- Member reports receiving fraudulent text message about Alabama Credit Union card (March 13, 2009). On Thursday, March 12, we received news from a member that she had received a fraudulent text message to her cell phone, as follows: "Card Services CUAlert: Your card has been deactivated. Please contact this number to reactivate. xxx-xxx-xxxx." The text message provided a phone number in its sender ID (shown above as xxx-xxx-xxxx), but that number is being answered by a "voice mailbox is full" message. This, of course, is becoming a common scamand members should not respond with their confidential information. Members are encouraged to provide the sender's phone number to law enforcement authorities.
Members' VISA ATM/Debit cards blocked due to unknown vendor's data breach
(Updated March 1, 2009) We have been notified by VISA that a lengthy list of VISA ATM/Debit Card numbers was included as part of a data breach at an unknown vendor's location. VISA has declined to name the vendor or processor. The fraudulent transactions usually occur in $100 increments. For that reason, we have limited purchases on these VISA ATM/Debit Cards to $99 per day. Replacement cards have been ordered for every card that is being blocked, and should arrive at the cardholders' addresses in 5 - 10 days. Cardholders will still be able to conduct PIN-based ATM transactions, up to $500 per day or the limit permitted by ATM machines, however.
As soon as you receive your replacement debit card, please contact us to activate the new card and block the old card. All of the cards on the list will be blocked as soon as your replacement card has had time to arrive to you -- probably by March 10.
If you need to make daily purchases of more than $99.00 before your new card arrives, and you live or work near one of our branch offices with instant-issue card capability (see locations), replacing your card will take only moments and you may choose your new PIN while you're at the branch. In either case, please remember to update transactions that you have authorized to be automatically charged to your VISA ATM/Debit Card.
To ensure that members are notified promptly, we have employed the services of CUNA Mutual's LoanLink Center, a company with strong security controls that also handles Alabama Credit Union's online loan applications and after-hours incoming calls. If your debit card is being blocked and reissued, you will receive a phone call or voice mail, as well as a letter and FAQ sheet in the mail. For further assistance, please phone (205) 348-5944 or (888) 817-2002.
Members' VISA credit cards blocked due to unknown vendor's data breach
(Feb. 17, 2009) Alabama Credit Union has been notified by VISA that some members' VISA credit card information may have been discovered during a breach at a card processor's site. VISA has not named the card processor. To prevent fraudulent transactions on these card accounts, we are immediately deactivating the card(s) assigned to the account numbers that were discovered. We understand the unfortunate consequence -- that members will be inconvenienced when their Alabama Credit Union VISA credit card transactions are declined for an unknown reason -- and apologize. Approximately 250 cards are on this list; watch this site for a list of card numbers that have been deactivated (no names will be published; only deactivated card numbers will be published, in numerical order). If your VISA credit card has been blocked, it will be promptly reissued via mail. When your new card arrives, please be sure to activate it using the instructions on the label on the new card, and update any transactions that you have authorized to automatically be charged to your VISA credit card. We again apologize for the inconvenience as we work quickly to protect your account against fraudulent transactions. For further assistance, please phone (205) 348-5944 or (888) 817-2002.
(Feb. 9, 2009) A current rash of scams has credit union members and non-members wondering if their credit union is contacting them to obtain credit card or account information.
In fact, we will never contact you to obtain your confidential information -- regardless of the caller ID code, sender's text messaging number or name, or sender's e-mail address.
If you've provided info to any message of this type, please contact us immediately at (205) 348-5944 or (888) 817-2002 so that we can take further action to protect your account.
Heartland Payment Systems card breach results in millions of card numbers revealed
Heartland Payment Systems, a national card processor for clients such as pay-at-the-pump stores, has announced a data breach that occurred within their systems in 2008. Potentially, more than 100 million cards have been affected, according to media sources. If your VISA credit or debit card number has been revealed, you will receive a letter from Alabama Credit Union, informing you that we are ordering a new debit or credit card for you. We also ask you to examine your account statement and notify us of any incorrect card transactions. When your new card has arrived to you, we will deactivate your existing card. You must activate your new card by following the instructions printed on the replacement card. If you wish to change the PIN on your VISA ATM/Debit card, please drop by any Alabama Credit Union office to do so. Thank you for your patience as we go through the time-consuming process of blocking and reissuing credit and debit cards for many members. If you have questions, please contact us at (205) 348-5944 or (888) 817-2002.
New phone scams hit CUs in Alabama and Virginia
MADISON, Wis. (8/22/08)--Add Alabama and Virginia credit unions to the growing list of credit unions throughout the nation whose members are being hit with vishing (voice phishing).
Heritage South CU, Sylacauga, Ala., warned Talladega County residents earlier this week of a phone scam in which an automated system asks for credit and debit card information (The Daily Home, Aug. 20). The scam began Monday evening.
The $66 million asset credit union told the newspaper it received an equal number of calls from members and nonmembers contacted by an automated system claiming to be Heritage South and saying their card had expired. The recipients were asked to call a long distance number to reactivate the card and the bogus "Heritage South Security Center" would ask for the card number, PIN and the card's expiration date.
