Evolve Bank and Trust confirms LockBit stole 7.6M people's data (theregister.com)
154 points by LinuxBender 6 months ago | 74 comments



Not saying that this breach is somehow connected, but all of my Wise cards (both physical and virtual) got charged ($10, $100, $500) at random locations of the globe in May & June and the method was manual entry. While some charges were declined initially because the expiry date was entered wrong on the first try (all of my cards coincidentally have an expiry date like 04/24 or similar) but cvv was always correct. To make matters worse, all these charges were manually entered somewhere and NO approval notification (the thing that I get when I make any online txn, regardless of amount) ever popped up. I only noticed the declined txns in the evening when I went to check my phone after work.

Wise sent me an email this month that there was a breach at Evolve but all ties were broken with them and no data was affected. But this random rise of fraud txns was saying otherwise. Also, thankfully, the txns were declined due to insufficient funds (I only use Wise while travelling and add funds before departure), which gets me extra worried that those might have gone through if I had funds even when all of those cards were frozen[1].

[1] This is my typical habit after getting one of my real credit cards with very high limits charged thousands of Euros while I was out sick in hospital for a month and then getting greeted by all these charges while I was barely able to sit still and still recovering. Thankfully, my credit card provider accepted my paperwork and removed (reversed?) those txns and immediately sent me a replacement card in a week and disabled my hacked card. Since then, I always keep my CC frozen and only use a proxy (Wise) when doing txns online with limited balance.


> cvv was always correct

How do you know this, does Wise provide auth response data? (Merchants are not required to respect the CVV check, so it's possible for txns to go through with a non-matching CVV response code.)

I'm also curious about the lack of notifications. That would seem to indicate a level of account control beyond the cardholder data. Unless they were failed due to NSF before the notification step.


> How do you know this, does Wise provide auth response data?

Usually, for each transaction, Wise gives a small type detail, such as

* manual entry: when I manually type in all details on a form

* saved-detail: when I preauthorized some vendor or processor to perform txn without further interactions (think quick checkout using paypal)

* apple/google pay: when card is preauthorized in such

* chip and pin: means I entered the card physically on a machine and entered PIN

* contactless: means an NFC tap pay directly

Usually, all manual entry raises a notification and all the fraud charges were manual entry minus the notifications (immensely unusual unless I used the card with that vendor before frequently) on very random places in a matter of days (one in California, followed by one in Tokyo). Then next time two in India followed by one in Vietnam. Then next week two in Malaysia followed by one in Bulgaria. And then several more.

While I freaked out because these vendors were entirely unknown to me and my cards were all frozen with no funds in balance, the lack of notification and the charges in a pattern (first $10, followed by $100 and then $500 or $250) were very odd.


Yep that's a classic fraud pattern. The issuing bank (Evolve?) should have flagged the card after the second or third txn attempt.

It sounds like multiple layers of risk controls failed here. I'm glad you didn't lose any funds, I'm sure others were not as fortunate/careful as you!


what is the point of the CVV if it is not mandatory?


In some cases a CVV can still result in a cheaper rate for the merchant on the transaction.

In other cases I've seen the lack of CVV entry result in my card provider triggering a curious 2fa-esque flow with my card provider (I can't remember the name for it) or in other cases, the card provider can just nope out. (Or trigger a fraud alert)


> a curious 2fa-esque flow with my card provider (I can't remember the name for it)

Probably 3-D Secure / Verified by Visa / etc.


Lower transaction rates as well as lower merchant and processor liability limits.


Same, just last week on my Wise account. "Manual entry". First a 0USD "card check" was triggered, couple hours later transactions started going through.

I noticed a couple days later by accident, randomly checking my balance in the app. I got no notifications from Wise app at any time.

Thing is, although I have a physical Wise card, it was never used anywhere since the account was opened, so I suspected something was way off. Can't be stolen credit card info from some random store online, or ATM skimming etc.

While I don't know what all the possible ways to pull this off are, had a feeling I'd be reading about it on HN soon. This breach, or some other breach, looks to me like someone has enough info to charge random Wise accounts.
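
Added example, not part of the thread and not any issuer's actual logic: a small rule-based scorer for the pattern reported in the comments above (manual entry at never-seen merchants, escalating amounts, country hops within a short time, attempts on a frozen card, and a $0 card check followed by real charges). The field names, weights, thresholds and sample transactions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All thresholds and weights below are assumptions chosen for illustration.
WINDOW = timedelta(days=7)        # look-back for the running score
HOP_GAP = timedelta(hours=24)     # two countries inside this gap is suspicious
FLAG_SCORE = 4                    # running score at which the card is flagged
WEIGHTS = {
    "attempt_on_frozen_card": 2,
    "manual_entry_new_merchant": 1,
    "escalating_amount": 2,
    "country_hop": 2,
    "charge_after_zero_check": 2,
}


@dataclass(frozen=True)
class Auth:
    ts: datetime
    amount: float        # USD
    entry_mode: str      # "manual", "saved", "wallet", "chip_pin", "contactless"
    merchant: str
    country: str
    card_frozen: bool = False


def signals(history, auth, known_merchants):
    """Name the fraud signals `auth` raises, given earlier attempts on the card."""
    found = set()
    if auth.card_frozen:
        found.add("attempt_on_frozen_card")
    if auth.entry_mode != "manual":
        return found
    if auth.merchant not in known_merchants:
        found.add("manual_entry_new_merchant")
    # Compare against the most recent manual-entry attempt inside the window.
    earlier = [h for h in history
               if h.entry_mode == "manual" and auth.ts - h.ts <= WINDOW]
    if not earlier:
        return found
    prev = earlier[-1]
    if prev.amount == 0 and auth.amount > 0:
        found.add("charge_after_zero_check")
    elif prev.amount > 0 and auth.amount >= 2 * prev.amount:
        found.add("escalating_amount")
    if prev.country != auth.country and auth.ts - prev.ts <= HOP_GAP:
        found.add("country_hop")
    return found


def evaluate(auths, known_merchants=frozenset()):
    """Return [(signals, running_score)] per attempt; auths must be time-ordered."""
    results, scored = [], []
    for auth in auths:
        found = signals([a for a, _ in scored], auth, known_merchants)
        scored.append((auth, sum(WEIGHTS[s] for s in found)))
        running = sum(s for a, s in scored if auth.ts - a.ts <= WINDOW)
        results.append((found, running))
    return results


def first_flag_index(auths, known_merchants=frozenset()):
    """Index of the first attempt at which the card should be flagged, or None."""
    for i, (_, running) in enumerate(evaluate(auths, known_merchants)):
        if running >= FLAG_SCORE:
            return i
    return None


# Constructed sample data (not real transactions).
T0 = datetime(2024, 6, 1, 9, 0)
FROZEN_ESCALATION = [
    Auth(T0, 10, "manual", "merchant-a", "US", card_frozen=True),
    Auth(T0 + timedelta(hours=9), 100, "manual", "merchant-b", "JP", card_frozen=True),
    Auth(T0 + timedelta(hours=20), 500, "manual", "merchant-c", "IN", card_frozen=True),
]
ZERO_CHECK = [
    Auth(T0, 0, "manual", "merchant-d", "US"),
    Auth(T0 + timedelta(hours=2), 250, "manual", "merchant-d", "US"),
]
LEGIT = [
    Auth(T0, 20, "saved", "shop-known", "DE"),
    Auth(T0 + timedelta(days=1), 5, "contactless", "cafe", "DE"),
    Auth(T0 + timedelta(days=2), 40, "manual", "new-shop", "DE"),
]

if __name__ == "__main__":
    for name, auths, known in [("frozen+escalating", FROZEN_ESCALATION, frozenset()),
                               ("zero check", ZERO_CHECK, frozenset()),
                               ("legit", LEGIT, frozenset({"shop-known"}))]:
        print(name, "-> flag at attempt index", first_flag_index(auths, known))
        for found, running in evaluate(auths, known):
            print("   ", running, sorted(found))
```

With these assumed weights both constructed fraud sequences are flagged on the second attempt, while the ordinary usage sequence never reaches the threshold.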


I suspect that some more data has been breached than Wise wants to disclose, but the bad practices in industry do not surprise me. It could be that the card provider for Wise is at fault here and not Wise directly but the fact that charges still happen and get declined due to inadequate funds without notifications for approval (which always happens for me on manual entry unless I used a vendor several times for same amount) for very random never before used vendors around the globe in short time should definitely trigger some fraud alerts.

Edit: typo


Had same issue with Wise followed by same email about Evolve. I don't think Wise have discovered (or want to admit) the real scope of the issue.


Can someone explain why in the world Evolve has my data? (I use Mercury and Wise for my company). I tried going to their website and I'm still completely clueless.

Edit: Apparently Mercury was using Evolve as their banking partner. I know this is super common w/ online neobanks, but I'm really confused as to why they always choose the most random obscure bank. Why not partner with a major bank, or Column?


An act of Congress (I believe it was Dodd-Frank) capped debit card fees at a very low amount (fractions of a percent). An exception was left in for small banks to continue to charge credit-card-like rates for debit cards, around 2%.

Since then, every fintech has had essentially the same business model:

- Come up with some kind of "innovative" thing to sell consumers on that results in them generating debit card transactions. (Online bank account, instant international money transfer, loan, etc.) - the trick is that to get the money, you swipe that debit card.

- Partner with some small bank so that they are the one providing the debit card. The law essentially has a loophole in it allowing this.

- The fintech company sets up essentially everything, where all the small bank does is have automated accounts created for cardholders when the fintech's software says so. No money is kept in the customer account until the moment of that debit card swipe - then it is instantly transferred in and instantly transferred back out for the payment.

- This requires reserves, but the fintechs and small banks collaborate on how to get good interest on the reserves involved.

There are now fintechs which offer "fintech as a service" which will set all of this up for a tiny bank who can then offer this to any other fintech with almost no involvement from the tiny bank. All they have to do is sign a few papers.

The definition of a big or small bank is based on the amount on deposit, so they are careful to not actually have any money on deposit.

Congress needs to correct this abuse, immediately, and only allow the larger debit card fees for traditional checking accounts held by consumers where the money involved is held on deposit at that bank.

Edit: one of the major problems here is that small banks are often not staffed for adequate cybersecurity for global operations like these; they do just fine doing hometown community banking, but are very vulnerable to being cracked like this. Yet another reason small banks that are providing big-bank services should be regulated like big banks.


There are plenty of reasons to partner with a bank as a fintech other than to drive debit card revenue.

1. There are lots of regulations that say only banks can do certain actions, like lend in all 50 states under the rules of a single state. Or open a FDIC insured checking account. Or have a unique account+routing number for each user to send ACH funds to (various reasons this could be preferred to everyone ACH to one single global account). These are valuable services without any debit card issued by the fintech.

2. It is basically impossible to become a bank. The government only approves a handful a year. Square (block) actually got approval recently but it is very difficult to do.

The result of (1) + (2) is that if your company needs any banking products at all you need to partner with a bank because there is just no reasonable way to legally build that functionality yourself.


(1) is absolutely true.

(2) - well, it isn’t that hard to become a bank, but it is hard to become a bank when your business plan is “we want to operate well outside of established regulation and norms”. (Starting a state chartered bank is particularly straightforward.)

There are many small banks that would like to be acquired and they are generally profitable. A VC-funded fintech would not have a terribly difficult time acquiring a bank, particularly one that wants to offer BaaS, like Synapse did.


Sure - but that is buying a bank not forming a new bank. I do agree that in practice this is how well funded companies become banks.


Currently working at a state chartered credit union. Although it is "easy" to start one, most states' regulations are very strict and lag significantly behind federal ones. Hell, where I work we aren't even allowed to serve businesses, loans, deposits, or otherwise.


> state chartered credit union

Also not a viable option for a Fintech which aspires to having customers in all 56 US states and territories.

You really need a national bank for a sponsor, and Evolve was the most startup-friendly, for many years.


My last job's [1] basic premise was trying to get around this by using their VC money to simply buy a struggling-but-still-FDIC-approved bank, and then try and make a fintech on top of that. It seems like that skirted a lot of the issues that most fintechs have to deal with.

[1] It is not hard to find my work history but I politely ask you do not post it here.


3. Smaller banks might be worse at preventing you from breaking the law.

(This data dump exposes lots of customers that should have triggered KYC issues, like an American dog-walking startup remotely operated from Pakistan)


The key to keeping debit card fees down isn't to legislate a fee cap, it's to make payment rails more open and competitive.

Why are regulators still attacking stablecoins, for example, when they represent one type of innovation that could actually lower transaction costs? Creating a legislative framework that encourages innovation rather than stifles it would make a lot more sense than trying to micromanage fees.


https://news.ycombinator.com/item?id=36801491 ("HN: FedNow Is Live")

https://www.frbservices.org/financial-services/fednow/organi...

https://explore.fednow.org/explore-the-city?id=3&building=ne...

$25/month to plug into FedNow instant payment rails, 5 cents to move up to $100k in value (initial limit, max is $500k), 20 second settlement SLA.


Yep, FedNow is a good step in the right direction, but the list of banks that participate needs to grow substantially. Many small and mid-sized banks/FIs aren't having a great 2023/2024, so I wouldn't expect to hear much about them integrating with new payment rails until their fundamental economics improve a bit allowing the decision makers to loosen up the purse strings again.

source: have worked in the industry consulting and doing technical design and implementation


I've been amazed at the silence about it.

I work in a firm very closely associated with CC and ACH processors, and I feel like the only time FedNow ever came up was when I mentioned it.

The low cost of acceptance and fast response times would seem to appeal to any merchant who's already begrudgingly accepting ACH, even if it's not a direct replacement for card payments.


This technically exists but can you actually use it? It seems like there are no articles about it in the 2024 calendar year.

I remember reading a really nice screed from Walmart last year pushing the Fed to turn the screws on rent seekers, but without RFP and ubiquitous participation that isn't going to come about.

bit of a conspiracy here but IMO banks have been observing the fraud rates with zelle, venmo, etc and only tolerating it because an external party gets to be the bogeyman.


In cases of unauthorized Zelle payments, consumers have legal rights and protections under the Electronic Funds Transfer Act (also known as "Reg E”). This also applies to FedNow instant payments, which has fraud management services available and includes a closed loop reporting requirement.

You should expect to see instant payment functionality that runs on FedNow rails within banking apps in the next 6-12 months. I cannot share more detail publicly unfortunately, my apologies.

(contribute at a fintech, thoughts and opinions always my own)


One of the bigger product goals for Zelle, I thought (though perhaps not the most publicized), was "moving liability away from banks more to consumers" (not exclusively, but moreso), I thought? I believe there had even been leaked internal presentations on that liability reduction.


Most financial technologies take years if not decades to fully propagate through the system.

Contactless cards in the US for example, first rolled out in 2007.


> one of the major problems here is that small banks are often not staffed for adequate cybersecurity for global operations like these; they do just fine doing hometown community banking, but are very vulnerable to being cracked like this. Yet another reason small banks that are providing big-bank services should be regulated like big banks.

Exactly — people are responding to me with comments about how SVB failed, or how the Goldman partnership isn't going well, but like... looking at Evolve's website I know for a fact they aren't hiring solid SWEs for cybersecurity.

I understand nobody's perfect, but this is the "Nobody got fired for buying IBM" ideology at work. If you chose Goldman and they got hacked, sure, I'll say "well you couldn't have known" — but if you choose a random bank based in Memphis I've never heard of, I'll naturally be more like "wtf."


But Goldman won't take your call if you are sub $100MM in revenue (probably need way more than that). So you set up your partnership early in your company life, then if the relationship is working fine why would you pay hundreds of thousands or millions of dollars and rebuild your integrations just to have a larger bank partner that none of your users will ever know you are using?


Or in this case, a bank based in West Memphis, _Arkansas_ that you’ve never heard of.


That is one of the more clear (and opinionated, but IMO correct) summaries of how we got here that I've seen -- thank you!

Another aspect are all the cartel-like programs of banks overall (and the banking regulators) to keep even well-capitalized fintechs from offering these services directly. For e.g. Mercury they could probably be entirely fine without the high debit card fees.


This doesn't seem to describe either Wise (international transfers, not an account) or Mercury (business banking where you can get your money out in a bunch of ways that do not involve debit cards).


Now that rates are higher, another fintech “opportunity” is anything that lets you sit on a large amount of money for a few days and collect 5% on it.

Of course, some fintechs actually are providing a legitimate service. I’d like to see them partnering with a legitimate bank directly instead of using an intermediary like Synapse which just dumped all the money in one FBO account.


Fintechs partner with banks like Evolve to do the actual banking.

So when you open an account with Mercury, under the hood they’re opening a bank account with a bank and sending transactions through it.

There’s a lot of kyc/kyb regulation around financial services. Eg banks can’t provide services to certain people. So the underlying bank needs to know who you are.

> Why not partner with a major bank, or Column?

Column didn’t exist when Mercury was founded. And it’s not that easy to secure a banking partner. It's not like signing up for a free checking account.


> but I'm really confused as to why they always choose the most random obscure bank. Why not partner with a major bank.

Because major banks won't support startups looking to compete with them. Why would JPM, BoA, etc. service Mercury who is going after their SMB business banking vertical? Banking is a cartel in the US. The bank lobby makes it as hard as possible to compete with them.


> Banking is a cartel in the US

US has more banks than any other country by a factor of 10.

https://www.helgilibrary.com/charts/what-country-has-the-mos...

And #4 for branches per capita: https://www.theglobaleconomy.com/rankings/bank_branches/

7x as many branches per person as Canada

Sure, those data sources are a bit sus, but I'm sure they're relatively correct. And dunno how credit unions play into it.


You're right. For the argument for the other side, the top four largest banks—JPMorgan Chase, Bank of America, Citigroup, and Wells Fargo—collectively hold approximately 43% of all deposits in the United States, and in some ways they are self regulating or have a revolving door with their regulators. But we certainly have a lot of banks and anyone can buy a small one and give the banking business a shot.


After Wise moved away from Evolve to Community Federal Savings Bank, they gave me new account details that included an address in New York.

Looking that up on Google Maps and Street View, it appeared to be a small branch in Brooklyn, on a street that looked immediately familiar to me as the starting area in Grand Theft Auto IV.


Column does not offer many of the options that other bank providers do, is fairly expensive, and may not have been in existence when Mercury chose their vendor. Evolve is not a "random obscure bank" - it is a bank that pivoted to have a main business model of providing b2b platform banking instead of consumer banking.

The major banks don't get into this game because the regulations on banks get much stricter the larger you get. So the fintechs are incentivized to partner with "small" (this means sub $50 Billion in AUM) banks to deal with the minimum amount of necessary compliance (still a LOT of compliance working with small banks).


FYI Stripe (and many other fintechs) uses Evolve extensively for many of its products too, e.g. Stripe Treasury.

https://stripe.com/newsroom/news/treasury

> With Stripe Treasury, platforms can offer their users interest-earning accounts eligible for FDIC insurance in minutes, enabled by Evolve Bank & Trust.


Partnering with these sorts of companies and providing banking services/underwriting is a complex product line of its own. The major banks aren't necessarily in that market or open for partnerships. And being big doesn't mean they'd be better at it - Goldman's partnership with Apple is an example of the big bank not exactly getting it right. These are very complicated negotiated partnerships, not exactly plug and play lol.


Wise also previously used Evolve, so it's not exactly random. One imagines the fact that it's cheap explains why it was used by these services and at least partially why it got hit by ransomware.


> Why not partner with a major bank, or Column?

Yeah, why didn't Mercury partner with a well-established, vetted, and recognized bank like SVB?


Evolve is the bank that actually holds the assets for Synapse, the money-transfer company that shut down recently. That was on HN a few days ago.[1] Are these incidents related?

[1] https://news.ycombinator.com/item?id=40877346


The data breach did not cause the collapse of Synapse. Synapse has been a slow rolling collapse for the past 2ish years due to horrible management. Ultimately Synapse imploded when Mercury left Synapse as a BaaS provider to partner directly with Evolve BT. The Synapse collapse definitely put Evolve into the spotlight as someone with a ton of turmoil, lack of sufficient oversight and insufficient technological governance.

Evolve is an otherwise obscure bank chartered in Arkansas but headquartered in Tennessee (a little sketchy) that has over-leveraged itself. This is why it was hit with a Cease and Desist from the FDIC. The C&D also probably contributed to them becoming a target for LockBit.

Evolve is also the underlying bank for Stripe Treasury, although to my knowledge, there have been no new partnerships with them. I have heard the number 2 thrown around. Of note, Shopify is the main person for whom this was built and uses this.

Consequently if you have submitted KYC/KYB information for Shopify, Mercury, Yotta, Dave, any other past Synapse partners, or some Modern Treasury partners your data was breached. This seems to be the primary information shared along with account and routing numbers. This becomes problematic especially as part of the check involves external account and routing numbers along with SSN of any UBOs.

Fintechs do not partner with small banks because of debit card fees but because of Dodd Frank regulations (primarily).


Wow, Mercury’s account and routing numbers were all leaked, along with all KYC info? Is there a way to confirm that?

Their email made it sound much less serious.

(Apropos nothing, sorry about your motorcycle accident — I hope you’ve recovered well. Thank you for this comment; the severity of this breach wasn’t apparent till now.)


Is now afraid to get on my motorcycle today. If you linked an external account, then most likely. However, it is my understanding that Mercury had a very relaxed KYC and I would suppose their users are not impacted by external accounts. The more likely victim of external accounts are B2B participants of partners of Evolve. This would most likely be true for Shopify. FWIW, routing numbers are public. Other data included in the hack is Evolve's emails in the form of Outlook data files. Affirm is another definite impacted individual. VA loan data is probably also included in this hack.


Doubtful, if only because data breaches never(?) kill companies.

Thanks for pointing that article out. It made me reconsider whether it’s wise to keep money in Mercury.

EDIT: this rabbit hole goes deep. https://techcrunch.com/2024/05/16/a-us-trustee-wants-trouble... "San Francisco-based Synapse, which operated a platform enabling banks and fintech companies to develop financial services, was founded in 2014 by Bryan Keltner and Pathak. It was providing those types of services as an intermediary between banking partner Evolve Bank & Trust and business banking startup Mercury, among others."

Mercury is by far the best bank I’ve ever used. But they’re not actually a bank, just a partner to one, and the foundations seem shakier than they appeared.

I hadn’t really stopped to consider "what if Mercury goes out of business?" till now. Silicon Valley Bank seemed like a one-off disaster, but now I’m not so sure.

Is there any bank that isn’t awful? Even just reliable wire transfers was beyond the capabilities of US Bank, for example, and it was a business account.


The question is, if you have money stuck in Synapse, were records at Evolve that would help retrieve it compromised?

"The collapse of middleman Synapse has revealed fintech’s promise of safety as a mirage. More than 100,000 Americans with $265 million in deposits have been locked out of their accounts."[1]

Evolve has problems: Fed report on Evolve: "Examinations conducted in 2023 found that Evolve engaged in unsafe and unsound banking practices by failing to have in place an effective risk management framework for those partnerships. In addition, Evolve did not maintain an effective risk management program or controls sufficient to comply with anti-money laundering laws and laws protecting consumers."[2]

The combination of a collapse on the fintech side, bad risk management on the bank side, and a "hack" looks bad. It also raises the possibility that the "hack" might be an inside job to cover up theft. We've seen that happen in crypto land more than once.

[1] https://www.cnbc.com/2024/07/02/synapse-fintech-fdic-false-p...

[2] https://www.federalreserve.gov/newsevents/pressreleases/enfo...


Mercury itself is not FDIC insured. If Mercury collapses, your money is not insured. If Evolve collapses, your money is insured. That's the official stance.

The majority of the banking industry is built on Cobol. Open Banking is the only real path forward. The issue of the US vs EU open-banking is the number of community banks.

The, unfortunate, most reliable banks from a technology/data perspective are ones that are large enough to be loathsome to deal with. Think JP Morgan, BoA.

Even banks of that size, Comerica, have had massive ledgering issues recently, so they are not immune.

Some reputable players in the BaaS industry are Unit, JP Morgan, Jack Henry, Moov(Massive plug for them), VGS (works with Visa and MC btw). If your neo-bank works with them, I would trust my money there. I do trust my money with one of those partners.


> Mercury itself is not FDIC insured. If Mercury collapses, your money is not insured.

How is it not false advertising on the part of Mercury to describe their accounts as FDIC-insured if this is the case?


This gets into the nuances of fintech, BaaS and neo-banking. A consumer cannot reasonably be expected to understand these. The industry and regulators have effectively stated as such. Your money is, indeed, technically FDIC insured to 250k. It is not insured against the collapse of an intermediary party such as Mercury. FDIC insurance ONLY covers the collapse of a chartered US bank.


The real question for these third party services is whether each customer has a separate bank account. If there's one bank account per customer, and the third party service goes down, accessing the money probably isn't too bad. You can deal with the bank. They have regulators and obligations. If it's one consolidated account, then it probably takes a bankruptcy court to untangle the mess.


Regarding FBOs, that is exactly what is happening with Synapse/Evolve. Customer funds and corporate funds were all comingled and reconciled across an inaccurate ledger held within an FBO. Whether the inaccuracies belong to the bank, or to Synapse is where the debate lies. What is also incredibly suspect in this case is that Mercury was able to transfer (IIRC) 49 million USD of money from Synapse's established FBO with Evolve to Evolve directly (under the ownership of Mercury). The ability for Mercury to have moved these funds is a massive red flag.

Regarding regulators and obligation -- in any of these relationships the bank is ultimately responsible/liable for any AML/TFL, money, etc... irregularities. A BaaS provider can effectively do everything wrong to the point its underlying bank is shut down, and switch to a different partner bank.


> Regarding FBOs, that is exactly what is happening with Synapse/Evolve. Customer funds and corporate funds were all comingled and reconciled across an inaccurate ledger held within an FBO.

Ugh. The bankruptcy court has to bring in forensic auditors, they try to reconstruct who owns what, and it takes a long time to sort things out. The bank's responsibility is only to have the total amount on deposit available to the bankruptcy court.

This is a really good argument for not using such a service.


Anyone know where you can look up the breach data to see what data they have on you? Even after contacting Wise it is absolutely unclear what data they shared in detail, especially on business accounts.


I submitted a data information request and they sent me all what they sent Evolve. It includes both my company address, mobile number, email address and a copy of the ID document.

I have no clue why they submitted mobile number and email address as part of KYC.


This thread seems as good a place as any to ask. I have a Mercury account for a now defunct/non-existent company, but Mercury refused to close my account. Unfortunately that means I was exposed in this breach. What is the best way to get them to actually close my account? I no longer even have access to the account because it's tied to a domain and email that no longer exist. The business entity was shut down correctly, so it legally no longer exists. Should I just let this ride?

My original plan was just to ignore it, but thanks to this breach I guess I can't continue to ignore it.


If you can re-register the domain and email address, that would be a convenient shortcut.

But more generally, they will need business closure docs, including asset disposal. The defunct account will become property of the asset receiver(s).

If there's enough money in the account to bother, hire a lawyer to remind them how things work.

If there isn't enough money in the account, then you were right to ignore it in the first place. The damage from this leak was not (especially) predictable, but regardless it's done now, and won't get any worse.


There was like $17 in the account when I tried to close it, so I am completely unconcerned with the money. My bigger concern is that their lax security will result in someone trying to fraudulently transact with the account and somehow that will come back to bite me.


In a few days after this breach, my Mercury.com Business card (issued by Evolve) was fraudulently charged by Noon.com, Vodafone UK, and Prezzee for close to US$4,000.

Freeze your cards! I've posted an Ask HN for better visibility: https://news.ycombinator.com/item?id=40923028


Mercury.com users and Yotta users seem to be affected, among others.


As the article explains any Wise (a fintech popular for travel debit cards and cheap intl money transfers) that had USD balance was exposed with the breach.


…and Wise is the company that used to be known as “TransferWise”.[1] So it’s possible there are a few people who had an old transferwise account lurking around somewhere that now have had their deets stolen and haven’t even realised yet.

[1] https://www.pymnts.com/news/cross-border-commerce/cross-bord...


That doesn’t seem right to me. Wise moved away from EBT a year or so ago. They may not be done moving away from them but my Wise USD balance is not with EBT anymore and they confirmed by email I was not affected by the breach.


How did you get them to confirm for you? The best I got was

“Right now, we know it is possible some of your personal information may have been breached. We do not have further details to share, but we encourage you to stay vigilant in monitoring your financial activity.

Please be advised that Wise remains secure, as is your account. This breach did not impact our systems. However, keep an eye on any suspicious activity and make sure to report it.”


Here is the email I received on June 28:

There’s been a data breach at Evolve Bank & Trust.

Evolve Bank & Trust is a regulated bank that we worked with from 2020 until 2023 to provide your old USD account details. They’ve recently been affected by a data breach and some of your personal information may have been involved.

This personal information does not include copies of any of the identification documents you’ve shared with us — these have not been shared with Evolve Bank & Trust at any point.

Your Wise account is safe

We no longer work with Evolve Bank & Trust, and have already strengthened our security measures. We’ve also started a thorough investigation into this data breach and can confirm that it has not impacted our systems. This means:

• your Wise account credentials, including your password, are safe, and you can use your account as normal

• you can continue to use your USD account details — these are no longer connected to Evolve Bank & Trust

• you can continue to use any Wise cards you may have as they were not impacted by this issue – your card number and PIN are safe


I received the same thing. What they don’t say is if your routing/account number used in transfers to/from your Wise account has been leaked. Same for any KYC info that the bank might need, such as name or SSN.


The EBT routing and account numbers are no longer valid since they migrated so even if they leaked that is irrelevant. But you’re right about personal data, I suspect names leaked.


And Evolve has allegedly been sending cease-and-desists to journalists who wanted to look at the leaked data:

https://techcrunch.com/2024/07/02/evolve-bank-sent-a-cease-a...

Journalists are the only ones at this point giving us any transparency into the whole situation.


I transferred funds between wise and my savings account. I assume my routing/account to my savings has been leaked


I've asked them: a) _what_ details may have been involved. Currently the criminals know more than we do. b) why EBT had any data if Wise stopped working with them in 2023.

I'd expect there to be a fairly strong obligation (probably on both parties) under GDPR to ensure that EBT destroyed that data.

I'll be following up


Yeah I think Wise knew about this long before it became public. We had our USD receiving account details shut down with like 2 weeks notice which caused massive cashflow problems as we had to get all customers to redo payments.

And I know some people had it at like 1-2 days notice. I blamed wise at the time but I guess their hands were tied if they knew about this but weren't allowed to talk about it.



