By AnnaMaria Andriotis
So much for a blasé data breach. Last month’s breach of Citigroup credit card numbers didn’t include the cards’ expiration dates and security codes, which should have prevented the hackers from using the cards. Even so, this week Citi announced that some 3,400 of those credit cards (about 1% of the total compromised) were fraudulently used to the tune of $2.7 million.
None of the cardholders are held responsible for those charges, says a Citi spokesman. But how did it happen? Citi could not confirm but suggested that some of the customers may have been involved in breaches at other companies that gave the hackers the full suite of information they needed. “I suspect what you’re going to find is this was a very sophisticated hack by a group that’s done more than this,” says Jay Foley, executive director at the Identity Theft Resource Center.
Citi’s is among the latest in a series of breaches so far this year. There have been 216 year-to-date, according to the Identity Theft Resource Center, down from 333 in the same period last year. In many cases, fraudsters have grown more sophisticated and are better able to access customer information and remain undetected than in the past, says Phil Blank, managing director of security, risk and fraud for Javelin Strategy and Research. A report out today by Javelin shows that among roughly two dozen of Visa and MasterCard’s largest credit card issuers, the bigger institutions including Bank of America and U.S. Bank are among the best equipped to prevent, detect and resolve fraud. The relatively smaller banks on the list came in at the bottom, including State Farm, Associated Bank and SunTrust. The annual study, which was conducted before reports of Citi’s breach surfaced, ranked Citi in ninth place.
The study considered several factors, including financial firms’ security procedures, the availability of fraud alerts and other monitoring strategies. In response to the findings, a SunTrust spokesman says the company has “processes and procedures in place to ensure we are vigilant in our responsibility to clients.” A State Farm spokesman says the company maintains physical and electronic safeguards that comply with federal regulations and that it regularly monitors computer networks and tests the strength of its security. A spokeswoman for Associated Bank says it employs several strategies to detect fraud against customers, including monitoring daily transaction activity and analyzing reported customer issues to identify potential security breaches and fraud. Cabela’s WFB, which was the fourth-worst bank on the Javelin list, did not return a request for comment.
And identity theft experts say that protecting consumers’ credit card information doesn’t just stop with the card issuer. In the past, payment processing systems, which transmit credit card information from a retailer to the card issuer after a purchase is made, have been hacked. “There are all sorts of probabilities,” says Foley.
Luckily, consumers have protections when their credit cards are fraudulently used. Credit card companies hold customers liable for up to $50 of unauthorized credit card transactions, and oftentimes they waive that charge as well. Still, knowing that your credit card number or other identifying information is out there is enough to make most consumers queasy – and could increase the chances of becoming a victim of fraud going forward. Here are Javelin’s rankings for the card issuers providing the most and least protection and help against fraud.
Best (score out of a possible 100)
Bank of America (87)
U.S. Bank (73)
Capital One (68)
Worst
State Farm (43)
Associated Bank (46)
Cabela’s WFB (48)