Wise County residents may have lost thousands of dollars in an apparent credit card scam that came to light this week.
It’s too early to pinpoint how many people had money electronically lifted from their bank accounts, but local and federal law enforcement officials are working to track down the culprit who apparently hacked into a credit card servicing company used by Taco Casa in Decatur.
As people began getting charged for purchases they didn’t make – all over the U.S. and even abroad – the reports started coming in.
On Wednesday, Decatur Police Chief Rex Hoskins talked to a woman who said her 3-year-old son’s savings account was used to buy groceries in Memphis, Tenn.
By Thursday, a Wise County sheriff’s deputy had seen his account charged for a purchase in Jamaica, a police officer’s card number was being used in Las Vegas, and Sheriff David Walker had been hit with a $42 charge from an outfit called “Beach Body” in California.
Several courthouse employees reported their accounts had been hit, and there were unconfirmed reports of losses as high as $23,000 in Montague County.
Walker said right now his officers are just taking reports from everyone who calls in. The Decatur PD is doing the same.
“It seems like the common denominator is Taco Casa,” Walker said.
He predicted “just about every bank in the county” would end up being affected and estimated as many as 600 to 700 people had either lost money or had their credit or debit card compromised.
Hoskins said he’d heard one bank had 375 customers whose accounts had been hit.
North Texas Bank President Andrew Rottner believes the actual number will be be much lower.
“We need to distinguish between potentially compromised cards and confirmed cases of fraud,” Rottner said Friday afternoon.
He said his bank had already “hot-carded” and reissued cards to all their customers who used them at Taco Casa during the period in question. He declined to release the actual number but indicated it’s much lower than what’s being reported.
Sorting it all out will undoubtedly take some time. While investigators work to unravel the mystery, Walker and Hoskins urged everyone to check their accounts and report any suspicious charges to their bank.
FEDERAL AGENCIES CONSULTED
Walker said he had been on the phone much of the morning Friday with experts from the FBI and the Secret Service.
“They don’t think it’s local,” he said. “If it had been somebody local, they would probably have gotten one, two or three cards.
“What we’re seeing is that within eight hours of eating at Taco Casa, their card number was being used by someone else in the United States or overseas. The Secret Service is under the assumption that somebody was able to break the firewall of the company that provides the credit card machines to Taco Casa.
“They’ve seen that before, in cases where a third-party company takes care of the credit card charges.”
He said it looks like the culprit got into the system the same way the company’s own IT people do, when they log in to fix problems that occur while they’re not in the office.
“Someone figured their password out, grabbed all the credit card numbers they could get, then turned around and sold them on the Internet,” he said. “These people will buy credit card numbers off the Internet and make themselves a debit card. Sometimes they’ll use six or seven cards before they get one to work.”
Rottner said banks are constantly on the alert for fraud activity, which they monitor daily.
“Our systems are pretty sophisticated to detect this,” he said. “We started sourcing this, and it led back to the merchant. We called our customer on Thursday morning and asked if he was aware of what’s going on. His back-end processor immediately moved him over to a dial-up system to get him off the web base.”
He said the hacking likely occurred in the restaurant’s point-of-sale system, which transmits credit card information via the Internet when customers swipe their cards.
Walker commended the merchant for responding quickly once he was advised of the problem.
“He was very quick in getting their credit card machine shut off, to stop the bleeding,” Walker said.
Hoskins said he and Walker, along with key investigators, will get together early next week to compare notes on what they’ve found. The FBI and Secret Service will be invited to that meeting.
Walker urged merchants to be wary of customers who come in with multiple cards and, when one gets rejected, just pulls out another.
“It’s been quite the nightmare for citizens,” he said. “Everybody should check their account. It’s a good reminder.”