Few members gave out the information, said the credit union, whose member database was not compromised. The credit union said it would never contact members asking for information it already has.
Members of Martinsville Dupont Employees CU (MDCU), Martinsville, Va., received similar calls, the credit union said Thursday in a press release. "Someone has obtained a list of phone numbers in the Martinsville and Henry County area and is calling individuals" with a similar ruse, said Darrell L. Minniear, president/CEO of MDCU.
"MDCU will never contact you by phone or e-mail and ask you for personal information such as your Social Security number, account number, or credit card number," Minniear said.
Meanwhile, the Ohio Credit Union League said Wednesday "thousands of Ohioans" received messages via text, e-mail and voicemail, stating that their services at their credit union had been suspended. (News Now Aug. 21).
Thursday the league said five unique phishing scams purported to be from credit unions in the previous two days. "Information at credit unions has not been compromised and this is not a data theft. This is an attempt to contact people directly and prompt them to give their personal information," said Paul Mercer, president of the Ohio league in a press release.
"We want to make sure Ohioans are aware of this attempt and encourage them to call their financial institution if they get a message to help us thwart future phishing attacks," he said.
The league asked its member credit unions to communicate directly with their members and post notifications on their websites. It also alerted the Ohio Attorney General's Office, the FBI, the Federal Communications Commission, and the Federal Trade Commission.
Special Agent Harry Trombitas of the Federal Bureau of Investigation (FBI) said people receiving the messages should report the information directly to the FBI at www.ic3.gov for investigation.
Anyone who provided their personal information to the fraudsters should go immediately to the Federal Trade Commission (FTC) website at www.ftc.gov/idtheft and follow the steps provided to minimize their losses and protect their credit, he said in the league's press release.
Last week, Commonwealth CU, Frankfort, Ky., reported a second round within three weeks of vishing to thousands of Kentuckians. Florida CU, Gainesville, also reported similar attacks (News Now, Aug. 18). Several credit unions in Wisconsin were hit earlier, and at least one, Bull's Eye FCU, experienced two waves of the attacks.
In July, credit unions in seven states -- Pennsylvania, New York, Connecticut, Wisconsin, Indiana, Texas and Illinois -- reported vish attempts.
- VISA warns consumers about Voice Over IP (VoIP) "vishing" attacks (Dec. 28, 2007)
(Oct. 23, 2006) From the Better Business Bureau: Sweepstakes Scam Cheated Unsuspecting Consumers, FTC Says
During the Spring & Summer of 2006, the BBB of North Alabama handled tons of telephone calls on a sweepstakes, prize promotion company called Las Vegas Actionable Awards Program (LVAAP). Here is an update on how the FTC has cracked down on the company for their fraudulent business practices.
Payments to Collect Prize Money Brought Nothing in Return
The millions of dollars that consumers were promised were only a dream, but the consequences confronting the swindlers who tricked them are real, now that the Federal Trade Commission has charged them in federal court. According to a complaint filed by the FTC, a fraudulent sweepstakes operation has violated federal law by sending personalized mail to millions of consumers nationwide, falsely telling them that they have won a substantial cash prize, often said to be worth more than $3 million, even though no prizes were awarded.
Urging consumers to respond immediately by sending $20 in order to receive their prize, some of the mailers described an as-yet “uncollected” but “confirmed prize” in the consumer’s name; some mailers represented that “unawarded money” has been “located and documented” in their name; and other mailers mentioned “Authorization to Disburse” and referred to a “guaranteed cash/prize amount” in the seven-figure range, according to the complaint. The complaint also alleges that the mailers sometimes contained small print that vaguely referred to a “newsletter” produced by the defendants, but not expressly informing the recipients that they had not won a prize. Instead of prizes, some consumers received information about how to enter sweepstakes, and some consumers received more mailers soliciting more money and suggesting that the consumers had won other prizes. Defendants named in the complaint, all Nevada-based, are National Prize Information Group Corp. (NPIGC), d/b/a Las Vegas Actionable Awards Program, Prize Search Express, Department of Unclaimed Awards, United States Sweepstakes Advisory, United States of America Patriotism Awards, National Bureau of Prize Information, Lapham Vargas and Cornell, Director’s Office, and John Rincon, individually, and as an NPIGC officer. The FTC charged them with violating Section 5 of the FTC Act, seeking a temporary restraining order, a preliminary injunction, and a freeze of their assets. The action was brought with extensive assistance from the Las Vegas office of the United States Postal Inspection Service and the Better Business Bureau of Southern Nevada. The Commission vote to authorize staff to file the complaint was 5-0. The complaint was filed in the U.S. District Court for the District of Nevada.
- (Sept. 4, 2006; edited Oct. 10, 2006) Think you've won the lottery? Think again. Consumers are frequently scammed when they believe the "too good to be true" news that lands in their e-mail box. Some clues: If you haven't entered a legal lottery, you haven't won one; if you have won a lottery, you're likely not to be notified by e-mail; if, at any time, they ask for your financial account information or for you to send them money for any purpose, you're being scammed. Here's an example of the "trust building" phase of a lottery scam. What usually follows next is your receipt of an official looking "cashier's" check (that is counterfeit), and your agreement to wire or send back to the sender (whose identity is disguised) your own money. Then, the counterfeit check is returned to the financial institution at which your account is held, and charged back to your account. You've then lost the amount of the bogus check plus the amount you sent to the scammers. Solution: ignore the "too good to be true" news and do not communicate with scammers.
