Page 2 of 20

Re: The Data Breach Thread

Posted: Tue Sep 02, 2014 5:48 pm
by malchior
coopasonic wrote:
Isgrimnur wrote:Chip cards are supposedly only exposed when they're used at a non-chip-reading terminal, where they fall back to card swipe. Of course, there's no way to verify the chip for an online purchase. And I doubt selling home scanners for secure online processing will be very viable.
RSA-like token/app could be a solution for online or some other kind of one time use code. Why is my World of Warcraft account more secure than my credit card?
*Mini-rant warning*

To be honest - the reason is lack of a standard. There is no industry-wide standard for it and developing it (if there was any interest in it) would take years. The banks honestly don't care much about the fraud since they almost never are on the hook for it. Heck when was the last time a bank was even mentioned prominently in these breaches? They are mentioned peripherally at best. The merchant almost always eats the loss and also takes the PR hit.

I.e., the banks have set up a pretty sweet deal for themselves. This is all IMO obviously but the banks have set up a security standard (PCI) that isn't at all about security - it is about the thinnest excuse to enforce contractual terms around data breach in their favor. I'd feel safe asserting that no organizations (who are required to) are ever 100% compliant with PCI standards and they know it. Whenever there is a breach - someone comes in whose mission is to essentially prove how the merchant was not really PCI compliant so that they can shift liability to the merchant and fine them on top. This is supposed to scare everyone else into taking security seriously. However in the end everyone is essentially shooting for the low bar to be certified as compliant since no one actually believes they'll get hit. Apparently it shouldn't matter that every one of the breached organizations passed PCI audits for years or that the upcoming 3.0 revision does not even address the methods used by hackers over the last 2 years or that the next revision is scheduled to come out in 3 years. It is a joke and chip and PIN is not going to change the landscape much at all IMO.
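The "RSA-like token/app" one-time code raised in the quoted post is, in practice, an HOTP/TOTP generator (RFC 4226 / RFC 6238): a shared secret and the current time yield a short code that is worthless once its 30-second window has passed, which is why a stolen code cannot be replayed the way a stolen card number can. The following is an added example written for this thread, not code from any poster or from any payment network; the secret and timestamps are the published RFC test vectors, and the `skew` window and constant-time comparison are this example's own choices.

```python
"""Time-based one-time password (RFC 6238) on top of HOTP (RFC 4226).

Added example for the thread above; not code from the original post.
The shared secret is the RFC 4226/6238 test-vector key, not a real one.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # what most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): dynamic truncation of HMAC-SHA1(secret, counter)."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # low nibble picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)        # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, candidate: str, unix_time: int, skew: int = 1) -> bool:
    """Server-side check.

    Accepts the code for the current step and +/- `skew` neighbouring steps to
    tolerate clock drift, and compares in constant time so the comparison itself
    does not leak how many leading digits were right.
    """
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + d), candidate)
        for d in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    # RFC test-vector secret (constructed for the example, never use in practice).
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "valid:", verify(secret, code, now))
    # Same code presented two minutes later is rejected.
    print("same code 120s later valid:", verify(secret, code, now + 120))
```

The window that `verify` accepts (three 30-second steps here) is the whole replay exposure of a one-time code; compare that with a static PAN and expiry, which the Rescator dumps discussed further down this thread stay valid for until the issuer reissues the card.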

Re: The Data Breach Thread

Posted: Tue Sep 02, 2014 5:57 pm
by Isgrimnur
Timeline
October 1, 2015 – Liability will shift to acquirers for domestic and cross-border counterfeit fraud card-present POS transactions if the merchant does not have an EMV-enabled POS device.
If the card loss isn't your fault, you still have the current protections in place.

Re: The Data Breach Thread

Posted: Tue Sep 02, 2014 6:39 pm
by Archinerd
Isgrimnur wrote:Could have been Dairy Queen, too.
Not unless my card was stolen. Haven't been to Dairy Queen in years. I have been to Home Depot at least 4 times this summer though.

Re: The Data Breach Thread

Posted: Tue Sep 02, 2014 8:41 pm
by stessier
In early August my corporate card bought a plane ticket in São Paulo, Brazil. It also either pre-paid airline baggage fees or sent a package somewhere - it wasn't clear.

I hadn't used the card since February except for an accidental swipe at an Arby's (card looks like my personal one).

Re: The Data Breach Thread

Posted: Thu Sep 04, 2014 11:08 am
by Isgrimnur
Krebs
This morning, KrebsOnSecurity pulled down all of the unique ZIP codes in the card data currently for sale from the two batches of cards that at least four banks have now mapped back to previous transactions at Home Depot. KrebsOnSecurity also obtained a commercial marketing list showing the location and ZIP code of every Home Depot store across the country.

Here’s the kicker: A comparison of the ZIP code data between the unique ZIPs represented on Rescator’s site, and those of the Home Depot stores shows a staggering 99.4 percent overlap.
...
Here is a list of all unique ZIP codes represented in more than 3,000 debit and credit cards currently for sale on Rescator’s site (Rescator limits the number of cards one can view to the first 33 pages of results, 50 cards per page). Here is a list of all unique Home Depot ZIP codes, in case anyone wants to double check my work.

In all, there were 1,822 ZIP codes represented in the card data for sale on Rescator’s site, and 1,939 unique ZIPs corresponding to Home Depot store locations (while Home Depot says it has ~2,200 stores, it is safe to assume that some ZIP codes have more than one Home Depot store). Between those two lists of ZIP codes, there are 10 ZIP codes in Rescator’s card data that do not correspond to actual Home Depot stores.

Finally, there were 127 ZIP codes for Home Depot stores that were not in the list of ZIPs represented in Rescator’s card data. However, it’s important to note that the data pulled from Rescator’s site is almost certainly a tiny fraction of the cards that his shop will put up for sale in the coming days and weeks.
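The comparison Krebs describes above is set arithmetic over two ZIP lists, but the fiddly part in practice is normalising what the card shop and the store list actually contain (ZIP+4 suffixes, leading zeros dropped by spreadsheets, malformed rows). The script below is an added example written for this thread, not code from KrebsOnSecurity or from any poster; the dump rows, the column layout and the store ZIP list are constructed for illustration.

```python
"""Overlap of ZIP codes in a card-shop dump against a merchant's store ZIPs.

Added example in the style of the Krebs Home Depot comparison quoted above;
not code from the original post. DUMP_LISTING and STORE_ZIPS are constructed
sample data (the BIN column is masked and the rows are invented).
"""
import re
from typing import Dict, Iterable, Optional, Set

ZIP_RE = re.compile(r"^\d{5}(?:-\d{4})?$")

# Constructed rows in a hypothetical 'BIN|expiry|city|zip|price' layout.
DUMP_LISTING = """\
4xxxxx|0916|ATLANTA|30339|22.50
4xxxxx|1015|ATLANTA|30339-2102|22.50
5xxxxx|0317|BOSTON|2134|24.00
4xxxxx|0616|DENVER|80202|22.50
5xxxxx|1115|SEATTLE|98101|24.00
4xxxxx|0816|CHEYENNE|82001|22.50
garbage row that is missing its columns
"""

# Constructed store list: one ZIP per store location.
STORE_ZIPS: Set[str] = {"30339", "02134", "80202", "98101", "60606"}


def normalize_zip(raw: str) -> Optional[str]:
    """Reduce ZIP+4, lost leading zeros and stray whitespace to a 5-digit string."""
    z = raw.strip()
    if z.isdigit() and len(z) < 5:      # '2134' exported from a spreadsheet -> '02134'
        z = z.zfill(5)
    if not ZIP_RE.match(z):
        return None
    return z[:5]


def zips_from_dump(lines: Iterable[str], zip_field: int = 3) -> Set[str]:
    """Collect the unique, normalised ZIPs from pipe-separated shop rows."""
    found: Set[str] = set()
    for line in lines:
        cols = [c.strip() for c in line.split("|")]
        if len(cols) <= zip_field:       # skip rows that do not carry a ZIP column
            continue
        z = normalize_zip(cols[zip_field])
        if z:
            found.add(z)
    return found


def compare(dump_zips: Set[str], store_zips: Set[str]) -> Dict[str, object]:
    """Overlap measured the way Krebs did: share of dump ZIPs that are store ZIPs."""
    in_both = dump_zips & store_zips
    overlap_pct = 100.0 * len(in_both) / len(dump_zips) if dump_zips else 0.0
    return {
        "dump_zips": len(dump_zips),
        "store_zips": len(store_zips),
        "matched": len(in_both),
        "overlap_pct": round(overlap_pct, 1),
        "dump_only": sorted(dump_zips - store_zips),      # candidate false positives
        "stores_not_seen": sorted(store_zips - dump_zips),  # only as good as the sample
    }


def analyze() -> Dict[str, object]:
    return compare(zips_from_dump(DUMP_LISTING.splitlines()), STORE_ZIPS)


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

Two caveats the numbers carry: `dump_only` ZIPs are where a different merchant, or a cardholder's billing ZIP rather than a store ZIP, would show up, so they need a second look before calling them noise; and `stores_not_seen` says nothing about those stores being clean when the shop only exposes the first few pages of a much larger dump, which is the point Isgrimnur makes a few posts down.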

Re: The Data Breach Thread

Posted: Thu Sep 04, 2014 11:25 am
by GreenGoo
Neat. So another breach at the source of a PoS system?

Re: The Data Breach Thread

Posted: Thu Sep 04, 2014 3:59 pm
by malchior
Looks like it and there still will not be any sort of requirement to deal with it inside of PCI certification. Security folks at organizations will only have to hope they can persuade the powers that be that the risk of loss is real and get the dollars to protect those assets properly.

Re: The Data Breach Thread

Posted: Thu Sep 04, 2014 4:13 pm
by JSHAW
Home Depot, on their website, hasn't even publicly admitted they had a breach.
They are "investigating".

Funny how CNN and other media are reporting about their breach, the breached credit and debit cards are on sale on the net, but Home Depot hasn't admitted that their security was compromised. :roll:

Re: The Data Breach Thread

Posted: Thu Sep 04, 2014 4:26 pm
by malchior
They have to be careful since this is a material finding. It'll affect their stock, there is legal liability, etc. Other people can speculate all they want - they need facts before they disclose.

Re: The Data Breach Thread

Posted: Thu Sep 04, 2014 4:41 pm
by LordMortis
JSHAW wrote:Home Depot, on their website, hasn't even publicly admitted they had a breach.
They are "investigating".

Funny how CNN and other media are reporting about their breach, the breached credit and debit cards are on sale on the net, but Home Depot hasn't admitted that their security was compromised. :roll:
fuckity fuck fuck fuck. I've been using my CC at Home Depot a lot lately.

However my zip code is not listed. That's a good thing right?

Re: The Data Breach Thread

Posted: Thu Sep 04, 2014 4:54 pm
by Isgrimnur
Is your ZIP the same as your store's ZIP? Also, not being in the stolen card dump's list means little, as it may be deeper in the list.

Re: The Data Breach Thread

Posted: Tue Sep 09, 2014 7:12 pm
by Isgrimnur
Get your free year of credit monitoring here.

Krebs article with the same link.

Re: The Data Breach Thread

Posted: Tue Sep 09, 2014 10:19 pm
by Kraken
Already signed up. I was hoping for one of these deals.

Re: The Data Breach Thread

Posted: Thu Sep 11, 2014 5:51 pm
by LawBeefaroni
Just got notice from my credit union that they're lowering the daily purchase limit for all debit cards to $500 as a direct result of all these breaches. So a total of $1000/day limit ($500 debit, $500 ATM/cash).
Due to the recent increase of retail payment systems data breaches...

Re: The Data Breach Thread

Posted: Mon Sep 15, 2014 1:31 pm
by Isgrimnur
Goodwill had a compromised 3rd-party CC processor for certain stores. It's not nationwide, but they do have an impacted store list up.

Re: The Data Breach Thread

Posted: Thu Sep 18, 2014 11:50 am
by Isgrimnur
American Income Life
ImperialRussia was hawking his goods as “fullz” — street slang for a package of all the personal and financial records that thieves would need to fraudulently open up new lines of credit in a person’s name.

Each document for sale by this seller includes the would-be identity theft victim’s name, their medical history, address, phone and driver license number, Social Security number, date of birth, bank name, routing number and checking/savings account number.
...
Sure enough, the source who alerted me to this listing had obtained numerous fullz from this seller. All of them contained the personal and financial information on people in the Northwest United States (mostly in Washington state) who’d applied for life insurance through American Income Life, an insurance firm based in Waco, Texas.
...
Interestingly, ImperialRussia’s first post offering this data is dated more than three months ago, on June 15, 2014. Likewise, the insurance application documents shared with Torchmark by this publication also were dated mid-2014.

The financial information in the stolen life insurance applications includes the checking and/or savings account information of the applicant, and is collected so that American Income can pre-authorize payments and automatic monthly debits in the event the policy is approved. In a four-page discussion thread on Imperial Russian’s sales page at Evolution, buyers of this stolen data took turns discussing the quality of the information and its various uses, such as how one can use automated phone systems to verify the available balance of an applicant’s bank account.

Re: The Data Breach Thread

Posted: Wed Sep 24, 2014 6:04 pm
by Moliere
Jimmy John's
The sandwich chain Jimmy John's confirmed Wednesday that hackers stole customer debit and credit card data from 216 of its stores, making the company the latest in a string of cyberattacks against major retailers and restaurants.

Re: The Data Breach Thread

Posted: Wed Sep 24, 2014 6:07 pm
by Rip
We should be thankful they have apparently failed to hack Taco John's.

:ninja:

Re: The Data Breach Thread

Posted: Thu Oct 02, 2014 7:20 pm
by Isgrimnur
JP Morgan Chase
Names, addresses, phone numbers and email addresses of the holders of some 83 million households and small business accounts were exposed when computer systems at JPMorgan Chase & Co were recently compromised by hackers, making it one of the biggest data breaches in history.

The bank revealed the scope of the previously disclosed breach on Thursday, saying that there was no evidence that account numbers, passwords, user IDs, birth dates or Social Security numbers had been stolen.
...
The people affected are mostly account holders, but may also include former account holders and others who entered their contact information at the bank's online and mobile sites, according to a bank spokeswoman.

Re: The Data Breach Thread

Posted: Mon Oct 13, 2014 5:33 pm
by Moliere
Kmart shops hit by payment card hack attack

Another week another retailer hacked.
Cash registers at 1,200 Kmart stores were infected with malware that scooped up payment card numbers for over a month, reports the retailer.

Re: The Data Breach Thread

Posted: Mon Oct 13, 2014 5:54 pm
by The Meal
HOLY COW! Wow!!

There are still 1200 K-Mart stores left?!?

Re: The Data Breach Thread

Posted: Mon Oct 13, 2014 6:06 pm
by Isgrimnur
Yes
At February 2, 2013, the Company operated a total of 1,221 Kmart stores across 49 states, Guam, Puerto Rico, and the U.S. Virgin Islands. This store count consists of 1,196 discount stores, averaging 94,000 square feet, and 25 Super Centers, averaging 168,000 square feet.

Re: The Data Breach Thread

Posted: Tue Oct 14, 2014 12:20 am
by em2nought
The Meal wrote:HOLY COW! Wow!!

There are still 1200 K-Mart stores left?!?
Not for much longer. :wink:

Re: The Data Breach Thread

Posted: Tue Oct 21, 2014 10:37 am
by Isgrimnur
Northeast area Staples
Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach. Staples says it is investigating “a potential issue” and has contacted law enforcement.

According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

Re: The Data Breach Thread

Posted: Sun Nov 02, 2014 12:13 pm
by xwraith
The following isn't about a broad data breach, but an instance where two factor authentication failed.

The Value of a Name

Re: The Data Breach Thread

Posted: Thu Dec 04, 2014 1:13 pm
by Isgrimnur
bebe
Data gathered from several financial institutions and at least one underground cybercrime shop suggest that thieves have stolen credit and debit card data from Bebe Stores Inc., a nationwide chain of some 200 women’s clothing stores.
...
The bank found that all of the cards had been used at Bebe Stores in the United States between Nov. 18 and Nov. 28. It is not clear if the breach at Bebe stores is ongoing, or if it extends prior to mid-November 2014.
...
There is no data to suggest that the apparent card breach at Bebe extends to the company’s online store. The items for sale at Goodshop are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards.

Re: The Data Breach Thread

Posted: Tue Dec 16, 2014 4:09 pm
by Isgrimnur
Park 'N Fly
Multiple financial institutions say they are seeing a pattern of fraud that indicates an online credit card breach has hit Park-n-Fly, an Atlanta-based offsite airport parking service that allows customers to reserve spots in advance of travel via an Internet-based reservation system. The security incident, if confirmed, would be the latest in a string of card breaches involving compromised payment systems at parking services nationwide.

Re: The Data Breach Thread

Posted: Tue Dec 16, 2014 6:27 pm
by Isgrimnur
Former employees suing Sony over their massive breach.

Re: The Data Breach Thread

Posted: Fri Dec 19, 2014 10:50 pm
by Isgrimnur
Isgrimnur wrote:Northeast area Staples
Turns out the list of stores is much larger than just the Northeast.

Re: The Data Breach Thread

Posted: Tue Dec 30, 2014 10:58 am
by Isgrimnur
OneStopParking.com
Parking services have taken a beating this year at the hands of hackers bent on stealing credit and debit card data. This week’s victim — onestopparking.com — comes compliments of the same organized crime gang thought to be responsible for stealing tens of millions of card numbers from shoppers at Target and Home Depot.
...
This was the second time in as many weeks that this cybercrime shop –Rescator[dot]cm — has put up for sale a batch of credit cards stolen from an online parking service: On Dec. 16, KrebsOnSecurity reported that the same shop was selling cards stolen from Park-n-Fly, a competing airport parking reservation service. Sometime over the past few days, Park-n-Fly announced it was suspending its online service.
...
Last month, SP Plus — a Chicago-based parking facility provider — said payment systems at 17 parking garages in Chicago, Philadelphia and Seattle were hacked to capture credit card data after thieves installed malware to access credit card data from a remote location. Card data stolen from those SP+ locations ended up for sale on a competing cybercrime store called Goodshop.

In Missouri, the St. Louis Parking Company recently disclosed that it learned of a breach involving card data stolen from its Union Station Parking facility between Oct. 6, 2014 and Oct. 31, 2014.

Re: The Data Breach Thread

Posted: Tue Dec 30, 2014 8:36 pm
by Isgrimnur
Chick-Fil-A
Sources at several U.S. financial institutions say they have traced a pattern of credit card fraud back to accounts that all were used at different Chick-fil-A fast food restaurants around the country. Chick-fil-A told KrebsOnSecurity that it has received similar reports and is working with IT security firms and law enforcement in an ongoing investigation.
...
My suspicion is that — if confirmed — this breach will be found to have impacted only a subset of Chick-fil-A’s 1,850 locations in 41 states and the District of Columbia. In that respect, it would be much like the breaches first reported in this blog earlier this year at other fast food chains — Dairy Queen and Jimmy Johns. In both of those breaches, the stores impacted were franchises that outsourced the management of their point-of-sale systems to specific third party companies.

Re: The Data Breach Thread

Posted: Mon Feb 02, 2015 2:23 pm
by Isgrimnur
Book2Park.com breach
Book2Park.com, an online parking reservation service for airports across the United States, appears to be the latest victim of the hacker gang that stole more than 100 million credit and debit cards from Target and Home Depot. Book2park.com is the third online parking service since December 2014 to fall victim to this cybercriminal group.
...
Contacted about the apparent breach, Book2park.com owner Anna Infante said she was not aware that hundreds — if not thousands — of her customers' cards were for sale online. But she said a technology firm the company contracts with did recently discover and remove malicious files that were somehow planted on Book2park’s Web server.

Re: The Data Breach Thread

Posted: Mon Feb 02, 2015 2:47 pm
by Pyperkub
Seems like the Parking services have been "Targeted" recently.

Re: The Data Breach Thread

Posted: Tue Feb 03, 2015 6:28 pm
by Isgrimnur
Marriotts run by White Lodging Services Corporation
On January 31, 2014, this author first reported evidence of a breach at some White Lodging locations. The Merrillville, Ind. based company confirmed a breach three days later, saying hackers had installed malicious software on cash registers in food and beverage outlets at 14 locations nationwide, and that the intruders had been stealing customer card data from these outlets for approximately nine months.

Fast-forward to late January 2015, and KrebsOnSecurity again began hearing from several financial institutions who had traced a pattern of counterfeit card fraud back to accounts that were all used at nearly a dozen Marriott properties across the country.

Banking sources say the cards that were compromised in this most recent incident look like they were stolen from many of the same White Lodging locations implicated in the 2014 breach, including hotels in Austin, Texas, Bedford Park, Ill., Denver, Indianapolis, and Louisville, Kentucky. Those same sources said the compromises appear once again to be tied to hacked cash registers at food and beverage establishments within the White Lodging run hotels. The legitimate hotel transactions that predated fraudulent card charges elsewhere range from mid-September 2014 to January 2015.

Re: The Data Breach Thread

Posted: Thu Feb 05, 2015 2:54 am
by Pyperkub
This is NOT good: Anthem Blue Cross/Blue Shield (Wellpoint) -
Hackers have stolen information on tens of millions of Anthem Inc. customers, in a massive data breach that ranks among the largest in corporate history.

The information stolen from the insurance giant includes names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.

Anthem said there is no evidence that credit card or medical information was compromised.

Re: The Data Breach Thread

Posted: Fri Feb 06, 2015 3:13 pm
by LawBeefaroni
Up to 70 million in the Anthem breach. A huge deal not only because of the size but because even names, DOB, SSNs, and other ID numbers are technically PHI. While I'd still bet dollars to donuts that it was a financial heist, the potential is frightening.

Re: The Data Breach Thread

Posted: Fri Feb 06, 2015 3:20 pm
by Jeff V
NBC was reporting the Chinese were suspected to be behind it.

Re: The Data Breach Thread

Posted: Wed Feb 25, 2015 12:03 pm
by Moliere
Urban Institute Hacked: Up To 700,000 Nonprofits Affected After Tax System Breach
A prominent Washington, D.C. think tank has been hacked, compromising email addresses, passwords and other information of hundreds of thousands of charitable organizations that use its system for filing taxes.

The Urban Institute released a statement Tuesday saying that its National Center for Charitable Statistics had been accessed by hackers, who breached usernames, passwords, IP addresses and other account data.

The Hill reports that up to 700,000 organizations that use the system could be affected, but there is no evidence that tax filings were compromised, and no Social Security or credit card numbers were in the system.

Re: The Data Breach Thread

Posted: Wed Feb 25, 2015 6:22 pm
by Pyperkub
LawBeefaroni wrote:Up to 70 million in the Anthem breach. A huge deal not only because of the size but because even names, DOB, SSNs, and other ID numbers are technically PHI. While I'd still bet dollars to donuts that it was a financial heist, the potential is frightening.
8.8-18.8 million non-Blue Cross/Blue Shield customers also potentially at risk in the Anthem/Wellpoint hack:
Health insurer Anthem Inc, which earlier this month reported that it was hit by a massive cyberbreach, said on Tuesday that 8.8 million to 18.8 million people who were not its customers could be victims in the attack.

Re: The Data Breach Thread

Posted: Mon Mar 02, 2015 3:01 pm
by Isgrimnur
Developing: Natural Grocers
Sources in the financial industry tell KrebsOnSecurity they have traced a pattern of fraud on customer credit and debit cards suggesting that hackers have tapped into cash registers at Natural Grocers locations across the country. The grocery chain says it is investigating “a potential data security incident involving an unauthorized intrusion targeting limited customer payment card data.”

In response to questions from KrebsOnSecurity about a possible security breach, Lakewood, Colo. based Natural Grocers by Vitamin Cottage Inc. said it has hired a third-party data forensics firm, and that law enforcement is investigating the matter.
...
According to a source with inside knowledge of the breach, the attackers broke in just before Christmas 2014, by attacking weaknesses in the company’s database servers. From there, the attackers moved laterally within Natural Grocers’ internal network, eventually planting card-snooping malware on point-of-sale systems.

Natural Grocers said that while its investigation is ongoing, the company has accelerated plans to upgrade the point-of-sale system in all of its store locations with a new PCI-compliant system that provides point-to-point encryption and new PIN pads that accept secure “chip and PIN” cards.