thewayne: (Default)
The only good thing to say is that it appears that they have done the sensible thing of isolating their corporate network from their payment terminal network. The penetration happened approximately six months ago but was just detected in January. They're in the process of investigating and cleaning up their act.

Target, when they were hacked a few years ago, had not separated their network. Testers were able to access 2,000 cash registers by compromising a digital scale at a deli counter.

The sad thing is that almost all initial infections that lead to these breaches can be avoided by one thing: do not give users administrator access to their computers! There is no good reason why they should, and if you have software that requires admin to run, then you need to hold the vendor's feet to the fire and force them to fix their bad code so it does not!

The other is for Microsoft to get off their butt and fix their stupid macro system! Macros hidden in Word document and Excel spreadsheets is how most of these infections get started. This article has an excellent example: email received by a hotel that says we have a dozen people arriving for a week and this document contains the specifications of the rooms that we need. No hotel is going to hesitate opening a document that promises booking a dozen rooms for multiple days. Apparently the scammers will go to the trouble of creating a web site to add verisimilitude so that the email doesn't arrive from a Gmail account. It all looks above board, so why not open the email?
thewayne: (Default)
Needless to say, it hasn't stopped while I haven't written about it.

The latest victims, and I mean corporations, are Arby's fast food (I hesitate to call them a restaurant) and Holiday Inn hotels. Arby's says the malware that stole credit cards was limited to their corporate stores, over a thousand locations of their 3,300 locations in the United States. Of course it's entirely possible that some of their franchisees have been compromised, especially if there are big corps with many locations that use a third-party credit card processing solution.

And it is a BIG breach. The president and CEO of the National Association of Federal Credit Unions is saying the number of cards is in the "hundreds of thousands". So that malware, since remediated, has been sitting there for a while. Arby's did not previously announce the hack at the request of the FBI while they were still investigating it.

Someone posted a comment/question asking if a specific location was compromised, I posted this reply:
Call them and ask them if they're a corporate store or a franchisee. If the former, then probably yes. I'm going to be doing that Monday with my semi-local store. Regardless, watch your bank account online for probe charges: a charge for $1-4 from cities and businesses that you don't do business in/with.

A friend of mine was hit by the Wendy's hack. He's on the road a lot and I told him about the probe charges. Sure enough, they appeared on his credit card. Fortunately when the serious charge appeared, he was in a town that had an office for his credit card and he was able to get a replacement sent there.

The Holiday Inn hack was very specific, it targeted just a few hotel restaurants and bars in high-profile and high-dollar areas in San Francisco, San Jose, Chicago, etc. The malware was present from August to December 2016. It was not found on the hotel's front desk systems.
thewayne: (Cyranose)
This one is slightly different. The thieves were more careful with how they're using the cards, and credit unions are being hit hard. One CU manager mentioned in the story said that they've gone through half their budget for credit fraud for the year -- IN JANUARY.

I have lunch at Wendy's once or twice a week, and I always use my debit card. I haven't seen any activity on my account since the information about the breach surfaced a month and a half ago; still, I should either start carrying more cash for lunch or use my credit card more. The credit card is still vulnerable to data breaches such as this, but American law gives you stronger protection and reduced liability for a credit card versus a debit card. The problem with going to cash for such transactions is that my bank doesn't have a branch or ATM down here, so I'd be getting nibbled by out-of-network fees.
thewayne: (Cyranose)
Back in June, many news sources reported that OPM got hacked and basically if you applied for a job with the Federal government in the last 20 years, your information was compromised.  Didn't matter if you were a park ranger or an office admin or what, you were compromised.  A more recent revelation is that fingerprint scans were also compromised.  Bruce Schneier has a recent post about this and the risk of trusting centralized, networked, databases with our information.

Now for a slight diversion.

Salon had a recent article about how a certain KGB agent was amazing at correctly identifying CIA agents in foreign countries.  He applied basic common sense and deduced certain patterns: CIA agents when they were undercover at an embassy always had offices in the secure part of the embassy, always took over the apartment that their predecessor had, did not attend certain functions, when they had meetings out of town they were almost always at night during certain hours.  But the most important tell of all is that their biographies had gaps.  A non-spy in the State Department had a complete and easily verified biography.  Spies did not, theirs had gaps.

Back to the OPM hack.

Two days ago, several news sources reported that the CIA was pulling their agents out of China.  The OPM hack compromised the full information of over 20,000,000 Federal employees, including CIA agents.  China is believed responsible for this hack, so they have all this information.  And basically the CIA knows that China now knows all its agents and has the fingerprints for most of them.

If you know who works for the State Department, and you know "Bob" came in to the country allegedly working for State yet he is not on the list of known State employees, he's probably a spy.  So the CIA pulled them before they could get caught or in trouble.

If China really wanted to screw with us, they'd shop that list around and sell it to Russia, North Korea, etc.

In other glorious news, Experian was hacked again.  This time a specific server or dataset was compromised, and it belonged to the cell phone carrier T-Mobile.  If you applied for a T-Mobile line from September '13 to September '16, the following info was compromised: "Social Security numbers, dates of birth and home addresses."  But that's only for 15,000,000 people, so no worries.

It is important to remember that it was not T-Mobile that was hacked, it was the credit reporting agency/data aggregator Experian that was hacked.  When you apply for cell service, you fill out an application and it's run through Experian to determine if your credit is sufficient to pay for a contract.  Common sense would say that after the credit is approved or denied, a summary should be passed on to T-Mobile, a notation made on the person's credit report, and the application should be purged.  But apparently that wasn't good enough for Experian and they decided that they needed to keep the actual application.

Oh, well.
thewayne: (Cyranose)
A "gang" who claims to be an international syndicate but is more likely a small group, paid for a couple of criminals to lob Molotov cocktails at a company who discovered a Trojan that the gang developed to compromise ATMs. They sent threats to the security researchers, giving them a deadline to remove the research from their web site, and when they didn't, some punk ran up to a building and threw a single firebomb, then ran away. The damage was minimal.

This was all going on in Kiev, St. Petersburg, and Ukraine.

In another story, Brian Krebs spent time in Mexico recently. There's been a huge increase in ATM skimmers and in malware that can apparently order the ATM to spit out money.
thewayne: (Cyranose)
October 1 is the deadline for merchants to be switched over to the new readers in the USA, otherwise they can be liable for any theft that takes place. But what is utterly ridiculous is that THEY DID A HALF-ASSED IMPLEMENTATION OVER HERE. No, correct that, quarter-assed. They would have to improve their implementation to be half-assed. THEY DO NOT REQUIRE A PIN! So if someone lifts your wallet and you have an EMV card, they can spend their way to heaven until you cancel the card.

I am curious how European cards, which have PINs, will work over here. Likewise, I wonder how our PINless EMV cards would work in Europe.
thewayne: (Cyranose)
This is why we can't have nice things. You can't trust major merchants like Target and Home Depot and Neiman Marcus to keep their systems secure. Mom & Pop companies can't afford a proper IT department, so they go to a POS vendor, only in this case POS doesn't mean point of sale.

In this particular case, to quote from Krebs post, "NEXTEP Systems, a Troy, Mich.-based vendor of point-of-sale solutions for restaurants, corporate cafeterias, casinos, airports and other food service venues, was recently notified by law enforcement that some of its customer locations have been compromised in a potentially wide-ranging credit card breach, KrebsOnSecurity has learned.

The acknowledgement came in response to reports by sources in the financial industry who spotted a pattern of fraud on credit cards all recently used at one of NEXTEP’S biggest customers: Zoup, a chain of some 75 soup eateries spread across the northern half of the United States and Canada."

So we're screwed, but the truth is that we've been screwed for years. Use cash when you can, use a bona fide credit card when you can't as you have better laws behind you for recovering stolen funds.

The saddest thing is that the one improvement that U.S. banking could make to really make life hard for these criminals is to implement Chip & PIN. Every card has a crypto chip, and you have to enter a PIN number. Two-factor security. If your card is stolen or forged and they don't know the PIN, they can't use it. So American banking is doing a half-assed implementation and putting in the crypto chip, but no PIN. Also no signature required. So no verification whatsoever. The reasoning is probably that they don't want to burden people with remembering a PIN, which we've been doing for 25 years anyway.

thewayne: (Cyranose)
For $10-$27 a card, you can get a new (stolen) credit card for a loved one!

The breach seems to have been between November 18 and 28, but it is unclear if it might have started earlier or possibly still be on-going. Bebe decided they didn't want to talk to Krebs, so apparently they're still in denial. Evidence suggests that this was another card reader compromise and that their online store was not breached.

One thing that I don't know since I don't know anyone who shops there is how valuable the cards are. If Bebe is a high-end store, the cards could be worth a lot. Also, the cards are up for sale in a hitherto not known carder forum, so the stolen card retailers have another store that you can buy from.

UPDATE: Bebe confirmed the breach.

"Bebe stores said its investigation indicates that the breach impacted payment cards swiped in its U.S., Puerto Rico and U.S. Virgin Islands stores between Nov. 8, 2014 and Nov. 26, 2014. The data may have included cardholder name, account number, expiration date, and verification code." They claim the breach has been stopped.

So at least they caught it before Black Friday, that greatly reduces the number of compromised cards.
thewayne: (Cyranose)
Sadly, it looks like Security By Obscurity is still the mode they want to play, so expect more compromised retailers this season.
thewayne: (Cyranose)
A bank in New England got taken for $120,000 in fraudulent C&P charges emanating from Brazil. The issue? The bank hasn't issued any C&P cards yet.

One part of C&P is a built-in counter that is part of the transaction data stream. If your bank receives a second transaction with the same counter number, you know it's fraudulent. But since it's not implemented, it's largely ignored. Apparently some criminals in Brazil bought a bunch of Home Depot stolen cards, got ahold of a credit card terminal, and manipulated the data stream to cram the cards through. The bank recovered about $80k of the stolen money and is trying to get the rest back. Meanwhile, Mastercard is saying that they're responsible for the remainder.

After the Home Depot theft, the bank decided not to re-issue potentially compromised cards as they represented a fairly large portion of their customer base. I would guess that they're reconsidering that right now.

There's no doubt that C&P will greatly reduce fraud, but it's not easy to implement, so chances are that we'll see as much and maybe more as it begins to be rolled out next year. In the case of this New England bank, an upstream provider authorized the charges when the bank's systems were offline and couldn't directly authenticate the transactions.

ETA: Bruce Schneier wrote about C&P attacks a while back, it's called a Pre-Play Attack.
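The counter check described above, as an added example that is not from the post or from any bank's system: a small issuer-side model in Python of the Application Transaction Counter (ATC) that an EMV chip increments on every transaction, checked the way the post describes. A repeated counter for a card is a replay, and this version also treats a counter lower than the last accepted one as suspicious; chip-flagged traffic for a card the issuer never issued as a chip card is rejected outright, which is the New England bank's situation. Field names, the "last four digits" identifiers and the transaction stream are constructed.

```python
"""Issuer-side checks on chip (EMV) authorizations.

Added example, not from the post. The "built-in counter" is the chip's
Application Transaction Counter (ATC), which the card increments on every
transaction and which travels in the authorization data. Everything here
(field names, card identifiers, the stream) is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Auth:
    pan_last4: str   # constructed: only the last four digits are kept here
    chip: bool       # authorization claims EMV chip data (not a magstripe swipe)
    atc: int         # ATC carried in the chip data (ignored when chip is False)
    amount: float    # not used by the checks below; kept for the record
    country: str     # merchant country; likewise informational only


@dataclass
class IssuerState:
    chip_cards: set = field(default_factory=set)   # cards issued WITH a chip
    last_atc: dict = field(default_factory=dict)   # pan_last4 -> highest ATC accepted


def check_auth(state: IssuerState, tx: Auth) -> list:
    """Return the reasons to decline; an empty list means the checks passed."""
    reasons = []
    if tx.chip:
        if tx.pan_last4 not in state.chip_cards:
            reasons.append("chip data presented for a card never issued as a chip card")
        prev = state.last_atc.get(tx.pan_last4)
        if prev is not None and tx.atc <= prev:
            reasons.append(
                f"ATC {tx.atc} not above last accepted ATC {prev} "
                "(replayed or cloned chip data)")
        if not reasons:
            # Only an accepted transaction advances the per-card counter.
            state.last_atc[tx.pan_last4] = tx.atc
    return reasons


def process(state: IssuerState, stream: list) -> list:
    """Run every authorization through the checks; return (index, reasons) for declines."""
    declined = []
    for i, tx in enumerate(stream):
        reasons = check_auth(state, tx)
        if reasons:
            declined.append((i, reasons))
    return declined


# Constructed stream. Card ...1234 has a chip; card ...9876 is magstripe-only.
SAMPLE_STREAM = [
    Auth("1234", True, 41, 23.50, "US"),
    Auth("1234", True, 42, 60.00, "US"),
    Auth("1234", True, 42, 899.99, "BR"),   # same ATC again: a replay
    Auth("9876", True, 7, 450.00, "BR"),    # chip data on a card that has no chip
    Auth("9876", False, 0, 12.00, "US"),    # ordinary swipe, passes these checks
]


def demo() -> list:
    """Process the constructed stream with a fresh issuer that issued one chip card."""
    return process(IssuerState(chip_cards={"1234"}), SAMPLE_STREAM)


if __name__ == "__main__":
    for i, reasons in demo():
        print(f"auth #{i}: DECLINE - " + "; ".join(reasons))
```

The check only helps when the issuer's own system actually sees the authorization. In the post's case an upstream provider approved the charges in stand-in mode while the bank was offline, so the counters could only have been compared after the fact at reconciliation, and the last accepted ATC per card has to be persisted rather than held in memory as it is here.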
thewayne: (Cyranose)
Does this qualify as irony? Apparently someone exploited a weakness in their internet shopping cart code and compromised some 5,000 cards from mid-April to mid-June this year.
thewayne: (Cyranose)
This is very limited, the theft specifically struck three states (NY, NJ, PA) and only about eleven stores. Very little information is available, though it appears to be a cash register malware attack. I'm thinking that maybe it was detected early before the fraudsters could roll out a larger scale breach. Still, I'm sure this will force a chain-wide audit of some 1,800 stores across the USA.

No mention as to how many cards were compromised or how long the breach lasted.
thewayne: (Cyranose)
Sears Holdings just announced it, no indication as to how many cards or a date range but they are saying that no cards are yet being used fraudulently. We'll see how long that holds true. They're also saying only Track 2 data was compromised, so no personal identity info stolen that could promote ID theft, just simple credit theft. It was a point of sale hack, so either the same group that did Target/Michaels/Home Depot/etc or someone using the same malware package.

The Dairy Queen breach was suspected in August but only now confirmed, no indications how long or how many cards were compromised. This one was a cash register compromise, so probably a different batch of crooks.

I just had my card replaced because of the Home Depot hack, we use Kmart as my wife's pharmacy and both of us have used our cards there. So if our cards ever stop working, now we know why, and at least it's a good thing that our bank is actually being preemptive.
thewayne: (Cyranose)
First, Apple. Today they released a patch for OS X to fix Bash, the question is how complete the patch is. Everything that I've heard thus far is that the patches for various *nix distros are partial and that a further patch will be required. So I don't know where that stands. I was not able to find the patch in Mac's Update service, but the direct links in the article worked fine. No computer restart required.

Now, Jimmy John's sandwich shop hack. 216 JJ's were compromised, the number of cards stolen is not mentioned in the article. Here are the problems, and I'm using the plural purposely. First, it was a service vendor, Signature Systems, that was compromised, so another 100 mostly mom & pop operations were also affected. They're spread all over the USA, no significant geographic clumping.

But the fun doesn't end there, oh no! Anyone who processes credit cards has to be certified to be PCI-compliant, and there are different levels of certification depending on what your credit card volume is. The auditor company who certified Signature Systems is the only auditor to have their accreditation CANCELLED by the payment card industry.

But wait, there's more! In addition to the auditor losing their certification and going out of business, one model of cash register system installed by Signature Systems was not certified as of late October 2013, and many systems were installed after that date! Even though lawsuits would be flying around regardless, these are going to be interesting because clearly Signature Systems was grossly negligent.

And finally, my wife and I had an interesting experience in Las Cruces last week. While we were in town, every time I used my card on my wife's account, it was declined. We called the bank and we had a very healthy balance in the account, unfortunately my wife left her wallet at home, so we had to use my cards. Fortunately my account's card worked fine. We thought maybe it was because we were 100 miles from home, but we're frequently in 'Cruces, so it was odd. When we got back to Alamogordo that night, it was declined yet again at a bookstore (three Eric Clapton CDs). As it happened, the clerk also worked at the issuing bank, and she said a whole bunch of cards had been cancelled because of the Home Depot breach. Checked my mail the next day and there was a brand new, bright shiny card. The old one met the shredder. I got my Amazon account reconfigured, received a text message from DirecTV and got them reconfigured, and I think I'm now good.
thewayne: (Cyranose)
Apparently a number of Goodwill stores all had their credit card processing done by one company, and that was the infiltration point. The vendor claims that only 25 cards have been used fraudulently since the compromise, a number that I'm frankly dubious of. But there are a couple of things to remember, and that is that Goodwill purchasers are not always high-value people, so it's quite possible that when word got out about how low the credit limits on the cards typically were, they just gave up on the batch. Still, I find the number dubious.

The article points out a very big hole in the reporting laws of lots of states, and this is a very good explanation of the problem. To quote from the Krebs article:

The magnetic stripe on a credit or debit card contains several areas, or “tracks,” where cardholder information is stored: “Track 1” includes the cardholder’s name, account number and other data. “Track 2,” contains the cardholder’s account, encrypted PIN and other information, but it does not include the account holder’s

Most U.S. states have data breach laws requiring businesses that experience a breach involving the personal and financial information of their citizens to notify those individuals in a timely fashion. However, few of those notification requirements are triggered unless the data that is lost or stolen includes the consumer’s name (see my reporting on the 2012 breach at Global Payments, e.g.).

This is important because a great many of the underground stores that sell stolen credit and debit data only sell Track 2 data. Translation: If the thieves are only stealing Track 2 data, a breached business may not have an obligation under existing state data breach disclosure laws to notify consumers about a security incident that resulted in the theft of their card data.

And in the case of the Goodwill breach, only Track 2 info was being sold.
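To make the Track 1 / Track 2 distinction in the quoted passage concrete, here is an added example (not from the post or from Krebs) of the kind of detection logic a defender runs over a captured buffer such as a memory dump or an outbound request: it recognizes the two magnetic-stripe track layouts, keeps only matches whose account number passes the Luhn check to cut false positives, masks the account number before anything is logged, and reports whether cardholder names (Track 1 only) were among the data, which is the fact the notification laws hinge on. The sample buffer, the test account number 4111111111111111 and the "DOE/JANE" name are constructed.

```python
"""Spot magnetic-stripe track data in a captured buffer and classify it.

Added example, not from the post. Layouts follow the common card-track
conventions: Track 1 is %B<PAN>^<NAME>^<YYMM><service code>...?, Track 2 is
;<PAN>=<YYMM><service code>...?. The sample buffer and account number are
constructed (4111111111111111 is a standard test number, not a real account).
"""
import re
from dataclasses import dataclass

TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: true for any well-formed card account number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual masking for logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    offset: int      # where in the buffer the match started
    track: int       # 1 or 2
    masked_pan: str
    expiry: str      # YYMM as carried on the track
    has_name: bool   # only Track 1 carries the cardholder name


def find_track_data(buf: bytes) -> list:
    """Return every Luhn-valid track record found in buf, in buffer order."""
    text = buf.decode("latin-1")   # one byte per char, so offsets stay exact
    hits = []
    for m in TRACK1_RE.finditer(text):
        if luhn_ok(m.group(1)):
            hits.append(TrackHit(m.start(), 1, mask_pan(m.group(1)), m.group(3), True))
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group(1)):
            hits.append(TrackHit(m.start(), 2, mask_pan(m.group(1)), m.group(2), False))
    hits.sort(key=lambda h: h.offset)
    return hits


def summarize(hits: list) -> dict:
    """Counts per track plus the question the disclosure laws turn on."""
    return {
        "track1": sum(1 for h in hits if h.track == 1),
        "track2": sum(1 for h in hits if h.track == 2),
        "names_exposed": any(h.has_name for h in hits),
    }


# Constructed buffer: one Track 1 record, one Track 2 record for the same
# test account, and a Track 2 look-alike whose number fails Luhn (a decoy).
SAMPLE = (
    b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?"
    b";4111111111111111=25121011000012345678?"
    b";4111111111111112=25121010000000000000?"
)

if __name__ == "__main__":
    found = find_track_data(SAMPLE)
    for h in found:
        print(f"offset {h.offset}: track {h.track} {h.masked_pan} exp {h.expiry} name={h.has_name}")
    print(summarize(found))
```

Run over a Track-2-only dump, `summarize()` reports `names_exposed` as False, which is exactly the situation the post describes for Goodwill; the same logic is what you would want in an egress monitor or memory scan so that track data leaving a register is noticed before it shows up in a carder shop.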
thewayne: (Cyranose)
The thieves are exploiting weak bank phone voice response systems to reset the PINs then use the forged cards in ATMs. Some are also calling the bank direct using MagicJack phone numbers and telling them they're traveling in Italy, so one bank obligingly increased the daily withdrawal limit and it lost $300,000 in two hours.
thewayne: (Cyranose)
It could go back to April or May of this year, and it looks like all stores were affected, which means a main server breach. And it was probably the same group that did Target et al.
thewayne: (Cyranose)
Looks like. In the case of DQ, it looks a lot like the breach of the Jimmy John's sandwich chain and the car wash in the east, probably a remote-access compromise of franchisees who all use the same point of sale system.

I've never been to Jimmy John's, but I do go to DQ a couple of times when I'm in Phoenix. I'm safe, I always pay cash.

One thing that I like is the mention of weak and easily guessed passwords. A password and a direct hack of your account is the least likely way that your information will be compromised, because criminals are looking for mass amounts of information that they can profit from and thus go after large dumps. It's still important to use strong passwords and to not re-use passwords on important systems.
thewayne: (Cyranose)
The info on Albertsons is just emerging and it involves all of their properties, so this looks like a breach in their datacenter like Target. His discussion of carding is quite interesting as it hits on two points that I thought were pretty amazing. One is that the rate of attacks seems to be going up and it's probably because the USA hasn't instituted Chip & PIN, which most of the first world has done. Thus, America is a vulnerable market, and since Mastercard & Visa have stated an October 2015 deadline for merchants to implement C&P, the criminals have a narrowing window of opportunity to exploit and try to get rich easily.

The fact that the USA is the only country in the G20 to not have implemented C&P I thought was quite interesting.

But his second point blew me away: he thinks the market for stolen card dumps is saturated. Krebs estimates that only 2-4% of the cards stolen in the Target breach were actually used for fraud, based on numbers that were reported to him when he called some banks that were victimized. The process for taking the card data, coding it on to a new card, then buying merchandise, selling it, and transferring the money takes a lot of work, and with the volume of cards stolen in the breaches, the criminals don't have enough infrastructure to convert the stolen info to money in their pocket.

Which isn't to say that they're going to stop stealing credit card info, just that there is a difference between the number of cards stolen and the number used for fraud.
thewayne: (Cyranose)
The basic symptoms are like the Target et al hacks of late, but the curious part is that although most of the JJ stores are independent, they largely use the same point of sale system. So again, it's a breach upstream of the actual merchant.

Page generated Jul. 22nd, 2017 12:51 pm
Powered by Dreamwidth Studios