Fifth Third Bancorp Thursday confirmed that it is reissuing debit cards to a "limited number" of customers in Michigan because of fraud concerns. Letters to the affected customers started going out on Tuesday.
A spokeswoman for the bank said the move was precautionary, not a response to any actual cases of fraud.
"We were notified by MasterCard of a number of cards being potentially compromised" by a security breach at a retailer, said Stephanie Honan, a spokeswoman for the Cincinnati-based bank, which manages over $105 billion in assets. "We put those cards through our monitoring system, and we felt that we should reissue them. We were not forced to reissue them" because of any actual fraud, she said.
Honan refused to disclose how many cards were being blocked and reissued, though a local media report pegged the number in the "thousands."
As is usually the case, MasterCard Inc. did not disclose the name or the location of the retailer where the breach occurred, so it is not possible to confirm whether the compromise was related to the Wesco breach, Honan said. "The timing may make it seem that way, but we were not told," she said.
A spokesman for MasterCard confirmed that the company is investigating a potential security breach involving a Michigan retailer. MasterCard has notified the affected banks to watch for any suspicious account activity "and to take the necessary steps to protect cardholders," the spokesman said in an e-mailed statement.
"MasterCard is concerned whenever cardholders are inconvenienced, and we will continue to monitor this event," the statement said.
Fifth Third is among several banks and credit unions in the Muskegon area that have been forced to block and reissue credit and debit cards because of fraud concerns that appear to be related to a breach at Wesco that occurred between July 25 and Sept. 7. A statement posted on Wesco's Web site said the company is investigating the possibility of credit card fraud associated with card use at its stores. Both the U.S. Secret Service and the U.S. attorney's office are investigating the breach, Wesco said.
Wesco itself has not offered any explanations as to how the breach may have occurred. But very often such data compromises involve security breaches at point-of-sale (POS) systems, said Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc.
"Four out of five data breaches are happening at the point-of-sale system," Litan said. Especially vulnerable to such breaches are systems at convenience and grocery stores, as well as gas stations, she said.
Much of the exposure is the result of the continuing trend by merchants to unhook their POS terminals from dial-up networks and connect them to IP-based networks, Litan said. Such systems often store magnetic stripe data from credit and debit cards and are deployed with default passwords that are easily hackable, she said.
The Payment Card Industry (PCI) data security standard from credit card companies such as Visa International and MasterCard explicitly prohibit the storing of such information on POS systems. Even so, a large number of retailers still do so. And many POS software products even today store such data by default, she said.
"Crooks figure out which brands are storing magnetic stripe data and determine which companies to target simply by looking at the list of customers on the terminal manufacturer's Web site," she said.