Credit union protection act wiki
Author: admin | 01.11.2015
In what may turn out to be the largest data breach of its kind, Target initially reported that hackers had stolen credit card and debit card information connected to as many as 40 million customers who shopped at Target stores.
Subsequently, Neiman Marcus revealed it too had been the victim of a security breach, and there are some reporting that the POS system hacking could extend to additional retailers. The full magnitude of the damage will not likely be known for some time, when customers receive and examine their monthly statements and call their banks, security experts have said.
So, the question is – What is the best way to communicate around a data breach of this nature?
The one thing that should be part of any crisis plan is the reality that you might have to be in communication with hundreds of thousands of customers instantly.
This is an opportunity lost at a time when trust between customers and their financial institution is still fragile from the past financial crisis. The day after the initial reports surfaced, Target emailed millions of customers it thought were affected, and for whom it had email addresses.
The company also created a dedicated page on its website for the data breach, including resources about identity theft and credit reports. Finally, Target also sent postal letters and posted a series of short YouTube videos to explain details around the security breach, what the company was doing about the situation, and a discount offer to customers.
As mentioned, the timing, format, message and channel of communications from banks in response to the Target data breach have definitely been varied. Chase and PNC Bank were also very quick to respond using email to inform customers that a data breach had occurred even though little or no detailed information was available at this time.
Due to the sketchy information available during the first few days after the data breach was discovered and the need to proactively communicate to as many customers as possible, organizations like USAA, FirstMerit and Peoples United leveraged social media to help expand the scope of communication. Chase made a rather dramatic move right before the holidays, limiting both purchase and ATM transactions at a time when customers were most likely to need access to funds for the holiday. JPMorgan Chase was also the first major bank to announce a plan to ultimately replace millions of its 23 million debit cards.
Citibank also recently announced plans to reissue all customer debit cards involved in the data breach at Target. Citi’s move highlighted the potential for continuing damage to consumers, banks and Target as data stolen in the breach may keep leaking into the black market. The major consumer banks have been taking slightly different approaches in their responses to the Target breach. Additional communication beyond what Target did is important for customers since banks are generally responsible for charges made on stolen credit cards, but debit card users do not have the same protections and can be responsible for up to $500 in losses depending on when they report the fraud. One of the clearest and most direct communications came from Discover Card, who replaced cards, provided very direct guidance as to what their customer can do to further protect themselves and provided a link for more information. Of all of the communication reviewed, Discover appeared to be the only communication that could be easily viewed and responded to via a mobile device. There are a number of resources available to assist with communications to customers in the event of fraud or a data breach.
Prepare in advance – Consider a data breach likely and plan accordingly, designating a breach response team and developing a comprehensive and detailed plan. Keep communication lines open – In addition to direct communication to customers through direct mail and email, social channels can provide an excellent means to update customers on an ongoing basis. Be open, honest and transparent – In a data breach situation, the details are important. In the case of the Target breach and any retail industry breach that may be uncovered in the future, the communication should not be a one and done thing.
Beyond the public relations and trust-building opportunity discussed above, a data breach of this nature also provides the opportunity to discuss and promote ID protection and credit monitoring services. Jim Marous is co-publisher of The Financial Brand and publisher of the Digital Banking Report, a subscription-based publication that provides deep insights into the digitization of banking, with over 150 reports in the digital archive available to subscribers. Most of the professionals in the communications business agree on the key components of a good emergency communications plan. According to Westerville police Lieutenant Paul Scowden, the six in question ran a skimming operation, where card numbers were stolen from the records of local retailers.
The operation allegedly involved the help of employees from the skimmed retailers, who copied customer-card numbers with electronic scanning equipment.
The six suspects – who range in age from 19 to 30 – have been identified as Kwabena Bonsu, Jacques Daboni, Prince Dahome, Ayeshia Johnson, Jaimee Mukama and Seth Nyamekye.
The bust involved joint efforts spanning Franklin and Delaware County with help from the Powell and Columbus police departments.
