Fraud Spree Strikes Seattle
Card Fraud Incidents Investigated; Skimming 'Unlikely'
During the last week of October, credit and debit cardholders in the Capitol Hill neighborhood of Seattle began discovering fraudulent charges made against their cards. The charges appeared to come from locations in other states and, in some cases, locations in other countries, such as England, South Africa, the Dominican Republic and South America. Seattle authorities and the Seattle division of the Electronic Crimes Task Force, an arm of the Secret Service, started looking for the fraud's source. Authorities say they have identified multiple points of compromise, and the businesses involved have upgraded their anti-virus software to stop breaches.
"The Secret Service is the lead investigating agency in these cases and the Seattle Police Department is providing assistance," the Seattle Police Department stated in a prepared release this week. "At this early point in the investigation, it does not appear that a fraudulent credit-card access or 'skimming' device was used."
Security experts speculate that this spree might have resulted from a point of sale attack orchestrated by organized crime.
Credit Union Assists Investigation
The task force has help from local banks and credit unions, including the fraud response team at Boeing Employees Credit Union, an $8.6 billion institution based in Washington. According to John Snodgrass, security risk manager at BECU, the fraudulent charges were spotted immediately by the credit union's fraud-monitoring system and information was quickly turned over to authorities to help pinpoint where the criminals were collecting card data.
Approximately 100 BECU members had their credit or debit cards blocked and replaced because of fraudulent charges that cropped up after card use at Capitol Hill merchant locations. BECU would not put a monetary value on the fraudulent charges but says losses suffered by the credit union and its affected members were minimal, thanks to the credit union's fraud-monitoring solution, which detected the compromises early.
Other institutions in the Seattle area also have reported fraud incidents, with the bulk of compromised cards having been used in the Capitol Hill area just before the unauthorized charges began appearing, Snodgrass says.
Typical Card Fraud?
While banks and credit unions in the Seattle area continue to clean up from the rash of fraud, Jasbir Anand, senior solutions consultant at ACI Worldwide, says the Capitol Hill card fraud has the earmarks of a typical counterfeit fraud attack, despite the possibility that no skimmers were used.
"Although skimmers have been the primary means to compromise cardholders' magnetic stripes, the technology to compromise cards continues to evolve," Anand says. "Skimming devices have evolved from hand-held devices to those that can be embedded on or in ATMs and POS systems. The newest skimming devices also allow data to be captured and transmitted electronically, usually via radio frequency or Bluetooth."
Device-level compromises can be detected using point-of-sale compromise analysis, he says. Mass data compromises, on the other hand, are not easily detected, Anand says. "When large amounts of data are stolen for a data breach at a location that stores card data (merchants, acquirers, processors, issuers and networks), the breach is much harder to detect, because it may not be localized to geography or a time period." It is also common to use stolen card data overseas in blitz attacks -- much like the one that hit RBS WorldPay cardholders in February 2009.
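An added example (not from the article or from any vendor named in it) of the point-of-sale compromise analysis Anand refers to: it ranks merchants by how over-represented compromised cards are among their customers in the window before fraud began. Merchant names, card ids, dates and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: merchant -> cards seen there on VISIT_DAY (all hypothetical).
VISIT_DAY = date(2020, 1, 10)
VISITS = {
    "cafe_a": ["c1", "c2", "c3", "c11"],
    "bar_b": ["c4", "c5", "c6", "c12"],
    "grocer_c": ["c1", "c4", "c5"] + [f"c{i}" for i in range(7, 17)],
}
TRANSACTIONS = [(c, m, VISIT_DAY) for m, cards in VISITS.items() for c in cards]
# A purchase made after fraud started must not count as a possible exposure.
TRANSACTIONS.append(("c2", "grocer_c", date(2020, 1, 20)))
# Constructed: card -> date of its first reported fraudulent charge.
FIRST_FRAUD = {c: date(2020, 1, 17) for c in ("c1", "c2", "c3", "c4", "c5", "c6")}

def common_points_of_purchase(transactions, first_fraud,
                              lookback_days=30, min_cards=3, min_lift=1.5):
    """Return (merchant, compromised_cards, lift) for likely points of compromise."""
    all_cards = defaultdict(set)  # merchant -> every card seen there
    hit_cards = defaultdict(set)  # merchant -> compromised cards seen before fraud
    for card, merchant, day in transactions:
        all_cards[merchant].add(card)
        fraud_day = first_fraud.get(card)
        if fraud_day and fraud_day - timedelta(days=lookback_days) <= day < fraud_day:
            hit_cards[merchant].add(card)
    population = {c for cards in all_cards.values() for c in cards}
    if not population:
        return []
    # Share of all observed cards that were compromised: the expected rate
    # at a merchant that has nothing to do with the breach.
    base_rate = len(first_fraud.keys() & population) / len(population)
    results = []
    for merchant, hits in hit_cards.items():
        if len(hits) < min_cards:
            continue  # too few cards to distinguish from coincidence
        lift = (len(hits) / len(all_cards[merchant])) / base_rate
        if lift >= min_lift:
            results.append((merchant, len(hits), round(lift, 2)))
    return sorted(results, key=lambda r: (-r[2], -r[1]))

if __name__ == "__main__":
    for row in common_points_of_purchase(TRANSACTIONS, FIRST_FRAUD):
        print(row)
```

The busy grocer sees three compromised cards but is not flagged, because its compromised share is below the overall rate; the two small merchants are. This localization by merchant and time window is what a mass data compromise lacks.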
Skimming 'Unlikely'
One security expert says fraudster gangs are very often based in a certain city and target merchants in their own backyards, usually in collusion with an employee who skims the cards.
"What's unusual here is that multiple merchants were compromised, meaning that collusion is unlikely, and, therefore, skimming is also unlikely," says Tom Wills, a senior fraud analyst at Javelin Research. While details are still not known, Wills speculates that a local Seattle-based gang may have performed a "Gonzalez-style" point-of-sale hack, referring to Albert Gonzalez, the mastermind behind the Heartland Payment Systems breach (among others).
Branden Williams, director of the Security Consulting Practice at RSA, the security division of EMC, says it appears this fraud is "indicative of the smash-and-grab-type mentality," during which the objective is to net the largest amount of money in the quickest timeframe, "and get out before you leave too many clues about who you are."
"Mistakes are common in large, coordinated efforts," Williams says. He speculates that this was perpetrated by an organized crime syndicate, rather than a "run of the mill" individual, based on the number of merchants affected. He also wonders if the cause could be located "upstream" in the card transaction process.
Stopping Card Fraud
Security experts say there are a number of actions that can be taken to detect and prevent this kind of fraud. Among the recommendations:
- Implement an alert system that sends an e-mail or SMS/text message to the cardholder when unusual activity is detected.
- Vigorously educate customers about checking their monthly statements and account balances; advise them to sign up for alerts and keep close eyes on their cards when they're out shopping or taking cash from ATMs.
- Tokenize or encrypt card data as it's transmitted from the POS to the acquirer host. Several vendors -- RSA, VeriFone, CyberSource, Voltage Security and others -- now have products to help with this, which they brought to market in the wake of the Heartland breach.
- Deploy a data-loss-prevention system within the network.
- Implement sound security principles, deploying controls in layers so that you're not relying on a single control.
- Put a high priority on security around card acceptance -- not only security of payment card data, but also account reconciliation; use dual controls and background checks on employees who have access to POS equipment, both at the cash register and in the back-office.
- Focus on the "people problem" of payment acceptance. The more retail employees that can spot a fraudulent credit card, the more these incidents decrease. Basic inspection by retailers will prevent most attacks.
- Check statements and immediately report any suspicious activity.
- Bank with financial institutions that deliver good fraud detection and self-service fraud alerts.