Mar 16

Credit Unions Feeling Pinch in Wendy’s Breach

A number of credit unions say they have experienced an unusually high level of debit card fraud from the breach at nationwide fast food chain Wendy’s, and that the losses so far eclipse those that came in the wake of huge card breaches at Target and Home Depot.

As first noted on this blog in January, Wendy’s is investigating a pattern of unusual card activity at some stores. In a preliminary 2015 annual report, Wendy’s confirmed that malware designed to steal card data was found on some systems. The company says it doesn’t yet know the extent of the breach or how many customers may have been impacted.

According to B. Dan Berger, CEO at the National Association of Federal Credit Unions, many credit unions saw a huge increase in debit card fraud in the few weeks before the Wendy’s breach became public. He said much of that fraud activity was later tied to customers who’d patronized Wendy’s locations less than a month prior.

“This is what we’ve heard from three different credit union CEOs in Ohio now: It’s more concentrated and the amounts hitting compromised debit accounts is much higher than what they were hit with after Home Depot or Target,” Berger said. “It seems to have been [the work of] a sophisticated group, in terms of the timing and the accounts they targeted. They were targeting and draining debit accounts with lots of money in them.”

Berger shared an email sent by one credit union CEO who asked not to be named in this story:

“Please take this Wendy’s story very seriously. We have been getting killed lately with debit card fraud. We have already hit half of our normal yearly fraud so far this year, and it is not even the end of January yet. After reading this, we reviewed activity on some of our accounts which had fraud on them. The first six we checked had all been to Wendy’s in the last quarter of 2015.

“All I am suggesting is that we are experiencing much high[er] losses lately than we ever did after the Target or Home Depot problems. I think we may end up with 5 to 10 times the loss on this breach, wherever it occurred. Accordingly, please put this story in the proper perspective.”

Wendy’s declined to comment for this story.

Even if thieves don’t know the PIN assigned to a given debit card, very often banks and credit unions will let customers call in and change their PIN using automated systems that ask the caller to verify the cardholder’s identity by keying in static identifiers, like Social Security numbers, dates of birth and the card’s expiration date.

Thieves can abuse these automated systems to reset the PIN on the victim’s debit card, and then use a counterfeit copy of the card to withdraw cash from the account at ATMs. As I reported in September 2014, this is exactly what happened in the wake of the Home Depot breach.

Berger said NAFCU’s members are still trying to figure out whether they should just reissue cards for any customers who ate at Wendy’s anytime recently. After all, the restaurant chain hasn’t yet said how long the breach lasted — or indeed if the breach is even fully contained yet.

This brings up a fascinating phenomenon that occurs with card fraud linked to breached retailers or restaurants that customers patronize frequently. I recently spoke with a bank security consultant who was helping several financial institutions deal with the fallout from the Wendy’s breach. The consultant, who spoke on condition of anonymity, said many of his client banks had customers who re-compromised their cards several times in a month because they ate at several different Wendy’s locations throughout the month.

“A lot of them are kind of having a tough time because they’re having trouble putting context around the exposure window, and because customers keep re-compromising themselves,” the consultant said. “The banks are reluctant to keep re-issuing cards if the cards are going to get re-compromised over and over because some customers just have to have their hamburgers each week.”
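The account review the credit union CEO describes and the exposure-window problem the consultant raises are both forms of common-point-of-purchase analysis. The sketch below is an added example, not code from this article or from any institution's tooling; every account ID, merchant name, date and function name in it is constructed, and it assumes a single merchant is the source of the compromise.

```python
"""Common-point-of-purchase (CPP) review over constructed card data."""
from collections import defaultdict
from datetime import date

# Constructed sample: (account, merchant, purchase date). All names are placeholders.
TRANSACTIONS = [
    ("acct-01", "BURGER-CHAIN-A", date(2015, 11, 18)),
    ("acct-01", "GROCER-B", date(2015, 11, 20)),
    ("acct-02", "BURGER-CHAIN-A", date(2015, 11, 25)),
    ("acct-02", "GAS-C", date(2015, 12, 1)),
    ("acct-02", "BURGER-CHAIN-A", date(2015, 12, 2)),
    ("acct-02", "BURGER-CHAIN-A", date(2016, 1, 8)),  # visit after card reissue
    ("acct-03", "BURGER-CHAIN-A", date(2015, 12, 5)),
    ("acct-04", "BURGER-CHAIN-A", date(2015, 11, 30)),
    ("acct-04", "GROCER-B", date(2015, 12, 10)),
    ("acct-05", "BURGER-CHAIN-A", date(2015, 12, 12)),
    ("acct-05", "GAS-C", date(2015, 12, 15)),
    ("acct-06", "BURGER-CHAIN-A", date(2015, 11, 21)),
    ("acct-06", "BURGER-CHAIN-A", date(2015, 12, 19)),
    ("acct-07", "GROCER-B", date(2015, 11, 22)),
    ("acct-07", "GAS-C", date(2015, 12, 3)),
    ("acct-08", "GROCER-B", date(2015, 12, 1)),
    ("acct-09", "BURGER-CHAIN-A", date(2015, 12, 8)),
    ("acct-09", "GAS-C", date(2015, 12, 9)),
    ("acct-10", "GAS-C", date(2015, 12, 11)),
    ("acct-10", "GROCER-B", date(2015, 12, 14)),
]
# Constructed: account -> date of its first confirmed fraudulent charge.
FIRST_FRAUD = {
    "acct-01": date(2015, 12, 20), "acct-02": date(2015, 12, 22),
    "acct-03": date(2016, 1, 4), "acct-04": date(2016, 1, 10),
    "acct-05": date(2016, 1, 12), "acct-06": date(2016, 1, 15),
}
# Constructed: account -> date a replacement card was issued.
REISSUED = {"acct-02": date(2015, 12, 23), "acct-03": date(2016, 1, 5)}


def rank_common_points(transactions, first_fraud):
    """Rank merchants by how over-represented they are among fraud accounts.

    Returns (merchant, share of fraud accounts, share of clean accounts, lift).
    """
    if not first_fraud:
        return []
    fraud_seen, clean_seen, accounts = defaultdict(set), defaultdict(set), set()
    for acct, merchant, day in transactions:
        accounts.add(acct)
        if acct not in first_fraud:
            clean_seen[merchant].add(acct)
        elif day < first_fraud[acct]:  # only pre-fraud visits can be the source
            fraud_seen[merchant].add(acct)
    n_fraud = len(first_fraud)
    n_clean = len(accounts - set(first_fraud))
    floor = 1 / (n_clean + 1)  # keeps lift finite when no clean account visited
    ranked = []
    for merchant in set(fraud_seen) | set(clean_seen):
        f_share = len(fraud_seen[merchant]) / n_fraud
        c_share = len(clean_seen[merchant]) / n_clean if n_clean else 0.0
        ranked.append((merchant, f_share, c_share, round(f_share / max(c_share, floor), 2)))
    return sorted(ranked, key=lambda r: (-r[1], -r[3], r[0]))


def exposure_window(transactions, first_fraud, merchant):
    """Bound the exposure window from fraud accounts' pre-fraud visits.

    'outer' spans every pre-fraud visit. 'anchored' uses only accounts with a
    single visit: under the single-source assumption, that visit must fall
    inside the window, so it is the range the window is known to cover.
    """
    visits = defaultdict(list)
    for acct, m, day in transactions:
        if m == merchant and acct in first_fraud and day < first_fraud[acct]:
            visits[acct].append(day)
    if not visits:
        return None
    every = [d for days in visits.values() for d in days]
    anchors = [days[0] for days in visits.values() if len(days) == 1]
    return {
        "outer": (min(every), max(every)),
        "anchored": (min(anchors), max(anchors)) if anchors else None,
    }


def recompromised(transactions, reissued, merchant, window_end=None):
    """Accounts that used the merchant again on or after their reissue date.

    window_end=None models a breach not yet known to be contained, so every
    post-reissue visit counts as renewed exposure.
    """
    hits = set()
    for acct, m, day in transactions:
        if m == merchant and acct in reissued and day >= reissued[acct]:
            if window_end is None or day <= window_end:
                hits.add(acct)
    return sorted(hits)


if __name__ == "__main__":
    top = rank_common_points(TRANSACTIONS, FIRST_FRAUD)[0]
    print("top common point:", top)
    print("window:", exposure_window(TRANSACTIONS, FIRST_FRAUD, top[0]))
    print("reissued and exposed again:", recompromised(TRANSACTIONS, REISSUED, top[0]))
```

With no known containment date, any reissued account that returns to the suspect merchant is flagged again, which is the re-compromise loop the consultant describes.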

Many banks and credit unions are now issuing more secure (and more expensive to manufacture) chip-based credit and debit cards. The chip cards — combined with chip card readers at merchant cash registers — are designed to make it much harder and more expensive for thieves to counterfeit stolen cards. It’s not certain yet, but it seems likely that the breached Wendy’s locations were not asking customers to dip their chip cards but instead to swipe the card’s magnetic stripe.

Curious about why so many retailers have chip-enabled credit/debit card terminals and yet still ask customers to swipe? Check out The Great EMV Fakeout: No Chip For You! For a primer on why so many financial institutions in the United States are adopting chip-and-signature over chip-and-PIN, see this piece.



  1. One more reason to not have a debit card. (Oh the fights I had with my bank over getting just an ATM card, and please stop sending me a debit card. You’re gonna jack me on the fees with the debit card, and I have no protection with one? No thank you.)

    So who pays for this? Does Wendy’s insurance cover the banks’ losses and costs? Bank’s insurance?

    (ok, ok, I know, the consumer ultimately pays for it. There’s some schadenfreude about banks getting hit in the pocket, given how they charge usurious fees for the most mundane things. But we all know it trickles down.)

    • Any bank can make the limits zero for the signature based transactions on your debit card, in a sense, turning your debit card into an ATM card.

      • Zero liability on debit cards still doesn’t help with the loss of funds until the bank gets around to reimbursing the client. (and possibly bounced checks)

        • extremesanity

          ac isn’t talking about zero liability. He is talking about 0 limits.

          Regardless, any bank should be able to provide an ATM card over a debit card. If not, you are dealing with the wrong bank.

        • I have been a Banker for 17+ years, I work in debit card fraud and compliance. I can tell you that as a consumer (a personal debit card – not business) you are protected from fraud under both Visa and MasterCard rules and the Electronic Funds Transfer Act (EFTA) and the bank must reimburse you within 5 days of the date you claim fraud. Many small banks credit you back right away (we do it same day). You actually have less protection with an “ATM only” card as it’s not branded with a Visa or MC logo meaning it doesn’t have their Zero Liability, it’s only covered under the EFTA which may have some liability.

          In most cases of fraud, the bank takes the loss, almost never does a consumer take any loss and only in a few situations does the merchant. With the liability shift of EMV, it will be interesting to see how that changes. I work for a small, 1 branch community bank, a breach like this can be devastating to a small organization like the one I work for.

          • My banker (multi-branch, but small local concern) suggested a setup that works well for me: open a second checking account that pays no interest but also has no monthly fee or minimum balance requirement. Fund this account with electronic transfers from your main account as needed, and use the second account’s debit card for ATM or debit transactions. The main account handles all the usual bill payments, automatic deposits, etc., but stays insulated from skimmer and debit card mischief. I originally set this up to provide a safe, exposure-capped cash source for travel, but I now use it for all ATM withdrawals. Don’t like debit card use – very unpleasant whooshing sound when money gets sucked directly out of my checking account!

            • Clever setup

            • I’ve done that for years. My business checking account has no ATM/debit card at all.

              I have a very low balance personal free checking. I started this when traveling to Russia around 2002. Steal my personal card and you’ll only be able to drain $300-$700 (typical balance in that acct).

              I can transfer money from biz to personal online via an accounting program running in a Virtual Machine running on a UNIX box. And even then I’m never 100% comfy about it.

            • or… Use credit card for all transactions…. pay statement off every month with electronic funds transfers. Much easier.

              • Exactly. Use a credit card and pay it off each month.

                • Yes, of course. I push as many expenses as possible through credit cards. The setup I mentioned above is for “walking-around” money for little stuff, and I set it up originally to draw Euros/Pounds/etc. from ATMs cheaply and safely (i.e., capped exposure, no impact to main account).

            • Robert.Walter

              Set up all family member’s accounts like this years ago.

              Since then we do almost all transactions on Amex and if necessary Visa. If possible using Pay

              Use almost no cash and write almost no checks compared to how we did things about 6 years ago.

              • Robert.Walter

                Note: all cards are paid off in full each month. Card companies do monthly auto pay pull directly from checking account via ACH.

          • Almost spewed coffee on that one. But, let’s put it this way. The merchants also, the same as banks and credit unions, have a bad check charge. Usually a cool twenty to thirty dollars fail charge that the consumer has to pay. No one credits that back, the consumer still has the black mark on their credit report, and an additional charge to pay, the credit card company does not absorb it, the credit report changes your credit worthiness, higher rates, just because was allowed to steal your ID., who says there is customer protection? After all, what is the customer for? To abuse?

            • Then you need to find a new bank, I would recommend a small / medium, local / regional bank, or a credit union. My bank has never had an issue returning ALL fees associated with fraudulent transactions, and in most cases it doesn’t even get to that point. Nor has my bank EVER reported ANYTHING on my credit report. The only time a bank should be reporting something on your credit report would be if you have a loan with them, or if you totally default on an overdrawn account and refuse to pay it back to zero.

              I use a regional bank, and it is amazing the differences. They know your name when you come in, and they will bend over backwards for you, etc. In fact, just last week I had to do a wire transfer, which usually costs me $5, which I don’t mind. They called me an hour later to tell me the wire service had been down all day, and due to it being Friday, they wouldn’t be able to send it until Monday, and they were going to go ahead and credit my account the $5 charge. Which means nothing to me monetarily, but everything to me in principle.

              • You misunderstand. There are two fees:

                1. Charged by your bank due to your check (or ACH) not clearing.
                2. Charged by your merchant, landlord, etc, due to your check (or ACH or debit card recurring payment) bouncing.

                #1 gets reimbursed. . . .for some, but definitely not all bank customers. #2 gets reimbursed likely only for a really large or very well known customer. So most people get screwed here. The fee in question is of the #2 variety.

                Swapping banks when you get screwed by #1 seems fine, until you think about how much of a hassle that is. You need to find a new bank, which hopefully you can decipher their fee structure and determine that they won’t screw you in the same manner. You need to change your direct deposit, which likely takes a few pay cycles. You need to change everywhere you currently make recurring ACH or debit payments. And you may need to order new checks. So, if you’re living paycheck to paycheck, you probably just accept being screwed as par for the course and nothing actually changes.

                Swapping merchants when #2 happens is even less likely. If you’re paying them via recurring ACH or debit card, they’re likely a landlord, utility, phone, or other service provider where you are locked in for a long term, or don’t really have a choice.

                If you’ve got enough disposable cash or time to execute these actions, you’re likely a big enough or important enough customer for the merchant to actually take action in your favor. Talk about personal finance catch-22!

          • I call BS on the zero-fraud liability for debit cards. I stopped into my local credit union a while back to deposit some money in the account. The clerk was courteous, but started bugging me about using my debit card instead of a credit card at merchants. I asked if the credit union provided zero-fraud liability. The clerk said that the limit of my liability is $50 IF I reported the suspicious activity within 2 days (i.e. I had to be actively monitoring my account every day to spot it), otherwise my liability limit is $500. I politely declined and said I was going to continue using my Discover card, because of their zero-fraud liability policy.

            IOW don’t ever, EVER use debit cards at point-of-sale or online purchases. Use a credit card instead.

            • The financial institutions like the debit card because they get a kickback on them. Just use a credit card. You’ve got a lot more time to file a fraud complaint before you’re out any money. ANY zero liability guarantee comes with a hitch – credit or debit card. However, it takes a LOT longer to get burned with a credit card.

    • I don’t use my debit card anywhere except the ATM except in an emergency. I use a designated credit card that I use for day-to-day purchases that I pay off every month. This way, my exposure isn’t directly into my bank account, and the temporary inconvenience is just the credit limit of that card.

      I also tell people that if they are using their debit card, use it as a credit card and not a debit card. Different banks have seemingly different policies for how they handle debit card fraud, and I remember some having a ‘deductible’ so to speak, at least a while ago. Whereas, if you use as a Visa or MasterCard, those standardized protections kick in.

      But, is it bad that every time I use a card, I assume that it can potentially be breached? One of the times where I had an issue, I called the fraud line for the issuer back (after confirming that the number was actually theirs). While I was on the phone talking about one fraudulent transaction, another was going through while we were talking from a Walmart 800 miles away from me, and 1000 miles from the original fraudulent transaction that occurred about an hour before. Needless to say, I didn’t need to convince the fraud manager that the transactions weren’t mine at that point. That card was cancelled and a new one was shipped out the same day.

      • How you use the card (credit/debit) doesn’t protect the card from having its information compromised, nor does it control how criminals make future transactions against the account.

        And as @Brian notes here, someone can use an automated system to reset the pin.

        In short: never use a debit card.

    • Kelly, you are right on. I too am a banker of 17+ years. Branded debit cards afford the user the same protections as that of a branded credit cards in the consumer arena.

      extremesanity, not all banks issue ATM cards. I don’t. At the seven banks I have worked at over my career we either did not issue ATM cards or discontinued them.

      The problem for banks is that the old revenue sharing established with the branded cards did not anticipate the level of fraud that is now occurring.

      The use of credit/debit cards is a service, people should be paid for the service provided. It is time for banks to stand up against branded cards for good and proper revenue sharing and against incompetent retailers in this new fraud environment.

      • Again, I call BS on this. Please read my comment in response to Kelly above. My credit union has never promised zero-fraud liability no matter whether the card was used as credit or debit. Furthermore, during a recent trip to California, Discover automatically flagged my purchases as suspicious and declined them until I called them and notified that I was there on holiday. Now, that’s being proactive to protect the customer.

        • Sorry, Isma’il. I have 18 years in the payment card and Credit Union industry. Visa/MC branded debit cards all carry zero liability; even on Visa/MC network ATM transactions, which was not always the case. Misinformation surrounding the use of debit cards can be frustrating, especially when it comes from Bank/CU employees themselves. Any Bank or CU which places its members and customers first (and there are plenty of them) will always go out of their way to reimburse unauthorized debit card charges IN FULL on the SAME DAY they are reported because they understand the damage fraud can do to a checking account as well as the damage fraud does to the perception of debit card usage as a whole.

          • Then why is it that the CU “professionals” I queried, specifically, about zero liability denied that they could offer me that with my VISA debit card? Why did they say my minimum liability was $50 only if I reported it within 48 hours, otherwise $500?

            Either they don’t know what they’re talking about or you don’t.

            Either way, it’s a moot point because Discover actually has demonstrated PROACTIVE protection.

            • Oh, and one more thing: With Discover, I don’t have to worry about some rogue element draining my checking account without my knowledge and then having to fight my CU to have it restored, all the while with bills coming in without money to pay them.

              Credit cards FTW!!

        • A few years ago, I filled up my vehicle at a Costco in town that I had never used before. Before I could pull out of the parking lot, I received a text message from my credit union asking if I had purchased fuel at that Costco.

        • You may think it is great your transactions were turned down, but not all customers feel that same way. When their legit transactions they are making are turned down because they match a fraud rule, some get very upset, after all it was them making the transaction. They don’t care that we have no way of knowing it is them (or not) across the country buying an $800 t.v. at Wal-Mart.

      • Both you and Kelly have 17 years in the business? Before you go telling people there’s no difference between a debit and a credit card, check your facts. Fact 1: Debit card fraud immediately affects your bank account. The money is gone! This doesn’t happen with a credit card. 2: The protections provided under law are DIFFERENT. Credit cards are billed monthly. That’s when the time limits on alerting the financial institution to fraud starts ticking down before you’re on the hook. It’s days for debit cards. And, the fine print shows that you can lose all of the money in your account if you let it for too long. If either of you don’t understand that, please let me know where you both work so that I can avoid depositing money into your respective financial institutions!

        • Jimbo,

          First, I didn’t say there was no difference, yes a debit card accesses your checking account right away, but a Visa or MC branded card offers you ZERO liability in the event of fraud and Regulation E offers another line of protection against unauthorized transactions. Debit cards also have limits, depending on the bank or credit union which is another line of defense so that in cases of fraud once the transaction hits the limit ($1,500 -$2,000 is common) the transaction will be denied. Also, the timing on the credit cards vs. debit cards is extremely similar, you have 60 days from the date of the statement (just like a credit card protection under Regulation Z) to report unauthorized transactions. (note that in the event you lose your card, you have 2 days from the date you realized your card was lost to limit your liability). No bank or credit union in the US can change these, all of us have to abide by both Visa and MC rules as well as Regulation Z. I am an expert in consumer compliance regulations and I can tell you in my bank, you will be reimbursed the same day you make the claim. This is true for most community banks. Unfortunately, there is so much miscommunication out there with both bank/credit union employees and the public that people don’t understand their protections. Bottom line, if you are a consumer and use a VISA/MC branded card, you are somewhat diligent in looking at your account (meaning within the 60 days of the statement date) you are not going to suffer a loss due to a breach of your card data.

  2. When are ATMs going to be chip enabled so they can’t accept counterfeit cards to drain accounts?

  3. I would only need my debit card to be compromised once at a Wendy’s and the next time I ate there, I would either pay with cash or use a real credit card to pay for my food.

    • Or just don’t eat there. :)

    • Is anyone publicly tagging Wendy’s as the source of the breach? Note that the Credit Union CEO who talked to Brian did so anonymously. I’d guess that there are strong indications, but no proof that Wendy’s is the source…or at least no proof solid enough to risk a slander suit from Wendy’s.

      • From the link Brian provided (http://ir.wendys.com/phoenix.zhtml?c=67548&p=irol-newsArticle&ID=2136634), Wendy’s publicly tagged themselves:

        Update on Investigation into Unusual Credit Card Activity
        As reported in the news media in late January, the Company has engaged cybersecurity experts to conduct a comprehensive investigation into unusual credit card activity related to certain Wendy’s restaurants. Out of the locations investigated to date, some have been found by the cybersecurity experts to have malware on their systems. The investigation is ongoing, and the Company is continuing to work closely with cybersecurity experts and law enforcement officials.

    • That’s great. But you’d need to know your card was compromised first. And that can take time. In the meantime, you could be compromising several cards by eating at Wendy’s. After all, one account getting compromised doesn’t stop you from having to eat.

  4. Does anyone know an estimated window of exposure?

    • Our data looks like mid November for the exposure, mid December for the uptick in activity. Hard to tell when it ends, if it has. We also have a strong signal for a second tier burger chain, which complicates the analysis. Plenty of cardholders eat fast food several times a week, and they aren’t loyal to just one burger.

  5. I want to know who the consultant is that has a problem with people who like hamburgers.

    • That’s what I say! Who cares if customers eat more hamburgers and compromise the new card(s) and that the issuers take more losses. It is not the customer’s fault. I say fix your crappy credit card system and\or force the retailers to eat the losses. We have to eat their crappy fat filled hamburgers that should be enough punishment for the customer.

      • The customer is the problem when they demand the burger joint accept credit cards and debit cards.

        • Robert.Walter

          Yes, please blame the victim. (Go home, you’re drunk.)

        • Maybe the burger joint should not accept credit and debit cards if they are unwilling to manage the security of their POS systems. The customer is not the problem. POS hacks are not uncommon at this point in time. Any retailer who is not locking down their POS systems should be held liable for the resulting fraud.

          • Except that in many cases, the banks won’t support further security for the retailer’s transactions, or they want to charge an outrageous fee to do so.

            The problem is systemic, in the way the credit card systems were built, back before anyone worried about security because authorizations were not done at the transaction, phoned in, or done over a phone line, with no chance to compromise the transaction. Until the liability model changes, not much will change. Right now the consumer pays for it all…..

        • The customers didn’t demand anything of the sort. It’s the businesses that are cash averse. Are you a Repugnican?

        • Go ahead, blame it on the customer/victim. If someone were to break into your house and do harm to your spouse, would you then blame your spouse? I think not!

          Customers are rightly asking and getting electronic payment options because the smart ones realise that most pickpockets prefer cash, and then ditch the wallet with the cards somewhere else. Even if the cards are taken too, it’s far easier to cancel/reissue a card than it is to get your cash back, now isn’t it?

  6. Not sure what David Litman means by “Adblock Pro means no money for Krebs.” There is no other reference to AdBlock on this page, so far, so please tell a noobie what that means.
    As for donating to Krebs … I use PayPal.

    • It means that he is using AdBlock Pro to block all the advertising on this website, thus denying Brian whatever revenue he would have received if David Litman had viewed the ads.

  7. I never use debit cards and never maintain a credit card balance. My main reasons are points, float (time value of money from Accounting 102 class in college), and relatively less pain when the card is compromised. I’ve kind of lost track, but I have at least 6 or 7 cards reissued.

    I use the debit card but only as an ATM card.

  8. Nothereanymore

    Looks like there is already a class-action suit against Wendys


  9. Actually, I think we need legislation that forbids card issuers (credit Unions, banks, VISA, etc.) or service providers (Wendys, gas stations, Target, etc.) from allowing fraud losses to be accounted for in any way other than as a minus from their profit, not as a normal expense. This will ensure two things: card security will be enhanced pretty quickly, card readers will be upgraded quickly, and the poor schmoes (you and I) at the end of the line won’t have to pay for fraud by getting dinged with higher prices. Although I grant you that the schmoes who have stock in these companies would take it in the shorts. I guess there’s no way around it for us schmoes.

    • You realize the only reason why MC/Visa are pushing for the chip enabled cards is because the amount of fraud outstripped what replacing the cards would cost.

      Replacing the cards eats profits. New terminals eat profits. When all eyes are on the bottom line, you take the path of least resistance.

      Do you think Target would have chip based all of their stores by now if they had not had that incident? I have major grocery chains in my town that have had the terminals installed since last summer and have yet to activate them (2 chains).

      And whomever said 10/2017 for the gas pumps is correct. Had to look that up last summer.

      • Robert.Walter

        Meijer takes NFC/Pay at the pump.

        • Our local grocery store has cash registers with floppy disk drives and single color monitors with the non-typeface type. I near had a conniption in the aisle when my father used his debit card with PIN at them.

          • Robert.Walter

            Sounds seriously antiquated.

            What’s their method of refrigeration, block ice?

      • “Me” in a lot of ways you are correct.

        But it’s good to point out the transition to Chip was planned / scheduled long before Target was hit. It was just coincidence it all happened at the same time and then the Card issuers could play it off as if they were trying to strengthen security because of what was going on – when in reality they were already doing it as the last major country in the world to finally make this hamfisted transition (but without the security of the PIN as part of the transaction).

    • Huh? Take an accounting class. Business expense = deduction from profit. Or, to generalize, Profit = revenue – expense.

      • Generally yes, but, I think he meant that it shouldn’t be counted as an expense for the purposes of IRS reporting.

        The IRS can (albeit possibly requiring additional acts of Congress) declare something to be deductible or not.

        Fwiw, I would like to see this too. Negligence shouldn’t be a tax deduction.

        Nor should fees/fines/losses/settlements due to court cases.

  10. It is shocking that retailers still aren’t protecting their data. It’s sickening and there are more huge fish out there that just don’t and won’t.

  11. I think the vendors should take the heat until they stop doing stupid things with our credit card information.
    Example: Received a “free” photo offer from Sam’s Club. Went through all the moves and got to payment. Entered the coupon code for free photo. Charges were cleared out and everything was zeroed out. Went to billing and it insisted that I enter all my credit card information on a zero balance transaction. Said “OK,” will pick it up in the store. Message comes up stating that all “free” photos must be paid with a credit card.” I don’t need this needless exposure. I use PayPal as much as I can just to prevent everyone having card info. Yet some add useless exposure by doing stupid things such as this.

    • Paypal allows 2o7.net to observe every transaction you make with them. 2o7.net also watches and follows the online newspapers you read, big names. I wouldn’t speak to a bank teller with a large goon breathing down my neck and copying down what I do and say there at the window. I’m not going to do it online. This does not meet my definition of confidentiality, much less do I believe it secure.

      • Transactions made in incognito windows will have no 2o7.net tracking. You could also read on-line newspapers in different incognito windows. Incognito windows do not have access to cookies used in Chrome browsing. Incognito mode is a great way to get an empty browser which provides a clean slate.

        • Incognito mode isn’t bad, but I’d suggest having a PayPal profile instead.

          Chrome allows multiple accounts (and concurrently).
          (Firefox does too, but its UX wasn’t great when I worked on it.)

  12. I had a Visa debit card and I had to get a chip enabled MasterCard or do without. I only use my card at ATMs and I study the ATM to my satisfaction to see if there’s any added BS doesn’t look right before I insert my card. I haven’t found any here in my corner of the woods (south central Indiana). If I do, I’ll let the bank know – ASAP! If somebody relies on the plastic for burgers, that’s their choice. Beware! There’s a lot of ways to get scammed and I thank you, Mr. Bob, for letting us know about the ones you find.

    • Like at Target, this would have been impossible for you to notice, unless it printed it on the receipt. This sounds like a software hack. But, on the receipt, would anyone notice?

  13. TD Bank has mailed out notices, dated 2/29/16, to 270,000 customers saying “a merchant” (they won’t say which merchant, when, where or how) account compromised TD’s debit cards. Does this have anything to do with the Wendy’s breach, or is it a separate breach? Got the letter 3/3/16 in SE Pa.

  14. Robert.Walter

    Spoke with one of the managers at my family’s long used CU regarding Pay.

    They planned it for 2015 but put on hold, I suspect due to fees.

    The CU only just rolled out chip sign credit cards. I asked when similar debit cards would be available. The manager said they had so many problems with the cc roll out that they had no immediate plans for a DC roll out.

    So they don’t plan chip intro for the card that touches your acct directly and won’t make the step up to the even more secure Pay system. Rather poor security and customer convenience strategy.

  15. Petepall, last I checked expenses were a minus from profits.

  16. My household was hit with debit card fraud. It was through our bank, not a credit union.

    The number and PIN were captured by a skimmer at a gas pump at a Gulf filling station near Fenway Park in Boston.

    Before we got skimmed, we thought we were being fraud-smart, by keeping most of the funds in our account in a savings account. But it’s not so. Our bank (Toronto Dominion Bank North) has it set up to accept savings -> checking transfers by phone voice-response. Call up, give the amount of a recent transaction and the debit card number, and you’re authorized.

    So, the scam works like this:

    (1) skim the card and PIN.

    (2) use the card online in a card-not-present transaction to buy a gift-card to a retailer worth a memorable number (in our case, Old Navy, $200)

    (3) sit tight for a couple of days waiting for that transaction to get into the bank’s records.

    (4) start buying stuff on the card.

    (5) call the savings-to-checking transfer voice response service, and do a trial transfer.

    (6) buy more stuff.

    (7) rinse, repeat.

    Take home lesson? Tell your bank to disallow phone voice response access to your account.

    TD Bank made good our loss. But it was a hassle.

  17. Sounds like the banks need to get Wendy’s to un-compromise their systems. Noticed that both Wendy’s and Chipotle only have swipes done by the person ringing you up at their stores – not that Chip would have necessarily protected Wendy’s here (since it wouldn’t have protected Target).

  18. “The banks are reluctant to keep re-issuing cards if the cards are going to get re-compromised over and over because some customers just have to have their hamburgers each week.”

    The banks don’t provide enough information for customers to know the source of compromise. I’ve never gotten a replacement card with a direct attribution to a specific merchant. Sometimes I can guess, but you can’t avoid the compromised merchant unless they are identified.

  19. I was searching for a blank card to change my life for the best but it all turn out to be a nightmare after being scammed by several fake hackers. I was more in deep debts that i could have ever imagine, that i cant put food on my kids table. One Sunday morning, i was in Facebook chatting with my niece and i cam across different people making comment on this email{atmhackersworldwide.creditcard@gmail.com} stating how they got the card from them, so i tried to google the email and i saw different comments of his grate work of giving out a blank card so i didn’t hesitate i gave them a last try by contacting them and they told me what to do and how much to pay for the card, i decline because i have been scammed many times but they guaranteed me that if i don’t get my card that the fee will be refunded and to greatest surprise ever and still seems like a dream is when i got the blank card delivered to me and soon i shall be getting a home for my self after i withdrawn the total amount of $17 Million United State Dollars. Stop contacting scammers they cant help you, rather contact this world hackers for your card and they are real.{atmhackersworldwide.creditcard@gmail.com}

    • Sounds legit. Your grammar is very fluid and doesn’t cause any reason for concern. I will check this out, thank you very much.

  20. The real victims are the credit unions/banks. They eat essentially 100% of the losses even though they had nothing to do with the cardholder information being breached.

    A lot needs to change as it relates to how the U.S. handles fraud responsibility. It’s outrageous that merchants are not responsible for 100% of the losses that come from their systems being breached.

    • What about the system vendors?

    • +1

      Merchants aren’t held accountable for their poor security measures. Since they aren’t held financially responsible, they have no incentive to make changes.

      Instead, the banks get the blame. Pitiful.

  21. I don’t suppose the banks can do an operation of deliberately seeding cards out in the environment? Dedicate an employee to shopping at particular venues with certain cards.

    Any new charges that show up on those cards, that weren’t scheduled, would be an easy sign of fraud. Added bonus – they’d be able to immediately target the affected vendor. Farm it out so that a group of banks/credit unions could pay a subscription, spreading the pain of the legitimate purchases across many while in turn alerting all to the merchant that’s exposing them.

    Problems, of course, are the time spent on sending people out shopping. The cost of purchases, the need to hit several different locations of the same vendor (especially with franchises where one might be safe, but others not). Coordinating with a local/regional group to make sure that the same card number is used only on particular vendors.
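The seeded-card idea in comment 21, sketched as an added example (not part of the original comment or of any bank's system): planned purchases are reconciled against posted transactions, and anything left over is attributed to the locations where that card had already been used. The card labels, merchant names, dates and amounts are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data: (card, merchant, location, day, amount_cents).
SEEDED = [  # purchases the bank scheduled for each seeded card
    ("CANARY-01", "BurgerCo", "store-17", date(2016, 1, 4), 742),
    ("CANARY-01", "BurgerCo", "store-17", date(2016, 1, 11), 689),
    ("CANARY-02", "BurgerCo", "store-22", date(2016, 1, 5), 815),
    ("CANARY-03", "GasMart", "pump-3", date(2016, 1, 6), 3000),
]
OBSERVED = [  # what actually posted to the accounts
    ("CANARY-01", "BurgerCo", "store-17", date(2016, 1, 4), 742),
    ("CANARY-01", "BurgerCo", "store-17", date(2016, 1, 11), 689),
    ("CANARY-01", "GiftCards Online", "web", date(2016, 1, 20), 20000),
    ("CANARY-02", "BurgerCo", "store-22", date(2016, 1, 5), 815),
    ("CANARY-03", "GasMart", "pump-3", date(2016, 1, 6), 3000),
    ("CANARY-03", "GasMart", "pump-3", date(2016, 1, 6), 3000),  # posted twice
    ("CANARY-03", "Electronics Hut", "web", date(2016, 1, 9), 45000),
]


def unscheduled(seeded, observed):
    """Return posted transactions with no matching scheduled purchase.

    Matching is a multiset comparison, so a second posting of a charge
    that was scheduled only once is flagged as well.
    """
    remaining = Counter(seeded)
    flagged = []
    for txn in observed:
        if remaining[txn] > 0:
            remaining[txn] -= 1
        else:
            flagged.append(txn)
    return flagged


def exposure_points(seeded, flagged):
    """Map (merchant, location) to the seeded cards that showed an
    unscheduled charge on or after being used at that location."""
    report = defaultdict(set)
    for card, _, _, fraud_day, _ in flagged:
        for s_card, merchant, location, day, _ in seeded:
            if s_card == card and day <= fraud_day:
                report[(merchant, location)].add(card)
    return {place: sorted(cards) for place, cards in report.items()}


if __name__ == "__main__":
    alerts = unscheduled(SEEDED, OBSERVED)
    for place, cards in exposure_points(SEEDED, alerts).items():
        print(place, cards)
```

Because each seeded card is tied to one location, the report separates franchise stores: here store-17 is implicated while store-22 is not.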

  22. A local Wendy’s was notified of a breach in their system in August of 2013! I do not understand how companies (businesses and vendors) can get away without performing due diligence and being PCI compliant when they know they have vulnerabilities!

    • You raise a good point there you know.. but I think the main question should be how often is Wendy’s scanning their network for threats and vulnerabilities? I believe if this was done often enough, the company would not be faced with this disaster.

  23. Anonymous Cow

    In my area all the Wendy’s are franchises. So who is responsible for the POS systems: Wendy’s the franchisor or the local franchisee? If the franchisees are responsible for POS setups and networks one Wendy’s might be safe while the next one down the street might be at risk.

    Also to those comments about running one’s debit card as credit: WalMart’s chip devices will process chipped debit cards as debit even if you select credit, and before I got the new chipped card this was happening with swipe as well. You can hit the credit button all you want but their systems have apparently been programmed to check the type of card and process accordingly ignoring customer input.

    • Robert.Walter

      Walmart never seems to let ethics or the interests of employees, customers or society stand in the way of increasing its profits. The Walton children should be ashamed for what they did with their dad’s company.

  24. Banks are complaining about fraud but when we have good leads on the law enforcement side on some of the actors of skimming they are refusing to help.

    As soon as the victim is reimbursed by the bank, the bank usually refuses to make a statement to become the victim of the loss. At the same time for every piece of information that we need to make a good case, banks are requiring subpoenas that took months to get answered, and usually with only part of the information that was requested. They are also charging law enforcement for their paper even if it is to solve the fraud they have been victim of.

    It is frustrating to work this kind of case as nobody seems to care about it, and the bank is basically telling us that we are wasting our time. Why should we waste hours and hours of work and public money to investigate these cases if at the end of the road there will be no arrest?

  25. What has long puzzled me is, why is any business keeping a database of our card information?

    Remember, back in the day, when you returned an item to the store and they needed your card to process the credit?

    Then, at some point, the businesses didn’t need your card to process a return anymore because someone somewhere decided they would just keep your card information “on file”.

    That’s where this whole problem started.

    Oh, for the good old days!

  26. I wonder if Wendy’s is yet to do a compromise assessment on the network to uncover the extent of the breach. It is alarming to see that customers are getting re-compromised as a result of their frequent visits for a burger fix.
