Debit card fraud linked to Global Payments breach

Powered by SC Magazine

Fraudsters hit school cafe.

Debit cards affected by the Global Payments incident have reportedly been used by fraudsters.

Connecticut-based Union Savings Bank told blogger Brian Krebs it had seen an unusual pattern of fraud on a dozen debit cards it had issued, noting that most of the cards had also been used in a café at a nearby school.

When the bank determined that the school was a customer of Global Payments, Union Savings Bank's chief risk officer, Doug Fuller, contacted Visa to alert it of a possible breach at the Atlanta-based processor.

This led to Tony Higgins, then a fraud investigator at a grocery chain in Southern California and Nevada, to detect that fraudsters were buying low-denomination pre-paid cards from the stores and encoding debit card accounts issued by Union Savings Bank onto their magnetic strips.

Those cards were then used to purchase additional pre-paid cards with much higher values, which were then used to buy electronics and other high-priced goods from retailers.

Higgins told Union Savings Bank that the fraud was located mostly in Las Vegas, with other activity in neighbouring states.

Fuller said Visa has alerted Union Savings Bank that around 1000 debit accounts it issued were compromised in the Global Payments breach, including the accounts that initially prompted Union Savings Bank to investigate.

Officials at the bank said it has suffered approximately $US75,000 in fraudulent charges and had spent close to $US10,000 in reissuing customer cards.

Higgins also reported fraud against the Bank of Oklahoma and Fulton Bank of New Jersey to the tune of about 1000 stolen card accounts a week.

Global Payments said the breach could have persisted for eight months and was believed to have originally impacted around 1.4 million cards.

Earlier this month, Global Payments confirmed that it was revalidating its PCI-DSS status after "some card brands" removed it from their lists of PCI-compliant processors.

Initially, Global Payments claimed that only Track 2 data was taken, not including cardholder names, addresses and other data, but Krebs said the Union Savings Bank experience shows that Track 2 data alone is enough for fraudsters to encode the card number and expiration date onto magnetic strips.

These cards can then be used at any merchant that accepts transactions that do not require the cardholder to enter their PIN.

This article originally appeared at

Copyright © SC Magazine, UK edition

Debit card fraud linked to Global Payments breach
Top Stories
Earning the right to innovate
Breaking down the barriers to innovation is a long, but rewarding process, says Bank of Queensland Group CIO, Julie Bale.
A call for timely reporting
[Blog post] Businesses need incentives to keep customer data secure.
Doubts cast on Queensland's ICT Dashboard
Opposition, former Govt CIO say it can't be trusted.
Sign up to receive iTnews email bulletins
Latest Comments
What is delaying adoption of public cloud in your organisation?

   |   View results
Lock-in concerns
Application integration concerns
Security and compliance concerns
Unreliable network infrastructure
Data sovereignty concerns
Lack of stakeholder support
Protecting on-premise IT jobs
Difficulty transitioning CapEx budget into OpEx