Here is a link to Federal Trade Commission information on International Lottery Scams: http://www.ftc.gov/bcp/conline/pubs/alerts/intlalrt.pdf
To file a complaint with the Federal Trade Commission, call 877-382-4357 or visit www.ftc.gov To file a complaint with the State of Alabama Consumer Affairs, call 800-392-5658. This is for not only online lotteries, but lottery scams being conducted by phone or mail.
- Here is a link to Federal Trade Commission information on International Lottery Scams: http://www.ftc.gov/bcp/conline/pubs/alerts/intlalrt.pdf
- (Aug. 7, 2006) This scam is one in which a person receives an e-mail designed to look like a notice from EFTPS, the IRS's on-line site for paying payroll taxes.
(July 25, 2006) Are you ready for "vishing"? Vishing scams use phones instead of fake Web sites
In a new twist, identity thieves are sending spam that warns victims that their credit union/bank account or PayPal accounts were supposedly compromised. However, unlike typical phishing emails, there is no website address in these phishing messages. Instead, the victim is urged to call a phone number to verify account details. The automated voice message says: "Welcome to account verification. Please type your 16-digit card number." The goal is to get the victim to enter their credit card number. In these reported scams, no mention of the credit union, bank or PayPal is made. Security experts tracking this scam and other instances of "vishing" , short for "voice phishing", say the frauds are particularly despicable because they imitate the legitimate ways people interact with financial institutions. In fact, some vishing attacks don't begin with an e-mail. Some come as calls out of the blue, in which the caller already knows the recipient's credit card number. This increases the perception of legitimacy, the caller ask for the valuable three-digit security code on the back of the card. Vishing appears to be prospering with the help of Voice over Internet Protocol, or VoIP, the technology that enables cheap and anonymous Internet calling, as well as the ease with which caller ID boxes can be tricked into displaying erroneous information.
LOSS PREVENTION RECOMMENDATIONS :
- Never call a number you receive from a spam e-mail, and certainly don't enter in any private information if you make a mistake and do call. If you want to call your credit union, use the normal phone number you regularly use, not the phone number you get in an e-mail.
- Never click on the link provided in an e-mail you believe is fraudulent.
- Do not open an attachment to an unsolicited e-mail unless you have verified the source.
- Do not be intimidated by an e-mail or caller who suggest dire consequences if you do not immediately provide or verify information.
- If you believe the contact is legitimate, go to the company’s Web site by typing in the site address directly or using a page you have previously book marked, instead of a link provided in the e-mail.
(June 6, 2006) Thanks to the consumer who received this scam in his email box and passed it along to us. It is fraudulent.
Dear Credit Union member,
You have been chosen by the Credit Union online department to take part in our quick and easy 5 question survey. In return we will credit $50 to your account - Just for your time! Helping us better understand how our customers feel benefits everyone.
With the information collected we can decide to direct a number of changes to improve and expand our online services.
We kindly ask you to spare two minutes of your time in taking part with this unique offer!
Confirm Now your $50 Reward Survey with Credit Union® Reward services.
The information you provide us is all non-sensitive and anonymous
(May 19, 2006) Thanks to the consumer who received this scam in his e-mail box and passed along the news to us. Of course, it’s fraudulent — but asking for copies of photo IDs is a new wrinkle to an old scam:
“Got home yesterday and found in the mail ... my ticket to millions! I received a beautifully done letter advising me that I'm a winner in the Euromillones International Lottery. It appears to have been mailed from Madrid, Spain. Of course, it advises me to keep this in the strictest confidence until I receive my winnings. Not only do they want my name, address, phone #'s, marital status, occupation etc. — but they want me to attach a copy of my passport or driver's license. Yikes! Has anyone seen this latest scam? I'm really afraid that there will be many attempting to take advantage of this. This is very well done."
- An old phishing scam is being revisited by criminals who pretend to be from the NCUA (National Credit Union Administration). There are several characteristics that reveal this scam. We won't reveal them all here because we don't want to educate the fraudsters. If you'd like to become better informed about how to spot a scam in your e-mailbox, please call us -- and remember: Alabama Credit Union will NEVER send you an e-mail asking for your confidential information!
VISA transactions blocked in countries where fraud identified:
ALL debit card transactions have been blocked in Romania, Russia, Saudi Arabia, and Singapore, due to high levels of fraud originating in these countries. No transactions of any kind can be made on debit cards in these countries.
Countries blocked due to fraud risk (only pinned ATM withdrawals can be made in these countries): Australia, Brazil, China, Ecuador, France, Guatemala, Hong Kong, India, Indonesia, Ireland, Israel, Italy, Japan, South Korea, Malaysia, Mexico, Netherlands Ant., Nigeria, Phillipines, Spain, Taiwan, Thailand, United Kingdom, Venezuela.
