Account takeovers stemming from credit card management systems

Credit unions utilizing credit card management systems offered by card processors have recently reported fraud due to account takeovers, according to a new risk alert from CUNA Mutual Group.

Credit card management systems allow members to view balances and recent transactions, sign up for and access e-statements and make payments 24/7. Fraudsters, however, are enrolling compromised cards in this service by exploiting weak authentication measures. Once logged in to the credit card management system without authorization, they:

  • create profiles for cardholders;
  • change cardholders’ phone numbers;
  • change cardholders’ email addresses to the fraudsters’ email;
  • make fraudulent payments via ACH to free up credit limit; and/or
  • initiate a card transaction so that the fraud alert is sent to the updated mobile phone number on file, then confirm the fraudulent transaction as a valid cardholder transaction.

Transactions that involve the purchase of cryptocurrency are a key indicator of fraud, the alert stated.

Credit unions using a card processor’s credit card management system for members to manage their cards should consider the following risk mitigation tips, according to the alert:

  • avoid placing the link to the card processor’s credit card management system on your public-facing website; instead, place the link within online banking;
  • if cardholders are able to change their contact information through the system, card services staff should review file maintenance reports provided by your credit card processor for changes to cardholder information on file, such as changes to phone numbers and email addresses;
  • work with your card processor to evaluate the authentication measures for members who enroll for this service and demand a strong authentication method to mitigate account takeover risk;
  • inform members to never provide personal information in response to a text message or phone call purportedly from the credit union; and
  • advise members that no credit union employee would ever ask for personal information, such as account numbers, usernames, passwords and passcodes.
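
One way to automate the file maintenance review from the tips above is to correlate contact-information changes with the follow-on activity the alert describes. This is an added example, not code from CUNA Mutual Group or any card processor; the record layouts, field names, the `crypto_exchange` category label and the 72-hour window are assumptions, and the sample rows are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample rows. A real processor's file maintenance and
# transaction reports will use different layouts and field names.
MAINTENANCE = [  # (timestamp, card reference, field changed)
    ("2024-03-01T09:12", "CARD-A", "phone"),
    ("2024-03-01T09:14", "CARD-A", "email"),
    ("2024-03-02T15:30", "CARD-B", "email"),
]
ACTIVITY = [  # (timestamp, card reference, kind, merchant category)
    ("2024-03-01T10:05", "CARD-A", "ach_payment", ""),
    ("2024-03-01T11:40", "CARD-A", "purchase", "crypto_exchange"),
    ("2024-03-05T08:00", "CARD-B", "purchase", "grocery"),
    ("2024-03-01T12:00", "CARD-C", "purchase", "crypto_exchange"),
]
WINDOW = timedelta(hours=72)  # assumed review window after a contact change


def flag_takeover_candidates(maintenance, activity, window=WINDOW):
    """Return {card: sorted reasons} for cards whose phone or email changed
    and were followed, within the window, by an ACH payment or a
    cryptocurrency purchase."""
    changes = {}
    for ts, card, field in maintenance:
        if field in ("phone", "email"):
            changes.setdefault(card, []).append((datetime.fromisoformat(ts), field))

    findings = {}
    for ts, card, kind, category in activity:
        when = datetime.fromisoformat(ts)
        for changed_at, field in changes.get(card, []):
            if not timedelta(0) <= when - changed_at <= window:
                continue  # activity before the change or outside the window
            if kind == "ach_payment":
                reason = f"ACH payment after {field} change"
            elif kind == "purchase" and category == "crypto_exchange":
                reason = f"cryptocurrency purchase after {field} change"
            else:
                continue  # ordinary activity is not flagged
            findings.setdefault(card, set()).add(reason)
    return {card: sorted(reasons) for card, reasons in findings.items()}


if __name__ == "__main__":
    for card, reasons in flag_takeover_candidates(MAINTENANCE, ACTIVITY).items():
        print(card, "->", "; ".join(reasons))
```

Flagged cards are candidates for manual review by card services staff, not confirmed fraud; a member who updates a phone number and then makes a payment will also match.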

CUNA Mutual Group’s risk alerts, in addition to additional risk-prevention resources, may be accessed on its Protection Resource Center. Log-in is required.
