Old 12-20-2013, 11:39 AM   #41
JakeBrake
Join Date: Sep 2008
Location: Southeast USA
Posts: 548
Don't blame Target. I haven't been to Target in months, but last week I discovered $9K of fraudulent charges on my Discover Card. I suspect a local restaurant, but I have no evidence to back that up yet. Discover says that I'm not responsible for the fraudulent charges. Discover closed that account and sent me a new card the next day. They said that because of the amount ($9K) they will probably want a police report. They will let me know. The fraudulent charges were made to online retailers all over the USA.

I manually enter all my transactions into Quicken every evening. Then, I download online every evening. If any downloaded transaction doesn't match my manually entered transactions, I immediately investigate. That's how I discovered the fraudulent charges.

Interestingly, the perpetrator had changed my account mailing address and contact phone number. The fraudulent mailing address and phone number were legitimate USA numbers. So, if Discover had called about the unusual charges, they would have been talking to the perpetrator. The Discover representative had to check my records before the fraudulent changes to establish my identity. The fraudulent charges and the changes to my account were all made the same day online. My account spending limit had not been reached.
__________________
Matthew 6:34 (KJV)
Take therefore no thought for the morrow: for the morrow shall take thought for the things of itself. Sufficient unto the day is the evil thereof.
Old 12-20-2013, 12:19 PM   #42
audreyh1
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,138
If this didn't occur at point of sale, but rather downstream from it, then why is sensitive info like CVC and PIN being passed downstream? Can't the POS terminal verify the transaction and not save those numbers? Poor security design. I guess they don't expect hackers?
__________________
Retired since summer 1999.
Old 12-20-2013, 12:24 PM   #43
Alan
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,121
Quote:
Originally Posted by audreyh1
Didn't know that. I am occasionally asked for it at point of sale.

If they are NOT supposed to store the CVV number by law, then these guys really need to straighten up! It would make it harder if the thieves didn't get their hands on the CVV.
If the code is a CSC code printed flat (not embossed) on the back of the card then that code is not embedded in the magnetic strip. Not sure what the CVV codes that were stolen in the article above were referring to.

Quote:
The second type of CSC is a three- or four-digit value printed on the front of the card or on the signature strip on the back. It is not encoded on the magnetic stripe but is printed flat, not embossed like the card number.
  • American Express cards have a four-digit code printed on the front side of the card above the number.
  • MasterCard, Visa, Diners Club, Discover, and JCB credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature panel of the card. New North American MasterCard and Visa cards feature the code in a separate panel to the right of the signature strip. This has been done to prevent overwriting of the numbers by signing the card.
Quote:
As a security measure, merchants who require the CVV2 for "card not present" payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized and completed. This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code, therefore employees and customer service representatives with access to these web-based payment interfaces who otherwise have access to complete card numbers, expiration dates, and other information still lack the CVV2 code.
Card security code - Wikipedia, the free encyclopedia
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
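As an added example (not code from the posts or from the Wikipedia article quoted above), here is what a stripe read actually contains and what a merchant may keep once the issuer has answered. The parser follows the ISO/IEC 7813 track 1 and track 2 layouts; the sample tracks, cardholder name, expiry, service code, discretionary data, auth code and log line are constructed, and 4111111111111111 is a standard test PAN. The discretionary field is where the stripe's own verification value (CVV1/CVC1, distinct from the printed CVV2) lives, which is why PCI DSS Requirement 3.2 forbids storing full track data, CVV2 or PIN blocks after authorization, and why the retained record below keeps only a truncated PAN, expiry and auth code. The scanner at the end is the check a practitioner runs over logs and memory dumps: a full track anywhere outside the payment path is exactly what memory-scraping POS malware collects.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// TrackData is the cleartext of a magnetic stripe (ISO/IEC 7813 layout).
// Discretionary carries issuer data including CVV1/CVC1: never store it.
type TrackData struct {
	PAN, Name, ExpiryYYMM, ServiceCode, Discretionary string
}

var (
	// anchored parsers for one track record
	track1Re = regexp.MustCompile(`^%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?$`)
	track2Re = regexp.MustCompile(`^;(\d{13,19})=(\d{4})(\d{3})(\d*)\?$`)
	// unanchored scanners: find track data leaking into logs, dumps, files
	track1Scan = regexp.MustCompile(`%B\d{13,19}\^[^^]{2,26}\^\d{7}[^?]*\?`)
	track2Scan = regexp.MustCompile(`;\d{13,19}=\d{7}\d*\?`)
)

// LuhnOK reports whether pan passes the Luhn check-digit test.
func LuhnOK(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return pan != "" && sum%10 == 0
}

// ParseTrack decodes a track 1 (%B...) or track 2 (;...) record and
// rejects PANs that fail Luhn, which catches most misreads.
func ParseTrack(raw string) (TrackData, error) {
	var td TrackData
	if m := track1Re.FindStringSubmatch(raw); m != nil {
		td = TrackData{m[1], m[2], m[3], m[4], m[5]}
	} else if m := track2Re.FindStringSubmatch(raw); m != nil {
		td = TrackData{PAN: m[1], ExpiryYYMM: m[2], ServiceCode: m[3], Discretionary: m[4]}
	} else {
		return td, errors.New("not a track 1 or track 2 record")
	}
	if !LuhnOK(td.PAN) {
		return td, errors.New("PAN fails Luhn check")
	}
	return td, nil
}

// MaskPAN keeps first six and last four digits, the most PCI DSS allows
// to be shown or stored in the clear.
func MaskPAN(pan string) string {
	if len(pan) < 13 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// PostAuthRecord is all a merchant may keep after authorization: no track
// data, no CVV/CVC, no PIN block, PAN truncated (PCI DSS Requirement 3.2).
type PostAuthRecord struct {
	MaskedPAN, ExpiryYYMM, AuthCode string
}

func Retain(td TrackData, authCode string) PostAuthRecord {
	return PostAuthRecord{MaskPAN(td.PAN), td.ExpiryYYMM, authCode}
}

// ContainsTrackData flags text that still holds a full track, which is what
// POS memory scrapers and careless debug logging both leak.
func ContainsTrackData(s string) bool {
	return track1Scan.MatchString(s) || track2Scan.MatchString(s)
}

func main() {
	// Constructed samples; 4111111111111111 is a standard test PAN.
	for _, raw := range []string{
		"%B4111111111111111^DOE/JOHN^25121011234567890?",
		";4111111111111111=25121011234567890?",
	} {
		if td, err := ParseTrack(raw); err == nil {
			fmt.Printf("stripe: %+v\nkeep:   %+v\n", td, Retain(td, "A1B2C3"))
		}
	}
	line := "pos01 auth ok raw=;4111111111111111=25121011234567890? amt=19.99"
	fmt.Println("track data in log line:", ContainsTrackData(line))
}
```

Save as main.go and `go run main.go`. Feeding ContainsTrackData the masked record instead of the raw read returns false, which is the property a post-authorization store or a log sink should be tested for.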
Old 12-20-2013, 12:44 PM   #44
walkinwood
Join Date: Jul 2006
Location: Denver
Posts: 3,518
Maybe this Target incident will provide the impetus to move to smart cards in the US.
Old 12-20-2013, 03:19 PM   #45
Chuckanut
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,245
From the Consumerist blog

Quote:
The card numbers are being sold in batches of one million each, and commanding prices of $20 to $100 per card (so, $20 million to $100 million per batch).

More information from the guy who broke the story is here:
Cards Stolen in Target Breach Flood Underground Markets — Krebs on Security

Quote:
his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts from a well-known “card shop” — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.

Quote:
Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.

Quote:
Like other card shops, this store allows customers to search for available cards using a number of qualifications, including BIN; dozens of card types (MasterCard, Visa, et al.); expiration date; track type; country; and the name of the financial institution that issued the card.
__________________
Comparison is the thief of joy

The worst decisions are usually made in times of anger and impatience.
Old 12-20-2013, 03:36 PM   #46
rbmrtn
Join Date: Jul 2012
Location: Mississippi
Posts: 1,894
And now the email from Target explaining the problem and warning is being copied as a phishing scam.

http://www.marketwatch.com/story/sca...dist=afterbell
Old 12-20-2013, 03:45 PM   #47
sengsational
Join Date: Oct 2010
Posts: 10,718
Those that DID get hit with unauthorized charges (from Target or TJ Maxx or any of the other places that have insufficient technology protections) get hit with the inconvenience of straightening out those transactions. But EVERYBODY with any kind of plastic gets hit with the cost of these breaches. Usually, the money from those unauthorized transactions is gone-gone, and that makes for higher fees to retailers. And of course they need to pass on those costs to consumers. We all pay when a retailer can't secure their data.

Why-o-why doesn't the US adopt chip and pin?
Old 12-20-2013, 04:06 PM   #48
eridanus
Join Date: Jan 2004
Posts: 2,049
The debit card PIN should be encrypted at the card reader and sent as a "block" to the issuing bank. Target's readers obviously didn't do this. As Alan noted, they probably kept the CVV digits too (and unencrypted?!?).

PCI compliance score = F
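As an added example (not from eridanus's post and not any Target system), here is the mechanism the post describes: an ISO 9564-1 format 0 PIN block, built from PIN and PAN inside the PIN entry device and encrypted there under a PIN key with triple DES, so that only the encrypted block travels to the acquirer and issuer. The PAN, PIN and key are constructed (the PAN is a standard test number); a real terminal derives a fresh key per transaction with DUKPT (ANSI X9.24) and the acquirer's HSM translates the block to the issuer's zone key rather than decrypting it in software. The decode function shows the flip side of the post's point: a cleartext block kept anywhere downstream is the PIN, because the only other ingredient is the PAN sitting on the same stripe.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

func digitsOnly(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return s != ""
}

// panField is the ISO 9564-1 PAN part: 0000 then the rightmost twelve PAN
// digits, excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !digitsOnly(pan) {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// PINBlock0 builds a cleartext format 0 block:
// (0 | PIN length | PIN digits | F padding) XOR (0000 | 12 PAN digits).
func PINBlock0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !digitsOnly(pin) {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	pf := fmt.Sprintf("0%X%s", len(pin), pin)
	pinBytes, _ := hex.DecodeString(pf + strings.Repeat("F", 16-len(pf)))
	panBytes, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = pinBytes[i] ^ panBytes[i]
	}
	return block, nil
}

// PINFromBlock0 recovers the PIN from a cleartext format 0 block. Only the
// PAN is needed, and it is on the same stripe: a cleartext block that gets
// logged, stored or scraped is as good as the PIN itself.
func PINFromBlock0(block []byte, pan string) (string, error) {
	panBytes, err := panField(pan)
	if err != nil || len(block) != 8 {
		return "", errors.New("bad PAN or PIN block length")
	}
	field := make([]byte, 8)
	for i := range field {
		field[i] = block[i] ^ panBytes[i]
	}
	h := strings.ToUpper(hex.EncodeToString(field))
	n := strings.IndexByte("0123456789ABCDEF", h[1])
	if h[0] != '0' || n < 4 || n > 12 {
		return "", errors.New("not a format 0 PIN block")
	}
	if pin := h[2 : 2+n]; digitsOnly(pin) && strings.Trim(h[2+n:], "F") == "" {
		return pin, nil
	}
	return "", errors.New("corrupt PIN block (wrong key or PAN?)")
}

// tdes is one TDES ECB block operation, which is all an encrypted PIN block
// (EPB) is: the 8-byte block under a 16-byte (K1|K2) PIN encryption key.
func tdes(k16, in []byte, decrypt bool) ([]byte, error) {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, k16...), k16[:8]...))
	if err != nil || len(in) != 8 {
		return nil, errors.New("need a 16-byte key and an 8-byte block")
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// EncryptPINBlock is what the PIN entry device does before the block leaves
// its tamper-resistant boundary; DecryptPINBlock is the host/HSM side.
func EncryptPINBlock(k16, block []byte) ([]byte, error) { return tdes(k16, block, false) }
func DecryptPINBlock(k16, epb []byte) ([]byte, error)   { return tdes(k16, epb, true) }

// SampleKey is a constructed demo key; real terminals derive one per
// transaction (DUKPT) inside the PED and never expose it.
var SampleKey, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")

func main() {
	pan, pin := "4111111111111111", "1234" // constructed; standard test PAN
	clear, _ := PINBlock0(pin, pan)
	epb, _ := EncryptPINBlock(SampleKey, clear)
	fmt.Printf("clear block %X (PIN falls out given the PAN)\n", clear)
	fmt.Printf("encrypted   %X (what may leave the reader)\n", epb)
	back, _ := DecryptPINBlock(SampleKey, epb)
	recovered, _ := PINFromBlock0(back, pan)
	fmt.Println("host recovers PIN:", recovered)
}
```

The XOR with the PAN is not secrecy, it only ties the block to one card; everything that protects the PIN is the key inside the reader. Calling PINFromBlock0 on the encrypted block with the right PAN fails, and that failure is the only acceptable outcome for anything a merchant stores.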
Old 12-20-2013, 04:18 PM   #49
REWahoo
Join Date: Jun 2002
Location: Texas: No Country for Old Men
Posts: 50,021
I see an announcement that starting December 21, Target retail stores will take 10% off storewide due to the recent in-store security breach.

A Message from CEO Gregg Steinhafel about Target

Suggestion: If you take them up on the offer, don't use plastic to pay for it.
__________________
Numbers is hard
Old 12-20-2013, 04:22 PM   #50
Midpack
Join Date: Jan 2008
Location: NC
Posts: 21,286
I wonder if Square (I have used) and/or eWallet (not used yet, but looking forward to it if secure) are any more secure?
__________________
No one agrees with other people's opinions; they merely agree with their own opinions -- expressed by somebody else. Sydney Tremayne
Retired Jun 2011 at age 57

Target AA: 50% equity funds / 45% bonds / 5% cash
Target WR: Approx 1.5% Approx 20% SI (secure income, SS only)
Old 12-20-2013, 04:39 PM   #51
audreyh1
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,138
Quote:
Originally Posted by eridanus
The debit card PIN should be encrypted at the card reader and sent as a "block" to the issuing bank. Target's readers obviously didn't do this. As Alan noted, they probably kept the CVV digits too (and unencrypted?!?).

PCI compliance score = F
So - here we have a merchant that was ignoring PCI compliance for whatever reason.

All the criminals had to do was keep targeting merchants until they found one with poor compliance.

Can't believe these merchants are so sloppy with their systems. Who are they buying their software from?!?!?!?!
Old 12-20-2013, 04:58 PM   #52
aja8888
Join Date: Apr 2011
Location: Conroe, Texas
Posts: 18,713
Quote:
Originally Posted by audreyh1
Can't believe these merchants are so sloppy with their systems. Who are they buying their software from?!?!?!?!
Probably the same guys that designed the ACA website...
Old 12-20-2013, 06:07 PM   #53
Alan
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,121
Quote:
Originally Posted by sengsational
Why-o-why doesn't the US adopt chip and pin?
October 2015 is the deadline for merchants, and I'd read somewhere else that it's a year later for pay-at-pump gas stations.

U.S. rolling out chip card technology, ever so slowly

Quote:
Concern about the upswing in credit card fraud is one reason U.S.-based card issuers, financial institutions and retailers have set a deadline of October 2015 to put an EMV payment system in place. That's when liability for counterfeit fraud shifts from the issuers to merchants and their acquirers if their equipment does not support EMV.
Old 12-20-2013, 07:38 PM   #54
ERD50
Join Date: Sep 2005
Location: Northern IL
Posts: 26,885
Quote:
Originally Posted by eridanus
The debit card PIN should be encrypted at the card reader and sent as a "block" to the issuing bank. Target's readers obviously didn't do this. As Alan noted, they probably kept the CVV digits too (and unencrypted?!?).

PCI compliance score = F
Quote:
Originally Posted by audreyh1
So - here we have a merchant that was ignoring PCI compliance for whatever reason.

All the criminals had to do was keep targeting merchants until they found one with poor compliance.

Can't believe these merchants are so sloppy with their systems. Who are they buying their software from?!?!?!?!
Are you jumping to conclusions?

It seems that the Target systems were hacked. So we can't say that these issues of not encrypting the PIN, or any other issues were the fault of Target (other than allowing their system to get hacked in the first place).

-ERD50
Old 12-20-2013, 07:50 PM   #55
audreyh1
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,138
Quote:
Originally Posted by ERD50
Are you jumping to conclusions?

It seems that the Target systems were hacked. So we can't say that these issues of not encrypting the PIN, or any other issues were the fault of Target (other than allowing their system to get hacked in the first place).

-ERD50
Yes, in my case I was definitely jumping to conclusions.

Why does the system have to keep any PINs? Once the transaction is verified at the POS terminal, why would this info be passed to the next level.

Someone pointed out CVV codes were not supposed to be saved according to PCI compliance rules.

And yes, I'm assuming it was hacked "downstream" from the terminals given the number of terminals involved.
Old 12-20-2013, 08:02 PM   #56
MichaelB
Join Date: Jan 2008
Location: Chicagoland
Posts: 40,696
Quote:
Originally Posted by audreyh1
Yes, in my case I was definitely jumping to conclusions.

Why does the system have to keep any PINs? Once the transaction is verified at the POS terminal, why would this info be passed to the next level.

Someone pointed out CVV codes were not supposed to be saved according to PCI compliance rules.

Yes, I'm assuming it was hacked "downstream" from the terminals.
I recall a breach a few years ago with IBM POS terminals where the application SW was storing customer information that was specifically prohibited in the agreement with the CC company. It would not be a surprise to find out this still happens. This is a world of little regulation and no requirement for disclosure, so we have no way to know.
__________________
“In economics, things take longer to happen than you think they will, and then they happen faster than you thought they could.”

― Rudiger Dornbusch
Old 12-20-2013, 08:36 PM   #57
Rustward
Join Date: Apr 2006
Posts: 1,684
Quote:
Originally Posted by ERD50
Are you jumping to conclusions?

It seems that the Target systems were hacked. So we can't say that these issues of not encrypting the PIN, or any other issues were the fault of Target (other than allowing their system to get hacked in the first place).

-ERD50
You make a very good point, ERD50.

Until we know what happened, we do not know what happened.

I have worked in some very large IT installations, including one whose company used a red bull's eye logo, for a couple of years in the late 1990s. But I didn't work with POS or PCI; however, I did some repair work to Lullaby Club and Club Wed -- AKA Gift Registry, even though that was not what I was there for (I was there for infrastructure) -- but I had to fix the Club stuff to get the other groups to cooperate.

It is so easy to be an internet expert these days.

If anyone thinks it is so easy, just go try it in real life, and report your experience.
Old 12-20-2013, 09:29 PM   #58
Chuckanut
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,245
Quote:
Originally Posted by audreyh1
And yes, I'm assuming it was hacked "downstream" from the terminals given the number of terminals involved.
According to a source of the WSJ, malware made its way to the POS terminals, the devices customers swipe their credit cards on when buying something. If this is correct, it seems that the criminals found a way to sneak the malware into each 'cash register'.
Old 12-21-2013, 04:02 AM   #59
audreyh1
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,138
Quote:
Originally Posted by Chuckanut
According to a source of the WSJ, malware made its way to the POS terminals, the devices customers swipe their credit cards on when buying something. If this is correct, it seems that the criminals found a way to sneak the malware into each 'cash register'.
1700 of them?

"Made its way" implies it was downloaded somehow I suppose.

Certainly if the system was hacked in such a way that malware was downloaded to the POS terminals all bets are off in terms of any type of security.
Old 12-21-2013, 09:34 AM   #60
MRG
Join Date: Apr 2013
Posts: 11,078
Quote:
Originally Posted by Rustward
You make a very good point, ERD50.

Until we know what happened, we do not know what happened.

I have worked in some very large IT installations, including one whose company used a red bull's eye logo, for a couple of years in the late 1990's. But I didn't work with POS or PCI, however, I did some repair work to Lullaby Club and Club Wed -- AKA Gift Registry, even though that was not what I was there for (I was there for infrastructure) -- but I had to fix the Club stuff to get the other groups to cooperate.

It is so easy to be an internet expert these days.

If anyone thinks it is so easy, just go try it in real life, and report your experience.
It ain't easy. Our systems were supposed to adhere to PCI, even though they had nothing to do with CC. What a challenge: the audit firm had Windows experience, and we didn't run on Windows. Then the tech teams had to attempt to figure out how to comply with an issue that couldn't happen on these types of systems.

I worked on SSAE and SOC audits, they were about as much fun as having your teeth ground off.

Have to agree with ERD50 and Rustward, the exact issue hasn't been published. Now audits like SSAE do address controls to prevent unauthorized access. There's a difference between a control and its implementation.

MRG