IN BRIEF | YS Credit Union suffers massive fraud attack
- Published: September 21, 2022
Ed. Note: The following article, excerpted here, will appear in full in the Thursday, Sept. 22, print edition of the Yellow Springs News. The full, in-depth version will appear online next week.
The Yellow Springs Federal Credit Union recently became one of many targets of a widespread debit card-based fraud attack.
Of the local credit union’s 2,000 person membership, 161 card-holding members were affected by the attack as of Monday, Sept. 19.
YSCU CEO Sandy Hollenberg told the News in an interview earlier this week that the attempted fraudulent transactions made on member debit cards totaled over $35,400 as of Sept. 19.
Hollenberg said the credit union was able to prevent nearly 70% of those fraud attempts, with over $10,000 posted to member checking accounts. Debit card charges ranged from a couple dollars to several thousand dollars.
According to Hollenberg, she and the five-person staff at the credit union have spent the last three weeks ensuring that all members affected do not suffer any financial loss to their checking accounts. Compromised cards have been closed, and replacements have been issued.
“Every dollar of fraud has already been posted to member accounts or is in the process of being credited,” Hollenberg said. “No member involved in this situation will have a single outstanding penny.”
Hollenberg said the attack, which began slowly and incrementally at the beginning of September, did not target members’ saving accounts or any personal information such as names, social security accounts or addresses.
“This was not a case of identity theft,” Hollenberg said. “No member data has been stolen by these fraudsters.”
Hollenberg identified this spate of fraud as a “brute-force attack” coming from an external source.
This type of fraud involves algorithmically generating debit card numbers en masse and attempting to make small online purchases until a transaction goes through. Once the fraudsters snag a match to the randomly guessed debit card number, fraudsters will then begin making larger purchases until noticed.
This wave of attacks not only affected the Yellow Springs Credit Union, but also financial institutions across the country and internationally, though Hollenbeg said the exact number of institutions impacted remains unclear.
“This is not specific to us,” Hollenberg said. “All the appropriate blocks are in place. It’s no fault of our systems, our employees, our board of directors or our vendors.”
She said the fraud investigation department in the credit union’s external processing company, which Hollenberg declined to name for liability reasons, identified Russia as the likely source for this attack. Having made this determination by tracing IP addresses and observing patterns among the fraudulent transactions, the credit union’s processing company has put a temporary block on all YSCU debit card transactions made in and coming from Russia. The duration of this block remains uncertain.
Hollenberg added that the fraudsters could potentially hail from other countries, and that additional countrywide blocks may be added as more information becomes available from the ongoing investigations.
The credit union can be reached by email at firstname.lastname@example.org, or at 937-767-7377. It is open 9 a.m.–5 p.m. Monday–Friday, and 9 a.m.–noon Saturday.
No comments yet for this article.