
Some financial institutions last week canceled thousands of credit and debit cards in Michigan because of fraud alerts related to a possible data compromise at a convenience store chain, underscoring the wide effect that retail security breaches can have.
Fifth Third Bancorp, a large Cincinnati-based banking company, said it was reissuing debit cards to “a limited number” of customers in Michigan after being notified by MasterCard International Inc. of probable compromises. Two Muskegon, Mich.-based institutions, Community Shores Bank Corp. and Family Financial Credit Union, said they also reinstated some of their cards after seeing proof of fraudulent transactions.
The problems appear to have resulted from a security breach at Wesco, a Muskegon-based gas station and convenience store chain with 51 locations in Michigan. Wesco didn’t respond to requests for comment. But in a note on its Web site, the company said it is “investigating the possibility of credit card fraud associated with card use at our facilities.”
Investigation Launched
According to the note, credit card transactions conducted between July 25 and Sept. 7 may have been compromised. Wesco said the U.S. attorney’s office in Grand Rapids, Mich., and the U.S. Secret Service have launched an investigation in an effort “to understand the scope of the problem.”
Both MasterCard and Visa USA Inc. confirmed that they were investigating a data breach in the Muskegon area, but neither would identify the retailer involved.
Sherri Campbell, vice president of deposit operations at Community Shores Bank, said she has spoken with some staff members on Visa USA’s fraud team about the possibility of Wesco being the source of the data compromise. But, she said, “nobody will admit to that yet. So it’s up to everybody to infer what they want.”
It also wasn’t clear how the data might have been compromised. But four out of five data compromises involve security breaches at point-of-sale systems, said Avivah Litan, an analyst at Gartner Inc. The POS systems at convenience and grocery stores, as well as gas stations, can be especially vulnerable because of a lack of IT security awareness and resources, Litan said.
Much of the exposure results from merchants connecting their POS terminals to IP-based networks, Litan said. Frequently, such systems store magnetic stripe data from cards and have default passwords that can be easily hacked, she added.
The Payment Card Industry security standard explicitly prohibits the storing of magnetic stripe data on POS systems. But retailers continue to do so, and many POS applications store the data by default, Litan said.
Community Shores Bank asked about 550 customers to destroy their debit and credit cards after it noticed some of its cards being used to carry out fraudulent transactions, Campbell said. The fraud began two weeks ago and then started “rapidly increasing,” she said.
A spokeswoman for Fifth Third said its decision to reissue cards to some customers was a preventive measure. She refused to disclose how many debit cards were being blocked and reissued.
The problems in Michigan follow a worldwide wave of debit card fraud in February and March that also stemmed from a retail breach and forced financial institutions such as Bank of America Corp. and Citibank to cancel and reissue tens of thousands of cards.