Further evidence is under investigation to decide whether the group will be tried by state or federal prosecutors. Chip-and-PIN credit cards, which have been in use in Europe and Canada for years, are expected to cut down on fraud and identity theft when the U.S. But come October 2015, the liability shift deadline will hit, and you will stop swiping credit cards. EMV cards have been the standard across Canada, Europe, and other parts of the world for years, and the technology is slowly making its way to the United States, the last major market still using swipe-and-sign credit cards. Unlike traditional swipe-and-sign credit cards, EMV cards are embedded with microprocessor chips that assign a unique code to each purchase.
These specific EMV cards, commonly known as chip-and-PIN cards, transmit this data in a dynamic way that’s only viable for a single purchase, thus harder to counterfeit because the unique chip data and PIN are both required to complete a transaction at a compatible terminal.
In fact, over the last year, only 0.03% of card transactions originated from chip-enabled payment terminals, according to EMVCo, which oversees the EMV payment technology. However, if you shop at a handful of domestic retailers who have chip-enabled terminals (or if you’re traveling overseas), there are ways to get your own chip-and-PIN credit card today. Just be aware that, depending on the institution, there may be a fee for requesting a replacement before you need one.
Chip cards have integrated circuits — embedded microchips — that are difficult for thieves to counterfeit. Magnetic-stripe cards hold data that can easily be skimmed by crooks then used to manufacture counterfeit cards for fraudulent use. DUMP Electronic copy of raw data stored on magnetic stripe of card including number, owner name and address, expiration date and CVV1, obtained by skimming or with point-of-sale malware, used to clone credit cards; price $20 to $125. Chip-and-PIN or Chip-and-signature EMV (EuroPay, MasterCard, Visa) fraud: PIN-bypass forgeries with second chip (man-in-the-middle) implanted on cards, tells card reader the PIN is correct even though random PIN entered. Card skimming: Customer card information and PIN captured at ATM, used to make counterfeit cards, fraudulent cash withdrawals. Card trapping: Customer inserts card into ATM, card physically taken, compromising PIN, used to make fraudulent cash withdrawals.
Editor’s note: This is part one of a two-part series on the move by local banks and merchants to chip-enabled cards.
Black Friday came and went last week, launching the holiday spending season that propels many retailers into profitability and also whets the criminal appetite of credit-card fraudsters.
In recent months, North Bay banks and merchants embarked on a massive effort to bring fraud-resistant microchip credit cards to local customers. JPMorgan Chase is the second-largest credit-card issuer in the United States, with outstanding credit balances in the fourth quarter of 2014 at nearly $120 billion, according to bank quarterly reports compiled by Forbes.
Based on outstanding credit at the end of 2014, San Francisco-based Wells Fargo ranked eighth in the United States. About four years ago, Visa and MasterCard announced that in October 2015, “if a consumer comes into any merchant location and has a chip-enabled card,” Baumli said, “and the merchant can only read it from the magnetic stripe,” then the merchant is liable for losses from any fraud that occurs in the transaction. Terminals that read chip-enabled cards as well as magnetic-stripe cards cost about the same, Baumli said, urging merchants to refresh their technology.
Near-field communications, which are encrypted, are considered as safe as chip-enabled credit cards. Chip cards also have vulnerabilities, though they require more effort by crooks to exploit. The “man-in-the-middle” attack allowed a stolen chip card to initiate a transaction then an extra chip soldered on top of the original chip told the remote server that an entered PIN, even if random, was authentic. Computer scientists Houda Ferradi, Remi Geraud, David Naccache and Assia Tria, based in Paris, helped police with microscopic, protocol and X-ray forensic analysis of “what the authors believe to be the most sophisticated smart-card fraud encountered to date,” the researchers wrote.
The scheme has apparently been thwarted with a new mode called Combined Data Authentication along with upgrades to network software.
