Debit Breach Hits Ohio Accounts

Fraudulent Signature Debit Transactions Hit Nearly 24 Institutions Jeffrey Roman (gen_sec) • June 21, 2011

June 21 Update: The recent breaches that affected dozens of Northeast Ohio banks and credit unions were most likely caused by the interception of CVV2 card security codes, says Mike Urban, senior director of fraud product management at FICO.

"It's not a skimming situation," Urban says of the breaches which started in April. "Likely, it was related to one or several attacks on a card-not-present merchant."

The fraudsters, using stolen debit details, hit accounts with fraudulent signature-based transactions used for online and over-the-phone purchases.

Based on the number of organizations hit, tens of thousands of accounts may have been exposed.

The affected banks include Keybank, Dollar Bank, Fifth Third, PNC, Huntington, Charter One, Ohio Savings and FirstMerit. At least six credit unions also were reportedly hit, including Century Federal Credit Union, Ohio First Class Credit Union [formerly the Postal Employees Credit Union], the Firefighters Credit Union, PSE Credit Union and Best Reward Credit Union.

Fraudulent purchases, some of which neared $4,000, at Walmart, AutoZone and CVS were reported. Other transactions were initiated overseas, including some in Germany and the Philippines.

The Electronic Crimes Task Force, a unit of the U.S. Secret Service, is in charge of the investigation.

CVV data can be captured when a magnetic stripe is skimmed. CVV2 data, on the other hand, is used for authenticating online or over-the-phone purchases. "[The CVV2] number is not on a magnetic stripe," Urban says. "When you're skimming, you can compromise the CVV stripe. But you don't get the CVV2, which is on the signature bar."

The breach could also have been related to a phishing scheme, through which attackers gathered card information directly from consumers. A connection among all the compromised debit accounts is probable, says George Tubin, senior research director for TowerGroup's Delivery Channels and Financial Information Security research.

"I'd be interested in knowing what the connection, besides location, these CUs [and banks] have with each other," he says "Shared ATM network or processor? There must be a single point of compromise, versus a fraudster just focusing on CUs in a particular location."

Institutions affected by the breach should work to identify the accounts that were attacked and monitor for testing transactions, "when the criminals do low-amount transactions before they go in with a high transaction," Urban says.

The breach comes in the wake of other noteworthy attacks, namely the hack of Citi's online banking platform, which led to the exposure of account details on more than 360,000 Citi cards. [See Citi Breach: 360K Accounts Affected]

Editor's Note: Managing Editor Tracy Kitten contributed to this story.