A Review of a Recent Debit Card Attack

Fraud is a constant battle. We recently encountered a new type of debit card attack and here’s what we did about it.
SC Blog Fraud

Fraud is a constant battle. Unfortunately, the pandemic has only increased the amount and ways in which fraudsters are attempting to take advantage of people. The Federal Trade Commission has published several reports of new types and changes in the area of fraud in 2020 alone.

We’re always working to protect you. Simple has dedicated teams to identify, reduce and mitigate fraud, and sophisticated and ever evolving processes and technology working to respond and defend you in the battle to fight fraud.

We recently saw an increase in a different type of irregular activity that affected some of our customers. This is a recap of what happened and what we did about it. We’ve also included some things you can do to be alert and protect yourself against this or other types of fraudulent behaviour.

What happened with debit cards?

Over the Labor Day weekend, we began to see a significant rise in the number of our customers’ debit card transactions being declined and an increase in customers reaching out to us, inquiring about notifications they were receiving.

We immediately began reviewing activity and identified an attack called a PAN enumeration attack. A PAN enumeration attack utilizes a PAN generator to guess card data by leveraging certain merchants’ flawed processes and automated systems to quickly test many potential card numbers in hopes that some will succeed. Basically, they’re throwing everything at the wall and seeing what sticks.

This generated a lot of declines. These declines DID NOT necessarily mean the customer’s card number had been guessed or obtained. But, it did create a lot of questions when customers began seeing these notifications, increasing our call volumes–and in turn wait times–to unacceptable levels.

While it is always bad to be targeted by a fraudster, this was an excellent example of how tools–such as the ability to block and unblock your debit card quickly through the app, or setting up little nudges, like push notifications–help you know the moment purchases or declines happen and put you in control of your card and money.

Here’s what we did about it.

We had an anti-fraud team of engineers, information security and data analysts constantly monitoring and assessing the situation to anticipate the fraudulent behaviour and implement protections.

  • We quickly identified a small number of merchants being used for these attacks and prevented transactions through them.
  • We set rapid blocks for any card numbers guessed in the attack.
  • We automatically disputed the large majority of transactions–if our customers hadn’t yet filed a dispute–to make the experience as fast and painless as possible for the very small number of customers that actually had a fraudulent transaction go through. Fortunately we already have processes in place and the majority of the transactions were for amounts less than $5.
  • We worked closely with Visa, immediately notifying them of the unusual activity and merchants associated with it, to help them adapt their security measures and inform the merchants at which these attempts are originating, to help them better protect themselves and their customers.
  • To protect our customers’ accounts, we’ve been aggressive in our approach to identify these merchants. In doing so, a few legitimate transactions have been accidentally caught up in this. We apologize for the inconvenience and have already reached out to anyone that was impacted by this

What can you do to protect yourself?

We work diligently everyday to stay ahead of the ever changing business of fraud, and we won’t stop working hard to protect you, but, there are some things you can do to better protect yourself.

  • Closely monitor any bank accounts you have. Our app makes it easy to do this for your Simple accounts.
  • Use strong and unique passwords.
  • Don’t give out your personal information over the phone, unless you initiated the call.
  • Be careful when using social media and email, and keep private things private.

Here are a few more things you can do specifically to protect your debit card and respond if a fraudulent transaction appears on your account.

Activate push notifications. Simple automatically sends nudges for things like transactions and deposits. You can customize these to meet your needs.

If you see transactions that you don’t remember or if you misplaced your debit card, block it. You can do that yourself in 10 seconds directly from your app.

If you see a transaction that you don’t recognize, you can dispute it directly in the app, no need to call. Just dispute a transaction in 5 clicks and 15 seconds and reorder a new card in 3 clicks and 10 seconds more.

Simple’s technology and the people that support it are strongly dedicated to protecting you and your money. By holding an account with us, you’re entrusting us with the security of your information; we take that responsibility seriously. We do a lot of work behind the scenes to keep your information safe. Check out our Security policy for more details on this work.

Disclaimer: Hey! Welcome to our disclaimer. Here’s what you need to know to safely consume this blog post: We do our best to make sure information is accurate as of the date of publication, but things do change quickly sometimes. Any outbound links in this post will take you away from Simple.com, to external sites in the wilds of the internet; neither Simple nor our partner bank, BBVA USA, endorse any linked-to websites; and we didn’t pay/barter with/bribe anyone to appear in this post. Individual situations will differ; consult your favorite finance, tax or legal professional for specific advice. And as much as we wish we could control the cost of things, any prices in this article are just estimates. Actual prices are up to retailers, manufacturers, and other people who’ve been granted magical powers over digits and dollar signs.