Complain about a product or service

Michigan Credit Card Mystery Deepens

Is It the Newest "Worst Hack Ever?"

By Martin H. Bosworth
ConsumerAffairs.com

November 23, 2006

Data Theft • GPS Not Foolproof • Countrywide Warns Millions of Data Breach • Thieves Steal AT&T Laptop with Employee Data • Report: Data Breach Disclosure Laws Don't Affect Identity Theft • Patient Information Exposed in Data Breach at Walter Reed • Supermarket Chain Reports Data Breach • Report: Feds Still Not Doing Enough To Secure Data • Data Thieves Hit Georgetown University Students, Faculty • 800,000 Job Seekers At Risk In Gap Data Breach • TJX Data Breach Settlement Has Strings Attached • More ...

The story quietly appeared in local Michigan newspapers earlier this month: Wesco, a statewide gas station chain, was urging customers to contact their financial institutions to correct any inaccurate or fraudulent transactions, raising fears of a new wave of credit card fraud.

The Muskegon-based company warned that transactions that took place between July 25th and September 7th of this year might have been affected, and said it was working with local and federal authorities to determine what happened.

Wesco said it was made aware of the fraud not by irate customers, but by the banks themselves. Financial institutions had contacted Wesco to point out irregularities that might indicate fraud.

That would have been the end of it, normally, but numerous banks and credit unions are now canceling and reissuing cards to their customers as a result of fraud -- and those incidents may be linked to the still-unsolved breach at Wesco.

Financial institutions in the Muskegon area, such as the Community Shores Bank and the Family Financial Credit Union, have issued new cards to a combined total of over 1,500 customers after several incidents of card fraud were reported beginning Nov. 9th.

Reports indicated that the fraudulent transactions were carried out with physical cards, rather than online transactions that just process a card number.

Cincinnati-based Fifth Third Bancorp disclosed on Nov. 16th that it, too, was reissuing cards to a number of its customers based on unspecified instances of fraud. The bank received notification from MasterCard of the problem, but the card issuer refused to disclose details of the breach even to the bank itself.

The most MasterCard would do was admit that the breach was centered around an unidentified "Michigan retailer."

Both card issuers and Wesco have remained silent on details of the gas retailer's involvement in the fraud, how many customers might have been affected, and why it took so long for anything to be done about it.

Deja Vu

The Wesco mystery bears a strong resemblance to the security breach that forced Citibank to shut down thousands of its cards and reissue them. The bank claimed the shutdown was a result of a breach in its system.

Further investigation indicated that hackers might have stolen cardholders' PIN data from a third-party payment processor, and used the data to encode "clone" cards with which they could drain their targets' checking accounts at will.

Visa finally admitted that a problem with a contracted processing company contributed to the breach after yet another recall incident, but refused to identify the company or explain why it waited so long to inform the public.

The lack of information surrounding debit and credit card fraud incidents is partially due to the desire to avoid bad publicity. No retailer or payment company wants to be known as the next CardSystems, and the market power of card issuers such as Visa and MasterCard means they can act with relative impunity when it comes to hiding the truth about security breaches.

Numerous incidents involving breaches of bank security also demonstrate that there are major vulnerabilities at every level of a plastic transaction, from withdrawing money to buying goods online.

Smart fraudsters will often wait weeks or months before utilizing stolen credit card data, usually long after a business ceases to be concerned about an incident.

Many will use the data in ways that can't be easily detected, such as encoding hotel keys with stolen credit card info, and using the "clone cards" for small transactions that wouldn't indicate fraud.

What You Can Do

• Use credit cards, not debit cards, for plastic purchases. Federal law limits cardholder liability for fraudulent transactions to $50 for credit cards. Although there are moves being made to extend this protection to debit cards, it's still safer to restrict your debit card usage to taking money out of an ATM.

• Use cash for small, everyday transactions. The best way to avoid being dinged by credit card fraud is to keep the plastic in your wallet. Use cash to buy gas or small goods, and reserve the cards for big-ticket items.

• Check your statements regularly for fraud or unexplained transactions, and contact your bank immediately if you find any inaccuracies. Most financial institutions will reverse fraudulent charges on a credit card on the spot, and many are now doing so for debit cards as well.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |