the system onto the consumer.

      1. ITSec Pro

        Yes you have a right to privacy, and a retailer has a right to protect themself against fraud. If they choose to require you to prick your finger with a needle and sign with a fingerprint in blood they have that right and you have the right to take your business elsewhere. Of course if all retailers have the same requirement you’re screwed, but you still have the right to not buy gift cards. Ain’t freedom wonderful?

        1. Relayman5C

          Not if the card has Visa or MasterCard on it. There are limits to the information that they can request for holders of those cards. You will not be allowed to accept those cards if you exceed the limits.

    2. Hristo

      How about we just stop the signature nonsense, the pre-auth nonsense, the attitude to trust the merchant to notify the bank that the bank’s customer owes them money and turn to what EU are doing – EMV, chip and pin even for credit, no ability to change the transaction after it was signed by the chip (e.g. no adding of tips after the payment), etc.. it is much more simple to require a pin and have the chip than to have to show ID (although in some EU countries you have to chip &pin AND show a photo ID).

      And also, how about immediate SMS notification on any transaction on the account, … oh I forgot, this is USA.

        1. Hristo

          That is a corner case and PIN should always be required – done deal, this vulnerability will not apply. Then we can sandblast the magstrip from the card and only leave the chip with PIN required, and card should refuse a transaction with pin not required (like mine does). You have to draw a line of what is a reasonable expectation for security of transaction and what is not. If you want really secure transactions go to a branch, withdraw money (cash) from your account and do not use cards.

          Signature and no PIN is inherently a lot more broken – it is not the protocol in this case, it is broken by design.

    3. AlphaCentauri

      Maybe you shop at my local Wal-mart. I agree, no one would wait an hour in line on a Saturday just to buy gift cards, at face value, that are available anywhere.

      But lots of busy people give gift cards as gifts instead of trying to find something appropriate for the recipient, and their local Wal-mart may be the main store in town. It would not be unusual to pick up a lot of gift cards for holiday shopping or for an employee appreciation event.

  2. evin

    Do you have any advice or know where you can check if your bank issued Visa debit card has been stolen? My wife’s bank placed a hold on her card due to purchases happening in two different states on the same time. We found there were some fraudulent purchases and immediately had the card deactivated. Nice mother’s day present huh? This has happened twice to my wife in the last year and a half, should we be considering switching banks or is this just bad luck?

    1. Steve Halvorson

      Review Brian’s articles on ATM skimmers. It is excellent information for anyone concerned with protecting their check cards. The links are on the right side of the page>>>>

  3. Jim J.

    How long and how much before banks and people eliminate the issuing and use if debit cards? Either charge or write a check.

    We have become a lazy unaccountable bubble society.

    1. Skaperen

      Banks have similar risks for both credit and debit card fraud. The major difference is that users of debit card fraud are without their money during the investigation.

      What really needs to be done is replace this broken system from the 1950’s that depends on blind trust and ignorant thieves with one that allows only you to control your own purchases. What we have now has no means to verify the purchaser is authorized. A better system allows a purchaser to authenticate securely through their own bank in an encrypted back channel through a clearinghouse during the transaction. The use of a special smart card device to authorize the transaction would be used. And it can work for both credit and debit the same way.

    2. Hristo

      This is the wrong way to go. The whole system in this country is broken.

      A bank should not work like they work here. In normal countries one cannot make a withdrawal from another’s account even knowing all account details, short for posing for the person.

      What I mean is that in the US the bank trusts the merchant, that the bank’s customer owes them that much dollars and would happily pay. In a normal world this should never happen. The only one the bank should trust should be the card holder telling the bank to wire X dollars to merchant Y, by signing the transaction with EMV, or going to a bank branch. And, yes, banks should not authorize the transaction should you not have enough money up front in your account to cover it – nice and simple debit from your account get credited to merchant’s account.

      You know, in most countries the POS terminals are actually owned by the banks, not by the merchants and are connected to the bank’s network. It is not unusual for a merchant to have 3 or 4 POS terminals from different banks, so card holders of different banks have to avoid the transaction fee if they pay trough other bank’s POS.

      It is that simple. Credit and checks have to go, banks should start moving credits (positive balance transfers like in debit cards) instead of moving debits (negative balance transfers like in checks and credit cards). No, the previous sentence is not a mistake.

    3. AlphaCentauri

      Why do you think a check is more secure? It takes no special access to your secure data to read your account and routing numbers off a check you have used to pay for something, then to create fake checks using the same information. And as any college kid knows, it’s not hard to get high quality fake photo ID’s — not nearly as hard as it is getting a legitimate photo ID to vote, it seems.

  4. rimas

    The more I read, the more I’m sure that it’s time to implement EMV in the States. Good that VISA has deadlines and there will be liability shift. From the acquirer positions I should say, that after implementing EMV fraud level droped by 93% in 6 months and losses drop 100%. The US banks should really consider “chip + PIN”.

      1. Skaperen

        Derivatives are not fraud. They are just forms of intangible gambling. Of course fraud is going on and that needs to be stopped. And derivatives are not generally good because nothing is really invested in.

        But this doesn’t explain why consumer payment systems are so broken, other than the fact that competency seems to be way too diluted in Wall Street.

  5. Gary J

    Breach or not if you do not require PIN you are asking for trouble.

    1. Seymour Butz

      Because nobody could ever get your PIN.

      Ref: skimmers

  6. Todd James

    This whole article reaks of another agenda from this card issuer and this Krebs outfit. These gift cards hang by the thousands in plain sight at these stores. What idiot would actually buy them for a couple of dollars each only to reincode it with USB’s precious debit account numbers. Don’t believe everything you read. This is a money grab by the bank and Krebs thinks it is championing data security by burning Global Payments at the stake.

    1. oleg

      james your comment reeks of someone who has found a good way to steal money is worried that media coverage of it is going to run his fun. seriously, you act like krebs has an agenda and that he’s part of conspiracy to screw global payments. fact is that global has been tight with details about this breach and is hoping people — especially the press — will just forget about this breach. i for one am glad not everyone in the media has moved on.

      1. Todd James

        thanks Oleg from eastern europeon hotbed of credit card fraud. Do you really think any legitimate store is going to sell high value gift cards to someone using a safeway card that doesn’t have an imprinted correct CVV or a matching customer name or correct card number displayed on the plastic. This is classic skimming of some rich guys at a private school as discussed by the bank representitave and the ring has also found some clerks at stores that are part of the fraud ring because they are selling gift cards with obviously fake plastics. But you keep blaming the processor.. keep up your good work and I hope you get more faceybook like clicks.

  7. FreeMoneyFrom USA

    We need rich company give free money to poor. Either by force or by force. I will steal if I have to. I has no shames.

  8. Mishail

    Usually you use it at an ATM other than a bank ATM, such as one found in a grocery store or cnnevnieoce store. Keep in mind that they are high-interest loans.I tried to use mine at a bank ATM and the teller looked at me like I was stupid, since it wasn’t a debit card You can do it at any other ATMs, though.

Comments are closed.