Cloud Computing - Scoping Matters

Cloud services are a great tool for companies of all sizes because they provide access to the latest computer technologies without putting a financial strain on the business to make costly computer investments. While these providers offer low-cost options, many businesses do not realize that they still have responsibilities regarding payment card information.

According to Jim Reavis, CEO of the Cloud Security Alliance, “Limiting exposure to payment data reduces the chance of being a target for criminals.  Proper scoping of cloud environments is critical to achieving this goal.”

A misconception many businesses have is that by using a cloud service provider they have no responsibility for data security.  This couldn’t be further from the truth.  Payment card data security is typically a shared responsibility.  Cloud scoping requires that all people, processes, and technologies used that interact with payment card data be identified. 

Jim goes on to say “Cloud computing can be very secure when best practices are employed and all stakeholders understand their shared responsibility, which is learned through proper scoping. While companies of all sizes use the cloud, the knowledge gap is most evident with smaller businesses, which put them at risk of suffering a security incident. We are all in this together.”

To comply with PCI requirements for using a service provider, responsibility for data security must be clearly defined so that both the merchant and the service provider are aware of their responsibilities and requirements.  The merchant must also monitor the service provider’s PCI compliance validation status on an ongoing basis to ensure that they are PCI compliant.

Work From Home Security Awareness Training

Well over a year into the COVID-19 pandemic, many businesses continue to operate from home offices. The PCI Security Standards Council (the Council) estimates that 25-30% of the workforce will still be working from home several days a week at the end of 2021. In the rush to set up remote work environments last year, many businesses overlooked cybersecurity best practices, leaving them vulnerable to attackers. With more and more businesses opting to continue working from home, it’s important that any gaps in security are closed. The Council has developed a 45-minute training course designed to help businesses work from home securely.

According to Travis Powell, the Council’s Director of Training Programs, “This training has been designed for all employees, regardless of technical experience. The 45-minute training has been set up as an engaging, self-guided, computer-based training, with content-related knowledge checks throughout the training. We designed the training in such a way that no previous knowledge of the PCI Data Security Standard (PCI DSS) is required. In fact, no in-depth knowledge of cyber security is required. We wanted to ensure this training provides basic security awareness and practices to the broader learn more about this new training and the importance of prioritizing security in the remote workforce.

To read more from Travis, go to

In order to make this training available to all merchants who need it, the Council is offering it at a very low price:

  • $35 USD/per person for 1-99 employees
  • $25 USD/per person for 100+ employees
  • Customizable options for organizations seeking to train 500+ employees

For more information, and to register for the training, merchants can go to

New Retailer Added to the Long List of Breaches

Fashion clothing line retailer Guess has joined the list of companies that have suffered breaches in 2021.  The company announced mid-July that they discovered unauthorized access to some of their systems from February 2, 2021 to February 23, 2021.  Quick detection limited the loss of personal information to just 1,300 people, but the compromised information included account numbers, debit and credit card numbers, social security numbers, access codes, and personal identification numbers.

According to Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), now part of Netwrix, a provider of change management software, "There is a fairly large amount of unanswered questions in this breach notification and the event itself. Why sensitive personal information like SSNs or account details was stored in clear text is one of them. That some data sets were apparently incomplete indicates a lack in managing clean and lean data of its customers. Being stock listed, it will be interesting to read through filings for additional details and whether the SEC will ask for more details. As for measures to avoid such an incident, companies should make sure to have the essential controls in place."

BleepingComputer believes that the ransomware gang, DarkSide, is most likely the party behind the Guess attack.  DarkSide appears to have been shut down following their cyberattack on the Colonial Pipeline, at which time law enforcement seized portions of their infrastructure.

While this cyberattack may seem small when compared to other attacks, any breach will cause damage to a company.

Hitesh Sheth, President and CEO at Vectra, a San Jose, Calif.-based AI cybersecurity company, says, “Disclosure of the GUESS breach reminds us that not all ransomware attacks are big and ambitious. They come in all shapes and sizes and are as much a fact of life on the digital landscape as fender-benders on the freeway. We’re on the way to a more secure digital future, but in the meantime every business must realize what GUESS learned the hard way: all are potential targets. When all adopt a security-first IT philosophy emphasizing better attack detection, better quality of life will follow.”

PCI DSS v4.0 is Coming Your Way

After a lengthy delay caused by the pandemic, the PCI Security Standards Council is finally on track to release the long-awaited v4.0.  Much has changed in the payments industry since v3.0 was released in November of 2013, and while there have been updates made to that version, the Standards have lagged behind.

The PCI Council plans to release the draft of v4.0 for community feedback in early Q1 of 2022. They want Qualified Security Assessors (QSAs), Approved Scanning Vendors (ASVs) and Participating Organizations to have time to preview the draft before it is released, since it is going to be a significant revision. The plan is to officially launch v4.0 in March of 2022. The timeline they have released includes a transition period of 18 months, which will give organizations time to become familiar with the new standard and to update their documents, such as SAQs, ROCs, and AOCs. During this 18-month period versions 3.2.1 and 4.0 will both be active; v3.2.1 will be retired at the end of the transition period. There will also be requirements that are “future-dated” in v4.0 to give companies time to implement the new requirements. It appears the “future-dated” requirements could be extended to Q1 of 2025.


