MADISON, Wis. (12/23/13)--As the Credit Union National Association works with other entities in the industry to monitor new developments in the widespread Target stores data breach and provide up-to-date information to help mitigate the risks to credit unions, new information has shed light on what credit unions will need to do--both for themselves and their members.
Target announced Wednesday that it had suffered a breach that compromised 40 million credit and debit cards used at its U.S. stores between Nov. 27 and Dec. 15.
Thieves already are flooding the black market with the stolen information, along with city, location and ZIP code of the store where the card was used, according to Brian Krebs, the security expert who revealed the breach Wednesday (Minneapolis Star Tribune Dec. 20 and Wisconsin State Journal Dec. 21). Krebs said in a column on his KrebsonSecurity.com website (Dec. 19) that the information is being sold in batches of one million cards for $20 to $100 per card.
The city, state and ZIP code information ups the ante for credit unions and other financial institutions because it removes one of the red flags they typically use to monitor suspicious activity: out-of-state transactions, said Krebs.
Credit unions already were getting reports of fraudulent transactions and fielding questions from members who had made purchases at the stores during that period. (See related News Now story, CUs at Forefront in Advice to Consumers about Target Breach).
CUNA is working with CO-OP Financial Services, CUNA Mutual Group, PSCU, Financial Services Information Sharing (FS-ISAC), Visa and MasterCard, as well as the Electronic Payments Coalition and NACHA--the Electronic Payments Association, among others, to get information about the breach's impact on credit unions.
An alert from CO-OP Financial Services Wednesday said that for credit unions participating in fraud monitoring through Falcon Fraud Manager by CO-OP, heightened strategies are in place to identify signature fraud attempts for the cards potentially linked to this compromise. "Related fraud linked to this data compromise is varied within many various states as well as other countries," said the alert. "For the U.S. fraud, we are also seeing a trend where confirmed fraud [is] occurring locally to the cardholders within their own spending footprint."
CO-OP's alert said that, so far, no fraud involving ATM withdrawals had been tied to the compromise. Credit unions can take many approaches upon receiving a card-compromise notice, and CO-OP recommended that credit unions review the list of suggested best practices to consider when determining what action to take.
MasterCard sent its credit and debit card issuers a list of compromised card numbers Friday in its Account Data Compromise alerts No. 1904 and 1924. Alert 1904 indicates that the Target breach is the 1,904th breach since the beginning of 2013, said Ann Davidson, senior consultant, risk management at CUNA Mutual Group. Visa began sending its alerts Saturday and was still sending these out today, Davidson said. Its alert is US-2013-1335, and its updates have a, b, c, and so forth added as new compromised card numbers are reported.
Discover also sent out an alert, DCA-U.S. 2013-1085. Visa's list contained more than 24 million debit and credit card numbers.
Davidson said she has talked to many individuals at credit unions about the breach. One credit union has blocked 19,000 Visa debit cards and 5,000 credit cards after it used its in-house system to search the dates involved and who shopped at Target.
Credit unions will see several challenges, including what to do during the holidays, said Davidson. Card associations have recommended blocking cards until after Dec. 25--during the key consumer spending season.
She pointed out a particular problem if credit unions block non-PIN-related transactions and instead require a signature on the cards. "The fraud will go away, but it would violate Visa's and MasterCard's processing rules." Credit unions should seek exceptions from the card associations if they decide to go this route, she said.
In merchant third-party losses, credit unions must report their fraud to Visa and MasterCard and specify that the transaction is related to "magnetic stripe fraud," not lost or stolen cards. "If the fraud is not reported properly, credit unions would miss out on the recovery," Davidson said.
Target's branded debit card, Target Red, is at low risk, because as a store-branded card, only the number of the card is contained on the magnetic security stripe. If someone duplicated that information, it would go through Target's processing system through the card association, not through the automated clearinghouse (ACH) network.
However, cautioned Davidson, branded cards can include the consumer's financial institution routing number and the checking account number, which means customers are at risk of debits from their checking accounts through these cards. "Credit unions need to stay on top of ACH reports and advise members to watch their statements for any [unauthorized] deductions from the checking accounts," Davidson told News Now.
Expect the compromised card information to also be used to buy up prepaid gift cards in bulk. "Prepaid gift cards will be a hot commodity," she said, noting that in New York, two million gift cards have already been purchased at Target stores.
Credit unions also can expect to see a spike in phishing attempts through texts, e-mails and phone calls as a result of the breach, and at least one credit union is worried about running out of plastic replacement cards, she added.
CUNA Mutual Group issued information to its bond policyholders indicating risk mitigation steps credit unions can take in response to the breach. They include:
Watch for phishing fraud. Educate members not to respond to any e-mail, text message or phone calls asking for any card information including account number or PIN.
Report fraud. Educate members to frequently review their activity and immediately report any unauthorized transactions.
Determine fraud exposure. Evaluate the card number compromise information to determine if your credit union has an increased exposure for future magnetic stripe fraud.
Match names for Track 1. Confirm your credit union is using name matching to help prevent future card fraud where the fraudsters could change cardholder names on Track 1, which carries the cardholder's name.
Alert credit bureaus. Since Track 1 carries the cardholder name, the cardholder may want to place an initial fraud alert with the credit bureaus to prevent identity fraud.
Review the card associations' alerts: Visa CAMs (which was to be released last week but had not been as of press time) and MasterCard's alert ADC1904.
Review open accounts. Determine which cards contained in the alerts are still active (open).
Move up card expiration dates. Accelerate the card expiration date on active cards contained in the alert if the card number will expire in the next 30 to 180 days. Credit unions could reissue these cards now.
Review other accounts. Determine which cards contained in the alerts have been closed due to fraud as a result of the Target breach.
Work with card processor/fraud monitoring system vendor to create rules and strategies to help prevent future fraud on the compromised card accounts.
Monitor your daily card fraud to identify any changes in fraud patterns that may be the result of the Target breach.
Recovery action. Confirm the card association's available dispute action on the compromised cards, as well as any timeframes.
Ongoing monitoring. Continue to watch for any follow-up information tied to this breach and if additional action is needed.
Review accounts involved in the breach. Determine which cards on the card association alerts are still active (open).
Review other accounts. Find out which cards on the alerts are non-active and have been closed due to fraud. Identify if the fraud pattern on the closed accounts matches the fraud pattern described in the card association's alerts.
Monitor or block and reissue. Assess compromised cards to determine whether to monitor the affected cards or block and reissue the card. If opting to monitor, contact the card association (Visa or MasterCard) to determine if the credit union's action will impact future recovery efforts. Reissued cards will be encoded with new track information, which includes the new CVV/CVC values and card expiration dates.
Fraud reporting. Confirm all fraud associated with this event has been reported to the card associations and to CUNA Mutual Group. Use: Visa Fraud Reporting System (TC-40), MasterCard Safe System, or Plastic Card Customer Care Center.
CUNA, CUNA Mutual Group and the groups they are working with will continue to monitor the situation. CUNA Mutual Group said it would notify credit unions of any new information that becomes available.