Fraudulent charges from Home Depot breach surface

With the massive security breach that Home Depot (HD) disclosed this month, the fallout continues to spread.

Banks are witnessing fraudulent transactions that are impacting customer accounts, with criminals siphoning money from bank accounts to pay for items ranging from groceries to electronics. One credit union in Colorado, the Air Academy Federal Credit Union, said it had blocked about $20,000 in potentially fraudulent activity tied to debit cards compromised in the Home Depot breach.

Coming on the heels of Target's (TGT) data breach, the hack at the giant home improvement retailer has the potential to amplify the damage, adding to customers' frustrations and mounting costs for banks and credit card issuers. Credit unions were socked with $28 million in costs for the Target breach, according to research from the National Association of Federal Credit Unions. The Home Depot attack could result in even greater damages.

"The Home Depot breach is bigger than the Target breach in terms of the number of cards impacted," Jillian Pevo, director of legislative affairs for the National Association of Federal Credit Unions, told CBS MoneyWatch.

So far, the Air Academy Federal Credit Union in Colorado Springs has seen "a lot more activity off this one than Target," chief financial officer Brad Barnes said. Many of the charges came from Indonesia and Canada, although some were made closer to home, in Denver. About 5,800 debit cards out of his credit union's 25,000 total debit cards were compromised by the breach, he added.

The giant home improvement retailer earlier this month confirmed that its payment systems were hacked starting in April, although it said there was no evidence that PIN numbers for debit cards were stolen. About 56 million cards may have been exposed in the breach, compared with 40 million cards at Target. A spokesman on Wednesday reaffirmed that the company has no indications that PIN numbers were compromised.

"It's important to note, as we've said all along, customers won't be liable for fraudulent charges, and we have no evidence that debit PIN numbers were compromised," Home Depot Stephen Holden wrote in an email.

Credit unions will make their customers whole if their accounts are victimized by card fraud, but the costs add up, Pevo noted. That includes the added employee hours required to handle calls from concerned banking customers, as well as card re-issuance. In the Target breach, each credit union faced costs of $43,000, the group found.

One woman from Kalama, Washington said her credit union alerted her that someone was trying to buy $300 in groceries in San Francisco with her card, according to The Wall Street Journal.

For consumers, the specter of drained bank accounts is frightening, but there are steps they should take to protect themselves, noted Yaron Samid, the chief executive at BillGuard, which offers an app to monitor financial accounts for suspicious activity.

It's also important to understand that there are differences in how banks and credit card issuers handle liability. With credit cards, consumers aren't liable for most fraudulent charges, with one caveat: if a victim doesn't report suspicious activity until after two days have passed, he's on the hook for a $50 liability. With debit cards, though, the situation is stickier. Customers are liable for up to $500 if two days have passed, and are responsible for all losses if more than 60 days have passed.

"You need to be especially vigilant now in checking your card statements carefully and regularly," Samid told CBS MoneyWatch. "Card holders are terrible with checking card statements. even if we spot it most of us won't take the time to call the bank."

But consumers can't be complacent now, he added. "In the wake of all these data breaches, you really need to be on the lookout for small charges, not just large ones," he said.

That's because fraudsters will often put micro-charges, as small as $1, to test whether a card is viable. If it passes that test, the crooks can then sell the card to other criminals.

That criminals are targeting debit cards and bank accounts "is a very troubling phenomenon," Samid noted. "The sheer size of the breach, over 56 million cards stolen, is a very rich dataset" that hackers can mine to find additional information, such as addresses, zip codes, and more.

With that information, "hackers can call the bank pretending to be you and change your PIN on your debit card so they can take ATM withdrawals," he said. "We are already seeing significant ATM fraud because of the sheer size of the breach."

Consumers should consider setting up alerts with their banks that will send them texts whenever an ATM withdrawal is made at their accounts, as well as alerts for micro charges and large charges. "Hopefully it won't be too annoying for you, but you should know anytime money is taken out," Samid said.