thewayne: (Cyranose)
[personal profile] thewayne
Sears Holdings just announced it; there is no indication as to how many cards or a date range, but they are saying that no cards are yet being used fraudulently. We'll see how long that holds true. They're also saying only Track 2 data was compromised, so no personal identity info stolen that could promote ID theft, just simple credit theft. It was a point of sale hack, so either the same group that did Target/Michaels/Home Depot/etc. or someone using the same malware package.

The Dairy Queen breach was suspected in August but only now confirmed, with no indication of how long or how many cards were compromised. This one was a cash register compromise, so probably a different batch of crooks.

I just had my card replaced because of the Home Depot hack. We use Kmart as my wife's pharmacy, and both of us have used our cards there. So if our cards ever stop working, now we know why, and at least it's a good thing that our bank is actually being preemptive.

http://krebsonsecurity.com/2014/10/malware-based-credit-card-breach-at-kmart/

Date: 2014-10-11 03:45 pm (UTC)
From: [identity profile] porsupah.livejournal.com
You'd think, by now, there'd be far greater support for one-time use card numbers. Yet, from all I can tell, they've only been sporadically available in the US, and virtually never in the UK. Presumably, the fraud costs aren't large enough to warrant the changes in architecture. =:P

Still, maybe that's how things will indeed evolve - Apple Pay, f'rex, is based on tokens, so the information transferred at the time of transaction doesn't include the card number. With NFC finally being effectively mandated in the US shortly, perhaps the state of card processing will be dragged forward from this mire of "16 digits" "oh, plus these 3" "ah, no, you'll need a password too, and be able to give us three characters from it".

Date: 2014-10-12 04:24 pm (UTC)
From: [identity profile] thewayne.livejournal.com
I think the problem with one-time card nums is an architectural one, not unlike IPv4. I don't know the exact structure of card numbers, but I know the first four or more are the issuing merchant info, followed by the rest identifying the account. So you have a finite number remaining to identify the user account. I first heard of one-time numbers long before the likes of Amazon appeared and it never seemed to catch on. And now we have this mess.

I once heard of an interesting methodology that superficially seems good to me. All electronic, all with high crypto. I'm making a purchase at a merchant, the merchant sends me a packet identifying the transaction number and price, I transmit a packet that encapsulates that and authorizes it, it goes to my bank to authorize payment, which sends it to the merchant's bank and transfers the payment electrons. The merchant doesn't hold my payment account info, nor does the merchant's bank. Confirmation of payment flows back down the chain, and everything is solid, signed, crypto.

The problem is updating infrastructure, no one wants to pay the money, so they add layer upon layer of creaking and teetering old code. Look at how long IPv6 is taking for universal adoption, and how many security vulnerabilities are still being found in v4.
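The authorization flow described in the comment above, sketched as an added example (not code from the thread or from any real payment scheme). It assumes HMAC with pre-shared secrets as a standard-library stand-in for real digital signatures; the party names, keys and field names are hypothetical.

```python
# Added illustration: HMAC shared secrets stand in for signatures; all names are hypothetical.
import hashlib
import hmac
import json

def mac(key: bytes, obj: dict) -> str:
    """HMAC-SHA256 over canonical JSON (stand-in for a digital signature)."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Bank:
    """Customer's bank: the only party that maps customer_id to a real account."""
    def __init__(self, customer_keys, settlement_key):
        self.customer_keys = customer_keys    # customer_id -> shared secret
        self.settlement_key = settlement_key  # shared with the merchant side
        self.seen = set()                     # (merchant_id, txn_id) already paid

    def authorize(self, auth: dict):
        body, tag = auth["body"], auth["tag"]
        key = self.customer_keys.get(body["customer_id"])
        if key is None or not hmac.compare_digest(mac(key, body), tag):
            return None                       # forged or altered authorization
        inv = body["invoice"]
        ref = (inv["merchant_id"], inv["txn_id"])
        if ref in self.seen:
            return None                       # replay of an earlier authorization
        self.seen.add(ref)
        receipt = {"invoice": inv, "status": "paid"}
        return {"body": receipt, "tag": mac(self.settlement_key, receipt)}

def customer_authorize(customer_id, key, invoice):
    """Customer wraps the merchant's invoice and authenticates it for the bank."""
    body = {"customer_id": customer_id, "invoice": invoice}
    return {"body": body, "tag": mac(key, body)}

def merchant_accepts(settlement_key, invoice, receipt):
    """Merchant checks the confirmation is genuine and covers exactly its invoice."""
    return (receipt is not None
            and hmac.compare_digest(mac(settlement_key, receipt["body"]), receipt["tag"])
            and receipt["body"] == {"invoice": invoice, "status": "paid"})

def demo():
    cust_key, settle_key = b"constructed-customer-key", b"constructed-settlement-key"
    bank = Bank({"cust-1": cust_key}, settle_key)
    invoice = {"merchant_id": "m-42", "txn_id": "t-0001", "amount_cents": 1999}
    auth = customer_authorize("cust-1", cust_key, invoice)
    paid = merchant_accepts(settle_key, invoice, bank.authorize(auth))
    replayed = merchant_accepts(settle_key, invoice, bank.authorize(auth))
    tampered = {"body": {**auth["body"], "invoice": {**invoice, "amount_cents": 1}}, "tag": auth["tag"]}
    return paid, replayed, bank.authorize(tampered) is not None
```

The merchant only ever handles the invoice, an opaque authorization it cannot forge, and the bank's confirmation; a replayed or altered authorization is refused at the bank.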

Date: 2014-10-11 10:05 pm (UTC)
From: [personal profile] silveradept
Is this basically what we can look forward to for the foreseeable future? Everyone having credit data compromised regularly by thieves?

Date: 2014-10-12 04:15 pm (UTC)
From: [identity profile] thewayne.livejournal.com
I think we'll definitely be seeing more of this for the next 18 months, until the mandated USA chip & pin gets a chance to settle in. I think we'll also see more people switching to cash transactions, which will mean more profit for retailers and will also make banks higher value targets to try and slip into the ATM networks, so we'll find out how good their security is. And as Chase just got taken for some 40 million accounts, I think we know the answer to that.

Date: 2014-10-12 05:14 pm (UTC)
From: [personal profile] silveradept
Yeah. There's something to be said about how all these measures and protection elements seem to just shift focus instead of actually reducing the amount of crime and its possible payouts.
