Debit card fraud that has affected customers at a number of credit unions in central Massachusetts is linked to transactions at office supply retailer OfficeMax, according to investigators.
Dozens of credit union members in the towns of Leominster and Fitchburg, Mass., have been defrauded of more than $45,000 in the last few weeks by criminals in the United States and abroad, according to law enforcement officials in those towns.
The fraudulent transactions involve cloned Visa debit cards and may be linked to the theft of blocks of PINs from OfficeMax or an intermediary processor, sources familiar with the case said.
In Leominster, police know of about 40 victims of incidents at a number of credit unions in the area, dating back to Feb. 28, said Detective Scott Wolfeasazder of the Leominster Police Department.
New victims are turning up every day, he said. “Just today I found out that City Employees Federal Credit Union had seven accounts accessed, with funds withdrawn from five of them,” he said, adding that Leominster Credit Union has had to close 500 debit accounts because of the fraud.
Most of the withdrawals are small, up to $500, and many were conducted in Barcelona, Spain, though ATMs in the United States and Canada have also been used. In total, the damages are upwards of $30,000, he said.
All the victims the police have reached at this point shopped at OfficeMax and used a Visa debit card, Wolfeasazder said. “Thats the common denominator on this end,” he said.
In neighboring Fitchburg, police know of dozens of residents who have had debit cards used fraudulently, with totals of around $17,000 in damages, said Sgt. Glen Fossa of the Fitchburg Police Department.
The transactions date back to mid-February and were linked to ATMs in Illinois, Turkey, Great Britain and Switzerland, he said.
The random nature of the fraud and its geographic distribution indicate that the stolen information is being fenced on the Internet, investigators say.
What Information Was Stolen
According to multiple sources, thieves may have made off with PIN blocks, or groups of encrypted debit card PIN information, as well as a key to decrypt the information.
That information is being used to format “white cards,” or blank magnetic stripe credit cards, according Fossa and Wolfeasazder.
For the card accounts stolen from Leominster and Fitchburgh credit union customers, the stolen information appears to be tested in California first, then used for fraudulent transactions all over the world, Detective Wolfeasazder said.
Law enforcement does not know if the PIN information was stolen from OfficeMax or a partner company, or whether it was taken in an electronic hack or leaked by an insider.
At least one source familiar with the investigation, who asked to remain anonymous because of the ongoing investigation, named OfficeMax as the source of the PIN block information.
However, OfficeMax, based in Itasca, Ill., maintains that its network has not been compromised, according to Bill Bonner, the companys spokesperson.
“We have no knowledge of a security breach at OfficeMax,” he said.
Criminals have turned to debit card accounts because they are less well-protected by anti-fraud technology than traditional credit card accounts, said Mike Urban, director of fraud technology operations at FairIsaac, a Minneapolis, Minn., company that monitors ATM and banking fraud.
FairIsaac is monitoring a number of ATM fraud incidents around the country and notifies card issuers when it identifies fraudulent activity on an account, Urban said. “We are seeing a significant increase in stolen PIN cards,” he said.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.