A similar idea for such a hack, but without necessary miniaturization, was devised by Cambridge University researchers, including Steven Murdoch, who published their findings in January 2010 after alerting the banking industry in Dec. Michael Leonard, vice president, fraud examiner and anti-money-laundering manager for Exchange Bank based in Santa Rosa, searches for stolen credit cards using the bank-identification number.
Hackers — some of whom call themselves “carders” — sell card data or “dumps,” Leonard said, including the card number, expiration date and three-digit code on the back.
Some thieves use a “mule” who accepts initial shipment for a fee then re-ships the stolen merchandise to another recipient. A mule might accept transferred funds from a stolen card at a Western Union store, charging 25 percent for such a service. Money-service businesses, such as those that offer check-cashing services and stored-value cards, may send money to destinations in other countries. Merchants that don’t upgrade face charge-backs if fraud occurs due to their inability to read chip-enabled cards. Part 2 of this series next week will look further at the change to more fraud-resistant cards. Following the huge data breach at Target, which was first reported on 18 December, and has affected as many as 40 million credit and debit card holders, I can’t seem to be able to open a browser without stumbling into a news headline asking why the U.S.
Of course, the overall picture was much more complicated than these two charts suggest, but, clearly, the shift to EMV reduced fraud in Europe. As you can see, cardholders have suffered no fraud-related losses at all, which have been split between the issuers and the merchants. What you need to realize is that the issuance of chip cards is the far smaller part of the puzzle that needs to be solved, which is why Visa has focused its initiatives on the acquirers and their merchants.
As you well know, interchange rates are set by Visa and MasterCard, not by the card issuers, and I haven’t seen them rise all that much lately, if at all. In any case, it is a huge stretch to suggest that the issuers have been able to recoup all, or even a sizable chunk, of their fraud losses. But even if you were right and the card issuers were suffering lower losses than the data suggest, that would only strengthen my point: why would they be in any hurry to invest billions in implementing a new technology? TransUnion is a leading global provider of business intelligence services supported by more than 4000 employees, in more than 30 countries worldwide. Some banks are identifying compromised debit or credit cards and issuing fresh cards immediately while other banks are taking a watch-and-wait stance, taking action on a case-by-case basis if fraud is detected. Later, Target issued additional information that another 70 million customers may have had personal information compromised, including names, phone numbers and email addresses.
In working with a leading communications tracking firm, Competiscan, I was able to see a variety of communication strategies involving multiple channels and a variety of resolutions to the Target data breach.
While some communicated with customers as early as December 20th (the day after the initial discovery), some organizations have not yet reached out to all customers to explain what has occurred, what precautions can be taken and how the bank is working on their behalf. Thirty-one per cent said they had been notified by Target and 28 per cent said they had been notified by their bank or credit card company. Target has said that it plans to offer a year of free credit monitoring and identity theft protection to anyone who shopped in Target stores in the United States. It also provided the first set of steps a customer could take to protect themselves and where they could go for additional information. Chase assured customers that they would monitor their accounts while PNC referenced their Security Assurance Pledge and linked to a continuously updated FAQ page. The bank said it did not replace the debit cards sooner because it wanted to minimize disruptions during the holiday shopping season, according to a person briefed on the company’s decision who spoke on the condition of anonymity. The other three consumer banks among the nation’s five largest — Bank of America, Wells Fargo and U.S.
Seeing that recent research indicates that close to 50% of all emails are viewed on a mobile device, it would be wise for more institutions to take this into account as they develop email communications. Many consumers monitor their transactions daily on their smart phones, even getting text alerts for transactions in almost real time. Understand the details and scope of breach and identify all impacted customers while determining appropriate message.
It should be ongoing as new information is uncovered and should assume the customer is looking for guidance and security on an ongoing basis.
All of them also agree that good communications is not just a good protection against financial loss, but also provides the potential for goodwill and loyalty going forward if done well.
Secret Service, Westerville police have announced the apprehension of six suspects in an alleged credit card fraud scheme spanning central Ohio.
