Archive Links

Consumer Archive
CU System Archive
Market Archive
Products Archive
Washington Archive

CU System Archive

CU System

CUs Impacted in Target Breach Get Risk Mitigation Tips

 Permanent link
MADISON, Wis. (12/23/13)--As the Credit Union National Association works with other entities in the industry to monitor new developments in the widespread Target stores data breach and provide up-to-date information to help mitigate the risks to credit unions, new information has shed light on what credit unions will need to do--both for themselves and their members.
Target announced Wednesday that it had suffered a breach that compromised 40 million credit  and debit cards used at its U.S. stores between Nov. 27 and Dec. 15.
Thieves already are flooding the black market with the stolen information, along with city, location and ZIP code of the store where the card was used, according to Brian Krebs, the security expert who revealed the breach Wednesday (Minneapolis Star Tribune Dec. 20 and Wisconsin State Journal Dec. 21). Krebs said in a column on his website (Dec.19) that the information is being sold in batches of one million cards for $20 to $100 per card.

The city, state and ZIP code information ups the ante for credit unions and other financial institutions because it removes one of the red flags they typically use to monitor suspicious activity: out of state transactions, said Krebs.
Credit unions already were getting reports of fraudulent transactions and fielding questions from members who had made purchases at the stores during that period. (See related News Now story, CUs at Forefront in Advice to Consumers about Target Breach).
CUNA is working with CO-OP Financial Services, CUNA Mutual Group, PSCU, Financial Services Information Sharing (FS-ISAC), Visa and MasterCard, as well as the Electronic Payments Coalition and NACHA-the Electronic Payments Association, among others, to get information about the breach's impact on credit unions.
An alert from CO-OP Financial Service Wednesday said that for credit unions participating in fraud monitoring through Falcon Fraud Manager by CO-OP, heightened strategies are in place to identify signature fraud attempts for the cards potentially linked to this compromise.  "Related fraud linked to this data compromise is varied within many various states as well as other countries," said the alert. "For the U.S. fraud, we are also seeing a trend where confirmed fraud occurring locally to the cardholders within their own spending footprint."
CO-OP's alert said that, so far no fraud involving ATM withdrawals had been tied to the compromise. Credit unions can take many approaches upon receiving a card-compromise notice, and CO-OP recommended that credit unions review the list of suggested best practices to consider when determining what action to take.
MasterCard sent out to its credit and debit card issuers a list of compromised card numbers in its Account Data Compromise alerts No. 1904 and 1924 Friday. Alert 1904 indicates that the Target breach is the 1,904th breach since the beginning of 2013, to its credit and debit card issuers, said Ann Davidson, senior consultant, risk management at CUNA Mutual Group. Visa began sending its alerts Saturday and was still sending these out today, Davidson said. Its alert is US-2013-1335 and its updates have a, b, c, and so forth to added as new compromised card numbers are reported.

