Goodwill hack lasted 18 months
Sep. 18th, 2014 11:08 am
Apparently a number of Goodwill stores all had their credit card processing done by one company, and that was the infiltration point. The vendor claims that only 25 cards have been used fraudulently since the compromise, a number that I'm frankly dubious of. But there are a couple of things to remember, and that is that Goodwill purchasers are not always high-value people, so it's quite possible that when word got out about how low the credit limits on the cards typically were, they just gave up on the batch. Still, I find the number dubious.
The article points out a very big hole in the reporting laws of lots of states; this is a very good explanation of the problem. To quote from the Krebs article:
The magnetic stripe on a credit or debit card contains several areas, or “tracks,” where cardholder information is stored: “Track 1” includes the cardholder’s name, account number and other data. “Track 2,” contains the cardholder’s account, encrypted PIN and other information, but it does not include the account holder’s name.
Most U.S. states have data breach laws requiring businesses that experience a breach involving the personal and financial information of their citizens to notify those individuals in a timely fashion. However, few of those notification requirements are triggered unless the data that is lost or stolen includes the consumer’s name (see my reporting on the 2012 breach at Global Payments, e.g.).
This is important because a great many of the underground stores that sell stolen credit and debit data only sell Track 2 data. Translation: If the thieves are only stealing Track 2 data, a breached business may not have an obligation under existing state data breach disclosure laws to notify consumers about a security incident that resulted in the theft of their card data.
And in the case of the Goodwill breach, only Track 2 info was being sold.
http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months/
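As an added illustration of the Track 1 versus Track 2 distinction in the quoted passage (this is example code, not from the post or from Krebs's article): a small triage script of the kind an incident responder would run over a sample of exposed card records to see which ones carry a cardholder name, since per the quote that is what usually decides whether state notification is triggered. The track layouts it parses (the `%`/`;` sentinels, the format code `B`, the `^` and `=` field separators, the `?` end sentinel) are the ISO/IEC 7813 conventions, not something the post spells out; the sample records are constructed from the well-known test card numbers and a made-up name, and the account numbers are masked before anything is reported.

```python
"""Classify card track records by what they expose (added example).

Assumptions not taken from the post: Track 1 and Track 2 layouts follow
ISO/IEC 7813; the sample records below are constructed test data.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Track 1: %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<rest>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code + discretionary data>?  (no name field)
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<rest>[^?]*)\?$")


@dataclass
class TrackRecord:
    track: int            # 1 or 2
    masked_pan: str       # first 6 and last 4 digits only
    has_name: bool        # True only for Track 1, which carries the name field
    name: Optional[str]   # cardholder name as LAST/FIRST, if present
    luhn_ok: bool         # whether the account number passes the Luhn check


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; filters obvious junk out of a dump."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4; everything else becomes '*'."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(raw: str) -> Optional[TrackRecord]:
    """Return a TrackRecord for a Track 1 or Track 2 string, else None."""
    m = TRACK1_RE.match(raw)
    if m:
        return TrackRecord(1, mask_pan(m["pan"]), True, m["name"].strip(), luhn_ok(m["pan"]))
    m = TRACK2_RE.match(raw)
    if m:
        return TrackRecord(2, mask_pan(m["pan"]), False, None, luhn_ok(m["pan"]))
    return None


def triage(raw_records):
    """Count records by track type and how many expose a cardholder name."""
    summary = {"track1": 0, "track2_only": 0, "unparsed": 0, "named_cardholders": 0}
    for raw in raw_records:
        rec = parse_track(raw)
        if rec is None:
            summary["unparsed"] += 1
        elif rec.track == 1:
            summary["track1"] += 1
            summary["named_cardholders"] += 1
        else:
            summary["track2_only"] += 1
    return summary


# Constructed sample: standard test PANs, fictitious cardholder, one junk line.
SAMPLE_DUMP = [
    "%B4111111111111111^DOE/JANE^25121010000000000000?",
    ";4111111111111111=25121010000000000000?",
    ";5500000000000004=26021210000000000000?",
    "not a track record",
]

if __name__ == "__main__":
    for line in SAMPLE_DUMP:
        print(parse_track(line))
    print(triage(SAMPLE_DUMP))
```

Running it over the constructed dump reports one Track 1 record (the only one carrying a name), two Track 2 records and one unparsed line. A dump consisting entirely of Track 2 strings, like the one the post describes being sold, would show zero named cardholders, which is exactly the situation the quoted passage says may fall outside many states' notification triggers.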
no subject
Date: 2014-09-22 05:08 pm (UTC)
no subject
Date: 2014-09-27 10:49 pm (UTC)
I think this is a thing that needs to be forced at the US Congress level, that notification be required regardless of which track is compromised.
no subject
Date: 2014-09-28 11:50 pm (UTC)
no subject
Date: 2014-09-27 09:49 pm (UTC)
(Echoing back to my last entry's note about how "chip & pin" was absent in the US and Canada, but rolled out everywhere else, on the basis that transactions tended to be batched in much of the world, so the higher level of security was more profitable)
Regardless, that length of notification's ridiculous. Those involved in the exploit's concealment should be ashamed. (Not to mention the perpetrators)
no subject
Date: 2014-09-27 10:47 pm (UTC)
It won't happen, but a man can dream.
From what I've read on Krebs's site, C&P won't eliminate fraud, but it'll severely curtail it. Obviously end-to-end encryption won't solve it as the Target malware got into the POS system at the card reader level, before encryption would kick in. C&P should eliminate 'card present' transactions, but I don't know if it'll do anything against internet purchase fraud. Well, we'll have it mostly everywhere over here in about a year, so we'll see what happens.