MADISON, Wis. (12/23/13)--As the Credit Union National Association works with other entities in the industry to monitor new developments in the widespread Target stores data breach and provide up-to-date information to help mitigate the risks to credit unions, new information has shed light on what credit unions will need to do--both for themselves and their members.
Target announced Wednesday that it had suffered a breach that compromised 40 million credit and debit cards used at its U.S. stores between Nov. 27 and Dec. 15.
Thieves already are flooding the black market with the stolen information, along with city, location and ZIP code of the store where the card was used, according to Brian Krebs, the security expert who revealed the breach Wednesday (Minneapolis Star Tribune Dec. 20 and Wisconsin State Journal Dec. 21). Krebs said in a column on his KrebsonSecurity.com website (Dec.19) that the information is being sold in batches of one million cards for $20 to $100 per card.
The city, state and ZIP code information ups the ante for credit unions and other financial institutions because it removes one of the red flags they typically use to monitor suspicious activity: out of state transactions, said Krebs.
Credit unions already were getting reports of fraudulent transactions and fielding questions from members who had made purchases at the stores during that period. (See related News Now story, CUs at Forefront in Advice to Consumers about Target Breach).
CUNA is working with CO-OP Financial Services, CUNA Mutual Group, PSCU, Financial Services Information Sharing (FS-ISAC), Visa and MasterCard, as well as the Electronic Payments Coalition and NACHA-the Electronic Payments Association, among others, to get information about the breach's impact on credit unions.
An alert from CO-OP Financial Service Wednesday said that for credit unions participating in fraud monitoring through Falcon Fraud Manager by CO-OP, heightened strategies are in place to identify signature fraud attempts for the cards potentially linked to this compromise. "Related fraud linked to this data compromise is varied within many various states as well as other countries," said the alert. "For the U.S. fraud, we are also seeing a trend where confirmed fraud occurring locally to the cardholders within their own spending footprint."
CO-OP's alert said that, so far no fraud involving ATM withdrawals had been tied to the compromise. Credit unions can take many approaches upon receiving a card-compromise notice, and CO-OP recommended that credit unions review the list of suggested best practices to consider when determining what action to take.
MasterCard sent out to its credit and debit card issuers a list of compromised card numbers in its Account Data Compromise alerts No. 1904 and 1924 Friday. Alert 1904 indicates that the Target breach is the 1,904th breach since the beginning of 2013, to its credit and debit card issuers, said Ann Davidson, senior consultant, risk management at CUNA Mutual Group. Visa began sending its alerts Saturday and was still sending these out today, Davidson said. Its alert is US-2013-1335 and its updates have a, b, c, and so forth to added as new compromised card numbers are reported.
Discover also sent out an alert, DCA-U.S. 2013-1085. Visa's list contained more than 24 million debit and credit card numbers.
Davidson said she has talked to many individuals at credit unions about the breach. One credit union has blocked 19,000 Visa debit cards and 5,000 credit cards after it used its in-house system to search the dates involved and who shopped at Target.
Credit unions will see several challenges, including what to do during the holidays, said Davidson. Card associations have recommended blocking cards until after Dec. 25--during the key consumer spending season.
She pointed out a particular problem if credit unions block non-PIN-related transactions and instead require a signature on the cards. "The fraud will go away, but it would violate Visa's and MasterCard's processing rules." Credit unions should seek exceptions from the card associations if they decide to go this route, she said.
In merchant third-party losses, credit unions must report their fraud to Visa and MasterCard and specify that the transaction is related to "magnetic stripe fraud," not lost or stolen cards. "If the fraud is not reported properly, credit unions would miss out on the recovery," Davidson said.
Target's branded debit card, Target Red, is at low risk, because as a store-branded card, only the number of the card is contained on the magnetic security stripe. If someone duplicated that information, it would go through Target's processing system through the card association, not through the automated clearinghouse (ACH) network.
However, cautioned Davidson, branded cards can include the consumer's financial institution routing number and the checking account number, which means customers are at risk from debits from their checking account from these cards. "Credit unions need to stay on top of ACH reports and advise members to watch their statements for any [unauthorized] deductions from the checking accounts," Davidson told News Now.
Expect the compromised card information to also be used to buy up prepaid gift cards in bulk. "Prepaid gift cards will be a hot commodity," she said, noting that in New York, two million gift cards have already been purchased at Target stores.
Credit unions also can expect to see a spike in phishing attempts through texts, e-mails and phone calls as a result of the breach, and at least one credit union is worried about running out of plastic replacement cards, she added.
CUNA Mutual Group issued information to its bond policyholders indicating risk mitigation steps credit unions can take in response to the breach. They include:
CUNA, CUNA Mutual Group and the groups they are working with will continue to monitor the situation. CUNA Mutual Group said it would notify credit unions of any new information that becomes available.