Countries blocked due to fraud risk (only pinned ATM advances can be made in these countries): Japan, North and South Korea, France, Spain, Italy, Hong Kong, Singapore, Romaniaa. South Africa and Saudi Arabia are blocked for all transactions, including ATM advances. Please note: Point of sale transactions in France, Spain, and Italy are limited to $500.00 per day.
The following applies to both VISA Debit and VISA Credit Cards:
- (June 30, 2008) Transactions to/from WesternUnion.com are now blocked by Alabama Credit Union, due to an extraordinary occurrence of fraud. For assistance in transferring funds using safer methods, please contact our Member Care Center at (205) 348-5944 or (888) 817-2002.
- Due to US Sanctions, ALL card transactions (debit and credit) will be blocked in Bosnia, Bulgaria, Myanmar (Burma), Croatia, Cuba, Herzegovina, Iran, Iraq, Liberia, Lybia, North Korea, Slovenia, Sudan, Syria, Zimbabwe.
Credit card fraud has been a common part of news broadcasts in recent months. This type of fraud is, unfortunately, becoming a bigger issue each year. Fighting the battle against plastics fraud of all kinds (debit, credit, or pre-paid) is a constant struggle. At Alabama Credit Union, we are committed to protecting you, our VISA cardholder, from this kind of fraud, and have preventative measures and technological safeguards in place at every level. However, from time to time, all financial institutions can be victimized by this type of fraud. In many cases, plastics fraud is originated from outside the United States. If we become aware of such fraud, we may have no alternative but to block a particular country altogether, thereby denying any VISA transactions submitted from that country.
In other cases, we may have to block credit or debit cards that have been compromised. In every case, we will make every attempt to contact you, our cardholder, before blocking the card — but, because we are committed to protecting you and your assets from these criminals, we may have to take immediate action to do so. We will strive to minimize any inconvenience to you when dealing with these issues.
What can you do to help? Let us know when you plan to travel abroad. Make sure to keep your address and phone numbers updated with the credit union so that we can contact you quickly. When traveling abroad, NEVER let your credit or debit card out of your sight when conducting transactions, and take great precautions to safeguard your cards when not in use.
Rest assured that we will aggressively implement all new technologies and anti-fraud measures as they become available.
IRS Phishing Emails - Tax Refunds
The Internal Revenue Service and the Internet Crime Complaint Center have issued consumer alerts about an Internet scam in which consumers receive an e-mail informing them of a tax refund. One e-mail, which claims to be from the IRS, tells the recipient that they are eligible to receive a tax refund for a given amount. It then directs the consumer to a link that requests personal information, such as Social Security number and credit card information.
Another e-mail titled "Refund Notice" claims to provide information to recipients regarding the status of their IRS Tax Refunds. The e-mail contains a link, which mirrors the true IRS web site. This site purportedly allows recipients to check the status of their IRS tax refund after providing the following information:
• First and last name
• The IRS has seen numerous attempts over the years to defraud the public and the federal government through a variety of schemes, including abusive tax avoidance transactions, identity theft, claims for slavery reparations, frivolous arguments and more. More information on these schemes may be found on the criminal enforcement page at www.ic3.gov.
The IRS does not ask for personal identifying or financial information via unsolicited e-mail.
LOSS PREVENTION RECOMMENDATIONS :
• If you receive an unsolicited e-mail alleging to be from the IRS, take the following steps:
- A new phishing attempt pretends to be an authorized eBay message from a seller to a purchaser. As always, do not click on the links and report phishing attempts involving eBay's name to http://pages.ebay.com/securitycenter/?ssPageName=f:f:US (Jan. 19, 2006)
Newest phish attempt uses .coop address
Phishers continue to get creative with their attempts to steal account information and passcodes from consumers. The latest pretends to be from a credit union and uses a .coop Web domain name. It uses the name “CUNA Customer Support Center” and even includes a JPG image of the ID Theft Coach application that many credit unions use to assist members in managing their risk of ID theft (the JPG is easily copied from many credit unions' Web sites). The phishing attempt exploits that many credit unions use .coop instead of, or in addition to, .com, .net, or .org. Here's a link to a copy of the e-mail. It's the same tactic, though -- and it's fraudulent. Please do not respond!
Internet browser hole may lead to ID theft, says CU
SEATTLE (12/2/05) – An information technology expert at Seattle Metropolitan CU is warning about a threat that capitalizes on a vulnerability in the Microsoft Internet Explorer browser that could lead to identity theft.
The "hole" allows the owner of a malicious website to gain full control over a user's PC and create a page that will download and run programs on the user's computer, says Lester Warby III of the $422.6 million asset credit union's data processing unit. All the user has to do to trigger the download: view the malicious page.
That means it's doubly important for credit unions to keep educating members to not use the link when a phishing expedition posing as legitimate financial institutions and other organizations tries to lure them to the fake sites.
The malicious software can steal personal information from the user's computer--including the user's ID, passwords, online banking information and all data stored or communicated to and from the compromised computer. "For this reason alone, it is a far greater risk than the Sober worm," says Warby.
The Sober worm can be detected and stopped with good firewall policies, anti-virus software andanti-spyware software, he says. However, the Internet Explorer hole "is undetectable; there is no patch available for it and the only work-around is either to stop using the Microsoft Internet Explorer browser or disable all active scripting, which essentially makes the browser useless," says Warby.
Warby said that Symantec, the maker of Norton Anti-Virus, "now has a signature to protect against the exploit, but unless the users are running Norton Anti-Virus and have their signatures up to date, they are still at risk."
You can temporarily discontinue using it and use another browser, such as FireFox until Microsoft can issue a patch, he said.
New phish asks for NCUA ‘security' renewal
WASHINGTON –The National Credit Union Administration (NCUA) is the target of yet another phishing scam--this time attempting to scam people into "activating" an online account.
The phishing e-mail is addressed to "Dear CU holder account," and says that "your Credit Union bank has joined our Federal Credit Union (FCU) network." There is no such network.
The e-mail's subject line reads "Confirm Your NCUA Identity" and uses graphics and text similar to the regulator's website. It claims to be from the "NCUA Account Review Department."
It also tries to draw in recipients with the claim "Please understand that this is a security measure intended to protect you and your account."
"NCUA does not ask credit unions members for such personal information. Anyone who receives an e-mail that purports to be from NCUA and asks for account information should consider it to be a fraudulent attempt to obtain their personal account data for an illegal purpose and should not follow the instructions in the e-mail," the agency advises. (9/20/05)
- PayPal or eBay phishing. This newer "PayPal" phishing attempt is much better worded than earlier versions, but is nonetheless as fraudulent. It's easy to recognize as a phishing attempt if you don't have a PayPal account -- but if you do have a PayPal account, remember to never, ever respond to an e-mail or phone or mail request from anyone that asks for your account information. A feature that distinguishes this phishing scam is the supposed assignment of a Case ID Number, designed to entice even those without a PayPal account into believing one has been set up, is being abused, and needs the victim’s confirmation to prevent further abuse from occurring. Forward e-mails such as these to email@example.com and visit PayPal Security Spoof. Phishing attempts fraudulently using eBay’s name are also frequently received; forward those to spoof@eBay.com and visit eBay's e-Commerce Safety Guide PDF. (Sept. 19, 2005)
- Lottery or Internet sales scams. Even though they aren’t technically considered ID Theft, a large number of scams occur each week involving consumers, including those who are members of Alabama Credit Union. We sadly watch as members fall prey to criminals who create counterfeit checks, money orders, and schemes to defraud people of their money. In recent weeks, several Alabama Credit Union members have lost thousands of dollars because they accepted counterfeit checks or money orders they received in the mail from persons they did not know, and, in return, wired or sent certified checks back to the criminals. In one case, the criminals convinced a member that she had won a lottery, and that she should send several thousand dollars back to them immediately. There was, of course, no lottery; lotteries are not legal in Alabama, and the member had not entered a lottery. In another, more common, crime, a member advertised an item for sale on the Internet. Someone using an assumed name and address sent several counterfeit U.S. Postal Service money orders to the seller, and requested that the overpayment be wired back to them promptly. Of course, the money orders were charged back to the member’s account because they were returned to us as counterfeit, and the member’s funds were lost; what confuses many people is that the criminals continue to focus on the item advertised for sale, even though they have no intention of receiving the merchandise. It’s increasingly difficult and risky to depend on the verification of checks or money orders these days; we have no way of knowing when an item clears successfully, but know only when it is returned to us unpaid and we must charge it back to your account(s) at Alabama Credit Union. We strongly encourage you to reject the offer of funds for any “winnings” if you are not completely familiar with the circumstances and the people making the offer. And, if you do business via Internet, never release any of your own funds or merchandise, nor spend the “funds” sent to you until 30 days have expired because, unfortunately, many of these counterfeit items are returned to us unpaid even after any allowable check hold period has expired. (Sept. 19, 2005)
- This phishing attempt looks more realistic than some -- and has a credit union twist. It uses the banner of CUNA, the Credit Union National Association, and refers to a generic credit union throughout the message. It, of course, is just as fraudulent as any other phishing attempt. Thank you to several Alabama Credit Union members who forwarded this to us (Sept. 12, 2005).
Now comes phishers attemping to take advantage of the global security credit card breach caused by CardSystems. This e-mail has been forwarded to us by members who were rightfully suspicious. We repeat: Alabama Credit Union will never phone or e-mail you to request that you provide us with your confidential account information. (July 14)
has affected up to 40 million credit and debit cardholders. Up to 1,600 cards held by Alabama Credit Union members were potentially affected; late in the day on June 24, 2005, we learned which cards were affected, and immediately "killed" four cards which had been tested by hackers, and contacted the cardholders. Other card numbers showed no immediate signs of receiving unauthorized transactions. This letter is being sent to affected Alabama Credit Union cardholders; although the actual risk of fraudulent transactions appears to be low, if your card was included in this massive security breach, we'll be phoning and/or mailing you to inform you that your card is being deactivated and a new one ordered for you. If you have upcoming travel or other plans and need to find out if your card was affected, please phone our Member Care Center at (888) 817-2002. We'll make arrangements to provide an emergency replacement. (June 27).
