CU QUICK FACTS
Wright-Patt Credit Union
HQ: Beavercreek, OH
Data as of 03.31.19
12-MO SHARE GROWTH: 7.9%
12-MO LOAN GROWTH: 17.2%
It’s the nightmare scenario: A ex-Amazon employee is arrested for stealing credit card application data for 106 million people, plus 140,000 Social Security numbers and 80,000 bank account numbers — and then brags about it online.
When it happened to Capital One, the organization braced for the onslaught of media coverage and concerned cardholders. The bank is expected to incur $100-to-$150 million in breach-related costs for customer notifications, credit monitoring, technology costs, and legal support. It followed textbook crisis communications with an announcement and a detailed set of FAQs. Capital One, cloud vendor Amazon, and tech developer site GitHub are all facing lawsuits in the wake of the breach.
These are well-known companies, but in reality, cardholders don’t care whether an incident is a high-profile breach or an isolated attack. They expect immediate action, fast resolution, and clear communications. According to the experts at Wright-Patt Credit Union ($4.6B, Beavercreek, OH), the best way to respond to a card breach is to be prepared before it happens. Here, they share best practices for handling card breaches and helping members avoid them.
1. Educate Everyone
The best step credit unions can take to educate members, staff, and more about fraud is to establish a fraud awareness program. WPCU’s fraud awareness program includes the marketing, fraud, and training departments, with topics rotated throughout the year. The fraud department identifies card trends that must be acted on immediately and works with the team to broadcast warnings.
“The program includes disseminating information via as many channels as possible,” says Ilsa Esteves, loss prevention manager in compliance for the credit union. “To name a few, we use the mobile app, website, email, in-branch TVs, and our newsletter.”
Esteves recommends sharing these tips with members:
Never swipe a card if it has a chip. The magnetic strip on the back side of debit and credit cards stores the cardholder’s name, card number, expiration date, and more. In contrast, the chip encrypts this payment information. In the event of a breach, whoever has access to the data on the magnetic strip can make online purchases or even create a fake card.
Consider another form of payment. If a merchant is unable to process payments using chip cards, consider using cash, mobile payment (Apple Pay, Android Pay, Samsung Pay), or a credit card. Using a credit card instead of a debit card will prevent the account from being drained if the merchant is breached and data or information is compromised.
Use the debit card like a credit card. When using a debit card at a cash register, ask the merchant to process the transaction as a credit and sign for the purchase rather than entering the personal identification number (PIN). This reduces the chances a hacker will steal the PIN and do more damage by creating a copy of the card and withdrawing money at an ATM.
Routinely check bank and credit card statements. Review credit card and bank statements every month for unauthorized charges. Pay special attention to smaller charges. Criminals need to steal only a small amount of money if they have information on thousands of people. Some thieves steal a small amount and, if the cardholder does not notice, then steal a higher amount later.
2. Respond Quickly
The clock starts ticking as soon as a breach is discovered. Financial institutions and merchants have been criticized for waiting weeks before acting in past breaches. In the Capital One case, the breach allegedly occurred in March. An ethical security researcher who noticed a post on GitHub notified Capital One on July 17. The bank contacted the FBI two days later and was praised for the quick action.
Fraud alert technology has played a major role in helping consumers proactively respond to breaches. Consumers can place fraud alerts with the three major credit reporting agencies to fight identity theft. And, most card issuers now enable members to manage their own cards preferences, sign up for text alerts, set travel dates, and activate/deactivate cards in case of suspicious transactions. Of course, if a credit union doesn’t have updated, correct contact information — including a mobile number — alerting them will be difficult. As part of new member onboarding, collect mobile numbers and encourage members to sign up for alerts.
WPCU conducts a daily trending analysis of card disputes and ATM transactions to identify nefarious activity and immediately contacts by email or letter members whose cards have been compromised.
“By trending, we have uncovered card compromises and acted swiftly upon them,” Esteves says. “If a member’s card is part of those impacted through the trending, we replace their card regardless of whether they report fraud or unauthorized transactions.”
For unauthorized transactions, the credit union requires members to file a dispute and typically issues the member provisional credit for the unauthorized charges within one business day of filing the dispute.
