WASHINGTON–The data breach reported by Wendy’s has led to “unusually high levels” of debit card fraud at credit unions, according to fraud expert Krebs on Security and NAFCU.
Brian Krebs, who first reported that Wendy’s was investigating a pattern of unusual card activity at some of its stores in January on his blog at www.krebsonsecurity.com, cited Dan Berger, CEO of NAFCU, as saying that many CUs were reporting a “huge increase” in debit card fraud in the few weeks before the Wendy’s breach became public. Berger said much of that fraud activity was later tied to customers who’d patronized Wendy’s locations less than a month prior.
Many of the CUs reporting Wendy’s-related fraud issues are based in Ohio, which is also where the restaurant chain is headquartered. Berger was quoted by Krebs as saying that the thieves appear to be a “sophisticated group” in specifically targeting and draining high-balance accounts.
According to Krebs, Berger shared an email sent by one credit union CEO who asked not to be named in this story:
“Please take this Wendy’s story very seriously. We have been getting killed lately with debit card fraud. We have already hit half of our normal yearly fraud so far this year, and it is not even the end of January yet. After reading this, we reviewed activity on some of our accounts which had fraud on them. The first six we checked had all been to Wendy’s in the last quarter of 2015.”
All I am suggesting is that we are experiencing much high[er] losses lately than we ever did after the Target or Home Depot problems. I think we may be end up with 5 to 10 times the loss on this breach, wherever it occurred. Accordingly, please put this story in the proper perspective.”
Krebs noted that even if thieves don’t know the PIN assigned to a given debit card, very often banks and credit unions will let consumers call in and change their PIN using automated systems that ask the caller to verify the cardholder’s identity by keying in static identifiers, like Social Security numbers, dates of birth and the card’s expiration date. Thieves can abuse these automated systems to reset the PIN on the victim’s debit card, and then use a counterfeit copy of the card to withdraw cash from the account at ATMs.