Here are follow-ups to the CardSystems security breach:
TUCSON, Ariz. -- After a security breach that affected nearly 40 million credit card accounts, including those of thousands of credit union members, CardSystems Solutions is working to comply with card industry security standards.
The security breach occurred seven months ago and was made public on June 18. The third-party card processor admitted it had improperly stored data, which violates Visa and MasterCard security policies (The New York Times July 8).
The data thieves took personal data of about 200,000 cardholders. The software used in the theft had been installed months earlier. (NOTE FROM ALABAMA CREDIT UNION: We have received no notice from VISA that any cards held by Alabama Credit Union members were included.)
More than 100 credit unions reported that the breach affected their card accounts, according to CUNA Mutual Group (News Now June 30).
Since December 2003, CardSystems has been trying to improve its security, beginning with a security audit to comply with Visa rules. Visa said it was compliant between June 2004 and May of this year; MasterCard said the company was never certified to meet its rules.
MasterCard hired a forensic investigator and discovered the breach in mid-May. (July 11)
AmEx and VISA drop CardSystems
American Express announced Wednesday that it will terminate its relationship with payment-processing company CardSystems Solutions, the Arizona-based firm that recently experienced a huge data breach that left 40 million credit- and debit-card accounts vulnerable to hackers. The announcement followed one by Visa USA on Tuesday that it would cut its ties with CardSystems. However, MasterCard International said it would continue to let CardSystems handle its cardholder data provided that the company upgrades its security systems. CardSystems, which processes more than $15 billion in payments each year, has been in business for more than 15 years (The New York Times and Associated Press via The Wall Street Journal Online July 20) ...
- Here are follow-ups to the CardSystems security breach:
Criminals continue to spoof Web sites of credit union organizations: CUNA warns of yet another phish scam
MADISON, Wis. (6/2/05)--The Credit Union National Association's (CUNA) website is the target of yet another phishing scam, CUNA announced Wednesday afternoon. This time the www.creditunion.coop page is the target, says Dorothy Steffens, CUNA's vice president of web services. The phishers have copied the page and replicated it exactly as it appears on CUNA's site. However, they also manipulated CUNA's "FRAUD ALERT" language to say that, "In order to protect your information against unauthorized access, identity theft and account fraud we earnestly ask you to update your profile." Of course, CUNA wouldn't ask readers to do that. CUNA does not keep account information and would never e-mail someone and ask them to update a profile. CUNA is working with a service provider to take down the phish, which was located on a server in Beijing, China. The site was shut down earlier this week but now has moved to a new location, Steffens said. CUNA has received fewer than 15 e-mails about the phishing scam, which Steffens attributed to the "greater awareness on the part of individuals regarding ID theft today."
- An old but recurring credit card scam works like this: A caller identifying himself or herself as being from the "Security and Fraud Department at VISA" says: "My Badge number is 12460 (or some other number). Your card has been flagged for an unusual purchase pattern, and I'm calling to verify. This would be on your VISA card which was issued by (name of financial institution.) Did you purchase an Anti-Telemarketing Device for $497.99 from a Marketing company based in Arizona?" When you reply, "No," the caller continues with, "Then we will be issuing a credit to your account. This is a company we have been watching and the charges range from $297 to $497, just under the $500 purchase pattern that flags most cards. Before your next statement, the credit will be sent to (your address); is that correct?" You reply, "Yes." The caller continues: "I will be starting a fraud investigation. If you have any questions, you should call the 1-800 number listed on the back of your card (1-800-VISA) and ask for Security. You will need to refer to this control number." The caller then gives you a six-digit number. "Do you need me to read it again?" Here's the important part about how the scam works: The caller then says, "I need to verify you are in possession of your card." He'll ask you to "Turn your card over and look for some numbers." The caller will ask you to read the last three numbers to him or her. After you tell the caller the three numbers, he'll say, "That is correct. I just needed to verify that the card has not been lost or stolen, and that you still have your card. Do you have any other questions?" The caller enocourages you to call back if you have questions, and hangs up. Recipients of similar calls say that you're actually asked to say very little, and the caller never asks for or repeats your credit card number. This scam is aided by persons who capture your credit card number when you use it for purchases; the information about your card number, address, or even your phone number NEVER come from Alabama Credit Union. Never give your confidential information to anyone who phones you, and be aware that anyone from Alabama Credit Union who contacts you about a pattern of activity on your credit card already knows your card information and would never ask you to repeat it. (May 21, 2005)
- Recently, there have been multiple e-mail fraud phishing attempts that were sent to both the general public and to some credit union members and appeared to be from the National Credit Union Administration (NCUA), the federal regulator for many credit unions and the administrator of the National Credit Union Share Insurance Fund. This false e-mail asked for the recipient to click on a link to verify their credit union account registration. If the recipient proceeded to do so, the link directed them to a false Web site and asked for their credit union account number and PIN, along with other personal information. NCUA does not ask credit union members for such personal information. Anyone who receives an e-mail that purports to be from NCUA and asks for account information should consider it to be a fraudulent attempt to obtain their personal account data for an illegal purpose and should not follow the instructions in the e-mail. If you responded to such an e-mail and provided any confidential account information, please notify your credit union immediately of the scheme. You should also change your account's PIN, and take any additional action recommended by your credit union to protect your account. For more information, including how to file a report of this crime, go to http://www.cybercrime.gov . You may also contact the NCUA Fraud Hotline at 1-800-827-9650 (May 16, 2005).
