BRATTLEBORO — Approaching the holiday weekend, several debit cards used at an unnamed local merchant were compromised.
According to Brattleboro Savings and Loan President and CEO Daniel Yates, he believes the merchant's system was breached and approximately 102 cards at BS&L were affected. As a result, the bank will credit about $3,000 in total to its customers, he said.
Yates further explained that this fraud occurred because someone got a hold of card holder data through this particular merchant. As cardholders used their cards at the store, the software program that the hackers surreptitiously installed captured the information including names, account numbers and card expiration dates. In cases such as this, the information is then sometimes sold to another person who manufactures a fake debit card.
"We have actually narrowed down what we believe that problem merchant to be, but our investigation continues so we're not going to identify them at this time," said Yates.
Yates and Senior Vice President Thomas Martyn said BS&L has been in touch with the merchant and the merchant said they have acknowledged that they had a problem and are continuing its investigation. Since then, there has been a "precipitous" drop-off of related fraud alerts.
According to Yates, BS&L began receiving notifications from its fraud detection program on the evening of Wednesday, June 29. The notifications indicated that there was a "potential situation" where cards had been compromised. Yates said the team at BS&L began working on the issue into Wednesday evening, temporarily blocking transactions at a wider range of locations outside of New England. BS&L customers who had their cards compromised are being issued new cards by BS&L without cost.
All of these fraudulent transactions that were made were done by signature rather than by pin according to Yates. Martyn said he suspects that anyone who used their "un-chipped" debit or credit card at this merchant's place of business had their card information compromised.
To prevent the risk of further fraud, by late October or by the beginning of 2017, BS&L will issue Europay, MasterCard and Visa (EMV) cards to all its customers. EMV cards contain a super-small computer chip that is more challenging to counterfeit. Another push for banks to move toward EMV cards is because any merchant that has not installed chip reader since October 2015 is liable for any losses, according to Yates. At this moment, the bank "eats the losses," when fraud like this recent case occurs, hence the $3,000 or so that BS&L credited back to its customers instead of the merchant.
However, Martyn notes that chip cards are not a "silver bullet for fraud prevention," but will go a "significant distance" to reducing fraud. Martyn says that if a merchant does not have a "chip" terminal, a customer will have to swipe their card and all of their information is still stored in the magnetic stripe on the back of the card.
Yates offered suggestions to merchants in order to reduce further fraud.
"Merchant's can certainly upgrade their equipment to chip enabled readers," said Yates. "But I would also say a very simple thing merchants can do is ask to see identification."
Yates said he is grateful when he travels out of state and merchants ask to see his ID, as he feels it ensures further protection. He noted that while it may feel like an inconvenience to customers to have to be carded while making purchases, this will protects customer's from an inconvenience of having their card shut off and reduces the risk of fraud.
"I don't know the statistics of how much money is lost annually through debit and credit card fraud, but I have to believe it's up to billions of dollars," said Yates.
As for advice to cardholders, Yates says it is important people maintain a "sense of alertness," never give out their account number of the phone to anyone and look closely at the where they are inserting a debit card at gas stations or ATMs. Martyn noted that criminals have placed "skimmers" on the face of machine so as a person's card passes through, the skimmer captures information before reaching the machine. Yates and Martyn further suggests that individuals update their contact information at their bank, review statements regularly and sign-up for online banking. Yates also noted BS&L will never send a customer something by email that asks them to click on a link that will click through an individual's account.
"I thank our staff for being alert, it's indicative how much our staff cares about this business and its customers," said Yates. "There was always someone watching this on their own time when they had just started their vacation."
Yates added that BS&L will always do its best to serve and make the most minimal impact on its customers
BS&L's fraud center has sent texts, calls and emails to its customers as some legitimate transactions could be blocked if customer's do not confirm them. If customer's have questions, concerns, or wish to make sure BS&L has its customer's cell phone number listed for fraud text alerts, call BS&L at 802-254-5333 or 802-246-1600.
Maddi Shaw can be reached at 802-254-2311, ext. 275