Security Breach at C-Store Chain Leads to Debit Card Reissue
MUSKEGON, Mich. -- Several banks in the area, including Fifth Third Bancorp, have begun reissuing scores of debit and credit cards, as the chance of fraud linked to use at Wesco, Inc.'s chain stores increases, Computerworld.com reported.
Fifth Third is the fifth financial institution to take measures against fraud due to Wesco's security breach. The bank confirmed last week that it is reissuing a "limited number" of cards to Michigan customers because of fraud concerns. Letters to affected customers began delivery last week, the report stated.
The action was precautionary, not in response to an actual incidence of fraud, according to company spokeswoman Stephanie Honan. "We were notified by MasterCard of a number of cards being potentially compromised," said Honan. "We put those cards through our monitoring system, and we felt that we should reissue them. We were not forced to reissue them."
Although Honan did not disclose to the Web site the actual number of cards that were being blocked and reissued, a local media report cited by Computerworld.com noted that the number was in the "thousands." Honan also could not disclose whether the potential fraud was linked to Wesco stations. "The timing may make it seem that way, but we were not told," by MasterCard, she said.
Fifth Third follows actions by numerous banks in the area responding to fraud concerns that appear to be related to security breaches at Wesco stations between July 25 and Sept. 7, the report stated. Other financial institutions that are taking action include Community Shores Bank, which asked approximately 550 members to destroy the debit and credit cards after the credit union found that many of its cards had been used in fraudulent transactions.
At that bank, fraudulent purchases made with its cards began around Nov. 9 and quickly escalated, according to Sherri Campbell, vice president of deposit operations at the bank. She added that forged cards were used to purchase amounts more than $1,000, with a few transactions totaling $2,000.
"Most of the fraud we have seen is coming out of Georgia, Arizona and California," Campbell told Computerworld.com. Several cards made purchases as far away as Spain and France, she added. "We do know that [the perpetrators] are re-creating plastic, because these were all signature-based 'card present' transactions," she noted.
Another bank, Family Financial Credit Union, based here, replaced almost 1,000 debit and credit cards due to fraud concerns, the Web site stated. President of the bank, Thomas Curtis, did not provide additional information about the fraud, but confirmed the details of a Muskegon Chronicle report that said cards were cancelled as a precautionary measure after some members were victimized by fraudulent purchases, the report stated.
It also noted that executives at Community Schools Credit Union and Muskegon Commerce Bank have taken similar actions in response to fraud concerns. Representatives from both banks did not respond to Computerworld's request for comment.
Although Wesco does not currently offer an explanation for the security breach, these incidents occur often at point of sale (POS) systems, according to Avivah Litan, analyst at Stamford, Conn.-based Gartner, Inc. "Four out of five data breaches are happening at the point of sale systems," Litan told Computerworld.com. Particularly at risk are systems at convenience and grocery stores, she added.
The increased risk is due to new technology, as retailers unhook their POS systems from existing dial-up networks and implement them into IP-based networks. By doing this, the new systems often store the cards' data and are used with default passwords that are easily hackable, she noted.
Storing this data is prohibited by the Payment Card Industry data security standards, set by companies such as Visa and MasterCard, the report stated. However, many retailers do just that, Litan said. In addition, many POS software systems used today store the data by default, Litan told the Web site.
"Crooks figure out which brands are storing magnetic stripe data and determine which companies to target simply by looking at the list of customers on the terminal manufacturer's Web site," she said.
The U.S. Secret Service and the U.S. attorney's office are investigating incidents of fraud at Wesco's stations, according to the company's Web site. Wesco, headquartered in North Muskegon, Mich., owns more than 50 gas stations throughout Michigan.
Fifth Third is the fifth financial institution to take measures against fraud due to Wesco's security breach. The bank confirmed last week that it is reissuing a "limited number" of cards to Michigan customers because of fraud concerns. Letters to affected customers began delivery last week, the report stated.
The action was precautionary, not in response to an actual incidence of fraud, according to company spokeswoman Stephanie Honan. "We were notified by MasterCard of a number of cards being potentially compromised," said Honan. "We put those cards through our monitoring system, and we felt that we should reissue them. We were not forced to reissue them."
Although Honan did not disclose to the Web site the actual number of cards that were being blocked and reissued, a local media report cited by Computerworld.com noted that the number was in the "thousands." Honan also could not disclose whether the potential fraud was linked to Wesco stations. "The timing may make it seem that way, but we were not told," by MasterCard, she said.
Fifth Third follows actions by numerous banks in the area responding to fraud concerns that appear to be related to security breaches at Wesco stations between July 25 and Sept. 7, the report stated. Other financial institutions that are taking action include Community Shores Bank, which asked approximately 550 members to destroy the debit and credit cards after the credit union found that many of its cards had been used in fraudulent transactions.
At that bank, fraudulent purchases made with its cards began around Nov. 9 and quickly escalated, according to Sherri Campbell, vice president of deposit operations at the bank. She added that forged cards were used to purchase amounts more than $1,000, with a few transactions totaling $2,000.
"Most of the fraud we have seen is coming out of Georgia, Arizona and California," Campbell told Computerworld.com. Several cards made purchases as far away as Spain and France, she added. "We do know that [the perpetrators] are re-creating plastic, because these were all signature-based 'card present' transactions," she noted.
Another bank, Family Financial Credit Union, based here, replaced almost 1,000 debit and credit cards due to fraud concerns, the Web site stated. President of the bank, Thomas Curtis, did not provide additional information about the fraud, but confirmed the details of a Muskegon Chronicle report that said cards were cancelled as a precautionary measure after some members were victimized by fraudulent purchases, the report stated.
It also noted that executives at Community Schools Credit Union and Muskegon Commerce Bank have taken similar actions in response to fraud concerns. Representatives from both banks did not respond to Computerworld's request for comment.
Although Wesco does not currently offer an explanation for the security breach, these incidents occur often at point of sale (POS) systems, according to Avivah Litan, analyst at Stamford, Conn.-based Gartner, Inc. "Four out of five data breaches are happening at the point of sale systems," Litan told Computerworld.com. Particularly at risk are systems at convenience and grocery stores, she added.
The increased risk is due to new technology, as retailers unhook their POS systems from existing dial-up networks and implement them into IP-based networks. By doing this, the new systems often store the cards' data and are used with default passwords that are easily hackable, she noted.
Storing this data is prohibited by the Payment Card Industry data security standards, set by companies such as Visa and MasterCard, the report stated. However, many retailers do just that, Litan said. In addition, many POS software systems used today store the data by default, Litan told the Web site.
"Crooks figure out which brands are storing magnetic stripe data and determine which companies to target simply by looking at the list of customers on the terminal manufacturer's Web site," she said.
The U.S. Secret Service and the U.S. attorney's office are investigating incidents of fraud at Wesco's stations, according to the company's Web site. Wesco, headquartered in North Muskegon, Mich., owns more than 50 gas stations throughout Michigan.