The number of cards compromised is at least 10x the number reported (fewer than 25,000), according to Brian Krebs. An analysis has been done of the zip codes of the cards stolen that are available for sale, and it looks like every SB store in the USA was compromised, just like Target.
A similar analysis was done on the Target breach cards, matching the zip codes of the stores with the zip codes on the site selling the cards. They found that the selling site had the zip code of the card, with a 99%+ correlation between store zip and customer zip. The reason for also including the zip code information is that the banks didn't want to inconvenience their customers so close to Christmas, so they geo-fenced the cards, meaning that the stolen card info could be used within the customer's home zip code area.
http://krebsonsecurity.com/2014/03/zip-codes-show-extent-of-sally-beauty-breach/
no subject
Date: 2014-03-27 12:56 am (UTC)
no subject
Date: 2014-03-27 04:36 pm (UTC)
I see 'our institutions handling it seamlessly' as having a couple of problems. First, not all financial institutions are created equal. Our local bank has, IIRC, six offices. I know they have a small IT department which might also be doing their risk monitoring to try to pre-emptively detect fraud. And if you're at a big bank like B of A or Chase, they've done some seriously dumb ass stuff in the past: I remember one where you could browse your credit card online, and your credit card number was part of the URL! You could walk through other people's purchase/payment history by incrementing your URL. And then you have the ethics of big banks to deal with, if such a thing bothers account holders.
I don't trust my local bank, though my wife's account (now our joint acct) is through them. I once tried to get in to their online access and found it crashed, with an error that showed they were using Borland's Paradox as their back-end DB. Totally unacceptable. Then they upgraded their system and after a large number of calls to try to keep my password working, ultimately found out that not only did your pwd have to be longer than eight characters, it also had to be shorter than twelve, yet they didn't have an error message saying that your pwd was too long. That's when I ditched them and went with a regional bank that has served me pretty well.
There's only one thing that my local bank does that I really like: when you sign up for your acct, or add someone to them, they take your picture and it is displayed for the teller whenever you do a transaction. I think that's an excellent, cool idea that all banks should do. That, and they have a branch in Cloudcroft, about a mile from our house.
no subject
Date: 2014-03-27 06:48 pm (UTC)