MCLEAN, Va. – Credit card fraud is almost impossible to prevent but its damages can be significantly limited, according to two security consultants hired by PSCU Financial Services to help in a recent card case. “Credit card fraud its almost entirely a crime of opportunity,” explained Barry Smith, partner in the security firm BFS. “I was in London recently and found a wallet. I was able to use the hotel key in the wallet to get it back to its owner. But if the guy behind me had found it he might have decided to have a party instead,” Smith said. PSCU, the card services firm for over 500 credit unions who process their cards with Denver based First Data Corporation, brought in Smith and his partner, Allan Trosclair, to help track down an employee who had become part of an ongoing credit card fraud ring. The ring, made up primarily of Nigerians, worked out of the Miami area. Altogether the criminals eventually compromised accounts from 96 PSCU member credit unions and eventually cost 66 of those institutions $1.6 million. In the wake of the theft the cooperative, based in St. Petersburg, Florida, has sent staff members along with Smith and Trosclair to present “Security Summits” to credit union card executives and managers around the country, explaining what happened and reiterating recommendations to credit unions of what strategies they can adopt to prevent similar thefts from happening to them. The employee who finally confessed to her part in the scheme had met her contact in the ring at a local nightclub, Smith explained to the November 21 Summit which was held in McLean, Virginia, outside of Washington D.C. Smith added that the employee had experienced divorce and bankruptcy in her life prior to meeting the ring's contact and he explained to a reporter later that the thieves might have sought to assuage her conscience by not paying her directly for the information. “They didn't really pay her for the data,” Smith said. “They took care of car payments for her, helped pay some other bills. That way she could tell herself she really wasn't selling the data, he was just giving her gifts,” Smith said Smith told the roughly 50 attendees of the Summit that because credit card fraud is almost entirely a crime of opportunity, it is almost impossible to predict. There is no way to tell what might be going on in someone's life that might lead them to take advantage of an opportunity for theft that they might not have taken when they were hired and background checks were made, he explained. Instead, credit unions must act to limit employees' opportunities to engage in crime and put into place systems to catch security breaches quickly when they happen. Smith, Trosclair and Mary Rosenberger, a Senior Risk Management official with CUNA Mutual Group advised the Summit attendees that handling card information carefully and limiting who has access to it are among their best first lines of defense against fraud. Rosenberger, who identified herself as from California, told the Summit that at one time California had among the highest card fraud rates in the nation and that credit unions in that state had to change their procedures to counter it. She told of visiting credit unions in the wake of fraud events and finding stacks of card related reports and other documents in open view and in unlocked rooms. She also described credit unions storing their card information in the same place as their general account information, where any employee could see it, and told of one noted incident in which a compact disc containing a portion of a credit union's file of VISA Gold card accounts disappeared. “Every employee doesn't have to see everything,” Rosenberger said. “Limit the number of employees who have access to your card information.” She also suggested that too many credit unions are careless with their security procedures. Employee passwords are not changed frequently enough in too many cases, and she urged credit unions to change them every 30-45 days. Smith and Trosclair both mentioned the importance of using so-called “footprints” technology which allows system administrators to track the employees that view or change account information. PSCU brought such technology into the hunt for the employee who helped the card ring and has said it will leave the software in place, as well as extend it to monitor data connections to First Data and to its member credit unions. Yatros also told the meeting that PSCU had also begun negotiations with the software manufacturer to provide the software at a reduced cost to its member credit unions. He declined, however, to identify the company. “Using footprints technology is an essential tool if you have to track down where a security breach has occurred,” Smith said. “With footprints you can see everybody who so much as looked at an account screen.” Although incidents in which the cardholder loses their card or has it stolen still represents the greatest percentage of fraud, the experts told the Summit that the incidence of fraud in which a thief or ring of thieves hijacks a card account is growing. Smith in particular told the audience that he suspects that some so-called `account takeover fraud' is being lost in the incidence of the more general so called `card not present' fraud. This category accounts for most of the card fraud that takes place over the Internet and takes place when thieves get account information and other personal data but do not have to get the actual card. In some account takeover cases, thieves steal cardholder information out of the mail, sometimes by doing something as simple as going from house to house and opening mailboxes on the pretense of leaving marketing information. But in others, as in the PSCU case, thieves get a hold of cardholders' account information from a source inside the credit union or by some other means. They then change the account's address and ask the institution to reissue the card to the new address, sometimes knowing enough to wait past the 45-day safeguard PSCU and some other card issuers place on issuing new cards when an account's address has been changed. In the PSCU case, Yantros reported, every incident of fraud in which the credit union actually lost money involved a credit union that had reissued a card to a new address that turned out to be fraudulent in under the 45-day turnaround. The most effective means credit unions have to combat this type of fraud is to send letters to both the old and new address after an address change, the security experts said. The letter could simply advise the member that as part of a security procedure the credit union was checking to make sure the member really had moved. If they had not moved the letter would advise the member to call the credit union immediately. “In our experience sending additional letters or making extra calls in the name of keeping a member's account secure are always viewed favorably by the cardholder,” Smith said. Trosclair also drove home to the attendees the importance of educating their members about safeguarding their own information generally, not just financial information like account numbers and other information. He reminded attendees to tell their members that credit card offers, balance transfer checks, or anything like that should ideally be shredded or at least torn up before being thrown out. He also urged more credit unions to adopt different sorts of security questions that the traditional last four digits of a social security number or mother's maiden name. These questions have become too widely compromised, he explained. [email protected]