BRATTLEBORO — It all started because a few Brattleboro Savings & Loan customers innocently paid for their burgers and fries by handing their debit cards to the cashier at Wendy's in Keene, N.H.
For those 38 people, their account information was used to create duplicate debit cards that, in some cases, were used to buy gift cards in Texas.
The recent security breach at the Keene Wendy's is an unavoidable - and costly - consequence of modern technology, and it illustrates the tension between the convenience of credit and debit cards and the heightened risks associated with their increasingly pervasive use.
Merchant security breaches are “much more commonplace” than they used to be, and costs for financial institutions - which under most circumstances absorb the losses - are “staggering,” said Dan Yates, the bank's president and chief executive officer, who hopes that the recent publicity about the problem will help raise public awareness among consumers in general.
“The message for people is they need to pay attention,” Yates said.
A security crisis
On the evening of Wednesday, June 29, the bank's fraud-detection analysis service started flagging a significant increase in the number of questionable transactions, said Tom Martyn, the bank's chief operating officer, chief financial officer, and senior vice president.
Normally, the bank receives two or three such warnings per day. But that evening, Martyn said that a colleague checked her phone and saw a surge of activity in the Dallas area.
The bank halted transactions, but not before fraudsters used faked customer cards to purchase $4,400 worth of Home Depot and Nordstrom's gift cards. Martyn said $4,734 of additional attempted charges were blocked.
Yates and Martyn said it didn't take bank personnel long to find a common thread in the spending patterns of the customers whose accounts were affected: they had all made debit card purchases at a Wendy's franchise in Keene.
The restaurant was one of 1,025 locations affected by what the company described as a “criminal cyberattack” via a vendor's access to the chain's point-of-sale systems starting in late fall of last year. Once in, the perpetrators installed malware that captured customer data.
Wendy's originally identified the breach in January, but Martyn characterized the malware as sophisticated enough to “hide its tracks” and lie dormant, masking the full scope of the damage.
Martyn described an underground economy where such data is collected and then sold to others, who in turn create new counterfeit debit cards with the stolen data. Using those fake cards, the next criminals in the chain purchase big-box-store gift cards, which can then be sold on the street at a discount for cash.
The bank began the process of issuing new debit cards to 136 customers who had purchased food at Wendy's as far back as Oct. 1, 2015, at any of the affected franchise locations.
“Fraudsters like to attack over long weekends,” said Martyn, who also said the bank had been in a bind over how to address the problem without creating significant hassles for its customers over the Independence Day holiday.
In the end, Yates said the bank blocked debit-card access to all big-box stores outside New England and temporarily added a cap for signature-based purchases. Customers could still use their cards for debit transactions authorized by their personal identification numbers.
For the small bank, the cost goes beyond the fraudulent charges.
It costs $6 to $7 to replace each compromised debit card, for starters. And then there's the opportunity cost, measured in the value of employees' time.
“Eight days later, this has taken most of our attention on a full-time basis,” Yates said.
Who pays?
Magnetic-stripe cards have been around since the 1970s, and the analog technology - essentially magnetic tape of the sort used in cassettes that's fused into the plastic card - is inherently insecure. Card readers capture the information as though the numbers were typed into a computer in broad daylight.
The technology is being supplanted by EMV, a new standard developed by six major credit card companies. EMV stores data on circuitry in encrypted form, protecting it from interception and theft. Yates said his bank is in the process of converting to the chip cards, which as of 2015 accounted for less than 2 percent of card transactions in the United States. The technology is far more ubiquitous in Europe, Canada, and Africa.
But “the chip card is not a silver bullet,” Yates said. “It works very well in certain circumstances but is useless in others” - like online or phone transactions that don't physically require the card to be swiped.
Yates said federal banking regulations require customers to notify banks of fraudulent charges within 10 business days of receipt of their monthly statement. Customers who avoid balancing their checkbook but keep a cash buffer on hand to avoid overdrafts put themselves at risk of liability for fraudulent transactions on their accounts that are noticed weeks or months after the fraud took place.
Cardholders of business accounts are also fully liable for fraudulent debit or credit charges, Yates added.
All the more reason for customers to be diligent about their card use, the bankers said.
“Thieves go for the low-hanging fruit,” Martyn said, indicating that fraudsters target operations with spotty attention to security, like fast-food restaurants or gas-station ATMs.
Yates urged consumers to pay close attention to ATMs, which can be equipped with “skimmers,” or electronic devices that can capture and steal customer information every time a card is swiped.
“Look very closely,” he said. “They can be so slick.”
Customer vigilance
Yates and Martyn noted that the bank has recently invested in a fraud detection service that will automatically notify customers by text message of suspicious activity on their accounts.
“It'll text you, email you, call you,” Yates said.
“If we have your cell phone number, it's pretty darn close to instantaneous,” Martyn said.
Martyn said the system flagged one customer's recent transaction as suspicious and texted the customer. Four minutes later, the system automatically blocked the card as a security measure. Two minutes after that, the customer replied to the text, confirmed that the transaction was authorized, and the block on the card was automatically lifted.
“But that doesn't work if the bank doesn't have the right cell phone number or if you don't answer the phone,” Yates added, conceding that he himself might be tempted to ignore unexpected phone calls from a bank, as many do.
“I encourage customers of every bank, every credit union, to make sure their financial institution has current information on how to contact you,” he said.
Yates also urged consumers to be vigilant about protecting their computers from spyware and malware, much of which is installed by clicking on website links embedded in emails.
Hackers engaged in phishing target victims by sending spam designed to look legitimate - so much so, in fact, that in internal training exercises even bank employees get fooled, Yates said.
The takeaway is for customers to be skeptical and cautious about their email and their consumer habits in an environment where, according to industry experts at The Nilson Report, card fraud reached $16.31 billion globally in 2014.
And, in the end, customers should be mindful of the consequences, even if they aren't liable for the fraud.
For large banks, shareholder dividends might be affected. In the case of Brattleboro Savings & Loan, a mutual savings bank owned by its depositors, all its customers ultimately are hurt by card fraud, and bank management must plan accordingly.
“I'm sorry to say, we have a reserve in anticipation of this happening,” Yates said.