Some local credit and debit card holders are discovering new restrictions on how much they can spend in a day on their cards or where they can use them.
The banks and credit unions that issued the cards aren’t just playing the Grinch. They’re trying to contain the financial impact of a regional credit card fraud outbreak that has affected thousands of grocery store shoppers in the Inland Northwest.
Financial institutions likely will be the ultimate victims of what many banking officials say is the biggest-ever case of cyberfraud in Eastern Washington.
Many customers are wondering who’s responsible for covering the losses in the fraud case that exposed credit and debit card data handled by Spokane-based URM Stores, said Debie Keesee, CEO of Spokane Media Federal Credit Union.
“Almost 100 percent of the time, it’s the financial institution,” not the merchants or cardholders, she said.
Beyond trying to limit how much money a fraudster can charge on a card, banks and credit unions are placing limits on newly reissued or not-yet-compromised cards to hold down the losses they’ll probably absorb, banking officials said.
Investigators including the U.S. Secret Service are still trying to identify those responsible for the financial data breach.
URM Stores, a grocery store cooperative, transmits card-purchase transactions from many Inland Northwest grocery stores to a major national card processor. Among the grocery stores that use URM are Rosauers, Harvest Foods, Huckleberry’s Natural Market, Yoke’s Fresh Market and Super 1 Foods.
Many of those stores stopped handling credit cards on their computer networks in late November until URM Stores applied a security patch. URM Stores said it has hired an investigator to help secure the network and identify who was behind the break-in.
Starting in September, local credit unions noticed a large increase in reports of member card fraud. They also identified a likely URM security problem because every cardholder reporting a fraudulent purchase used that card at a URM-serviced grocery.
Investigators say the crooks sold card numbers on the black market; criminals used that data to create counterfeit cards. Purchases tied to the URM break-in have ranged across the U.S. and overseas, including purchases in China and India.
The major credit card companies, such as Mastercard and Visa, allow banks or credit unions to “charge back” illegal card payments if the purchase occurred without a signature, such as online. In those cases, the obligation to cover the loss falls on the merchant.
But investigators say the vast majority of illegal purchases tied to URM Stores took place with counterfeit cards that someone produced with the card numbers.
That’s left banks and credit unions stuck with the bill, said Randy Fewel, CEO of Spokane-based Inland Northwest Bank. Fewel said his bank faces a loss of at least $32,000 from the URM fraud outbreak.
INB has already replaced 300 member cards compromised so far, and the number is increasing, Fewel said.
While all banks arrange for insurance to cover card fraud, the policies often have deductibles and other limits that still leave the bank facing a stiff bill when large-scale fraud occurs, Fewel said.
INB, he said, has an insurance policy that requires INB to cover the first $500 of fraud per card.
“After the $500 deductible for each one, the insurance covers 50 percent of everything over $500,” Fewel said. “But very few of our losses amounted to over $500 per card, so INB will be absorbing over $32,000 in losses costs associated with this URM situation,” he said.
The impact is even more serious for smaller independent credit unions, said Mark Smith, a criminal fraud investigator and CEO of Spokane-based Sears Employees Federal Credit Union.
Sears Employees Federal Credit Union, with 837 members, will need to use money from its reserves to cover the card-fraud loss, Smith said. Without that reserve, it would have ended the year with a loss, he said.
So far the fraud affecting Sears’ cards totals about $43,000.
With insurance, the amount the credit union has to cover will be above $30,000.
Credit unions, unlike banks, are nonprofit businesses and generally operate on thin margins, Smith said.
An unusual circumstance is that a single Visa card accounted for about $32,000 of the illegal charges borne by Sears credit union members. It belongs to a Spokane couple whose card was compromised in the URM Stores break-in.
Large purchases in California on their card triggered a call to the couple from a Visa fraud-detection team that tracks unusual card activity anywhere in the country.
The couple thought the Visa call was related to their recently using a second Visa card, not connected to Sears, to pay for an extended service warranty, Smith said.
“So they told Visa’s fraud team they had authorized the purchases. When they told Visa that, the detection team turned off fraud detection for the next 35 days on the card,” Smith explained. The result was to give the criminals a green light to keep running up huge purchases at various California stores, he said.
Eventually Smith spotted the unusual activity and canceled the card. Even so, Sears’ insurance policy for card fraud will pay only $2,500 for the couple’s card, leaving the credit union stuck with the balance.
Smith said the credit union has replaced more than 80 cards, though only 23 of those have been used by cybercriminals in the past three months.
A $30,000 loss will mean different things to area banks and credit unions, depending on their size, Smith added.
“I’m sure Spokane Teachers Credit Union, because they’re so large, has a large reserve set aside” for such losses, Smith said. But some smaller credit unions in the area will probably need to adjust service fees and loan rates over the next year as they recover from the card-fraud repayment hit, he said.
STCU, based in Liberty Lake, has more than 85,000 members. The credit union has replaced more than 360 credit or debit cards that have been compromised in recent months, spokesman Dan Hansen said. The average amount of fraud per card is about $150 to $200.
Another large area credit union, Numerica, reported it has replaced 400 compromised debit cards. Card Services Supervisor Mary Ann Cross said those cards racked up, on average, about $300 in illegal transactions, and all of them involved counterfeit cards.
Both STCU and Numerica spokespeople declined to state the total losses each credit union will likely need to cover.
Smith and Keesee said a law passed in 2010 in Washington gives banks or credit unions options to recover the costs of replacing cards caused by a financial data breach. One is to prosecute the criminals responsible for the break-in. The other is to take the company responsible for the data breach to court. First, though, the banks and credit unions would have to establish negligence on the part of the company involved in the breach.
“That is a hard burden to establish negligence. And by the time we’d be at that point, we’d spend more on the legal costs than we’d be able to recover,” Smith said.