Debit card accounts stolen in a recent hacker break-in at card processor Global Payments have been showing up in fraud incidents at retailers in Las Vegas and elsewhere, according to officials from one bank impacted by the fraud.
At the beginning of March 2012, Danbury, Conn. based Union Savings Bank began seeing an unusual pattern of fraud on a dozen or so debit cards it had issued, noting that most of the cards had recently been used in the same cafe at a nearby private school. When the bank determined that the school was a customer of Global Payments, it contacted Visa to alert the card association of a possible breach at the Atlanta-based processor, according to Doug Fuller, Union Savings Bank’s chief risk officer.
That’s when USB heard from Tony Higgins, then a fraud investigator at Vons, a grocery chain in Southern California and Nevada owned by Safeway Inc.
According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers.
“Higgins said, ‘You have a problem,'” Fuller recalled, of a phone conversation the bank had with Higgins in early March. “He said he had a slew of these people going through their Vons and Safeway stores exchanging cards. He had them on surveillance tape, knew where they were from and everything.”
Higgins told USB that the fraud he was seeing was mostly in Las Vegas, but that there also was some fraudulent card activity in neighboring states in the southwest.
“He had a theory that these guys came from Los Angeles and San Diego to Vegas just to make these transactions, and then went back,” Fuller said.
The fraud described by Higgins matched the unauthorized activity that they had seen stemming from accounts used at the private school cafeteria. Fuller said Visa has alerted Union Savings Bank that about 1,000 debit accounts it issued were compromised in the Global Payments breach — including the dozen or so card accounts that initially prompted USB to investigate.
USB officials say the bank has suffered approximately $75,000 in fraudulent charges, and that it has so far spent close to $10,000 reissuing customer cards.
Other banks notified by Higgins had much higher losses, Fuller said. “Mr. Higgins told us that the thieves also hit Bank of Oklahoma and Fulton Bank of New Jersey. He said Fulton was hit very hard by these guys, to the tune of about one thousand [stolen card accounts] each week.”
Higgins could not be reached for comment. Safeway officials confirmed that he retired from the company last month, but declined to discuss Higgins’ work or the incidents that prompted him to alert USB and other financial institutions affected by the Global Payments breach. Neither the Bank of Oklahoma nor Fulton Bank responded to repeated requests for comment.
The experience of Union Savings Bank illustrates how fraudsters can extract value from debit cards even if they only have some of the data associated with the accounts. Initial alerts about the breach from Visa and MasterCard stated that the breach at Global Payments compromised both Track 1 and Track 2 data from affected card accounts, meaning thieves could produce counterfeit versions of the cards and possibly commit other acts of identity theft against cardholders. Global Payments claims that only Track 2 data was taken, and that cardholder names, addresses and other data were not obtained by the criminals.
Yet, as USB’s story shows, the data on Track 2 alone was enough for the crooks to encode the card number and expiration date onto any cards equipped with a magnetic stripe. The cards could then be used at any merchant that accepts signature debit — transactions that do not require the cardholder to enter his or her PIN.
Visa and MasterCard each have revoked their certification of Global Payments as a compliant card processor. Global Payments said it is still investigating the cause and extent of the incident. The company maintains that fewer than 1.5 million card accounts were stolen, but some in the industry now believe more than 7 million card accounts may have been compromised. Meanwhile, the card associations keep broadening the window of time in which hackers likely had access to the processor’s network. Initially, Visa and MasterCard said the breach window at Global Payments was between January and February 2012, but in the latest round of alerts sent to banks affected by the breach, the card brands warned that the breach dates back to at least early June 2011.
USB’s experience also raises fresh questions about the timing of the breach discovery. Global Payments says it self-discovered and self-reported the breach on March 8, but Fuller said his bank figured out Global Payments was having an issue and reported the fraud before that.
“Global is saying this was self-discovered, but already knew it was them at the beginning of March, because within 48 hours of a customer telling us they were having problems, we figured out it was Global and alerted Visa,” Fuller said. “We are going to put Global on notice that we hold them accountable, because we’re bleeding here. Granted, a seventy-five thousand dollar loss isn’t the end of the world, but when you have a large institution like Global that doesn’t want to accept responsibility about what’s happened, that’s sort of annoying.”