Skimmers Troll Credit Unions
In the latest in a string of credit union card fraud cases, hundreds of members of the $467 million Quincy Credit Union became casualties of a skimming attack affecting ATM/debit card access.
The Massachusetts-based financial institution temporarily suspended its customers’ ATM cards Sunday after multiple accountholders reported fraudulent charges, missing funds and malfunctioning cards via social media.
Quincy President Stewart Steele told Boston’s WBZ-TV that officials learned of the breach when hundreds of notifications started coming in from fraud detection services regarding unusual activity on debit cards. The card fraud affected an estimated 670 accounts, but the dollar amount remained unclear.
He said the shutdown, as well as a separate breakdown that limited online account access, began around lunchtime and lasted several hours.
Steele said credit union officials believed hackers put a skimming device on a machine in early December. The thieves then created duplicate cards to withdraw cash at ATMs throughout New York City during the weekend.
The credit union posted to its Facebook page Sunday saying it was aware of the suspected breach and was investigating. Dozens of Quincy Credit Union's customers lined up to get new cards Monday.
Steele did not respond to a CU Times request for comment.
The credit union, with more than 30,000 members, has full branches in Quincy and Weymouth and two ATM locations.
Skimming devices at credit union ATMs are an ongoing threat. One pattern in these types of incidents is for fraudsters to visit ATMs, often at night, to install unauthorized skimming devices and cameras to collect card data. They return later, after some members have used the machine, to collect information including PINs. They then use the data to manufacture fake cards to make withdrawals or purchases.
Other recent skimming incidents include skimming devices found on ATMs belonging to the $976 million Eugene, Ore.-based Northwest Community Credit Union and the $88 million Wilkes-Barre, Penn.-based Choice One Community Credit Union.
In November, a rise in debit card fraud in California created enough concern among credit unions that at least one, the $933 million El Segundo, Calif.-based Xceed Financial Credit Union, took the unprecedented step of blocking cards used at 7-Eleven and Wells Fargo terminals.
In August, the $679 million, Merritt Island, Fla.-based Launch Federal Credit Union restricted PIN-less transactions totaling less than $50 following the discovery of fraud involving some of the credit union’s debit cards.
In June, the $2.7 billion, Richmond, Va.-based Virginia Credit Union discovered card-skimming incidents at several ATMs and resulting fraud that left 2,000 debit cardholders vulnerable.
Skimming is not only affecting financial institutions. In Michigan, out-of-state gangs covertly attached card readers and small cameras inside gas pumps, according to Mlive.com. The scams ran from early July to September this year.
“All forms of magnetic stripe fraud are experiencing an uptick, particularly skimming, as the fraudsters make a push before full EMV implementation. Credit unions, banks, retailers and ATM ISOs are all being hit,” Rancho Cucamonga, Calif.-based CO-OP Financial Services Senior Manager, Public Relations and Corporate Communications Bill Prichard told CU Times in an email earlier this month.
“Part of the training of bank and credit union personnel is physical security training that covers the premises and ATMs. If employees are not trained sufficiently they may overlook skimmers left on ATMs and incidents like this happen easily as skimmers are getting more sophisticated by the month,” Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based cybersecurity company KnowBe4, stated.
San Jose, Calif.-based card management firm Ondot EVP Rachna Ahlawat said putting control directly into the hands of the cardholders is one way to minimize such breaches.
"Empowering cardholders to have control to immediately turn off their payment cards after withdrawing cash is an effective way to minimize loss due to skimming attacks," she explained. "It removes any guesswork out of when your own customers (i.e. legitimate cardholder) may be trying to use the card. It really puts the cardholder in the driver's seat."
The Houston-based Cardtronics has been proactively strengthening physical security at thousands of ATMs nationwide. Specifically, the organization is installing countermeasures such as PIN pad covers, designed to defeat the cameras and video devices criminals use to capture cardholder PINs as part of their ATM skimming schemes.