Discover also sent out an alert, DCA-U.S. 2013-1085. Visa's list contained more than 24 million debit and credit card numbers.
Davidson said she has talked to many individuals at credit unions about the breach. One credit union has blocked 19,000 Visa debit cards and 5,000 credit cards after it used its in-house system to search the dates involved and who shopped at Target.
Credit unions will see several challenges, including what to do during the holidays, said Davidson. Card associations have recommended blocking cards until after Dec. 25--during the key consumer spending season.
She pointed out a particular problem if credit unions block non-PIN-related transactions and instead require a signature on the cards. "The fraud will go away, but it would violate Visa's and MasterCard's processing rules." Credit unions should seek exceptions from the card associations if they decide to go this route, she said.
In merchant third-party losses, credit unions must report their fraud to Visa and MasterCard and specify that the transaction is related to "magnetic stripe fraud," not lost or stolen cards. "If the fraud is not reported properly, credit unions would miss out on the recovery," Davidson said.
Target's branded debit card, Target Red, is at low risk, because as a store-branded card, only the number of the card is contained on the magnetic security stripe. If someone duplicated that information, it would go through Target's processing system through the card association, not through the automated clearinghouse (ACH) network.
However, cautioned Davidson, branded cards can include the consumer's financial institution routing number and the checking account number, which means customers are at risk from debits from their checking account from these cards. "Credit unions need to stay on top of ACH reports and advise members to watch their statements for any [unauthorized] deductions from the checking accounts," Davidson told News Now.
Expect the compromised card information to also be used to buy up prepaid gift cards in bulk. "Prepaid gift cards will be a hot commodity," she said, noting that in New York, two million gift cards have already been purchased at Target stores.
Credit unions also can expect to see a spike in phishing attempts through texts, e-mails and phone calls as a result of the breach, and at least one credit union is worried about running out of plastic replacement cards, she added.
CUNA Mutual Group issued information to its bond policyholders indicating risk mitigation steps credit unions can take in response to the breach. They include:
  • Watch for phishing fraud. Educate members  not to respond to any e-mail, text message or phone calls asking for any card information including account number or PIN.
  • Report fraud.  Educate members to frequently review their activity and immediately report any unauthorized transactions.
  • Determine fraud exposure. Evaluate the card number compromise information to determine if your credit union has an increased exposure for future magnetic stripe fraud.
  • Match names for Track 1. Confirm your credit union is using name matching to help prevent future card fraud where the fraudsters could change cardholder names on Track 1, which carries the cardholder's name.
  • Alert credit bureaus. Since Track 1 carries the cardholder name, the cardholder may want to place an initial fraud alert with the credit bureaus to prevent identity fraud.
  • Review the card associations' alerts: Visa CAMs (which was to be released last week but had not been as of press time) and MasterCard's alert ADC1904.
  • Review open accounts. Determine which cards contained in the alerts are still active (open).
  • Move up card expiration dates. Accelerate the card expiration date on active cards contained in the alert if the card number will expire in the next 30 to 180 days. Credit unions could reissue these cards now.
  • Review other accounts. Determine which cards contained in the alerts have been closed due to fraud as a result of the Target breach.
  • Work with card processor/fraud monitoring system vendor to create rules and strategies to help prevent future fraud on the compromised card accounts.
  • Monitor your daily card fraud to identify any changes in fraud patterns that may be the result of the Target breach.
  • Recovery action. Confirm the card association's available dispute action on the compromised cards, as well as any timeframes.
  • Ongoing monitoring. Continue to watch for any follow-up information tied to this breach and if additional action is needed.
  • Review accounts involved in the breach. Determine which cards on the card association alerts are still active (open).
  • Review other accounts. Find out which cards on the alerts are non-active and have been closed due to fraud. Identify if the fraud pattern on the closed accounts matches the fraud pattern described in the card association's alerts.
  • Monitor or block and reissue.  Assess compromised cards to determine whether to monitor the affected cards or block and reissue the card.  If opting to monitor, contact the card association (Visa or MasterCard) to determine if the credit union's action will impact future recovery efforts.  Reissued cards will be encoded with new track information, which includes the new CVV/CVC values and card expiration dates.
  • Fraud reporting. Confirm all fraud associated with this event has been reported to the card associations and to CUNA Mutual Group. Use: Visa Fraud Reporting System (TC-40), MasterCard Safe System, or Plastic Card Customer Care Center.
CUNA, CUNA Mutual Group and the groups they are working with will continue to monitor the situation. CUNA Mutual Group said it would notify credit unions of any new information that becomes available.