Upon obtaining the digits, the group had them magnetically transferred onto the fraudulent prepaid cards. Hacks at four major retailers — Home Depot, Michaels Stores, Neiman Marcus, and Target — compromised the payment-card data of more than 130 million customers. 23, there had been 761 data breaches in 2014, resulting in more than 83 million exposed records, according to the Identity Theft Resource Center, which tracks confirmed data breaches. For months, you’ve heard about the “innovative” and “advanced” security upgrades credit cards are getting. To authorize the purchase, the consumer must enter their valid personal identification number (PIN), which is designed to replace their signature at checkout. For example, since the widespread implementation of chip-and-PIN cards in 2004, payment fraud has declined drastically in the United Kingdom.
So some experts and banking institutions say there’s no sense in using the new chip cards at this point, as they provide the best protection when used at chip-enabled terminals, which are currently hard to find in the U.S. If your old card expires, is damaged, or lost, you may request a new card ahead of schedule.
The chip varies the way it transmits data each time it is used, encrypting secure data as it communicates with a card reader.
A chip-card reader does not have to connect to the credit card company to authorize the charge during a transaction.
In December 2013, hackers who were not caught skimmed magnetic-card data from about 40 million Target customers — the largest credit-card theft and fraud in history.
The cost to retailers and banks to switch to chip cards and new terminals is about $8 billion. Remember December 2013 when hackers skimmed credit-card data from some 40 million Target shoppers? 10 federal indictment of Gery Shalon, an Israeli who allegedly ran a sophisticated ring that in the past three years hacked into JPMorgan Chase, Fidelity Investments, ETrade Financial, Scottrade, TD Ameritrade and News Corp. Wells Fargo consulted with its merchant customers and helped them acquire terminals that handle chip cards.
In May 2011, French banking group GIE Cartes Bancaires discovered an ingenious form of fraud involving about 40 chip-and-PIN cards stolen in France and used to make purchases in Belgium. Depending on the freshness of the theft, the price can range from a few dollars up to $100.
A bank handling accounts for such businesses has to exercise additional due-diligence to look for money laundering or fraud, Leonard said. He sets up Exchange Bank’s computer system to check a customer’s pattern of typical card use against actual use, such as geography.
It turns out that, rather than embark on a years-long roll-out of the more secure EMV card technology, U.S. The American Bankers Association’s 2011 Deposit Account Fraud Survey Report told us that in 2010 debit card fraud losses totaled $955 million. King from the Federal Reserve Bank of Atlanta looked closely into these reports and here is what he found. With technology-based intelligence products, including innovative credit decisioning and fraud prevention tools, advanced target marketing products, risk and profitability models and portfolio management, TransUnion enables businesses to manage financial risk and capitalize on market opportunities. Either way, many banks are using a proactive, multichannel approach for keeping customers informed which can build much sought after loyalty and trust.
Unfortunately, in a scenario with so much publicity, the impact of the breach may be felt for months.
For instance, Target’s initial notification post garnered over 3,500 comments and 1,600 shares in the first few days from customers concerned about their card security. Bank — have said they are carefully watching cards for signs of fraud, but they have not broadly reissued debit or credit cards.
For most of us, this upgrade is just a fantasy, as our wallets still store tattered magnetic-strip cards with our signatures (sometimes) scratched on the back.
From 2004 to 2010, transaction fraud at retailers plummeted by 69% in the UK, according to data by the UK Payments Administration. If you have your valid card, you may still contact your credit card company to request one. Shalon and his colleagues allegedly used stolen data on nearly 100 million customers to carry out credit card fraud, stock pumping, online gambling, money laundering and criminal payment processing.
Bank of America came in third, with about $102 billion, followed by Capital One, American Express, Discover, Synchrony and Wells Fargo. Since the deadline, Baumli has not heard of cases where fraud occurred and the merchant was not able to read a chip card, but it’s still early.
17, Savings Bank of Mendocino County warned its customers that an automated call device was used to tell prospective fraud victims in the 707 area code that their bank-issued MasterCard had been blocked, soliciting the customer’s PIN and Social Security number to re-activate the card.