An Inauspicious Start to 2021

2021 is showing signs of setting a record for the highest data breach volume. In January alone, more data records were compromised than in all of 2017. Imperva, a cyber security company, recently published a report that revealed a total of 878.17 million data records were compromised worldwide in January 2021.  There were 826.53 million records compromised in 2017, with an average number of 1.7 million records per breach.

Report author Ofir Shaty, Imperva security analyst technology lead, wrote:

“We can estimate that year-over-year we will see around three times more records stolen annually [in 2021]. The constant increase in data breaches is a result of multiple factors. We are living in a digitalization era in which more services are consumed on a daily basis with the majority of them online. More businesses are migrating to the cloud, which makes them more vulnerable if not done carefully.”

While most of the information stolen in breaches tends to be personally identifiable information (PII), Imperva reports that 9.2% is payment card data. Payment card data remains the main target for cyber criminals because of the high demand for it on the Dark Web.

As we know, 2020 had a huge impact on businesses around the world.  Brick and mortar businesses suddenly went from face-to-face transactions to offering curbside pickup, delivery options, and online ordering.  With businesses desperate to survive, and little to no time to make the transition, many were left open to security breaches.

Based on current trends, Shaty predicts that 2021 will see approximately 1,500 breach incidents with a total of 40 billion compromised records and an average of 26 million compromised records per breach.

Another EMV Deadline Has Come & Gone

Visa first announced plans to migrate to EMV chip transactions ten years ago, in 2011.  Recognizing that it would take longer for fuel pumps to be capable of complying, the date was extended, first to 2017, then 2020, and finally, to April of 2021.  As another date has come and gone, it’s estimated that roughly half of all US fuel pumps have yet to be upgraded. 

The benefit to upgrading pumps is clear.  Counterfeit fraud rates declined 22%, and counterfeit fraud dollars declined by 32%, during the first ten months of 2020 according to Visa. At the end of February 2021, VisaNet reported that approximately 51% of transactions processed through fuel pumps in the US were EMV.

Low conversion rates, already blamed on the limited number of technicians available to go on-site, have been further impacted by Covid.  Debbie Guerra, the executive vice president at ACI Worldwide said,

“While EMV compliance is a major undertaking, and one that requires a significant capital investment, there is no doubt that the pandemic also played a big role in some fuel merchants’ inability to meet the April deadline. With overall diminished resources due to the pandemic and slow testing and certification, which is typically done in person, merchants have certainly been challenged.”

The ACI survey results indicate that it may be a while before the stations they surveyed will be EMV compliant.  Half of the 52% that are not fully compliant said they do not know when they’ll be able to become compliant. 

To help eligible business owners who have yet to upgrade their pumps for EMV combat fraud at the pump in the meantime, Visa has automatically enabled Visa Transaction Advisor for one year. Visa Transaction Advisor is invisible to the cardholder while providing a layer of fraud protection to the merchant.

PCI Security Council Releases Updated Secure Software Lifecycle Standard

Responding to the increasing number of attacks targeting third-party payment applications, the PCI Security Standards Council published an update to the PCI Secure Software Lifecycle Standard last month. 


“This update to our Secure SLC Standard and Program is a key step in promoting greater implementation by expanding eligibility to vendors that produce software and software components that may share resources within a payment environment,” Emma Sutcliffe, senior vice president, Standards Officer for PCI Security Standards Council said in a prepared statement.


Evolving security threats require frequent, on-demand updates to software. The PCI Secure SLC Standard v1.1 is designed to make it easier for developers to follow the Secure Software Lifecycle Standard by ensuring that proper assessment procedures are in place throughout the development lifecycle. Historically, each update had to be certified as compliant before it could be released, significantly slowing implementation. With this change, developers are only required to demonstrate compliance annually, allowing them to issue updates much more quickly.


“We knew we needed an updated standard that provided more flexibility in creating lifecycle security controls around payment data within applications and enables developers to come to market faster with applications and updates even as security threats evolve,” says Troy Leach, senior vice president and engagement officer for the PCI Security Standards Council. 


One of the more serious threats that the new Standard can address is digital skimming.  Digital skimming allows hackers to steal card data as the consumer enters it into a web form, or via a mobile app, making it more difficult to detect since the data is stolen before it reaches the merchant’s server.  “Attacks against payment data are becoming more sophisticated and harder to detect,” Leach says. “The updated standard puts an application through rigorous testing to assure users it is secure. Once that methodology is in place, over time it will become an easier and more robust way for developers to follow the standard.” 


With the implementation of the new Standard, the PCI Security Council will retire the Payment Application Data Security Standard (PA-DSS) in October of 2022.

Here, Let Me Pop the Trunk

Thieves have had a field day exploiting the COVID-related e-commerce boom and have now added a new trick: taking advantage of curbside pickup. With a huge number of merchants now using this to attract retail customers who are uncomfortable shopping face to face, and few controls in place for this new channel, it has become an easy target for thieves.

