Debit Card Fraud Wave Hits Small Ohio Credit Union

A small credit union in Ohio that has been hit by a flurry of hacks to member debit cards said it is part of a “massive” wave of similar attacks worldwide.

Sandra Hollenberg, president/CEO of YS Federal Credit Union of Yellow Springs, Ohio ($27.3 million in assets), said Friday that 166 of its 2,014 members had been affected as of Thursday. The hackers had made attempts for $36,682 in purchases. The credit union blocked most of the attempts, charging them back to the merchants, but $15,137 got posted to member accounts.

Hollenberg said no one’s personal information has been compromised, and members are being made whole with credits to their accounts.

The credit union put up a banner on its website warning members that an “industry, world-wide, massive MasterCard debit card fraud” had affected some members.

“YSCU is doing everything possible to reduce additional fraudulent postings from not-yet-affected cards,” it said. “This did not result from anything YSCU’s product or staff failed to protect or do.”

The fraudulent purchases began in early September and the amount of attempts had reached about $35,400 on 161 accounts as of Monday when it was first reported by The Yellow Springs News.

“It has been slowing down,” Hollenberg said.

Hollenberg said experts from the credit union’s vendors have told her that they were able to confirm attacks came from Russia, but some attacks could have come from other countries.

Her vendors did not say how many other financial institutions had been affected. “They used the word ‘massive,’” she said. “It’s not just nationwide; it’s globally.”

CU Times sought a response from the U.S. Federal Trade Commission, but had not yet received a response as of Friday afternoon.

Hollenberg said the method was a “brute force attack” in which the hacker used the credit union’s BIN number and guessed at the member’s debit card numbers to make small purchases. When it found a match, it would then make larger purchases.

The FTC’s website compares brute force attacks to beating odds by employing an “infinite number of monkeys at an infinite number of typewriters.”

“Hackers use automated programs that perform a similar function. These brute force attacks work by typing endless combinations of characters until hackers luck into someone’s password,” according to the FTC’s “Start with Security: A Guide for Business.”

In this case, the fix would be at the merchant’s end: Stopping transactions after a certain number of attempts to provide payment information.

For the credit union, Hollenberg said the issue can’t be noticed until a member spots an unrecognized charge.

Hollenberg said the credit union depends on members spotting suspicious charges and notifying the credit union immediately. In turn, the five-employee credit union is making credits to accounts “before we go home for the day.”

“We have no way of knowing unless they let us know,” she said.

The credit union has closed affected debit cards, and offered to transfer money to gift cards for the members to use while they wait for their new cards to arrive.

The credit union has blocked posts from Russia, and has been told it might need to block other sources as they are identified.

“We’re trying to do everything we can,” she said.

“Nobody that offers debit cards, credit cards — plastic — can prevent themselves from being attacked,” she said. “It’s the same risk any financial institution has that offers debit cards.”