MADISON, Wis. – Right now, as you read this, do you know how secure your credit union's credit and debit card programs are? If the pace of retail credit and debit card security breaches continues unabated and if credit unions continue to suffer fraud stemming from them, the losses could reach a point that they threaten the ability of credit unions to purchase the insurance coverage necessary to keep issuing the cards. That is one of the points Jeff Post, CEO of CUNA Mutual, made last week as he went about the business of raising credit unions' awareness about both the existing breach problem and the possibility that the problem will only increase with time. "I am afraid that what we are seeing here is the crest of a wave, a wave that is eventually going to hit all financial institutions but which will hit credit unions first," Post said. "Eventually every financial institution is going to get hit if things don't change," he added, "but because credit unions are smaller and have smaller card programs they are closer to the water than the others." CUNA Mutual says it covers the credit and debit programs of about 5,500 credit unions nationwide and that only between 700 and 1,000 of the CUs covered have been hit by the card breaches. But even so, the losses have grown significantly. In 2002, the insurer reported that insured credit unions had $39 million in losses incurred in credit and debit card breaches. By 2005, the figure had climbed to $100 million. Looking at the data by numbers of CUs hit, it might be reasonable to suppose that it is only credit unions with inefficient or poorly established card security programs that have been vulnerable to the thieves. But Post said that CUNA Mutual's research had not found this to be case. Instead, when it examined the fraud protection programs of CUs that experienced significant fraud losses and compared them with those of CUs that had not, it did not find any significant difference. This lack of difference means that the card losses are not being caused by a few credit unions that cannot put a good fraud prevention program into place, but by thieves not getting around to other CUs yet. The situation becomes even more serious when the losses are put against CUNA Mutual's ability to sustain them. Post pointed out that insurance works through the mechanism of having the fortunate majority cover losses experienced by the unfortunate minority. But if the roles are reversed and there become more unfortunate credit unions hit by thieves than fortunate ones that have not, there will be nothing CUNA Mutual can do but raise the costs of the premiums for card coverage, perhaps pricing it out of the range most CUs will be able to pay. The current level of losses from card fraud is simply not sustainable, Post said, explaining that in 2005 the insurer paid out roughly $2 in losses for every $1 in premium received. "We need to have more credit unions and CEOs of credit unions aware of this problem on the horizon and get prepared to address it," he said. Although Post said it was still too soon for him to make specific recommendations for what individual credit unions or credit union leagues can do to counter the problem, he said CUNA Mutual staff was hard at work on different ideas and on collecting data which can be used to develop proposals for action. Every credit union whose card program CUNA Mutual covers will receive a visit from the insurer in the next two months, Post said, in order to see if the credit union has the most current set of "best practices" procedures and processes in place to counter fraud. That data, in turn, will go into a recommendation for what CUs can do on their end to help alleviate the situation, CUNA Mutual said. But solving the frustrating problem will need more than one segment of the industry putting the best practices for card fraud into place, law enforcement and card experts pointed out. "I am not a specialist on cards or anything, but I think that these credit unions really don't have many options for how to prevent this 100%," said Lt. Thomas Cooney, an investigator with the Hudson County District Attorney's office who has helped prosecute one of the breaches and who described the investigation to be much like peeling an onion since each new layer of information uncovered others. "Once these guys get the card numbers and the other information, I am not sure there is anything we can do." The case actually began in 2004 as an investigation of identity theft which, as it progressed, grew to include an investigation into credit and debit card fraud, Cooney reported. He related how investigators followed members of a criminal enterprise from the place where they counterfeited the credit and debit cards on shopping trips they made around Jersey City, New Jersey, where the gang was headquartered to states as far away as Florida, Virginia and North Carolina. "They would only use each card once," Cooney said, "and they always bought the same things, high-end digital cameras, laptops, other technology they could sell on eBay." The trips to North Carolina were investigations of how the card breaches came home since many of the counterfeited card accounts came from the $13 billion State Employees Credit Union, headquartered in Raleigh, North Carolina. Cooney said the credit union had been very cooperative with the investigation but that it had not yet been able to answer the question of how the criminals got a hold of the card information in the first place. "That's the part of the puzzle we don't have yet," Cooney said. He speculated that the card numbers may have been obtained from a high-tech skimming technique, where a thief sits in a car nearby a wireless ATM and simply collected the data as it was transmitted over a poorly protected wireless network. He also noted that the thieves would sometimes send counterfeited cards to other thieves in other states who would use them and kick back some of their loot or, in some cases, the cards were sent overseas where they could be used. The Secret Service is involved in that case, he said. Cooney didn't think that this case necessarily overlapped with the a case on the West Coast which media reports have widely linked to Office Max, although a spokesman for the retailer denied that the firm had any knowledge of a card breach. Cooney estimated that there are likely overlapping card breaches around the country and he agreed with Post's observation that the problem is getting worse – and may continue to do so. In a front-page story in the March 8 Wall Street Journal, Visa USA said that only 17% of 231 large merchants with which it does business have fully complied with card industry security guidelines. Visa would not identify the retailers and did not characterize how the brand arrived at the data. The brand also reported that 75% of the 231 merchants had reported working toward compliance but that 8% had not reported their security compliance status at all. The story also quoted a Visa spokesman to the effect that the current situation is an improvement over last year when the spokesman said only 2% of the retailers were in compliance with the security guidelines. No Silver Bullet There is clearly a need to have all parties involved – credit unions, banks, processors and merchants – to fight fraud, said Frank Astalosh, senior vice president of OnPoint Community Credit Union in Portland, Ore. The $2 billion former Portland Teachers Credit Union thinks credit unions and banks need to cooperate when it comes to slowing the flow of credit and debit cards which are being compromised at merchants. Astalosh confirmed that roughly 50 of its 170,000 members had recently found fraudulent charges on their cards and the credit union has called for that sort of cooperation after an initial spate of media reports blamed the credit union for the compromise of the member data. Like Post, Ashtalosh refrained from laying out any specific strategy that might be adopted but mentioned several legislative efforts which are currently being advanced to address the problem, an approach CUNA has supported as well. In a March. 1 letter to Reps. Michael Oxley (R-Ohio) and Barney Frank (D-Mass), CUNA CEO Dan Mica reaffirmed the association's support for H.R. 3997, an act which supporters hope will help ensure the safety of consumers' payment cards. Oxley and Frank are the chairman and ranking member of the House Financial Services Committee. "CUNA does not object to merchants acquiring non-sensitive information from consumers to aid in the conduct of business and customer relations," Mica wrote. "CUNA supports legislation that would prohibit the retention of sensitive, identifying information by merchants and certain non-financial companies from plastic card magnetic strips that could be obtained in connection with financial transactions, including imposition of fines for failure to comply." Mica also urged that the legislation have language that requires merchants to notify financial institutions when breaches occur since, currently, they are not doing so. [email protected]