Debit cards affected by the Global Payments incident have reportedly been used by fraudsters.
According to an article by security blogger Brian Krebs, Connecticut-based Union Savings Bank said it had seen an unusual pattern of fraud on a dozen debit cards it had issued, noting that most of the cards had also been used in a café at a nearby school.
When the bank determined that the school was a customer of Global Payments, Union Savings Bank's chief risk officer, Doug Fuller, contacted Visa to alert it of a possible breach at the Atlanta-based processor.
This led to Tony Higgins, then a fraud investigator at a grocery chain in Southern California and Nevada, to detect that fraudsters were buying low-denomination pre-paid cards from the stores and encoding debit card accounts issued by Union Savings Bank onto their magnetic strips.
Those cards were then used to purchase additional pre-paid cards with much higher values, which were then used to buy electronics and other high-priced goods from retailers.
Higgins told Union Savings Bank that the fraud was located mostly in Las Vegas, with other activity in neighbouring states.
Fuller said Visa has alerted Union Savings Bank that around 1,000 debit accounts it issued were compromised in the Global Payments breach, including the accounts that initially prompted Union Savings Bank to investigate. Officials at the bank said it has suffered approximately $75,000 in fraudulent charges and had spent close to $10,000 in reissuing customer cards.
Higgins also reported fraud against the Bank of Oklahoma and Fulton Bank of New Jersey to the tune of about one thousand stolen card accounts a week.
Global Payments said the breach could have persisted for eight months and was believed to have originally impacted around 1.4 million cards. Earlier this month, Global Payments confirmed that it was revalidating its PCI-DSS status after "some card brands" removed it from their lists of PCI-compliant processors.
Initially, Global Payments claimed that only Track 2 data was taken, not including cardholder names, addresses and other data, but Krebs said the Union Savings Bank experience shows that Track 2 data alone is enough for fraudsters to encode the card number and expiration date onto magnetic strips. These cards can then be used at any merchant that accepts transactions that do not require the cardholder to enter their PIN.