A number of credit unions say they have experienced an unusually high level of debit card fraud from the breach at nationwide fast food chain Wendy’s, and that the losses so far eclipse those that came in the wake of huge card breaches at Target and Home Depot.
As first noted on this blog in January, Wendy’s is investigating a pattern of unusual card activity at some stores. In a preliminary 2015 annual report, Wendy’s confirmed that malware designed to steal card data was found on some systems. The company says it doesn’t yet know the extent of the breach or how many customers may have been impacted.
According to B. Dan Berger, CEO at the National Association of Federal Credit Unions, many credit unions saw a huge increase in debit card fraud in the few weeks before the Wendy’s breach became public. He said much of that fraud activity was later tied to customers who’d patronized Wendy’s locations less than a month prior.
“This is what we’ve heard from three different credit union CEOs in Ohio now: It’s more concentrated and the amounts hitting compromised debit accounts is much higher that what they were hit with after Home Depot or Target,” Berger said. “It seems to have been been [the work of] a sophisticated group, in terms of the timing and the accounts they targeted. They were targeting and draining debit accounts with lots of money in them.”
Berger shared an email sent by one credit union CEO who asked not to be named in this story:
“Please take this Wendy’s story very seriously. We have been getting killed lately with debit card fraud. We have already hit half of our normal yearly fraud so far this year, and it is not even the end of January yet. After reading this, we reviewed activity on some of our accounts which had fraud on them. The first six we checked had all been to Wendy’s in the last quarter of 2015.”
All I am suggesting is that we are experiencing much high[er] losses lately than we ever did after the Target or Home Depot problems. I think we may be end up with 5 to 10 times the loss on this breach, wherever it occurred. Accordingly, please put this story in the proper perspective.”
Wendy’s declined to comment for this story.
Even if thieves don’t know the PIN assigned to a given debit card, very often banks and credit unions will let customers call in and change their PIN using automated systems that ask the caller to verify the cardholder’s identity by keying in static identifiers, like Social Security numbers, dates of birth and the card’s expiration date.
Thieves can abuse these automated systems to reset the PIN on the victim’s debit card, and then use a counterfeit copy of the card to withdraw cash from the account at ATMs. As I reported in September 2014, this is exactly what happened in the wake of the Home Depot breach.
Berger said NAFCU’s members are still trying to figure out whether they should just reissue cards for any customers who ate at Wendy’s anytime recently. After all, the restaurant chain hasn’t yet said how long the breach lasted — or indeed if the breach is even fully contained yet.
This brings up a fascinating phenomenon that occurs with card fraud linked to breached retailers or restaurants that customers patronize frequently. I recently spoke with a bank security consultant who was helping several financial institutions deal with the fallout from the Wendy’s breach. The consultant, who spoke on condition of anonymity, said many of his client banks had customers who re-compromised their cards several times in a month because they ate at several different Wendy’s locations throughout the month.
“A lot of them are kind of having a tough time because of they’re having trouble putting context around the exposure window, and because customers keep re-compromising themselves,” the consultant said. “The banks are reluctant to keep re-issuing cards if the cards are going to get re-compromised over and over because some customers just have to have their hamburgers each week.”
Many banks and credit unions are now issuing more secure (and more expensive to manufacture) chip-based credit and debit cards. The chip cards — combined with chip card readers at merchant cash registers — are designed to make it much harder and more expensive for thieves to counterfeit stolen cards. It’s not for certain yet but seems likely that the breached Wendy’s locations were not asking customers to dip their chip cards but instead swipe the card’s magnetic stripe.
Curious about why so many retailers have chip-enabled credit/debit card terminals and yet still ask customers to swipe? Check out The Great EMV Fakeout: No Chip For You! For a primer on why so many financial institutions in the United States are adopting chip-and-signature over chip-and-PIN, see this piece.