Virginia Credit Union Hit by ATM Skimming Breach

Incident leaves 2,000 debit cardholders vulnerable; credit union says evidence of fraud has begun to emerge.

By Roy Urrico | June 03, 2015 at 09:01 AM

The $2.7 billion, Richmond, Va.-based Virginia Credit Union is investigating card skimming incidents at several ATMs and resulting fraud. VACU is issuing new cards and making refunds following the discovery that left 2,000 debit cardholders vulnerable.

"There has been some ATM skimming that has taken place in the area; we've been a victim of that as well," Glen Birch, VACU's director of public and media information, said. "It's affected some of our members and we are issuing them new cards, giving them some tips of what they can do in the meantime, such as changing their PIN, and also providing assurance that they have zero liability."

The credit union discovered the devices during normal maintenance at on one of its branch ATMs. That led VACU to launch an investigation. The credit union discovered card skimming occurred at two full service branches at Southpark and Glenside, Va. over a limited period of time.

"To be impacted, a member would have had to insert their debit card into an affected ATM when a skimmer was in place," Birch explained. "Other members' cards are not affected." VACU disrupted an effort by criminals at a third location.

Evidence of fraud is starting to emerge.

"In the last week, we've begun to see some indications of fraud," Birch revealed, adding that no exact count is available because the situation continues to evolve. "It is a substantial number, but certainly not all of them."

The institution actively reached out with a website alert and letter to affected members.

"We have become aware that your debit card is vulnerable to potential fraud as a result of fraudsters placing a card skimming device on an ATM that you used," the letter read. "The debit card information that may be at risk includes your name, card number, expiration date and personal identification number (PIN)."

Birch explained the normal pattern in these types of incidents is for fraudsters to visit ATMs, often at night, and then install unauthorized skimming devices to collect card data. They return sometime later, after some members have used the device to collect that information. They then used data to manufacture fake cards, which they then use to make withdrawals.

The credit union's ATM machines work with cards that have mag stripes.

"Our debit cards don't have the EMV chip at this point," Birch said. "We anticipate doing that in the future, not the distant future, but the future. We do have the EMV chip on our credit cards but the mag stripe is still there [on debit cards] because retailers require it. These incidents are happening up and down the east coast, and elsewhere in the country as well."

John Zurawski, vice president of Chicago-based Authentify, a supplier of authentication services for protecting user accounts from unauthorized access, said, "The most recent study by the Federal Reserve on the use of ATMs included the statistic that American consumers made 5.8 billion ATM withdrawals totaling $687 billion in value annually. It's not surprising that criminals have targeted ATMs, in fact, the Secret Service has warned of an uptick in this type of crime. The risk of getting caught is low, the rewards are potentially high as debit cards can be used at ATMs or online."

Zurawski pointed to a 2015 study by the Federal Reserve Board on the U.S. payments systems, which cites sub-optimal security technologies and the need to "strengthen authorization and authentication of parties and devices across all payment methods (cards, ACH, wire, check) and channels (in person, remote, mobile, and online)."

"Would biometrics at the ATM or out-of-band authentication of the legitimate account holder via their phone fill that sub-optimal gap and prevent this type of crime?" he asked. "Yes it would!"

NOT FOR REPRINT

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).

1 Tennessee’s Y-12 Federal Credit Union Welcomes New CEO Dustin Millaway

2 Credit Union Loan Originations Recover: A Strong 'Rebound'

3 Cornerstone Financial Credit Union Introduces Buy Now, Pay Later Service

4 Credit Unions Push Back Against Proposed California Privacy Regulations

5 Credit Union of Texas Launches Spanish-Language Brand Todos Unidos

Insurance
Complex Claims & Litigation Forum 2025
February 24, 2025 - Las Vegas

This conference aims to help insurers and litigators better manage complex claims and litigation.
More Information
GlobeSt. Multifamily Spring 2025
April 01, 2025 - New York

Join the industry's top owners, investors, developers, brokers & financiers at THE MULTIFAMILY EVENT OF THE YEAR!
More Information
GlobeSt. Net Lease Spring 2025
April 01, 2025 - New York

This conference brings together the industry's most influential & knowledgeable real estate executives from the net lease sector.
More Information