3. Verify Unauthorized Transactions
Mind Your FAQs
In the wake of a high-profile breach announced this summer, Capital One released a list of frequently asked questions to assuage the concerns of worried consumers. Here’s a sampling; read the answers here.
How did you discover the incident?
When did this occur?
How do I know if I’ve been impacted?
What are you doing to protect me after this incident?
How can I sign up for credit monitoring/identity protection services?
Are there any additional steps that I can take to protect myself against fraud and identity theft?
How may I contact someone about the breach?
Unauthorized charges can be the result of a stolen credit card or compromised credit card number. Or, they can simply be the result of a merchant’s clerical mistake. In some cases, questionable charges might come from a joint account holder or someone else authorized to use the card.
It’s important for member services to do a little detective work and ask about the possible scenarios for suspicious charges. This can save on time and frustration associated with charges that are valid.
“A common example is a free trial subscription where the customer fails to unsubscribe,” says Kim Ingram, director of retail services at Wright-Patt Credit Union. “The customer needs to resolve this directly with the merchant. It is important to educate the member on what is an unauthorized charge. This will protect not only the credit union but also, more importantly, the member.”
4. Coordinate Between Member Services And Fraud Investigation
Since the move to chip-enabled cards in 2015, fraudsters have stepped up identity theft. Identity fraud claimed a record 16.7 million victims in 2017, resulting in $16.8 billion in losses. Most of these attacks were new account fraud in which a hacker opens a credit card account using the victim’s stolen personal information. Often, it takes fraud investigators weeks to sort through the damage and help victims repair their credit.
Like many credit unions, WPCU uses a third-party vendor for call center services specifically related to card disputes and views those call center services and card fraud investigations as two separate entities. Nevertheless, according to Ingram, call center agents understand how unauthorized charges/claims are documented in a dispute and can address member frustrations about the progress of the investigation and the responsiveness of the credit union.
5. Warn Of Phishing Attacks After A Breach
A major, well-publicized card breach is just the beginning for some criminals. It’s a common tactic to follow a breach with phishing attacks to unlock access to other accounts and personal information. Phishing occurs when cybercriminals fool victims into opening an email, instant message, or text message and then steal their login credentials
“After a sizeable data breach makes the news, hackers heighten their efforts to steal more sensitive information by sending malicious breach-related emails including credit monitoring offers,” Esteves advises.
Phishing emails often have clues that should raise suspicions, such as typos, poor formatting, and demands for urgent action. Members should consider the context of the communication. For example, if the member hasn’t signed up for text alerts, then the text is probably fraudulent. Intended victims should follow these steps in case of suspected phishing:
Do not reply to the email.
Do not click on any of the links embedded in the email.
Forward the email to the financial institution for investigation and then delete it.
Monitor the account for suspicious activity.
6. Hold Merchants Accountable
One of the biggest potential strategies to reduce card fraud is to require card-accepting merchants to adopt chip-enabled terminals. Similarly, financial institutions can protect cardholders by enabling rules that will decline transactions when a chip-card is swiped at a chip-enabled terminal.
“Laws should be enacted to require a transition to chip-enabled terminals with a deadline and fines for non-compliance,” Esteves says. “In addition, there should be legislation that requires merchants to have not only certain levels of data security but also frequent intrusion tests to ensure customer data is secure.”
Imposing higher fines on companies that incur data breaches can help. For example, in July the Federal Trade Commission settled with Equifax on a fine of up to $700 million over its “failure to take reasonable steps to secure its network” from a high-profile breach in 2018.
The European Union can levy fines of up to 4% of the company’s total revenues, and the California Consumer Privacy Act, which goes into effect on Jan. 1, 2020, levies fines of $100 to $750 per consumer per incident, or actual damages, whichever is greater. Both regulations require companies to report breaches to authorities within 72 hours.
In the end, however, the best way to prepare for a breach is to work to reduce the chances of one happening at all. And this comes back to No. 1. Education is key.
“Member education is critical,” Ingram says. “The more informed members are, the less likely they are to fall victim to a card breach.”