Skimming Case Draws Attention to a Problem That has Cost CUs over $20 Million in Last Five Years

ARLINGTON, Va. – A case of a North Carolina community bank which has lost $30,000 to a ring of thieves that compromised some of its debit card accounts has thrown more light on the U.S. growth in what has been seen as a primarily European and Asian problem. The problem is called “skimming” and a card fraud expert for CUNA Mutual estimated that it has cost U.S. credit unions at least $20 million over the last five years. “Card skimming has become one of the largest categories of card fraud,” said Ann Davidson, card fraud expert for the CUNA Mutual Group. “Lost and stolen cards are still the largest categories, but skimmed cards are right up there.” The $556 million Macon Bank has blocked all signature-based overseas transactions on its debit cards after losing an estimated $30,000 to a debit card fraud ring. “We aren’t sure why they chose our debit cards,” said Everett Stiles, “but they sure did like them. Them boys thought it was Christmas.” Police in nearby Henderson, North Carolina, have told Macon’s staff that they consider a local Mexican restaurant to be the source of the skimming ring, though they have not yet identified which sort of skimming mechanism the thieves used. In addition to the Henderson police, the bank said that the Secret Service had gotten involved as well, but no one from the Secret Service or the police was available to confirm this. Skimmers use small card swipe devices, some which can fit into the palm of a hand, to capture the data from a Visa or MasterCard branded credit card or debit card’s magnetic stripe. The data is then captured in electronic files which are sold, often over the Internet, to organized thieves across the country or overseas. The thieves then use the stolen card information to manufacture their own phony cards or even turn any card that has a magnetic stripe into an instant, live, credit or debit card. “Sometimes even those magnetic key cards that hotels use will work,” Davidson said. This type of skimming card fraud can only be conducted against credit cards and debit cards which authenticate their transactions with a signature because all of the data that the processors need to authenticate a transaction is located on the magnetic stripe that is compromised. There is no personal identification number component, which only the cardholder would know, needed to complete the transaction. This is why skimming schemes at ATMs must have a strategy for capturing the PIN number as well as the magnetic stripe information. Jacki Lacey, card manager for Macon Bank, said the first sign of trouble on the estimated 140 accounts that were compromised came in late August with a fraudulent charge from Mexico. The bank blocked signature-based charges from Mexico at that time, but then fraudulent charges began to appear from the Philippines and Hong Kong as well, so the bank blocked all overseas charges authenticated with the cardholder’s signature. “We didn’t want to inconvenience our cardholders, but we didn’t know what else to do,” Lacey said. She explained that because a card was present in the transaction, the bank will be responsible for all the fraudulent charges except for those where the bank could prove that the merchant had not followed the proper procedures for card identification, and even then she didn’t expect the bank will ever see any of its lost money. Macon has since been canceling the compromised accounts and reissuing cards. Part of the problem is that both Visa and MasterCard rules prevent the merchant from routinely asking for additional information, according to Davidson. “Even in an incidence where someone writes on the back of their card `ask for ID’ the merchant would break the rules if they did,” she explained. Only if the transaction comes back with a certain code can the merchant ask to see ID. No one was available from Visa or MasterCard to comment on their association’s rules about when merchants can or cannot ask for identification. An Ounce of Prevention Davidson explained that Macon could have probably limited its losses if it, or its card processor, had a so-called neural network in place and staff trained to detect the potential fraud. These networks, which Davidson said are increasingly common and which CUNA Mutual requires card issuing credit unions its insures to have, function like smoke alarms. Whenever a cardholder makes a transaction that is out of their usual pattern, for example in a foreign country, the network assigns a potential fraud number to the card file and flags it. If the staff has been properly trained they will be able to recognize the potential fraud and call the cardholder to ascertain if they were traveling out of the country. Lacey did not know if Macon’s processor had neural network capability but said there were signs that the thieves had tried to throw off fraud detection systems by putting fraudulent charges through in widely different amounts, ranging from hundreds of dollars to $5. But Davidson said a neural network could have picked up the small charges since any overseas charges on cards which had never been used overseas before would have triggered a flag from the network. She also said that CUNA Mutual saw the problem continuing until more card processors adopted a procedure called “name matching.” In name matching, the card processor verifies not only the security information in the card’s magnetic stripe, but the cardholder’s name as well. The name then prints out on the receipt for the transaction and can provide quick evidence, especially overseas, when a card might be compromised. “When someone compromised one of my cards and was using it overseas, they were using the name of Yong Jun,” a man, Davidson said. If her name had printed on the receipt it would have indicated that Yong Jun was not holding a correctly issued card. [email protected]