- We have received word that a skimming device was placed on a bank-owned ATM in Robertsdale (April 29, 2005), and we received a notice from Fair Isaacs that an active ATM skimming operation has been discovered in Atlanta (Feb. 27, 2005). ATM skimmers are memory devices which are mounted on the front of an ATM machine for the purpose of recording the magnetic stripe data when the cardholder puts the card into the machine. They are very small and normally fit right over the card slot in such a way as to be completely unnoticeable to the people using the machine. If you should notice any kind of adhesive around the card slot of an ATM, it could be due to one of these skimmers being placed on the machine. Please immediately contact the ATM owner/operator and the police. Here are photos of some typical skimming devices -- but be aware that these devices could become less obvious as thieves use advanced technology to accomplish their crimes: http://www.snopes.com/crime/warnings/atmcamera.asp (Please note that we include this link only for the value of the ATM skimming-device photos, and do not endorse any other info found at the site.)
- eBay, PayPal, and AOL's sites and security measures continue to be spoofed by phishers (May 15, 2005). You do not have to be a user of eBay or PayPal to receive these phishing attempts. Here's a response from eBay's fraud response group; note the instructions for forwarding the phishing attempt for further investigation.
- PULSE — the electronic funds transfer/ATM network — has become aware of fraudulent, unsolicited e-mails involving a phishing attack directed at consumers. The e-mails direct the recipients to a spoofed (fraudulently duplicated) PULSE Web site, and request that the recipients submit their debit card number, expiration date, and ATM PIN. The fraudulent site looks nearly identical to PULSE's Web site, with the exception that the login box requests the recipient's debit card number, expiration date, and ATM PIN. PULSE has reported this incident to law enforcement authorities adn will take appropriate actions as necessary. At this time, it is not known who may have received any fraudulent e-mails, but as a precautionary measure, PULSE has notified all network participants of this incident. Reminder: Yous hould never provide your debit or credit card number or PIN — or any other non-public personal information — to PULSE or any other entity in response to an unsolicted e-mail or request. (March 24, 2005)
- Alabama Credit Union has been contacted by recipients in Eutaw, Alabama, and Gordo, Alabama, who received counterfeit checks with Alabama Credit Union's name on them. If you have received one of these checks, please contact your local police department. (first notice: March 24, 2005)
- We have received a large number of fraudulent credit card charges that originated in Singapore. The volume of items is so large that we have no alternative but to block all transactions originating in Singapore on our VISA credit cards until further notice. If you will be traveling in Singapore, please contact us immediately to discuss alternative plans for access to your account. Since Singapore is also on our list of "high risk" countries which have been blocked for point of sale transactions on debit transactions, debit cards will not work there either, with one exception: your Alabama CU ATM/Debit card should work for PIN-based transactions. (March 15, 2005)
- A new phishing scam targets credit union members. Attached is a sample of an e-mail being sent to e-mail recipients. It suggests that all credit union members (of any credit union) must visit a Web site to enter their information, or they will be forced to wait in long lines while they provide the same information at their credit union or bank. This, of course, is incredible. The e-mail includes standard credit union branding logos which are easily copied from credit unions' own Web sites. As with most phishing e-mails, the grammar is poor, the premise that all credit union members must join one online banking network is far-fetched, and -- as we continue to point out — we would never contact you to ask you to provide us with your confidential information. (March 9, 2005)
- We have received a notice from Fair Isaacs that an active ATM skimming operation has been discovered in Atlanta. ATM skimmers are memory devices which are mounted on the front of an ATM machine for the purpose of recording the magnetic stripe data when the cardholder puts the card into the machine. They are very small and normally fit right over the card slot in such a way as to be completely unnoticeable to the people using the machine. If you should notice any kind of adhesive around the card slot of an ATM, it could be due to one of these skimmers being placed on the machine. Please immediately contact the ATM owner/operator and the police (Feb. 27, 2005).
- A new phishing scam has arrived via e-mail, and targets users of a credit union's online banking system. Here's the language from one reported to us today (Jan. 27, 2005), that fraudulently claims to be from Forum Credit Union:
Dear User, 'Forum' Credit Union, is committed to maintaining a secure environment for our clients. To guard the safety of your account access, employs some of the most progressive safety online systems in the world and our anti-fraud groups hourly scan the Bank system for fraud activity. Banking Service are remind you that our Online Review Team identified some uncommon activity in your account. In accordance with Forum CU's Client Agreement and to assure that your online account has not been compromised, internet access to your account was limited. Your account access will remain blocked until this issue has been resolved. Online Support recommend you to sign on and perform the steps requisite to give back your account access immediatelly. If your account access to remain limited for an extended period of time may result in further restrictions on the use of your bank account and possible account closure.
