Debit card fraud linked to Global Payments breach

Powered by SC Magazine
 

Fraudsters hit school cafe.

Debit cards affected by the Global Payments incident have reportedly been used by fraudsters.

Connecticut-based Union Savings Bank told blogger Brian Krebs it had seen an unusual pattern of fraud on a dozen debit cards it had issued, noting that most of the cards had also been used in a café at a nearby school.

When the bank determined that the school was a customer of Global Payments, Union Savings Bank's chief risk officer, Doug Fuller, contacted Visa to alert it of a possible breach at the Atlanta-based processor.

This led to Tony Higgins, then a fraud investigator at a grocery chain in Southern California and Nevada, to detect that fraudsters were buying low-denomination pre-paid cards from the stores and encoding debit card accounts issued by Union Savings Bank onto their magnetic strips.

Those cards were then used to purchase additional pre-paid cards with much higher values, which were then used to buy electronics and other high-priced goods from retailers.

Higgins told Union Savings Bank that the fraud was located mostly in Las Vegas, with other activity in neighbouring states.

Fuller said Visa has alerted Union Savings Bank that around 1000 debit accounts it issued were compromised in the Global Payments breach, including the accounts that initially prompted Union Savings Bank to investigate.

Officials at the bank said it has suffered approximately $US75,000 in fraudulent charges and had spent close to $US10,000 in reissuing customer cards.

Higgins also reported fraud against the Bank of Oklahoma and Fulton Bank of New Jersey to the tune of about 1000 stolen card accounts a week.

Global Payments said the breach could have persisted for eight months and was believed to have originally impacted around 1.4 million cards.

Earlier this month, Global Payments confirmed that it was revalidating its PCI-DSS status after "some card brands" removed it from their lists of PCI-compliant processors.

Initially, Global Payments claimed that only Track 2 data was taken, not including cardholder names, addresses and other data, but Krebs said the Union Savings Bank experience shows that Track 2 data alone is enough for fraudsters to encode the card number and expiration date onto magnetic strips.

These cards can then be used at any merchant that accepts transactions that do not require the cardholder to enter their PIN.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition


Debit card fraud linked to Global Payments breach
 
 
 
Top Stories
ATO shaves $4m off IT contractor panel
Reform cuts admin burden, introduces KPIs.
 
Turnbull introduces data retention legislation
Still no definition of metadata to be stored.
 
Crime Commission prepares core systems overhaul
Will replace 30 year-old national criminal database.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  27%
 
Sourcing and strategy
  13%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  25%
TOTAL VOTES: 435

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  54%
 
No
  46%
TOTAL VOTES: 209

Vote