It's not yet 3 pm, and two alerts of security breaches at national retailers have already popped up in Mark Smith's inbox. The CEO of the small, 800-member Sears Spokane Employees Federal Credit Union sits at his file-covered desk in a tiny office tucked inside the first floor of NorthTown's Sears store.
Scrolling through his email, Smith reads bits of the vague yet familiar details aloud.
"They're not even saying or confirming anything," he says of the alerts. "Just saying it's a possible intrusion that ran for five months from mid-2013 to the fourth quarter."
The report from Visa also lists card numbers for some of the credit union's members who made purchases at the unnamed merchant during the suspected breach.
"Now we have to go in and kill the card and order new ones," Smith says, his voice flat.
This "card-killing" routine has become all too familiar for Smith and financial execs across the nation in the past half year as the technological weaknesses at American retailers are exploited by cybercriminals again and again. The system's flaws are better known after the large-scale attack at Target stores this fall, but a similar breach at Spokane-based grocery wholesaler URM, made public last November, is still being felt at financial institutions across the region, including at the Sears' Employees Credit Union.
Security experts believe these cyber attacks are only going to get worse.
Partly to blame is the magnetic stripe technology used on credit cards in the U.S. — an antiquated technology that dates back to the 1960s — which is incredibly easy for cybercriminals to obtain and replicate. While Europe and other developed countries have updated the technology, America lags behind, making us top targets of cybercriminals, according to experts like Alphonse Pascual, a security analyst at the national business strategy firm Javelin. In a Feb. 16 Los Angeles Times report, Pascual says: "All the issues we're seeing are the result of the legacy systems we have in place. This information can be stolen by anyone."
It was early September when Smith started noticing suspicious purchases on his members' accounts that later would prove to be associated with the URM breach.
"We're small enough that we can really keep an eye on the transactions," he says. "In my opinion we probably saw the fraud before most other [banks and credit unions] did ... and well before URM came out and said that there was a breach."
URM issued the first press release about the incident on Nov. 18, in which CEO Ray Sprinkle wrote that the company had begun investigating its data systems, but wasn't yet confirming a breach had occurred. A week later on Nov. 25, three days before Thanksgiving, URM issued a release stating its payment processing system — used by a large collective of its member-owner stores across the Inland Northwest — had indeed been hacked. It took another week, until Dec. 2, for the company to set up enhanced security measures to block the attack.
Although URM released a list of stores affected by the attack at the end of January — totaling 67 locations across Washington, Oregon, Idaho and Montana — official results of the forensic criminal investigation still haven't been released. URM executives, including Sprinkle, are remaining tightlipped and declined to comment until the final investigative report is completed.
Hanging on the wall behind Smith's desk, on which sits a 5-inch stack of paper-clipped records pertaining to the URM breach, a framed certificate lists his credentials as a financial fraud investigator with the Spokane Police Department. While Smith hasn't been involved in law enforcement investigations on the URM case, his credentials give him the authority to work collaboratively with the police when they're gathering evidence against suspected financial criminals.
Although Smith had early on confirmed that some kind of breach had occurred at URM's stores — based on members' account activity and by talking with leaders of other Spokane-area credit unions — he says he couldn't inform the company of his suspicions because of legal liability and the credit union's contract with Visa.
"The first thing I did was contact the Secret Service just to see if they were aware of anything that was going on," he says.
Roughly 47 percent of Smith's members were affected by the URM cyber attack. But in catching the fraud so quickly, almost all of the credit and debit cards captured during the breach were replaced by the time the incident went public in November.
"We were lucky enough having gone through that that we were well-prepared by the time Target hit," Smith says. "We took very little loss from Target."
The overall impact of the URM breach on Smith's credit union totaled about $42,000, he says, including the cost to replace members' cards, at about $5 each.
Of that total, $32,000 in fraudulent purchases came from one card whose owners unintentionally shut off their fraud monitoring alerts after inadvertently telling Visa a $1,000 purchase made in California was legitimate — when it was actually made by a thief.
A voluntary survey of credit unions in Eastern Washington, conducted by the Northwest Credit Union Association, which represents 160 credit unions in Washington and Oregon, has so far estimated the total impact of the URM breach at more than $687,500. Eleven credit unions participated in the survey, but the NWCUA declined to identify the particular institutions.
From his perspective, Smith says improved and stricter security protocol for merchants of all sizes is the first step in thwarting such security breaches. He believes merchants should be held to similar standards as financial institutions when it comes to sensitive consumer information.
The major card issuers are already pushing for U.S. retailers to make the switch by October 2015 to the more secure chip-and-pin card technology, also called EMV (which stands for Europay, Mastercard and Visa). It would be a costly switch for retailers to install new card-reading and payment processing technology, but the plan for the card issuers is to place fraud liability on the merchant rather than the issuer or financial institution.
Even though consumers affected by a security breach like those at URM and Target do get their money back in the end, Smith says the costs to clean up situations like these fall back to consumers, whether it's in the form of increased banking fees, interest rates or the overall costs of goods.
"It's not just a merchant problem, it's not just a financial institution issue," Smith says. "It's really everybody's issue." ♦