Sign on to Online Account
Please understand that this is a safety measure meant to help protect you and your account. Thank you for your attention to this problem. Customer Support apologize for any inconvenience.
- First of all, Alabama Credit Union -- nor any other credit union -- would ever ask you to enter confidential information in this manner. As you know, our online account system ACUiBranch requires several layers of identity authentication before we activate your access to the system. We will never contact you via phone or e-mail or mail to ask you to tell us your user name/password or credit card number with Alabama Credit Union.
- The language used in the above e-mail text indicates it was written by someone who doesn't understand the nature of credit union membership. Certain words and phrases stand out as very non-credit union-like; we think you'll recognize them.
- The grammar used indicates the message was created by someone who had a limited knowledge of the English language.
Even the largest financial institutions in the U.S. have been targeted by these scams, and it is probable that this sort of activity will only increase. It's too easy for scammers to reproduce a likeness of a financial institution's Web page or logo or even a print brochure, and forward e-mail responses to a Web site that appears to be hosted by the financial institution. You'll see here that Forum Credit Union — a legitimate credit union — is aware and attempting to combat the problem: http://www.forumcu.com/
If you receive an e-mail of this type, it has nothing to do with your membership in Alabama Credit Union or your participation with our secure ACUiBranch online account system. E-mail addresses are easily purchased by scammers or "guessed" by programs the scammers use; however, you can be assured that disclosure of your e-mail address did not come from Alabama Credit Union.
- Fraud occurs several ways, but one of the most potentially dangerous things which can occur to a credit or debit card is skimming. Skimming is a process where a person's card stripe is swiped through a memory device and stored so that the stripe can be reproduced later on a counterfeit card. This copies even the CVV data (security code that's also printed on the back of the card), so not only does the criminal have access to the entire credit limit on the card, the fraudulent charges are all 'swiped' charges, which means that it is virtually impossible for the credit union to recover the funds and we end up with a loss.
- Avoid skimming by not letting your card out of your sight when traveling in foreign countries.
- Please advise us when you will be using your VISA debit or credit card outside the United States so that we can more quickly respond to neural network detection alerts as they arrive to us.
- And, be aware of card fraud alerts issued by VISA for these countries or regions: Spain, Italy, Great Britain, Canada, Australia, France, Turkey, Mexico, Malaysia, and the Middle East.
- For more information about avoiding international card fraud, phone us at (888) 817-2002. (Posted Jan. 3, 2005)
- VISA has recently identified a phishing scam that uses e-mail to request Verified by VISA account information. The thieves send out official-looking messages and ask for personal information including card number, passwords, user names, etc. Most of these messages warn that there has been potential fraud and contain a link to a fake Web site to make them more convincing. Please know that VISA nor your credit union would ever send an e-mail requesting this kind of information. VISA is very active in combating this kind of thing. If you think you have been a victim of phishing can file an on-line complaint at http://www.ic3.gov.
- Callers impersonate VISA officer as part of new card scam:A new credit card scam has been reported to us, and is flourishing in some parts of the United States. Here's how it works:
- The cardholder receives a call from someone purporting to be from VISA; the caller often provides a "badge number." The caller asks to verify a transaction on the cardholder's credit card, and asks if the cardholder used the card at a (name) location in the amount of (amount given). Some cardholders have reported that the fictitious purchase was for an Anti-Telemarketing Device from a "marketing company in Arizona" for $497.99.
- The cardholder replies that he or she did not use the card as described.
- The caller claims that the merchant has been on VISA's "watch list" and that VISA suspected the transaction was fraudulent. (In doing so, the caller attempts to gain the cardholder's confidence.)
- The caller then asks the cardholder for information (the three-digit number) on the back of the VISA card (supposedly to "verify that you have the card in your possession"), may or may not ask to verify the number on the front of the card, and confirms the cardholder's address. (The caller may or may not have had the card number to begin with. But now, the caller has obtained all of the information needed to complete a fraudulent transaction.) Some cardholders report that the caller asked for only the three-digit number on the back of the card.
- The caller provides the cardholder with a bogus "control number" and a telephone number ("1-800-VISA" and instructs you to ask to speak to "Security") in case of further questions. (The cardholder, now relieved, is usually convinced he or she has spoken with someone at VISA.)
- Soon, fraudulent transactions appear on the cardholder's VISA credit card account, or, if a debit card number was obtained, on the cardholder's checking account statement. The case number and phone number, of course, are fictitious.
- Dear User, 'Forum' Credit Union, is committed to maintaining a secure environment for our clients. To guard the safety of your account access, employs some of the most progressive safety online systems in the world and our anti-fraud groups hourly scan the Bank system for fraud activity. Banking Service are remind you that our Online Review Team identified some uncommon activity in your account. In accordance with Forum CU's Client Agreement and to assure that your online account has not been compromised, internet access to your account was limited. Your account access will remain blocked until this issue has been resolved. Online Support recommend you to sign on and perform the steps requisite to give back your account access immediatelly. If your account access to remain limited for an extended period of time may result in further restrictions on the use of your bank account and possible account closure.