CU System Briefs(4)

 Permanent link
  • RALEIGH, N.C. (12/23/13)--The North Carolina Credit Union League is teaming up with the North Carolina Association of Electric Cooperatives in January to hold an educational seminar for political candidates.  It is part of the Credit Union National Association's campaign school program established in 2001. The North Carolina cooperative groups say they are offering the non-partisan "Campaign Academy" to potential candidates who want to learn about effective strategy. Topics discussed by the academy include fundraising, campaign finance laws, communications, cost and grassroots campaigning. The courses are scheduled to be held in Rocky Mount on Jan. 28, Fayetteville on Jan. 29 and Hickory on Jan. 30.  CUNA has said a main goal of the campaign schools is to give first-time candidates an overview of how to put together an effective campaign and ultimately to send a message to the candidates that credit unions are sophisticated when it comes to politics and elections ...
  • SEATTLE (12/23/13)--Verity CU announced last week that it has hired Mollye Taylor to be its new "Verity Mom" blogger. Taylor was picked for the job after an application process that required videos, blog posts, interviews and two rounds of online voting. Thirty-five women applied. Taylor has been given a $20,000 one-year contract for the part-time job, a MacBook Pro laptop, an iPod Touch and a video camera to reach out to other local mothers. She has been blogging at, a website launched in 2009, and took over from incumbent Verity Mom, Danielle Gahl, in November. Verity CU is based in Seattle, Wash., and has over $365 million in assets ...
  • ARLINGTON, Texas (12/23/13)--A man who allegedly robbed Educational Employees CU was given a taste of his own medicine just minutes later, according to police. Larry Poulos of Arlington, Texas, reportedly handed a teller a deposit slip with "bomb" written on the back. After he allegedly stole $5,000 in cash and fled to his apartment, Poulos' neighbors claimed they saw two large men walk into his dwelling and leave with the money. When police arrived on the scene, they said Poulos was wearing the same shirt seen on Education Employees' surveillance videos and noted that he was bleeding from the head. Poulos and his roommate told law enforcement that Poulos had been robbed (Huffington Post Dec. 19). The roommate also reportedly told the police that Poulos had detailed his plans to rob a bank a few days earlier. Poulos has been charged by federal prosecutors with robbery. The men who allegedly victimized him have not been caught. Poulos' roommate was detained because of an outstanding unrelated warrant for his arrest. Educational Employees CU is based in Fort Worth, Texas, and has about $1.46 billion in assets ...

Carolinas League Reveals New Logo, Finalizes Website Rollout

 Permanent link
COLUMBIA, S.C., and RALEIGH, N.C. (12/23/13)--The door opened another crack to give the credit union system a peek at the new look for the Carolinas Credit Union League (CCUL) when the logo for the merged league was released last week.
The logo--a carrick bend knot in two shades of blue representing the two leagues--stands for cohesion, expertise and strength, said Brandon Pugh, who currently is vice president of public relations and communications for the South Carolina Credit Union League.
CCUL is new trade association for North Carolina and South Carolina credit unions. Its new website,, will launch Jan. 1 (The Weekly Conversation Dec. 20).
The teaser video highlights the league's vision of being: dedicated to credit union success, credit unions' strongest advocate, a voice for many and a resource for all.
The website will have a community section in which credit union staff can engage peers and exchange support among groups by chapter, expertise or credit union asset size.
"We heard clearly that credit unions want their league to be a unifying influence and a champion of cooperation, and the community section will empower them to connect and collaborate," said Pugh.

