Skip to main content

Online Banking

Financial Safety

Brute Force Attacks

Recently, our debit cards have been subjected to brute force attacks. This issue is affecting multiple institutions. Security Savings Bank’s Fraud Detection Center is closely monitoring these attempts to prevent any fraudulent activity from occurring.

As a cautionary measure, we are restricting the affected debit cards, as well as the group of retailers from accepting our debit card until this situation is resolved. If your debit card has been restricted, please call us at 309-734-9333.

It is important to note that your account and personal information have not been compromised.

If you have any questions on brute force attacks, please read the FAQs below or call us at 309-734-9333 to speak with a savings counselor.



What is a brute force attack?

A brute-force attack is a trial-and-error method used by fraudsters to obtain payment card information such as an account number, card expiration date, PIN, or 3-digit security code on the back of the card (CVV).

How is it executed?

The fraudsters have found a partial number associated with Security Savings Bank’s debit card batch and they are using this partial number along with random numerical strings to guess at full card numbers, expiration dates, and 3-digit security codes on the back of the debit card (CVV). Once the fraudster has gained access to the information, they can use a merchant’s terminal or online system to perform computer-generated test transactions until the fraudster receives a valid authorization. These authorization requests can accumulate into the thousands in seconds.

Using this authorization information, the fraudster can then combine the valid card verification value, expiration date, and card numbers obtained via the brute force attack to perform fraudulent transactions. The fraudsters do not have the cardholder’s name, phone number, address, or PIN. They are simply trying to guess at card numbers and expiration dates to find a match.

Why am I getting a phone call about possible fraud?

Our fraud detection center sees the suspicious attempts, blocks the fraudulent transaction, and follows up with a call to the cardholder to be sure it is not a legitimate transaction. This means that our fraud detection center has done its job to prevent fraudulent activity from occurring. It is not likely the fraudsters will try again on that card once the transaction has been blocked. They will move on to guess other card numbers looking for a successful match.  Your information has not been compromised but if your card has been restricted, please call us at 309-734-9333.

Do I need to file a fraud report?

No, not unless fraud was posted to your account.  If all the attempts of fraud were blocked, no action is needed.

Is a brute force attack a card compromise?

No. The card numbers in the attacks were not obtained from a compromise. The fraudsters are simply guessing card numbers and the card expiration dates. If your card has been restricted, please call us at 309-734-9333.

What happens when there is a successful fraud transaction hit?

When the fraudsters get a successful hit on a debit card, they try to use that card information to make large internet purchases before the bank and the account owner notice the activity.  Thankfully, the Security Savings Bank Fraud Detection Center has been able to block many of the “successful hits” from performing any big dollar fraud resulting from these brute force attacks.



Our world is becoming more digital. It is important to be diligent to prevent fraud when using online services like our online or mobile banking, mobile app, and Zelle®. Keep these tips in mind to protect yourself from scammers.

  • Your financial institution will never call you to request information you received via text (SMS) or pressure you to reset your online banking password
      • Don’t trust caller ID; Caller ID may be modified to show your financial institution’s name
      • Don’t provide your online banking log in credentials, one-time password, account number or personal information by email or text or phone call. Using their published phone number, reach out to your financial institution to confirm that the request is legitimate
      • Don’t give information over the phone if you receive a call stating that a transaction is canceled, even if the caller claims to be from your financial institution. Once again, contact your financial institution using a published phone number to inquire about the transaction
      • Don’t click on links in unsolicited emails or texts 
      • Don’t give an unsolicited caller remote access to your computer


      Through your use of the Services, we may collect personal information from you in the following ways:

      (a) Personal Information You Provide to Us
      • We may collect personal information from you, such as your first and last name, address, email, telephone number, and social security number when you create an account.
      • We will collect the financial and transaction information necessary to provide you with the Services, including account numbers, payment card expiration date, payment card identification, verification numbers, and transaction and payment history.

      • If you provide feedback or contact us via email, we will collect your name and email address, as well as any other content included in the email, in order to send you a reply.

      • We also collect other types of personal information that you provide voluntarily, such as any information requested by us if you contact us via email regarding support for the Services.

      (b) Personal Information Collected from Third Parties—We may collect certain information from identity verification services and consumer reporting agencies, including credit bureaus, in order to provide some of our Services.
      (c) Personal Information Collected Via Technology—We and our service providers may automatically log information about you, your computer or mobile device, and your interaction over time with our Services, our communications, and other online services, such as:
      • Device data, such as your computer or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type, IP address, unique identifiers, language settings, mobile device carrier, radio/network information, and general location information such as city, state, or geographic area.
      • Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times, and duration of access.
      • Cookies, which are text files that websites store on a visitor’s device to uniquely identify the visitor’s browser or to store information or settings in the browser for the purpose of helping you navigate between pages efficiently, remembering your preferences, enabling functionality, and helping us understand user activity and patterns.
      • Local storage technologies, like HTML5 and Flash, that provide cookie-equivalent functionality but can store larger amounts of data, including on your device outside of your browser in connection with specific applications.
      • Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked.
      • Location Information. If you have enabled location services on your phone and agree to the collection of your location when prompted by the Services, we will collect your location information when you use the Services; for example, to provide our fraud detection services. If you do not want us to collect this information, you may decline the collection of your location when prompted or adjust the location services settings on your device.


      Online Banking, Data Security & You