A report out on Wednesday (March 2) put the level of fraud being felt by credit unions as far worse than the fraud suffered after the Home Depot and Target breaches, with some CUs estimating that the fraud could be ten times that of those other retail breaches. And much of the pain is being felt at merchants who have yet to make the EMV switch.

KrebsOnSecurity reported Wednesday that three different CUs in Ohio are reporting higher levels of fraud. One CU president was quoted as saying, “We have been getting killed lately with debit card fraud. We have already hit half of our normal yearly fraud so far this year, and it is not even the end of January yet. After reading this, we reviewed activity on some of our accounts which had fraud on them. The first six we checked had all been to Wendy’s in the last quarter of 2015.”

The story also noted an interesting twist, with some consumer victims repeatedly re-compromising themselves by going to different Wendy’s restaurants—some of which had apparently not yet contained the breach. The story quoted one consultant as saying, “A lot of them are kind of having a tough time because they’re having trouble putting context around the exposure window because customers keep re-compromising themselves. The banks are reluctant to keep re-issuing cards if the cards are going to get re-compromised over and over because some customers just have to have their hamburgers each week.”

Todd Ablowitz, president of Double Diamond Group, said much of this pain can be mitigated by accelerating EMV migration plans.

“Payment facilitators should make sure their merchants are both EMV enabled and that they are dipping their cards. Why? If the card fraud is going up—which is what CUs are saying—then more of it can hit you as a small merchant, more often and more painfully,” Ablowitz said. “Prior to the liability shift, that pain hurt the FIs. Post liability shift, if that card is swiped, it’s the merchant that takes the hit. Plus, the fact is that counterfeit cards are always made based on the mag stripe because it’s too hard—damn near impossible—to put the card data on a chip.”