Advice for CEO Evaluation in Latest Directors Newsletter

 Permanent link
MADISON, Wis. (12/23/14)--A credit union's board of directors must ask the CEO certain questions to evaluate whether the CEO is a well-rounded leader, a leadership consultant told the Credit Union National Association's Credit Union Directors Newsletter.
In the newsletter's December issue, Jeff Rendel, president of Rising Above Enterprises, suggested that boards pose two questions to their CEO:
  • What criteria would you use to assess a peer?
  • What standards would you want another CEO to use during your assessment?
Well-rounded CEOs possess different strengths, said Rendel. They hail from diverse credit unions with a range of asset sizes but gravitate toward similar measures to gauge effectiveness. Their thoughts can be boiled down into six components, with the understanding that leadership binds them together.
Consider adding these features to your credit union's models for evaluating, developing, and rewarding your CEO:
  • Focus on the future. How is the CEO deliberately positioning the credit union for the future? What strategies has the CEO developed and implemented? What patterns does the CEO notice in the broader environment, and how does the leader act on this to steer the credit union? Where does the CEO add innovative products, services, and processes?
  • Stay connected to members. How does the CEO remain connected with the members? How does the credit union stack up against the competition? What benchmarks disclose its status? How loyal are the credit union's members? What lifetime value can it expect from its members? Is the credit union growing in revenue, profits and loyalty?
  • Keep a steady focus on people. What leadership pipeline and development system does the EO have in place? How are employees engaged and growing in their jobs and career ambitions? How efficient is the credit union in using employees' talents where they best fit?
  • Achieve and sustain business results. Which financial metrics offer evidence of success? Revenue growth? Profit margins? Asset quality? Capital ratios? Efficiency ratios? All of the above? Does the CEO report on and achieve the metrics of success established by the board?
  • Develop community leadership. What does the CEO do to support the communities the credit union services? How involved is the CEO in the community? How involved are employees in the community? Does the CEO have a leadership role in professional associations? How involved is the CEO in industry advocacy efforts?
  • Lead your own life, too. How often can your CEO really get away? Has the CEO developed a solid leadership team to take the reins while absent? How is the CEO's overall health as it affects leadership of the credit union?
For more information, use the links.

'People Helping People' Have Holiday Cheer, CU Style

 Permanent link
MADISON, Wis. (12/23/13)--Credit unions' spirit of "people helping people" is a constant throughout the year.
Click for slide show U.S. Air Force troops deployed in Afghanistan will receive holiday cards thanks to Arrowhead CU. One employee--Jason Swolgaard--took the call to action to heart. He, his wife Giulia, and daughters Amelia, Caitlin and Alyssa came together with Giulia's first-grade students and family members to create 123 cards. The San Bernardino, Calif.-based credit union sent more than 300 cards to service members. (Arrowhead CU Photo)
Sometimes, it is under bleak circumstances. In 2013, they helped their staff, members and community through natural disasters: Devastating tornadoes in Oklahoma and Illinois; floods in Colorado; and wildfires in Arizona and California. Budget struggles at the federal level resulted in sequestration being implemented and a government shutdown, prompting credit unions to employ programs to ease members' financial stress.
Around the holidays, though, that strong spirit is particularly bright. Creativity abounds to help those in need--ugly-sweater fundraisers were particularly popular this year.

Barrels and boxes were filled with thousands of toys and food items. Cash donations numbered in the thousands as well. Visits from Santa warmed hundreds of hearts.

From toys in a box to warm, fuzzy socks, credit unions brought cheer and fun to their communities.  The slideshow is a very small representation of holiday cheer--credit union style.