Murdoch went on to work as a research fellow in information security at University College London.
He uses a separate Wi-Fi network to connect to the Internet and doesn’t link the laptop to Exchange Bank’s internal network. If a customer rarely travels to Europe, for example, and a charge comes from that region, it’s a signal of potential fraudulent use. At first, my reaction was “Don’t you read UniBul’s blog?”, for we’ve covered the subject quite extensively over the years. From a Nilson Report study we learned that the cumulative bank card losses (credit and debit) in 2010 amounted to $3.56 billion.
According to PaymentsSource’s bank card profitability studies, financial institutions’ credit card-related fraud losses were the largest among payment cards and grew each year between 2006 and 2008, rising from $1 billion to $1.11 billion.
And they knew perfectly well what would happen if they switched to EMV — they knew because the Europeans had already done it.
Chip acceptance will require service providers to be able to carry and process additional data that is included in chip transactions, including the cryptographic message that makes each transaction unique. Fuel-selling merchants will have an additional two years, until October 1, 2017 before a liability shift takes effect for transactions generated from automated fuel dispensers. And yes, Visa and MasterCard should have been quicker to force EMV adoption on their member banks, as that would, in the long run, have benefited them more than anyone else. Regarding cardholders, their interest rates have been very high, yes, but that is because underwriting risk has skyrocketed in the wake of the financial crisis. Communications from banks and credit unions should include a reference to these tools for the next several months.
Facing rampant credit-card fraud, banks in France started using chip-enabled cards in 1984.
You don’t have the exposure.” When merchandise is shipped after purchase with a stolen dump, the crook is at risk at the address where stolen goods are delivered. But then, on reflection, I realized that the world doesn’t revolve around UniBul quite yet and thought I should revisit the topic. Not to mention that, as European merchants don’t always know how to accept mag-stripe cards on their EMV terminals, many Americans find themselves unable to use their cards in Europe, which leads to additional hundreds of millions of dollars in lost annual revenues for U.S. A PaymentsSource report has calculated that card issuers alone have lost $1.16 billion to fraud in 2010.
After an aberration in 2009, when credit card fraud losses fell by 14 percent, they grew again in 2010, by 22 percent. Yet, Visa finally decided to force the issue in 2011, when it announced its plans to “accelerate chip migration and adoption of mobile payments”.
Visa will provide additional guidance as part of its bi-annual Business Enhancements Release for acquirer processors to certify that their systems can support EMV contact and contactless chip transactions. You should remember that until a couple of years ago, charge-off rates were at record-highs. But some retailers, such as Wal-Mart, are installing the new chip-enabled payment terminals. EMV-enabled debit cards, which offer both debit and credit payment options, will roll out later, expected fully by end of 2017. The Nilson Report data showed a similar trend in both the number and dollar value of credit card transactions during this time period. With the liability shift, if a contact chip card is presented to a merchant that has not adopted, at minimum, contact chip terminals, liability for counterfeit fraud may shift to the merchant’s acquirer.
No, it would not, although it is just possible that it would have made it more difficult for the hackers to make use of the cardholders’ account information, although that is debatable.
Yet, evidently the sum of these losses and foregone revenues pales in comparison to the $3 billion needed for the wholesale switch to EMV (according to an estimate by the Mercator Advisory Group, a consultancy). The liability shift encourages chip adoption since any chip-on-chip transaction (chip card read by a chip terminal) provides the dynamic authentication data that helps to better protect all parties. The good news is that we are making progress and the EMV technology is slowly arriving in America.
CFPB Takes Action Against Wells Fargo for Illegal Student Loan Servicing Practices
Wells Fargo to Pay $3.6 Million Penalty to the Bureau
Washington, D.C. – The Consumer Financial Protection Bureau (CFPB) today took action against Wells Fargo Bank for illegal private student loan servicing practices that increased costs and unfairly penalized certain student loan borrowers. The Bureau identified breakdowns throughout Wells Fargo’s servicing process including failing to provide important payment information to consumers, charging consumers illegal fees, and failing to update inaccurate credit report information. The CFPB’s order requires Wells Fargo to improve its consumer billing and student loan payment processing practices. The company must also provide $410,000 in relief to borrowers and pay a $3.6 million civil penalty to the CFPB.
