Sally Beauty hack: tremendously under-reported

[thewayne]

The number of cards compromised is at least 10x the number reported (fewer than 25,000), according to Brian Krebs. An analysis has been done of the zip codes of the cards stolen that are available for sale, and it looks like every SB store in the USA was compromised, just like Target.

A similar analysis was done on the Target breech cards, matching the zip codes of the stores with the zip codes of the site selling the cards, they found that the selling site had the zip code of the card, with a 99%+ correlation between store zip and customer zip. The reason for also including the zip code information is that the banks didn't want to inconvenience their customers so close to Christmas, so they geo-fenced the cards, meaning that the stolen card info could be used within the customer's home zip code area.

http://krebsonsecurity.com/2014/03/zip-codes-show-extent-of-sally-beauty-breach/

Comments

[silveradept]

It seems that these days, everyone should plan for having their information stolen at some point in their lives, and that our institutions should just handle it seamlessly when it happens.

[thewayne.livejournal.com]

There are so many points where information can be compromised that it does seem inevitable. If it hasn't happened to you yet, the odds are increasing that it probably will. And it might have happened and you never noticed: there was a scam, and it may be on-going, where they charge something to your account that's $9.84 or very close to it. An odd amount, and below $10. If your account is shared with a spouse or other, you might just assume that it's a valid charge. The group running this scam makes millions from people being casual about $10.

I see 'our institutions handling it seamlessly' as having a couple of problems. First, not all financial institutions are created equal. Our local bank has, IIRC, six offices. I know they have a small IT department which might also be doing their risk monitoring to try to pre-emptively detect fraud. And if you're at a big bank like B of A or Chase, they've done so seriously dumb ass stuff in the past: I remember one where you could browse your credit card online, and your credit card number was part of the URL! You could walk through other people's purchase/payment history by incrementing your URL. And then you have the ethics of big banks to deal with, if such a thing bothers account holders.

I don't trust my local bank, though my wife's account (now our joint acct) is through them. I once tried to get in to their online access and found it crashed, with an error that showed they were using Borland's Paradox as their back-end DB. Totally unacceptable. Then they upgraded their system and after a large number of calls to try to keep my password working, ultimately found out that not only did your pwd have to be longer than eight characters, it also had to be shorter than twelve, yet tehy didn't have an error message saying that your pwd was too long. That's when I ditched them and went with a regional bank that has served me pretty well.

There's only one thing that my local bank does that I really like: when you sign up for your acct, or add someone to them, they take your picture and it is displayed for the teller whenever you do a transaction. I think that's an excellent, cool idea that all banks should do. That, and they have a branch in Cloudcroft, about a mile from our house.

[silveradept]

I think I meant "refund/put in dispute suspicious charges automatically, notify automatically, upgrade security every time someone appears to have been breached". Functional things that work for consumers, instead of hiding or sweeping things under the rug.