Convenience vs Security for Credit Union Members

A recent data breach at Wendy’s hurt a lot of credit unions and their members. What makes things worse is that features put in place to make security management convenient can result in CU members being victimized even when thieves don’t have their PINs.

This news came from a post on security expert Brian Krebs’ blog.

Krebs, a former reporter from The Washington Post, blogs on security. He recently interviewed B. Dan Berger, CEO at the National Association of Federal Credit Unions, about the Wendy’s breach.

“According to B. Dan Berger, CEO at the National Association of Federal Credit Unions, many credit unions saw a huge increase in debit card fraud in the few weeks before the Wendy’s breach became public. He said much of that fraud activity was later tied to customers who’d patronized Wendy’s locations less than a month prior,” Krebs wrote.

Berger and his team were on the case, and warned CUs about the breach. However, he said that CUs were losing more from the Wendy’s breach than they had from the previous Target and Home Depot breaches. He told Krebs about one CU whose CEO said that losses were 5 to 10 times worse with the Wendy’s breach.

All of this raises the question: how can thieves steal money from customer accounts when all they have is swipe data (no PIN)?

Thieves Setting PINs by Phone

It seems that the thieves who steal debit card information can use automated systems offered by CUs and banks to change the members’ PINs by phone. Thieves then have the ability to steal from the members’ accounts, even after members have changed their PINs.

These automated systems exist to make security management easier for CU members. But that same convenience might actually work to the benefit of data thieves.

As Krebs put it, “Even if thieves don’t know the PIN assigned to a given debit card, very often banks and credit unions will let customers call in and change their PIN using automated systems that ask the caller to verify the cardholder’s identity by keying in static identifiers, like Social Security numbers, dates of birth and the card’s expiration date.”

New Security Coming on Line

If there’s a silver lining in all this, it’s that CUs and banks are working double time to implement new chip-in-card technologies that will put swipe thieves out of business.

These chip cards are expensive, but they will thwart the types of technology that data thieves are using currently. The thieves’ technology is cheap and plentiful, which has led to its proliferation.

However, no one in the security game really thinks that chip-in-card technology provides a permanent solution to data theft. At some point the thieves will figure out how to hack these new systems.

But, for a while at least, the chip cards should knock a lot of the players out of the data theft game. They will at least make it much more expensive for data thieves to get into the “business” of stealing data.

Copyright Today’s Credit Unions