MADISON, Wis. – CUNA Mutual Group, the insurer for 95% of credit unions in the U.S., and other card security experts have begun to warn credit unions that a long-standing card activation procedure has been compromised and needs to be changed or scrapped.

Most credit union card issuers require new cardholders, or cardholders whose cards have been renewed, to call a toll-free telephone number from their home phone or the phone number of record on the account in order to activate new or renewed card accounts. But most credit unions have also had a procedure whereby cardholders have been able to call from other phones, perhaps because they have been traveling or have a cell phone, and activate their cards from the other phone line using the last four digits of their Social Security number. This procedure, in particular, is the one card security experts say has been compromised.

In late October, CUNA Mutual issued an alert to credit unions warning them that during the past 60 days, large shipments of plastic cards involving 20 or more credit unions have been stolen. The cards were being sent via the mail in an inactive state that required the card to be activated. In previous years this procedure would have been adequate to prevent fraud, but CUNA Mutual said thieves have grown savvy enough to circumvent these procedures and have defrauded the credit unions.

"This is really not a new problem," said Anne Davidson, product expert in the insurer's card security group, "because it starts with the postal theft of cards and that has been with us for a while. What's different now is that the thieves have figured out how to circumvent the procedures we put into place to foil them the first time."

In this particular case, once the cards had been activated, the thieves used the cards to generate cash advances at other banks or credit unions.
Davidson didn't have precise loss numbers from this incident and said that it appears to still be going on, as fraud and attempted fraud reports kept coming in. "We found out about this because credit unions began experiencing fraud and alerted us to it," Davidson said.

The U.S. Postal Service is investigating the theft and would not comment on its ongoing investigation other than to note that increasing numbers of these thefts have ultimately involved international rings which have sold the stolen cards overseas.

One card consultant who did not want to speak for the record noted that he strongly advised credit unions not to send out any promotional or mass card mailings at all in the months of December or January, a time when many customary postal workers are on vacation. In the past, temporary or new postal workers have been implicated in a number of thefts, he explained.

But Davidson emphasized that the facts of this individual case should spur all credit unions to look more closely at their activation procedures and to consider changing or scrapping their alternate activation procedures. "We are really trying to get credit unions to pay attention to the procedures they or their processors use for card activation," Davidson said.

Certegy, the card processor for over 2,000 credit unions, uses the home phone card activation procedure as a default but allows credit unions to set up additional activation procedures if they choose, according to Sue Chrzan, spokeswoman for Card Services for Credit Unions, the association for credit unions that process with Certegy.

Davidson urged that credit unions just consider scrapping the alternate activation procedure, even as she acknowledged that doing so might create customer service issues for some credit unions. "We think credit union members who are traveling or need to activate their cards using another phone line can be asked to call the credit union where more security information can be taken," Davidson said.
But Barry Smith, a card security consultant headquartered in Phoenix, Arizona, agreed that Social Security numbers have been compromised to a large degree and that it is hard to know just how much. "I think the extent to which Social Security numbers have been compromised is a matter for debate since they have started trying to be a lot more careful with them," Smith said, "but most folks recognize that Social Security numbers are not nearly as secure as they need to be."

But rather than scrap having an alternative activation procedure entirely because the Social Security number is compromised, Smith recommends that credit unions allow cardholders to activate their cards from other phone lines using their old card's three-digit CVV number. The CVV number is found on the back of the card, usually to the right side above the signature line. Using this number, Smith noted, would help certify the cardholder's identity in a way that is unlikely to be compromised anytime soon.
