Shostack + Friends Blog Archive


Various Oregon credit unions, debit cards, organized fraud ring?

This one seems to have slipped below the radar.
From the January 25 Corvallis, Oregon Gazette-Times:

Fair Isaac Corp., a Minnesota-based data security provider, late last week alerted the OSU Federal Credit Union, Citizens Bank, Benton County Schools Credit Union and Central Willamette Community Credit Union that customer debit cards bearing the Visa imprint may have been compromised.
Fair Isaac would not return calls seeking an exact tally of customers affected, but at least 1,200 accounts of OSU Federal customers alone were flagged. If all of those cases turn out to represent actual identity thefts or account raids, that would make this a significant instance of electronic piracy; the total number of Oregon identity theft cases reported to the Federal Trade Commission in 2004 was 3,156.

Also in the article is this little teaser:

[T]he facts still emerging indicate that Corvallis may have been part of what is shaping up to be a national debit card and identity theft raid. The FBI is investigating where the thefts originated — a process that could take months or longer.

From earlier coverage we learn that

It’s not clear exactly what happened to trigger the alert, but officials at area financial institutions stress that their computer systems have not been breached.
The problem, they say, appears to have occurred at some other point in the electronic economy — perhaps at a retail business that accepts debit card payments or at a third-party vendor that processes the payments.
Fair Isaac Corp. did not return a phone call Monday seeking more details about the security breach.

Each of the affected institutions is replacing customers’ cards, showing that the “Alabama rule” is now the way it’s done.