CUs at Forefront in Advice to Consumers about Target Breach

 Permanent link
MADISON, Wis. (12/23/13)--Credit unions, while fielding questions from members, are at the forefront in providing reassurance, advice and information for consumers worried that their debit and credit cards were among the 40 million cards compromised by the huge Target stores data breach announced last week.
A number of media approached financial institutions for input on the incident and how they were helping members whose cards were compromised. Many reported comments, advice and actions taken by credit unions on behalf of members potentially affected by the breach. The fact that credit unions are often the only financial institutions interviewed for the stories that impact all financial institutions indicates credit unions have achieved increased visibility.
The breach's timing was bad, said Space Coast CU, based in Melbourne, Fla.  "The breach could not have come at a worse time, with the heightened holiday purchasing. SCCU will strive to minimize the inconvenience to impacted members, but the first priority is to protect the membership from fraud," the $3.13 billion asset credit union said in a statement Thursday ( Dec. 19).
In Dubuque, Iowa, $1.1 billion asset Dupaco Community CU urged consumers to check all their statements.  "It doesn't matter if they use the card once or 20 times," said Dupaco Senior Vice President of Marketing and Public Relations Dave Klavitter on (Dec. 20).  "Always check your financial statements. Check your online banking. Set up e-notifiers if you notice anything that is goofy."  The article also urged consumers to check the account every day because thieves will take days, weeks or months to commit fraud on all the information stolen.
Santa Rosa, Calif.-based Redwood CU assured consumers they would not be charged for any unauthorized transactions. Members should not panic at this point, said Robin McKenzie, spokesperson for the $2.2 billion asset Redwood. "It is important to stay calm and realize they are not responsible for any fraudulent activity. They are covered," McKenzie told The Press Democrat (Dec. 19). About 300 of Redwood's 230,000 members called and expressed concern but none reported losses. Redwood advised members whose cards were compromised to apply for new cards.
First Alliance CU, a $138 million asset credit union in Rochester, Minn., said Thursday it was expecting more than 1,000 members to be affected by the Target data breach.  At first, it was notified that 130 members' cards were compromised, but by 10 a.m. Thursday the count was up to 750 cardholders. As each hour passed, more were expected, CEO Kelly McDonough said ( Dec. 19). McDonough told the station the credit union would call each member on the compromised list and explain what the credit union would do.  Members don't have to worry or be uncertain about what's going to happen with their card, McDonough said.

In a later story in  the Minneapolis Star-Tribune, McDonough said it had identified 859 members who had shopped at Target and has been contacting them to order new cards. The new cards cost the credit union about $5 each and typically take five to seven days to arrive but because of the holidays could take up to 14 days.
First Alliance is "taking into account that it is Christmas" and is advising members not to panic. "We'll be in touch with you. In the meantime, we know that your credit card's on that list so we will be watching out for you." McDonough advised consumers to make sure their financial institutions have their contact information.
Several New Mexico credit unions reported to the Albuquerque Journal Business (Dec. 20) that they have begun canceling and issuing new debit and credit cards or were planning to do so. New Mexico Educators FCU, with $1.4 billion assets in Albuquerque, said it is issuing new cards and deactivating the old ones by Jan. 4.
East Idaho CU in Idaho Falls, Idaho, with assets of $269 million, canceled hundreds of debit cards after seeing bogus charges after the Target breach, CEO Brad Bauges told KIFI ( Dec. 20). Membership at the credit union totals 39,000. The credit union discovered so much fraud that it will issue new cards to all cardholders who shopped at Target during the breach window, Bauges said.
The $68 million asset Wichita Falls (Texas) Teachers CU identified 400 members affected by the breach. More than a dozen employees have been contacting the cardholders, said (Dec. 20). Jane Fitzgerald, CEO, told the publication that hackers might not use the information for six months, but credit union is disabling the cards anyway to keep thieves from using the information.
Knoxville (Tenn.) TVA CU, which has $1.19 billion in assets, said that members who shopped at Target should call the credit union so it can cancel the card and replace it for free. It did not want to take any risks that members would experience fraud ( Dec. 20). Also $211 million asset UT FCU, based in Knoxville, said it is closely monitoring  the situation and will send affected cardholders a letter.
Bethpage (N.Y.) FCU and Teachers FCU, Smithtown, N.Y.,  sent out alerts in the wake of the breach, saying they would contact members impacted, reported (Dec. 20).  Bethpage, with $5.5 billion in assets, noted in a local paper that if it suspected an account had been affected, it would contact those members and issue a new card. It is telling members that in the meantime, they can use their existing cards. The $4.9 billion asset Teachers FCU said it was analyzing cardholder transactions and would contact members if necessary.
See related News Now story, CUs Impacted in Target Breach Get Risk Mitigation Tips.

CUNA Closed for Christmas, News Now Returns on Thursday

 Permanent link
WASHINGTON and MADISON, Wis. (12/23/13)--The Washington, D.C., and Madison, Wis., offices of the Credit Union National Association will be closed Tuesday and Wednesday in celebration of the Christmas holiday.
News Now will not publish Tuesday or Wednesday, but will return to regular publication Thursday.