“Wells Fargo hit borrowers with illegal fees and deprived others of critical information needed to effectively manage their student loan accounts,” said CFPB Director Richard Cordray. “Consumers should be able to rely on their servicer to process and credit payments correctly and to provide accurate and timely information and we will continue our work to improve the student loan servicing market.”
Wells Fargo is a national bank headquartered in Sioux Falls, S.D. Education Financial Services is a division of Wells Fargo that is responsible for the bank’s student lending operations. Education Financial Services both originates and services private student loans, and currently serves approximately 1.3 million consumers in all 50 states.
Student loans make up the nation’s second largest consumer debt market. Today there are more than 40 million federal and private student loan borrowers and collectively these consumers owe roughly $1.3 trillion. Last year, the CFPB found that more than 8 million borrowers are in default on more than $110 billion in student loans, a problem that may be driven by breakdowns in student loan servicing. Private student loans comprise approximately $100 billion of all outstanding student loans. While private student loans are a small portion of the overall market, the Bureau found that they are generally used by borrowers with high levels of debt who also have federal loans.
According to the CFPB’s order, Wells Fargo failed to provide the level of student loan servicing that borrowers are entitled to under the law. Because of the breakdowns throughout Wells Fargo’s servicing process, thousands of student loan borrowers encountered problems with their loans or received misinformation about their payment options. The CFPB found that the company violated the Dodd-Frank Wall Street Reform and Consumer Protection Act’s prohibitions against unfair and deceptive acts and practices, as well as the Fair Credit Reporting Act. Specifically, the CFPB found that the company:
- Impaired consumers’ ability to minimize costs and fees: Wells Fargo processed payments in a way that maximized fees for many consumers. Specifically, if a borrower made a payment that was not enough to cover the total amount due for all loans in an account, the bank divided that payment across the loans in a way that maximized late fees rather than satisfying payments for some of the loans. The bank failed to adequately disclose to consumers how it allocated payments across multiple loans, and that consumers have the ability to provide instructions for how to allocate payments to the loans in their account. As a result, consumers were unable to effectively manage their student loan accounts and minimize costs and fees.
Under the Dodd-Frank Act, the CFPB has the authority to take action against institutions engaging in unfair or deceptive practices. Among the terms of the consent order filed today, Wells Fargo must:
- Pay $410,000 in consumer refunds: Wells Fargo must provide at least $410,000 to compensate consumers for illegal late fees. This includes refunding illegal fees due to the bank’s failure to disclose its payment allocation practices across multiple loans within a borrower’s account as well as the bank’s failure to inform consumers that they could instruct the bank to allocate payments in a different way. This also includes refunding illegal fees charged because of the bank’s failure to combine partial payments made in the same billing cycle, and fees improperly charged when borrowers made a payment on the last day of the grace period.
This order comes as the Bureau takes steps to ensure that all student loan borrowers have access to adequate student loan servicing. Last year, the Bureau released a report outlining widespread servicing failures reported by both federal and private student loan borrowers and published a framework for student loan servicing reforms. As part of this work, the Bureau has continually raised concerns around, as well as taken enforcement and supervisory actions against, illegal student loan servicing practices related to the handling of partial payments. Building on this, earlier this year, the Bureau called for market-wide reforms and announced that it was prioritizing taking action against companies that engage in illegal servicing practices. Today’s action is an important part of this ongoing work.
Students and their families can find help on how to tackle their student debt on the CFPB’s website.
The Consumer Financial Protection Bureau is a 21st century agency that helps consumer finance markets work by making rules more effective, by consistently and fairly enforcing those rules, and by empowering consumers to take more control over their economic lives. For more information, visit consumerfinance.gov.