First American Bank in Illinois is urging residents and tourists alike to avoid paying for cab rides in Chicago with credit or debit cards, warning that an ongoing data breach seems to be connected with card processing systems used by a large number of taxis in the Windy City.
In an unusually blunt and public statement sent to customers on Friday, Elk Grove, Ill.-based First American Bank said, “We are advising you not to use your First American Bank debit cards (or any other cards) in local taxis.” The message, penned by the bank’s chairman Tom Wells, continued:
“We have become aware of a data breach that occurs when a card is used in Chicago taxis, including American United, Checker, Yellow, and Blue Diamond and others that utilize Taxi Affiliation Services and Dispatch Taxi to process card transactions.”
“We have reported the breach to MasterCard® and have kept them apprised of details as they’ve developed. We have also made repeated attempts to deal directly with Banc of America Merchant Services and Bank of America, the payment processors for the taxis, to discontinue payment processing for the companies suffering this compromise until its source is discovered and remediated. These companies have not shared information about their actions and appear to not have stopped the breach.”
Bank of America, in a written statement, declined to discuss the matter, saying BofA “cannot discuss specific client matters.” Neither Taxi Affiliation Services nor Dispatch Taxi returned messages seeking comment.
Christi Childers, associate general counsel and compliance officer at First American Bank, said the bank made the decision to issue the warning about 18 days after being alerted to a pattern of fraud on cards that were all previously used at taxis in Chicago. The bank, which only issues MasterCard debit cards, has begun canceling cards used in Chicago taxis, and has already reissued 220 cards related to the fraud pattern. So far, the bank has seen more than 466 suspicious charges totaling more than $62,000 subsequent to those cards being used in Chicago taxis.
“We got calls from several customers, looked at their transactions and triangulated what was common here,” Childers said. “We’ve been complaining to Bank of America, saying, ‘Hey, do something about this.’ They said they couldn’t give us any information and that we need to talk to MasterCard.”
James Issokson, a spokesman for MasterCard, said in a brief emailed statement that MasterCard is “aware of and investigating reports of a potential breach affecting taxi cabs in Chicago.”
According to First American Bank and at least one bank based in the Midwestern United States, the fraud related to the affected taxis shows up on cards as “Chi Taxi,” and has been going on since at least early December 2013.
Avivah Litan, a fraud analyst with Gartner Inc., said the move by First American to publicize the incident suggests that many banks are feeling fatigued over the sheer volume of intrusions involving customer card data.
“I’m shocked, and it’s pretty amazing that they put that out there publicly, because everyone is usually so scared that they’re going to piss off Visa and MasterCard,” Litan said. “I’ve never seen any bank speak up like that. They’re probably just fed up.”
If banks are experiencing breach fatigue, it’s a good bet that consumers are feeling it as well. Over the weekend, I spent several hours contacting more than two dozen online merchants — including two relatively small credit card processors — whose Web stores were apparently compromised late last year by card-stealing malware. If you weren’t fatigued by the breaches yet, just wait until the end of this week. Stay tuned.