The High Cost of Covering Up a Breach
While searching for a topic to share with you this month, we ran our usual searches: payment card breaches, top breaches of 2018, causes of payment card breaches. And, as usual, we got a long list of major retailers who have been breached, ranging from Target to Macy’s to Cheddar’s. What wasn’t usual was that no new breaches had been reported. We’re not naïve enough to think there won’t be one any day now, but it’s nice to see the pace slowing down.
That being the case, we’ve turned our attention to the cost of data breaches. It was reported this week that Uber, having been accused of intentionally concealing a data breach in 2016, has agreed to pay $148 million to settle the investigation. The settlement payment will be split among the states. According to the New York attorney general, it’s the largest ever multi-state data breach settlement.
"Uber's decision to cover up this breach was a blatant violation of the public's trust," California Attorney General Xavier Becerra said in announcing the settlement. "The company failed to safeguard user data and notify authorities when it was exposed."
The Federal Trade Commission investigated allegations that the ride-share company violated breach notification laws by intentionally withholding information about the breach, in which hackers stole the personal information of 57 million users. Uber did not disclose the breach until late 2017, when it was also revealed that Uber had paid the hackers $100,000 to destroy the data.
In addition to the hefty financial payout, Uber has agreed to develop and implement a corporate integrity program for employees to report unethical behavior. Uber also has agreed to adopt model data breach notification and data security practices, and to hire an independent third party to assess its data security practices.
Another Day, Another Restaurant Breach
Cheddar’s Scratch Kitchen announced this month that it has joined the long, growing list of restaurants that have fallen victim to hackers. On August 16, 2018, federal authorities notified Darden, Cheddar’s parent company, of a possible incident. Darden hired a third-party investigator, who determined that a breach had in fact occurred.
While the incident is still under investigation, it’s currently thought to have occurred between November 3, 2017 and January 2, 2018, and to have exposed payment card data for as many as 567,000 customers in 23 states. It is widely believed that a legacy point-of-sale system gave hackers access to Cheddar’s old network. That network was permanently disabled in April of 2018.
Cheddar’s Scratch Kitchen is owned by Orlando-based Darden Restaurants Inc., which owns other well-known restaurants including Olive Garden, Bahama Breeze, LongHorn Steakhouse, and The Capital Grille. Darden purchased Cheddar’s Scratch Kitchen in April of 2017, and it’s believed that the breach occurred on Cheddar’s legacy systems before they were upgraded and integrated into Darden’s.
Card-Not-Present Fraud Continues to Rise
Macys.com and bloomingdales.com, both owned by Macy’s, are among the most recent sites to fall victim to a breach via “account takeover fraud”. On June 11, a threat-alerting tool that Macy’s uses detected suspicious login activity across many customers’ online accounts.
After further investigation, Macy’s found that a third party had used customers’ valid usernames and passwords to access their online shopping accounts between April 26 and June 12. This gave the unauthorized party access to those customers’ names, addresses, phone numbers, email addresses, birthdays, and credit and debit card numbers with expiration dates. Macy’s investigators said the usernames and passwords did not come from Macy’s; the third party gathered them elsewhere. That is the pattern of credential stuffing: credentials leaked from one site are replayed against another, and succeed wherever customers reused the same password.
Macy’s blocked accounts with suspicious activity and sent emails to those customers informing them of the breach and that their accounts would continue to be blocked until they changed their passwords. They also recommended to these customers that if they used the same password for any of their other online accounts, they should be changed immediately.
With card-not-present fraud increasing since the rollout of EMV chip cards, the threat to e-commerce companies, and to consumers, has also increased. Disabling access to accounts until passwords are changed is a good first step, but it’s also closing the barn door after the horses have escaped. Many security experts recommend two-factor authentication as a means of restoring consumers’ trust in online shopping and of making it much harder to take over an account with a password alone; watching for one source that tries many different usernames in a short time can also catch a credential-stuffing run while it is still under way.
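The pattern Macy’s alerting caught, as an added example that is not Macy’s code and is not part of the original newsletter: a detector that groups login attempts by source address, flags any source that tries many different usernames with a high failure ratio inside a short window, and lists the accounts that source successfully entered (the ones to lock until the customer resets their password). The log format, the addresses and the thresholds are assumptions made for illustration.

```python
"""Credential-stuffing detector run over a constructed login log.

Added example, not code from Macy's or from the original newsletter. The
log format, the source addresses and the thresholds are assumptions made
for illustration; tune the thresholds to your own traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed: judge each source over 10 minutes
MIN_DISTINCT_ACCOUNTS = 5        # assumed: one source touching 5+ accounts
MIN_FAILURE_RATIO = 0.5          # assumed: at least half the attempts fail


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse the assumed format: '<ISO timestamp> <source IP> <username> <OK|FAIL>'."""
    ts, ip, user, result = line.split()
    return LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK")


# Constructed sample log. 203.0.113.7 replays leaked credentials against eight
# different accounts in a few seconds and gets in twice (carol, frank): the
# stuffing pattern. 198.51.100.4 is a real user who mistyped once, and
# 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
2018-06-11T02:00:01 203.0.113.7 alice FAIL
2018-06-11T02:00:02 203.0.113.7 bob FAIL
2018-06-11T02:00:02 203.0.113.7 carol OK
2018-06-11T02:00:03 203.0.113.7 dave FAIL
2018-06-11T02:00:04 203.0.113.7 erin FAIL
2018-06-11T02:00:05 203.0.113.7 frank OK
2018-06-11T02:00:05 203.0.113.7 grace FAIL
2018-06-11T02:00:06 203.0.113.7 heidi FAIL
2018-06-11T02:05:00 198.51.100.4 ivan FAIL
2018-06-11T02:05:10 198.51.100.4 ivan OK
2018-06-11T03:00:00 192.0.2.9 judy OK
"""


def detect_stuffing(lines):
    """Return {source_ip: [accounts it logged into]} for every source whose
    activity inside some WINDOW looks like a stuffing run: many distinct
    usernames and a high failure ratio from a single address."""
    events = sorted((parse_line(line) for line in lines if line.strip()),
                    key=lambda e: e.ts)
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.src_ip].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most WINDOW.
            while evs[end].ts - evs[start].ts > WINDOW:
                start += 1
            window = evs[start:end + 1]
            distinct = {e.username for e in window}
            failures = sum(1 for e in window if not e.success)
            if (len(distinct) >= MIN_DISTINCT_ACCOUNTS
                    and failures / len(window) >= MIN_FAILURE_RATIO):
                taken_over = {e.username for e in window if e.success}
                findings[ip] = sorted(set(findings.get(ip, ())) | taken_over)
    return findings


def accounts_to_lock(lines):
    """Every account a flagged source successfully logged into: block these
    until the customer resets their password."""
    return sorted({u for users in detect_stuffing(lines).values() for u in users})


if __name__ == "__main__":
    for ip, users in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: stuffing run, accounts to lock: {', '.join(users)}")
```

Note that the single failed-then-successful login from 198.51.100.4 is not flagged: one user getting their own password wrong is not the pattern, and a threshold that fired on it would lock out legitimate customers. Real deployments add the same logic per user-agent and per /24, since stuffing tools rotate addresses.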
A New Twist on Breaches?
We are seeing more and more breaches that do not involve financial data, but instead aim to extort money from the breached company in exchange for not leaking its customers’ personal data.
Earlier this month the well-known ticket website Ticketfly, which is owned by Eventbrite, had to take its site offline due to a data breach. According to its press release, the breach exposed more than 26 million customers’ names, addresses, email addresses and phone numbers. Ticketfly also said that a third-party forensic firm confirmed that neither passwords nor credit card information had been compromised.
The hacker responsible sent an email to Ticketfly saying that a security flaw had been found and that, if a ransom of 1 Bitcoin (worth roughly $7,500 at the time) was paid, a fix would be provided. When the email was ignored, the hacker breached the site. On May 31, the hacker, using the handle IsHaKdZ, defaced the website’s homepage with an image of V, the Guy Fawkes-masked anarchist from the film V for Vendetta. The defacement caused the site to be shut down.
Upon further investigation, the company found that customers’ personal information had been uploaded to a public server in plain text. The hacker has threatened to release more information if the company does not meet the ransom demands.
Just this week, Adidas warned millions of US customers of a potential data breach. A press release announced that an “unauthorized party” claims to have acquired customer data from its U.S. website. According to a preliminary investigation, the data is not believed to include credit card data.
What’s different in these scenarios is how the breach comes to light. Typically a victim learns of a breach after the fact, from law enforcement, from customers, or from its acquirer if payment card data is involved. In these cases, the hacker is the one telling the company that its data has been taken, and in Ticketfly’s case threatening to expose it if the ransom isn’t paid.
While we all can agree that it may never be possible to stop all breaches, Online Trust Alliance reports that “93% of all breaches in 2017 could have been avoided with simple cyber hygiene practices, such as regularly updating software, blocking fake email messages, and training employees to recognize phishing attacks”.
Baby Back Ribs with a Side of Breach?
Brinker International, owner of Chili’s Grill & Bar, announced earlier this month that it had recently discovered it was the victim of a payment card breach. At the time of the press release, Chili’s had not yet determined the full extent of the breach. The company believes the breach was caught relatively quickly, estimating that it occurred during March and April of this year.
It appears that malware infected the POS system and compromised payment card data from customers making in-store purchases. The information compromised most likely included credit or debit card numbers and cardholder names, and potentially expiration dates and the card verification value encoded on the magnetic stripe (the one malware reads from track data, not the printed code used for online purchases). Fortunately, Chili's doesn't collect personal information like Social Security numbers, state or federal IDs or birthdates, so that information was not included in the breach. The company is working with law enforcement and a third-party forensics team to determine the full scope of the breach.
"This is another example of the new normal. However, it once again reinforces the need for organizations to deploy a multi-layered approach to protecting their cyber-posture," Mukul Kumar, chief information security officer and vice president of Cyber Practice at Cavirin, told eWEEK, a trusted information resource in the IT industry.
"Although Chili's itself may implement best-in-class security, they must also ensure that their vendors do the same," Kumar said.
eWEEK goes on to report that Chris Roberts, chief security architect at Acalvio, said he assumes that Chili's was PCI-DSS compliant and yet it was still breached. It's still too easy to tamper with PoS systems as there are still many issues, such as lack of patching and insecure defaults, Roberts said.
"Frankly, it's still too easy to gain access to PoS systems in restaurants," Roberts told eWEEK. "Access to a PoS system and its ability to repel malware is still not where it needs to be."
For organizations looking to improve PoS security, there are several things that can be done, according to Erin Swanson, senior director of marketing at Demisto. eWEEK reports that Swanson recommends training staff to better identify typical fraudulent activity, safeguarding POS equipment and surrounding areas, and installing security cameras to deter thieves in the first place.
Secret Service Warns of Chip Card Switch
The U.S. Secret Service has alerted financial institutions to a new scam involving chip cards. Thieves have found a way to swap the chip in a valid, not-yet-activated card for a dead one, keep the real chip, and then go on a spending spree once the legitimate recipient activates the card.
Brian Krebs of KrebsOnSecurity reports that thieves use these steps to steal and modify the cards:
1. Criminals intercept mail sent from a financial institution to large corporations that contains payment cards, targeting debit cards with access to large amounts of funds.
2. The chip is removed from the debit payment card using a heat source that warms the glue.
3. A new, invalid, chip is inserted on the payment card, and the card is repackaged for delivery.
4. The stolen chip is inserted on an old payment card in the crook’s possession.
5. The corporation receives the debit payment card without realizing the chip has been replaced.
6. The corporate office activates the debit payment card; however, the card in its possession is inoperable thanks to the dead chip.
7. Criminals use the payment card with the stolen chip for their personal gain once the corporate office activates the card.
One would think it would be easier to just use the cards intercepted from the mail; however, the thieves usually don’t have the privileged information needed to activate them. Done this way, the legitimate user activates the card, and then the thieves take over.
Book a Breach with your Travel?
Orbitz announced that a breach was discovered on March 1, 2018. It believes that, as a result, as many as 880,000 customers may have had their personal information compromised. The breach affected information stored on its legacy consumer platform, as well as information stored for its travel partners’ sites, including amextravel.com. In addition to credit card numbers, attackers also had access to phone numbers, email addresses, birth dates, gender, and physical and billing addresses. Information submitted between January 1 and June 22, 2016 on the consumer platform, and between January 1, 2016 and December 22, 2017 on partner platforms, is believed to be at risk.
While Orbitz did not disclose the cause of the breach, industry executives believe either an Orbitz partner is to blame, or that an internal staffer's credentials were compromised.
"Orbitz mentions it believes the hacker got into the ‘Orbitz consumer and business partner platform.' It's not entirely clear to me what the company is referring to, but by the sounds of it third parties are able to access Orbitz customer information, which for some reason includes payment card details. Orbitz hasn't provided any additional details about how the breach occurred, but I suspect one of the partners on this platform was compromised,” said Paul Bischoff, privacy advocate at Comparitech.com.
However, Perry Chaffee, VP of strategy at authentication company WWPass, believes that the information was stored in a database that was most likely accessible to "trusted" admins who may have been compromised without their knowledge, and that database was probably also accessible on the back end.
“According to Verizon's DBIR, there's an 81 percent probability that the compromised credentials of a trusted admin were the root cause of this attack. There's a 19 percent chance that access resulted from a more complex back-end attack, but I'd be more focused on the 4/5 chance that an admin's password was guessed, stolen, intercepted, or cracked,” he said.
The breach has not only exposed personal and payment data, it’s had an effect on Expedia, Orbitz’s parent company. As of March 26, 2018, Expedia stockholders have seen their shares drop 3% since the announcement was released.
A New Malware Threat on the Horizon
Investigators at Forcepoint, a security vendor based in Austin, Texas, have uncovered a new POS malware strain that hides its stolen data inside ordinary-looking DNS traffic. The malware, which Forcepoint named UDPoS, packs the data it steals into Domain Name System (DNS) queries, the lookups a computer performs when it resolves an Internet address, so the exfiltration blends in with traffic that most networks allow out without inspection. According to Luke Somerville, Forcepoint’s Head of Special Investigations, the malware scrapes a computer’s memory and other running processes looking for magnetic-stripe (track) data. He also believes that point-of-sale systems running a Windows-based operating system are the most vulnerable.
Somerville goes on to say “UDPoS appears to have drawn inspiration from several other POS malware families, so while none of the individual features are entirely unique the combination of them appears to be a deliberate attempt to draw together successful elements of other campaigns. The malware contains a hard-coded list of AV and virtualization products to detect (a common feature of many strains of malware) but owing to a coding error only appears to look for the first item in this list.”
Somerville said it's unclear whether this reflects the malware still being in relatively early stages or is simply a developer's error. While researchers haven’t been able to confirm who is behind the malware, they are working to build awareness of it to help protect others. Likely targets include POS terminals in large chains such as retailers, hotels, and restaurants.
“As distributed enterprises, retail and hotel chains have hundreds and thousands of sites with POS devices at the register and mobile: this is a big business problem for enterprises as well as small businesses,” Somerville said. “A good firewall would detect and prevent the DNS exfiltration, and thoughtful patching and administration practices would stop the fake service pack being installed.”
Forcepoint was not able to identify the malware’s origin, where it’s being distributed from or which type of organizations are the intended targets. Somerville stated, “It seems as if the authors of this family of malware did their research, looked at what was successful in other POS malware families, and put it all together in a successful campaign.”
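What spotting the DNS exfiltration Somerville mentions looks like in practice, as an added example that is not Forcepoint’s code, not part of the original newsletter, and not specific to UDPoS: a heuristic detector that groups queries by client and registered domain and flags pairs whose leftmost labels are long, high-entropy and almost never repeat, which is what data chunked into subdomains of an attacker’s zone looks like. The log format, the thresholds and the domain names are assumptions; the hex labels stand in for whatever encoding a real sample uses.

```python
"""Heuristic detector for DNS-tunnelled exfiltration, run over a constructed
query log.

Added example, not Forcepoint's code and not from the original newsletter.
The log format, the thresholds and the domains are assumptions; the hex
labels stand in for whatever encoding a real sample uses.
"""
import math
from collections import Counter, defaultdict

MIN_QUERIES = 8          # assumed: ignore client/domain pairs with little traffic
MIN_UNIQUE_RATIO = 0.9   # assumed: nearly every query is a never-before-seen name
MIN_LONG_RATIO = 0.8     # assumed: most leftmost labels are unusually long
MIN_LABEL_LEN = 30       # assumed: what counts as "unusually long"
MIN_ENTROPY = 3.5        # assumed: bits per character; hex encoding tops out at 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores far above words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels. Assumption for the example; a real deployment should
    use the public suffix list so that names under 'co.uk' group correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def detect_dns_exfil(lines):
    """Group queries by (client, registered domain) and flag pairs whose
    leftmost labels are long, high-entropy and almost never repeat."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "long": 0, "entropy": 0.0})
    for line in lines:
        if not line.strip():
            continue
        # Assumed format: '<timestamp> <client IP> <query name> <query type>'
        _ts, client, qname, _qtype = line.split()
        s = stats[(client, registered_domain(qname))]
        left = qname.split(".")[0]
        s["queries"] += 1
        s["names"].add(qname.lower())
        s["long"] += len(left) >= MIN_LABEL_LEN
        s["entropy"] += shannon_entropy(left)

    flagged = []
    for (client, domain), s in stats.items():
        if s["queries"] < MIN_QUERIES:
            continue
        unique_ratio = len(s["names"]) / s["queries"]
        long_ratio = s["long"] / s["queries"]
        mean_entropy = s["entropy"] / s["queries"]
        if (unique_ratio >= MIN_UNIQUE_RATIO and long_ratio >= MIN_LONG_RATIO
                and mean_entropy >= MIN_ENTROPY):
            flagged.append({"client": client, "domain": domain,
                            "queries": s["queries"],
                            "mean_entropy": round(mean_entropy, 2)})
    return flagged


# Constructed sample. The exfil labels are 40-character windows over a repeating
# hex alphabet, standing in for encoded card data: each is unique and high-entropy.
# The two benign groups show why a single feature is not enough: one has unique
# names but short labels, the other repeats a single name.
_HEX = "0123456789abcdef"
_CHUNKS = [(_HEX * 4)[i:i + 40] for i in range(10)]
SAMPLE_LOG = (
    [f"2018-02-01T10:00:{i:02d} 10.0.0.5 img{i}.static-example.net A" for i in range(10)]
    + [f"2018-02-01T10:00:{i + 20:02d} 10.0.0.5 www.example.com A" for i in range(10)]
    + [f"2018-02-01T10:01:{i:02d} 10.0.0.5 {c}.s1.exfil-example.test TXT"
       for i, c in enumerate(_CHUNKS)]
)

if __name__ == "__main__":
    for hit in detect_dns_exfil(SAMPLE_LOG):
        print(hit)
```

Run against a resolver’s query log, the detector points at the client and the attacker’s zone rather than at individual queries, which is what you need in order to block the zone at the firewall and pull the infected register off the network. Content-delivery and anti-virus update domains generate many unique names too, so an allow-list of known domains belongs in front of this logic.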
Last month marked the fourth anniversary of the Target breach, which ultimately was found to involve as many as 40 million credit and debit cards. Since then, we’ve seen cybercriminals shift from targeting big-box retailers to going after small to mid-sized merchants.
Four years later, not much else has changed. The largest sellers of stolen cards still index most of their cards by ZIP code, though not the one you’re probably thinking of. Rather than the ZIP code of the billing address, they use the ZIP code of the hacked store where the card was physically swiped. Why? Because buyers of this data prefer cards issued to people in their own geographic area: a card number used near the breached store sets off fewer alarms at the issuing bank, since the cardholder most likely lives near the store where they shopped.
Brian Krebs, with KrebsonSecurity, reports “popular carding store Joker’s Stash had just posted a new batch of cards dubbed “Dynamittte,” which boasted some 7 million cards advertised as “100 percent” valid — meaning the cards were so fresh that even the major credit card issuers probably didn’t yet know which retail or restaurant breach caused this particular breach.
Translation: These stolen cards were far more likely to still be active and useable after fraudsters encode the account numbers onto fake plastic and use the counterfeits to go shopping in big box stores.”
Krebs went on to say, “I pinged a couple of sources who track when huge new batches of stolen cards hit the market, and both said the test cards they’d purchased from the Joker’s Stash Dynamittte batch mapped back to customers who all had one thing in common: They’d all recently eaten at a Jason’s Deli location.
Jason’s Deli is a fast casual restaurant chain based in Beaumont, Texas, with approximately 266 locations in 28 states. Seeking additional evidence as to the source of the breach, I turned to the Jason’s Deli Web site and scraped the ZIP codes for their various stores across the country. Then I began comparing those ZIPs with the ZIPs tied to this new Dynamittte batch of cards at Joker’s Stash.
Checking my work were the folks at Mindwise.io, a threat intelligence startup in California that monitors Dark Web marketplaces and tries to extract useful information from them. Mindwise found a nearly 100 percent overlap between the ZIP codes on the “Blasttt-US” unit of the Dynamittte cards for sale and the ZIP codes for Jason’s Deli locations.”
When reached for comment, Jason’s Deli confirmed that they were notified in late December that they’d been the victim of a breach. The investigation is ongoing and no further information has been announced.
Krebs concludes that “by moving down the food chain to smaller but far more plentiful and probably less secure merchants (either by choice or because the larger stores became a harder target) — and by mixing cards stolen from multiple breaches — the fraudsters have made it less likely that breaches at chain stores will be detected and remediated quickly, thereby prolonging the value and use of the stolen cards put up for sale in underground marketplaces.”
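The analysis Krebs describes, as an added example that is not his or Mindwise’s code and is not part of the original: a common-point-of-purchase ranking that finds the merchant chain compromised cards share far more often than clean cards do, followed by the ZIP-code cross-check. The card histories, merchant names and ZIP codes are constructed. It goes a little beyond the text by scoring each chain with lift against a clean control set, because coverage alone (“every compromised card shopped there”) would also point at a grocery chain that every card in the portfolio uses.

```python
"""Common-point-of-purchase (CPP) analysis over constructed card histories.

Added example, not Krebs's or Mindwise's code and not from the original
newsletter. The cards, merchants and ZIP codes are made up; "Deli Chain"
plays the role of the breached restaurant.
"""
from collections import defaultdict

# Constructed purchase histories: card -> [(merchant, store ZIP), ...].
# Cards 01-05 all turned up in a dump-shop batch; 06-10 did not.
HISTORIES = {
    "card01": [("Deli Chain #12", "77701"), ("Big Grocery", "77701"), ("Gas Stop", "77702")],
    "card02": [("Deli Chain #12", "77701"), ("Big Grocery", "77704")],
    "card03": [("Deli Chain #40", "75201"), ("Big Grocery", "75201"), ("Coffee Co", "75202")],
    "card04": [("Deli Chain #40", "75201"), ("Big Grocery", "75230")],
    "card05": [("Deli Chain #77", "30301"), ("Big Grocery", "30301")],
    "card06": [("Big Grocery", "77701"), ("Gas Stop", "77702")],
    "card07": [("Big Grocery", "75201"), ("Coffee Co", "75202")],
    "card08": [("Big Grocery", "30301"), ("Gas Stop", "30302")],
    "card09": [("Coffee Co", "75202")],
    "card10": [("Big Grocery", "94105")],
}
COMPROMISED = {"card01", "card02", "card03", "card04", "card05"}


def chain_name(merchant: str) -> str:
    """Collapse 'Deli Chain #12' and 'Deli Chain #40' into one chain."""
    return merchant.split(" #")[0]


def rank_common_points(histories, compromised):
    """Rank merchant chains by how much more often compromised cards shopped
    there than the clean cards did.

    lift = P(chain | compromised) / P(chain | clean), with add-one smoothing
    so a chain never seen among clean cards doesn't divide by zero.
    Returns [(chain, coverage, lift), ...], highest lift first.
    """
    seen_by = defaultdict(set)  # chain -> cards that used it
    for card, purchases in histories.items():
        for merchant, _zip in purchases:
            seen_by[chain_name(merchant)].add(card)

    compromised = set(compromised)
    clean = set(histories) - compromised
    ranked = []
    for chain, cards in seen_by.items():
        hit = len(cards & compromised)
        miss = len(cards & clean)
        coverage = hit / len(compromised)
        lift = ((hit + 1) / (len(compromised) + 2)) / ((miss + 1) / (len(clean) + 2))
        ranked.append((chain, coverage, lift))
    return sorted(ranked, key=lambda r: (-r[2], -r[1], r[0]))


def batch_zips_for(histories, compromised, chain):
    """ZIPs where compromised cards were swiped at the suspected chain. A dump
    shop indexes cards by the ZIP of the hacked store, so these are the ZIPs a
    batch would advertise."""
    return {z for card in compromised for m, z in histories[card] if chain_name(m) == chain}


def zip_overlap(batch_zips, chain_zips) -> float:
    """Fraction of the ZIPs advertised on the batch that match a store ZIP of
    the suspected chain: the cross-check Krebs describes."""
    batch_zips = set(batch_zips)
    return len(batch_zips & set(chain_zips)) / len(batch_zips) if batch_zips else 0.0


if __name__ == "__main__":
    for chain, coverage, lift in rank_common_points(HISTORIES, COMPROMISED):
        print(f"{chain:12s} coverage={coverage:.2f} lift={lift:.2f}")
    deli_stores = {"77701", "75201", "30301", "60601"}  # constructed store list
    batch = batch_zips_for(HISTORIES, COMPROMISED, "Deli Chain")
    print("ZIP overlap with Deli Chain stores:", zip_overlap(batch, deli_stores))
```

Both Deli Chain and Big Grocery cover all five compromised cards, but only Deli Chain has a lift well above 1, because none of the clean cards shopped there. The ZIP overlap is the same kind of check from the other direction: it confirms that the batch’s store ZIPs are all places the suspected chain actually has a location, which a big grocer would also satisfy, so the two tests are used together rather than on their own.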
2017: Another Year Plagued by Breaches
Like those before it, 2017 was a year plagued by breaches, resulting in huge losses of personal and payment card data. 2017 also saw more sophisticated ransomware in use, and millions of people had their personally identifiable information stolen.
As we end the year, Verizon’s 2017 Data Breach Investigations Report (DBIR) notes the following:
- 75% of breaches were perpetrated by outsiders
- 62% featured hacking
- 81% leveraged stolen or weak passwords
- 51% involved malware
- 66% of malware was distributed via infected email attachments
- 95% of phishing attacks that led to a breach were followed by some sort of software installation.
The report also noted that 61% of the businesses breached this past year were those with under 1,000 employees.
The fact is, most breaches are avoidable simply by following common security guidelines: using strong, unique passwords, and training employees to be cautious when opening email and to demand proper identification from anyone who instructs them to download software or swap out equipment.
The team at MAXpci wishes everyone a Happy New Year filled with good health, prosperity and happiness.
Night before Christmas or Nightmare?
As retailers gear up for the holidays, so are hackers, and e-commerce may be the big ticket this year. More than 50% of consumers are expected to shop online this holiday season. According to Adobe Analytics, e-commerce spending in the U.S. alone is expected to top $100 billion, an increase of 14% from 2016.
According to the Cybercrime Report released by ThreatMetrix, the third quarter of 2017 saw a 32% increase in cyberattacks worldwide over the beginning of the year, with roughly 171 million attacks taking place. Could this be a result of the Equifax breach that put 143 million consumers’ information at risk? Certainly that information makes it easier for criminals to access consumer accounts.
The ThreatMetrix report goes on to list five reasons why the threat of e-commerce attacks is so high in the fourth quarter:
- Transactions are expected to be at an all-time high, and as sales volume increases, so does the threat. Fraudulent transactions and chargebacks grew 31% during the 2016 holiday season, costing merchants 7.5% of their revenue.
- Mobile transactions account for 52% of online transactions. Because many people store their card information on retailer sites and in apps, they’re an easy target for cybercriminals with stolen login credentials.
- Returning-customer traffic is high during the holiday season, and user authentication systems aren’t able to tell whether a returning user is legitimate or not.
- Same-day deliveries make it easy for thieves too. With very short lag time between purchase and delivery, retailers don’t often have the opportunity to catch fraudulent charges.
- Gift cards open many doors for thieves too, since they are easy to monetize by selling them for cash.
This holiday season could turn out to be very lucrative for hackers, while proving troublesome for retailers, particularly those selling online.
Are Hackers Gearing up for the Holidays?
In just the past two months, three major businesses have announced that their POS systems have been breached.
Sonic was the first, announcing in mid-September that it had been breached after many cards used at its locations turned up for sale on an underground site. With close to 3,600 locations across the US, the number of cards compromised may be significant. Sonic has already seen a 2% drop in its stock price since the announcement.
Hyatt Hotels announced in mid-October that the POS system used to manually enter or swipe credit card information at the front desk of 41 properties in 11 countries was breached earlier this year. This comes just two years after their last breach, which affected 250 properties in 50 countries.
The most recent announcement came from Whole Foods Market, which is now owned by Amazon. The POS systems at their “taprooms and full table-service restaurants” at 56 locations have been breached. Fortunately these POS systems are not connected to their checkout systems, which should reduce the impact of the breach to some extent.
POS systems continue to be targeted by hackers because they continue to be the most vulnerable systems a merchant runs. Visa’s requirement that merchants buying a POS system from a third-party vendor use a Qualified Integrator and Reseller (QIR) to install it securely is one step toward securing these systems and reducing the threat of a breach.
PCI Compliance is on the Rise
Verizon Enterprise measures the overall compliance status of merchants in the hospitality, retail, information technology and financial-services sectors annually. Based on measurements by their qualified security assessors who perform PCI assessments, the overall PCI compliance rate increased from 42.9% in 2015 to 59.1% in 2016.
As we’d expect, merchants reported that meeting Requirement 11 is still the most vexing part of PCI compliance. Requirement 11 covers testing: quarterly internal and external vulnerability scans and penetration testing. Ron Tosto, Verizon’s global PCI manager, says, “Between the confusion and then fixing and retesting, an organization can have a tough time getting through the process,” and he is correct. Completing a Self-Assessment Questionnaire (SAQ) is fairly easy for most merchants. Successfully setting up systems and networks that are actually PCI compliant continues to be both the most challenging part and the most important. Hackers looking to exploit vulnerabilities don’t discriminate; they typically don’t know whether they’ve breached Target or the corner market until they’ve been collecting card data for some time.
While the Owner's Away the Hackers Will Play
We recently had a call from a merchant saying that she believed her system had been breached. While most merchants learn of a breach when their acquirer notifies them, in this case the merchant discovered the breach first.
Two days into her vacation, the store owner received a call from one of her teenaged employees. The employee had downloaded a software update from their "billing" company. She said she'd been reluctant to do it, but the caller claiming to be from the billing company convinced her by saying that the store wouldn't be able to process credit cards if she didn't. As luck would have it, the teenager's dad handles tech support for the store, and warning bells went off as soon as he heard what she'd done. He immediately discovered that the "update" had installed the ransomware "WannaCry" on the system, and his quick action prevented it from doing any damage.
In this case, the merchant had done everything right - they were PCI compliant, their scans passed, and they were confident that the store staff was trained to spot fraud. Unfortunately, hackers are quite good at what they do, and can fool unsuspecting employees all too often.
Every year millions of payment card numbers are stolen, typically through skimming, hacking into a network or infecting POS systems with malware. The stolen magnetic-stripe data is referred to as a "dump": the raw track data copied from a card, which other crooks buy in order to encode it onto counterfeit cards, or to use the card numbers for purchases of goods they then sell or return for cash.
The sites where dumps are sold are known as "dump shops". Thieves use Bitcoin to buy the card data. The sites are commonly named after iconic American figures: because most buyers tend to be American, the names offer recognition, and because many of these sites are hosted on Russian servers, it's also a not-so-subtle jab at the US. Examples include McDumpals, which uses the Ronald McDonald character, Uncle Sam's Dump Shop, and the newest up-and-coming site, Trump's-Dumps, which promises to "make credit card fraud great again".
Trump's-Dumps advertises that it has more than 133,000 card numbers for sale. Pricing ranges from under $10 worth of Bitcoin to over $40, based on which bank issued the card, the geographic location of the cardholder and whether it's a premium, prepaid, business or executive account.
The obvious question is why aren't these sites taken down by law enforcement? The reality is that most illegal sites have numerous domains, so if one is taken down, the owners simply move to the next domain. Law enforcement agencies simply cannot keep up.
As long as there is money to be made selling stolen payment card data, it will be in high demand and thieves will continue to find ways to steal it. Merchants can take an active role in preventing their customers' card information from being stolen by maintaining compliance with the PCI DSS requirements.
Ransomware Will Make You "Wannacry"
There is a new type of ransomware threatening organizations in countries all around the world. Ransomware has been around for years, but this new strain, known as WannaCry, is different from the rest. Ransomware is software that enters a computer and holds the data on it for ransom. WannaCry is unique because the encryption payload is attached to a worm that spreads itself through company networks by exploiting a vulnerability in the Windows SMBv1 file-sharing service (patched by Microsoft in March 2017 as MS17-010), so a single infected machine can infect every unpatched Windows machine it can reach.
This ransomware encrypts 176 different file types and appends .WCRY to each encrypted file. Once the files have been encrypted, the user is asked to pay $300 in bitcoin. According to the ransom note, if the $300 isn't paid within 3 days the amount doubles, and if it isn't received within 7 days the data will be deleted. The malware was designed to show a unique Bitcoin wallet address for each infected computer, but because of a bug in the code it falls back to 3 hard-coded addresses. With only 3 addresses shared by every victim, the attackers cannot tell which computer made a given payment, so the chances of getting the files back are very slim. This is why most security professionals recommend not paying the ransom.
There are a few steps that can be taken to protect your computers from any type of attacks, including Wannacry, and many of these steps are required to be PCI Compliant.
- Always keep your antivirus up to date and make sure it runs regularly to help protect your computer from attackers.
- Install recommended updates to your operating system and other software because these will include important security patches for new vulnerabilities.
- Never open emails with attachments if you are not certain of their legitimacy.
- Backing up important data, and keeping the backups protected and stored offline, is one of the most effective ways to protect your files, because they can be restored once the infection has been removed; a backup drive that stays connected can be encrypted right along with the originals.
- Using a cloud backup service that keeps earlier versions of your files may also help protect them.
While you may not be able to completely protect your computers from attackers, preventative measures are the best course of action.
Penny Wise, Pound Foolish?
InterContinental Hotels Group (IHG) announced earlier this year that a dozen properties were breached during the fourth quarter of 2016. That number increased significantly in April, when IHG announced that the number of properties affected was actually over 1,000.
According to their investigation, malware used to access payment card data was found in registers accepting card present payments at franchises without a secure payment solution.
IHG hasn't yet released the exact number of properties affected, but they did make a state lookup tool available. Christian Sonne, founder of Geeks By Nature, researched the lookup tool and found that 1,175 properties across the US and Puerto Rico were on the list as of April 19th. His breakdown is:
- Holiday Inn Express (781), Holiday Inn (176), Candlewood Suites (120), Staybridge Suites (54), Crowne Plaza (30), Hotel Indigo (11), Holiday Inn Resort (3)
These numbers may continue to rise as the investigation continues.
POS systems are often breached due to improper installation and maintenance. "Plug and play", while popular with most of us, all too often has meant open ports and insecure remote-access settings at the merchant level. Visa now requires that merchants who rely on third parties for their POS systems use PCI-listed Qualified Integrators and Resellers (QIRs) to install and maintain them. While using a QIR is an added cost, it is far less than the costs a merchant faces in the event of a breach. A full list of approved QIRs can be found at
A Liability Shift of Another Kind
Breaches at large merchants like Target and Home Depot are splashed across the news and the internet, but very little is said about breaches at smaller merchants. The lack of publicity tends to lead the average merchant to believe they're not vulnerable; they have the "why would anyone want to hack into the corner store, we're too little" mentality. Nothing could be further from the truth. Recent forensic evidence shows that smaller merchants remain a prime target. According to Visa, small merchants account for 93% of breaches, with up to 80% of those breaches occurring because of "insecure POS implementation and servicing by integrators and resellers." Investigators have found that insecure remote access is also one of the biggest security risks to these merchants, and is often what leads to a breach.
In an effort to reduce the number of breaches caused by insecure POS implementation and service, Visa now requires all level 4 merchants that use third parties for their POS application and integration to use Payment Card Industry (PCI) approved Qualified Integrators and Resellers (QIRs). A list of approved QIRs is available on the Security Council's website at
With this new requirement comes a potential layer of protection for the merchant. If a QIR installs and services the POS system, and there is a breach, early indications point to the QIR being held financially liable for the breach. If it is found that the merchant did not use a qualified QIR, a penalty may be imposed for non-compliance, in addition to the fines and fees associated with the breach itself.
Newton's Third Law
As technology has changed, so too has the way merchants process their transactions. Most of these changes have resulted in improvements. With internet-based processing, transactions are approved faster, merchants save money on their phone bill, and recurring transactions are easier to manage. However, as Isaac Newton taught us, for every positive there is a negative; in this case, the negative is the risk the merchant faces if their system is vulnerable to attack.
No merchant ever wants to be told they've failed a scan. For most merchants, this means time away from running their business, and possibly hiring someone to come on site and correct the vulnerabilities. All in all, they see it as a costly disruption, and often take the stance that it's a nuisance and just one more fee to pay. Recently, a chain of restaurants in Florida suffered a breach. After undergoing a forensic audit at each location, it was determined that all but one of their locations had been breached for anywhere from 12 to 21 months. During that time, they completed two SAQs, but for the entire duration of the breach, their scans failed. Had they paid closer attention to the failed scans and addressed the vulnerabilities that were found, the breach may have been avoided. At a minimum, the breach would have been caught and shut down much sooner than 21 months, and a whole lot of money, later. Instead, scan findings were ignored, and thieves were able to grab payment card data for over 21 months without being detected.
No one enjoys hearing that a scan has failed, but it's much better to hear it from a scan vendor than from the processor. The processor's notification is typically accompanied by a demand for a forensic audit, followed by a very large bill.
EMV Deadline Extended at the Pumps
Visa and MasterCard recently announced an extension of the EMV deadline for gas pumps. While they were previously required to have EMV readers installed by October 2017, as were other retailers, they now have until October of 2020 to become EMV compliant. In a statement released by Visa, it was acknowledged that it would take longer for automated fuel dispensers/pumps (AFDs) to meet the EMV requirements because of the infrastructure of the pumps and the specialized technology needed. The National Association of Convenience Stores estimates that gas station owners will spend approximately $30,000 per location to install EMV readers, and that the shift could end up costing the fuel industry over $4 billion to accommodate these changes.
According to Visa, fraud at fuel pumps currently makes up 1.3% of card fraud in the US; with this extension, this number may increase. The Department of Consumer Protection reports that skimmer-related fraud at gas pumps doubled in 2016 compared to 2015. We have seen this in the headlines too; 2016 has been the year of skimmers at gas pumps. Visa has stated that they will continue to work with merchants, issuers and acquirers in dealing with AFD fraud, and that they will monitor AFD fraud trends as well.
While this extension is enormously helpful to those in the fuel industry, it does give thieves another three years to exploit this opportunity. During this time, though, there are steps that merchants can take to stay a step ahead. As part of maintaining PCI compliance, merchants should inspect pumps and all processing equipment regularly to ensure that no skimmers have been added, no equipment has been swapped out, and there is no evidence of tampering.
The MAXpci team wishes you a Happy and Healthy New Year!
Skimmers, Skimmers, Everywhere are Skimmer....
Thieves have once again taken advantage of older technology, this time to install skimmers. Skimmers were recently found at several gas stations in the metropolitan DC area. The skimmers were found at one location in northern Virginia during a regular maintenance check, as required for the merchant's PCI compliance review. This makes the 10th location in the area attacked since June of this year. The common thread between all of the locations is that they all use older terminals in their pumps, and police believe this is the main reason thieves targeted these locations.
Skimmers not only allow thieves to capture the payment card information stored on the magnetic stripe; some also include cameras, allowing thieves to steal the PIN as well. Fairfax County police report that payment card information stolen in these cases has already been used to withdraw cash from area ATMs.
The recent release of PCI DSS 3.2, which went into effect today, places even more emphasis on making sure that merchants are vigilant about their terminals and POS systems, in hopes of making it more difficult for thieves to modify them and access sensitive data.
The staff of MAXpci wishes everyone a Happy and Safe Halloween!
New Season, New PCI Version
The PCI Security Standards Council has released a new version of the PCI DSS that will take effect on October 31st. The Council is continuing to release updates more frequently than in the past, but with fewer changes for merchants to address. Reflecting the increase in the number of breaches being reported by service providers, the changes in this version are largely aimed at service providers.
Listed below is a summary of the changes in this version:
- Section 3.3 Updated requirement to clarify that any displays of PAN greater than the first six/last four digits of the PAN requires a legitimate business need. Added guidance on common masking scenarios.
- Section 3.5.1 New requirement for service providers to maintain a documented description of the cryptographic architecture.
- Section 6.4.6 New requirement for change control processes to include verification of PCI DSS requirements impacted by a change.
- Section 8.3.1 Addresses multi-factor authentication for all personnel with non-console administrative access to the CDE.
- Section 8.3.2 Addresses multi-factor authentication for all personnel with remote access to the CDE (incorporates former Requirement 8.3).
- Sections 10.8, 10.8.1 New requirement for service providers to detect and report on failures of critical security control systems.
- Section 11.3.4.1 New requirement for service providers to perform penetration testing on segmentation controls at least every six months.
- Section 12.4 New requirement for service providers' executive management to establish responsibilities for the protection of cardholder data and a PCI DSS compliance program.
- Sections 12.11, 12.11.1 New requirement for service providers to perform reviews at least quarterly, to confirm personnel are following security policies and operational procedures.
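As an added example (not code from the newsletter or from the PCI Council), here is how the first-six/last-four display rule from Section 3.3 can be enforced in Python: a masking helper plus a redaction pass over constructed log lines, gated by a Luhn check so that order numbers and other digit runs are left alone. Function names, limits and the sample lines are my own assumptions.

```python
"""Added example: PAN display masking per PCI DSS 3.2 Requirement 3.3.

Requirement 3.3 allows at most the first six and last four digits of a PAN
to be displayed unless a documented business need exists.  This module masks
everything in between and also redacts PANs that leak into free text.
"""
import re

# Assumed policy constants: the 6/4 ceiling comes from Requirement 3.3; the
# 13-19 digit length range reflects account numbers in common use.
DEFAULT_LEAD = 6
DEFAULT_TRAIL = 4
MIN_PAN_LEN = 13
MAX_PAN_LEN = 19

# Candidate digit runs of 13-19 digits, optionally separated by spaces/dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not real transactions).  The first holds a
# Visa test PAN; the second holds a Mastercard test PAN plus a 16-digit order
# id that is NOT a card number and must be left untouched.
SAMPLE_LOG = [
    "2016-10-31 auth card=4111-1111-1111-1111 amt=12.50 txn=1234567890123",
    "2016-10-31 refund order=1234567812345678 card=5555 5555 5555 4444 amt=3.99",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip spaces and dashes and validate length; reject anything else."""
    digits = re.sub(r"[ -]", "", raw)
    if not digits.isdigit():
        raise ValueError("PAN contains non-digit characters")
    if not MIN_PAN_LEN <= len(digits) <= MAX_PAN_LEN:
        raise ValueError("PAN length out of range")
    return digits


def mask_pan(raw: str, lead: int = DEFAULT_LEAD, trail: int = DEFAULT_TRAIL) -> str:
    """Return the PAN with only the first `lead` and last `trail` digits visible.

    Values above the 6/4 ceiling are refused here because showing more than
    that needs a separately documented business justification.
    """
    if not (0 <= lead <= DEFAULT_LEAD and 0 <= trail <= DEFAULT_TRAIL):
        raise ValueError("mask exceeds the first-six/last-four ceiling")
    digits = normalise_pan(raw)
    if not luhn_valid(digits):
        raise ValueError("PAN fails Luhn check")
    hidden = len(digits) - lead - trail
    return digits[:lead] + "*" * hidden + digits[len(digits) - trail:]


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid 13-19 digit run in free text, e.g. a log line."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)       # not a card number; leave it as-is
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))   # 411111******1111
    for line in SAMPLE_LOG:
        print(redact_pans(line))
```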
This version must be in place no later than October 31, 2016, though PCI compliance vendors may put it in place earlier. Any merchant in the process of completing their SAQ when the version is updated will be required to start over using the new version. If your PCI compliance vendor does not have a plan in place to notify merchants prior to the change, you may want to do so yourself, so the merchant can either make it a priority to complete the SAQ they're working on now, or begin fresh with a new SAQ.
Macro Breach at MICROS?
Most large companies breached today share one thing: their systems were accessed by exploiting vulnerabilities in a third-party connection, also known as remote access. Remember Target? Remote access acts as a virtual back door into a company's main system, giving hackers access to any data held on that system. If one POS system is a target, gaining remote access to a POS vendor is a gold mine; it gives thieves access to credit card data for any merchant that uses that POS system to process. The most recent breach occurred at Oracle, with thieves gaining access to their MICROS POS system. As one of the top three POS vendors globally, this breach has put 330,000 merchant locations at risk.
Oracle has not yet shared much information regarding this breach, drawing criticism from both customers and industry experts. Many MICROS users are left vulnerable by Oracle's silence because they do not know how to determine whether their systems have been breached. Oracle did acknowledge the breach and issued an FAQ regarding it. In this FAQ, they stated that they believe the Carbanak Gang, a Russian cyber crime group, is responsible for the breach, and they ask that all customers reset their customer portal passwords. The FAQ also states that their corporate network and other services were not impacted; however, a source in Oracle's Hospitality Division told KrebsOnSecurity that the breach first started in their Manassas, VA point-of-sale data center, one of Oracle's major data centers that works with their hospitality clients to manage their POS devices. Gartner analyst Avivah Litan believes that abused credentials stolen in the MICROS portal breach could be the link in many of the recent hotel and retail POS hacks.
"This [incident] could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider," Litan said. "I'd say there's a big chance that the hackers in this case found a way to get remote access" to MICROS customers' on-premises point-of-sale devices.
News of this breach led Visa to issue a security alert on August 12th, instructing all companies that use MICROS to change the password on any account that gives MICROS access to their system, and to check their devices for malware or unusual activity.
The PCI Security Council addresses this often-exploited weakness in the newly released version, 3.2, which goes into effect in October of 2016. Multi-factor authentication is now a requirement for anyone with administrative access to environments handling payment card data. This requirement previously applied only to remote access from untrusted networks. "A password alone should not be enough to verify the administrator's identity and grant access to sensitive information," said PCI Security Standards Council CTO Troy Leach. "We've seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected and to compromise card data."
Did Thieves Take a Slice Out of Cici's?
Brian Krebs, of KrebsOnSecurity.com, is reporting that CiCi's Pizza may be one of the most recent merchants to have suffered a breach in 2016. CiCi's Pizza, a chain of restaurants located in 35 states, has neither confirmed nor denied that they were breached, but Krebs feels it's more likely than not that they were. This breach differs from most. It's suspected that the thieves posed as technical support specialists for CiCi's POS system, Datapoint, which allowed them to insert botnet malware into the system. Brian reports that he first became aware of the breach after numerous contacts at financial institutions reached out to him regarding fraud patterns that stemmed from cards used at various CiCi's restaurants across the country.
Despite CiCi's reluctance to confirm the breach, all signs point to them. At least half of the 100 compromised systems found on a botnet admin server are running malware as a Windows process called cicipos.exe. Other evidence that supports a breach at CiCi's is the control panel for this botnet, which reveals the full cardholder data. With this information, Krebs was able to confirm that many of the individuals affected had been to a CiCi's location on the same day their data was stolen. Further suggesting that CiCi's POS system has been breached, there were notes made by employees referencing upcoming shift information and issues that the next shift workers needed to resolve. This information is present because the botnet appears to be powered by Punkey, a POS malware that records keystrokes along with the credit card data. This POS malware has been the malware used in most of the breaches over the past two years, including Target and Home Depot.
Recent changes to PCI standards included requirements that merchants maintain processing equipment inventory records, visually check physical equipment for signs of tampering, and verify the identity of anyone coming on site to access processing equipment. Perhaps the next version should include the requirement that merchants verify the identity of tech support specialists before allowing them access to their systems.
Everyone at MAXpci wishes you a Happy and Safe 4th of July!
Even EMV Can't Stop Crooks
Two Walmart stores in the US recently discovered that they'd been the victims of thieves who installed skimmers on their payment terminals. In early May, a Walmart located not far from our office in northern Virginia found credit card skimmers placed on payment terminals in the self-checkout lanes; just last week more were found at a Walmart in Fort Wright, KY. The skimmers used in Virginia were detected after at least 37 customers reported that they were hit with large ATM withdrawals after shopping at that Walmart. It is not known exactly how long the skimmers at that location were in place, but authorities say it could be as long as two to three months. Skimmers similar to the ones used at Walmart were found in some Safeway locations earlier this year. Despite the push for greater EMV acceptance in the US, thieves were able to take advantage of the many consumers still without chip cards.
Skimmers have been around for years, and have been used to steal payment card data at both merchant locations and banks. Anywhere a mag stripe can be swiped, a skimmer can steal the data, including the PIN. Newer skimmers include working chip card slots to make them harder to spot. Skimmers are easy to come by. For less than $300, you too can buy one over the Internet, a small price to pay for the large amounts of money thieves stand to gain in these cases.
This case demonstrates that EMV does not prevent all fraud, and will not thwart all criminals. Many merchants still do not use EMV terminals, and as many as 40% of consumers still do not carry chip cards, even though we are roughly 8 months past the October 1st deadline. In reality, EMV will only slow down thieves. There are already EMV kits circulating on the black market that claim to be able to circumvent EMV chip cards. It is only a matter of time before these are not just claims. Despite the continued success of these crooks, maintaining PCI compliance and using EMV-compliant payment terminals does go a long way towards helping merchants protect themselves from breaches.
Where There are Breaches There are Feds
With more and more federal agencies and courts becoming involved with trying to prevent breaches and dealing with the aftermath, are changes on the horizon for level 4 merchants?
In March, the Federal Trade Commission showed an interest in PCI compliance when it issued orders to nine QSAs requesting that they provide information regarding how they audit merchants' compliance. The following QSAs were asked to provide details about their assessment process, including the ways assessors and the companies they assess interact; copies of a limited set of example PCI DSS assessments; and information on additional services provided by the companies, including forensic audits:
Foresite MSP, LLC; Freed Maxick CPAs, P.C.; GuidePoint Security, LLC; Mandiant; NDB LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security, Inc.; and Verizon Enterprise Solutions (also known as CyberTrust)
Payment expert, and former QSA, Jeff Man, believes that the FTC's interest in PCI compliance may be linked to the increased number of breaches at Level 4 merchants over the years, and questions about whether current PCI compliance requirements are sufficient. While Level 4 merchants are not required to have compliance audits now, this may be an indication that that may be changing in the future.
The courts are also becoming more active in how they handle lawsuits after a breach has taken place. In years past, class action lawsuits were filed; however, once the merchant proved that no harm had come to the plaintiffs due to the breach, the suits were typically dismissed under the Supreme Court's 2013 ruling in Clapper v. Amnesty International. That ruling held that, in order to meet the constitutional requirements to sue in federal court, plaintiffs have to allege that they are at imminent risk of suffering a concrete injury. As of last year, this is no longer the situation. In July of 2015, the 7th U.S. Circuit Court of Appeals ruled that a class action suit against Neiman Marcus could move forward. The court panel felt that the theft of customers' financial information was enough to satisfy constitutional standing requirements, even after the Clapper case.
Chief Judge Diane Wood wrote, "The Neiman Marcus customers should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an 'objectively reasonable likelihood' that such an injury will occur."
This was seen again last month when the panel ruled to allow the class action suit against P.F. Chang's to move forward, stating that there is a "substantial risk of harm" in the future for the plaintiffs.
With the threat of more rigorous requirements, and now the addition of class action lawsuits against breached merchants, it is more important than ever for merchants to take every action possible to keep their data secure, including completing their PCI compliance requirements.
Beware the Danger of Breach Fatigue
"Breach fatigue", a term coined to describe consumers' apathy regarding breaches, refers to a mentality in which consumers become blasé about security breaches. Because of this, they tend to do less to protect themselves and their sensitive information. Since breach fatigue causes many people to feel that they have little to no control over the security of their own data, they are less likely to take breaches seriously or to take extra steps to protect their information. This type of complacency is exactly what thieves hope for.
In a study done by the Ponemon Institute for RSA (a subsidiary of EMC Corporation), 45% of the 1,000 consumers who responded said that recent breaches did not affect their credit card or debit card use. Nearly one in four consumers feel that breach notifications are not important; when asked why, 65% stated that it was because they are unable to stop security breaches.
Unfortunately, studies like this reinforce the notion that the hackers have won this battle. With a price tag in the billions, this is a fight we cannot concede.
Time isn't the Only Thing Changing...
Visa recently announced changes to PCI compliance requirements for level 4 merchants and their acquirers. Up to now, all merchants have been required to be PCI compliant, but enforcement of that requirement was done at the acquirer level. Some acquirers required reporting and levied fines; some simply stated that all merchants must be compliant and left it to their banks and ISOs to provide a program, or not. Some ISOs used this as a tool to entice merchants away from processors who required them to be PCI compliant and billed them for non-compliance. Effective January 31, 2017, Visa will require all acquirers to annually validate that their level 4 merchants are PCI compliant.
Continuing their initiative to boost compliance and reduce risk, Visa has also announced that, effective January 31, 2017, merchants using third parties for POS and terminal installations must use only certified professionals. Recent forensic investigations have found that small merchants remain a target of hackers attempting to compromise payment data. Additionally, investigators have identified links between improperly installed POS applications and merchant breaches. Using organizations that have completed the PCI SSC QIR (Qualified Integrators and Resellers) training program helps improve security by ensuring that payment applications and terminals are installed and integrated properly to mitigate breaches and facilitate PCI compliance. Integrators and resellers that complete the program are included on the PCI SSC's online list of approved qualified providers, making it easy for acquirers and merchants to identify and select a partner.
EMV: Class Action Suit
B&R Supermarket, doing business as Milam's Market, and Grove Liquors filed a lawsuit this month alleging violations of the Sherman Antitrust Act, the Clayton Antitrust Act and California's Cartwright Act, as well as unjust enrichment, against the following:
VISA, INC., VISA USA, INC, MASTERCARD International Incorporated, American Express Company, Discover Financial Services, Bank of America, Barclay's Bank Delaware, Capital One Financial Corporation, Chase Bank USA, National Association, Citibank, PNC Bank National Association, USAA Savings Bank, U.S. Bancorp National Association, Wells Fargo Bank, EMVCo, LLC, JCB Co. LTD and Unionpay
According to the complaint filed, the plaintiffs did everything they were supposed to do to comply with the EMV shift. They purchased new card readers and trained their staff to use them, but though they were ready on their part, they never had anyone come out to EMV certify them.
"While very large retailers such as Target, Walmart, and others quickly had their EMV-processing systems 'certified' - thus sparing them the liability shift - the members of the Class are at the mercy of defendants," the complaint states. "Merchants like Milam's Market and Grove Liquors have no control over the certification process. All they can do is request certification and wait for it to occur. And no one can say when that will be."
According to the lawsuit, the complainant claims to have accumulated 88 chargebacks for fraudulent transactions totaling $9,196.22 from MasterCard and Visa since the liability shift, plus a $5.00 chargeback fee for each item. The complaint also argues that merchants receive no compensation for the change to the business relationship, in which they had no voice.
"Merchants were not consulted about the change, were not permitted to opt out, were not offered any reduction of the interchange fee, the merchant discount fee, the swipe fee - or any other cost of accepting defendants' credit and charge cards. This is in contrast to the United Kingdom and Australian markets where merchants were given interchange concessions which helped share the costs of fraud and purchasing and deploying new hardware and software."
"In exchange for this newly bestowed, unavoidable liability, Milam's Market, Grove Liquors and the Class members have received... nothing," the complaint says. "Interchange fees, which defendants have said exist in part to pay for fraud, are still paid for by the merchant, and have not decreased. The liability shift was unilaterally imposed to the benefit of defendants, with no compensation, consultation or consideration of any kind made to the Class members."
B&R Supermarket is asking the court to certify the lawsuit as a class action and also for a preliminary injunction, which would order card issuers and networks to halt the liability shift until class members who have tried to comply with the shift are able to become certified.
When contacted about the impending lawsuit, MasterCard spokesperson Seth Eisen said, "We're currently reviewing the claims. What I can say at this point is what we've said since introducing our roadmap in early 2012. There was never a requirement for any party - issuer or merchant - to move to EMV. Using insights from merchants, issuers, and others, our roadmap and the related liability shift provided incentives to prompt for the most secure ways to pay. We have and continue to work with parties across the industry - merchants, issuers, processors, manufacturers - to assist in this migration."
If the court certifies this suit as a class action, it's likely that many of the level 3 and 4 merchants that are having difficulty getting EMV certified will join. This could turn into one of the largest lawsuits the payment card industry has faced.
The MAXpci team enjoys meeting and interacting with people from all over the country at industry events. Please drop by our booth if you are attending any of these events. We look forward to meeting with you.
Northeast Acquirers Association
Southeast Acquirers Association
Midwest Acquirers Association
Western States Acquirers Association
To schedule a meeting with us at any of these events, please contact us at sales@MAXpcicomply.com.