According to Julie Conroy, the research director for Aite Group, “there is a whole class of merchants that have had to contend with e-commerce and card-not-present transactions that never had to prior to the pandemic, so it’s no surprise that this type of fraud is rising. We are constantly hearing from merchants [that] there has been a 25%-to-30% uptick in card-not-present transactions during the pandemic and that card-not-present fraud is rising at a commensurate rate.”

The Aite Group projects that there will be $7.9 billion in card-not-present losses in 2021, up from an estimated $7.2 billion in 2020. Another e-commerce fraud being used is enumeration fraud. In this method, automated programs submit many combinations of payment data through e-commerce transactions in order to identify a valid account number, CVV2 code, and/or expiration date.

According to Visa Inc.’s Biannual Payment Ecosystem Report, “threat actors adapted to the Covid-19 pandemic by illicitly creating and subsequently using Covid-19-related merchant names to conduct enumeration attacks, as well as targeting donation related merchants.”

Point-of-sale malware attacks are also rising. With this method, thieves target e-commerce merchants to obtain compromised payment accounts by sending a merchant a phishing email that launches the malware into the merchant’s POS system when opened or when the merchant clicks on a link in the message.    

“These types of attacks are a throwback to the days before chip cards, when mag-stripe data was stolen for counterfeit cards,” says Conroy. “Today, counterfeit cards can only be used at merchants that don’t have terminals with chip readers or online merchants that don’t require a CVV2 number. Another problem around POS malware is that criminals typically target small merchants for attack and then repackage the data into a large bundle for sale on the dark Web. When the data is sold in bulk, it becomes difficult to detect the actual point of compromise.”

New Year, New Breach

“New year, new breach” are not unfamiliar words to us. We’ve come to expect that a new breach will be announced at the beginning of each year; it’s just a question of who will be the “lucky” one to kick things off. Bonobos, a men's clothing retailer, appears to hold that honor for 2021.

Bonobos started out selling online only, then expanded to include brick and mortar locations, ultimately opening 60 stores.  In 2017, Bonobos was bought by Walmart for $300 million, with the expectation that Bonobos’ clothing would be sold on Walmart’s site. Earlier this month, Bonobos notified customers that they were the victim of a massive breach.  The exact time frame of the breach is not yet known, but some of the data stolen dates back as far as 2014, with some data from as recent as July of 2020.  The company learned of the breach after an attacker known as ShinyHunters dumped Bonobos’ database to a free hacker forum.  ShinyHunters is well known for hacking online services and selling databases that have been stolen.

The attacker released 70 gigabytes worth of data, including customer addresses, phone numbers, partial credit card numbers, order information, and password histories. Thus far, it has been found that 7 million customer phone numbers and addresses have been stolen, 1.8 million customers have had account information, including passwords, compromised, and 3.5 million partial credit card numbers have been stolen.

Bonobos said that the information was not accessed from their own systems. It was accessed from the external cloud platform they use to back up their files. Once again, failing to ensure that vendors with whom sensitive data is shared are protecting that data has resulted in a breach that has compromised customer information.

Falling Compliance Rates Amid Increasing Breach Risk

As the pandemic rages on, payment card security continues to be a challenge.  Unfortunately, it’s a challenge many organizations are failing to meet.  This year’s Verizon Data Breach Investigations Report found that for the third year in a row compliance is on the decline, with a 27.5% drop since 2016. 

Payment card data continues to be one of the most lucrative targets, accounting for 9 out of 10 data breaches by cybercriminals.  In the retail industry, 99% of breaches were focused on stealing payment card data for criminal purposes. 

The report goes on to state that on average only 27.9% of global organizations maintained full compliance with the PCI DSS.

“Unfortunately we see many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives. This is unacceptable,” said Sampath Sowmyanarayan, President, Global Enterprise, Verizon Business.

“The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices. This has generated more electronic payment data and consumers trust businesses to safeguard their information.

“Payment security has to be seen as an on-going business priority by all companies that handle any payment data, they have a fundamental responsibility to their customers, suppliers and consumers.”

With companies transitioning to remote working environments almost overnight, the increased burden of ensuring that all those new work “locations” are operating in a secure environment may mean further drops in compliance rates for 2020.

As far as specific problem areas go, the biggest areas of non-compliance were as follows:

PCI Version 4.0 to Take a Flexible Approach to PCI Compliance

Covid-19 has forced many businesses to significantly change their business model.  One of those changes is that more employees who have access to payments data are working from home.  Shifting to home from the office/storefront, coupled with travel restrictions, has made it difficult, if not impossible, for onsite inspections to take place.  Recognizing that changes to the payment landscape equal changes to the merchant’s capability to comply, the PCI Security Standards Council has announced plans to make the next version of the security standard more reflective of changes in the workplace.

“With more employees working remotely, there needs to be a new approach to protecting payment data,” says Troy Leach, senior vice president for the PCI council. “The standard also needs to recognize there may be circumstances that prevent an assessor from conducting an onsite assessment, such as travel advisories or restrictions relating to coronavirus, and that result in the assessment being conducted remotely.”

None of this means that standards are being lowered – no matter where the work is being done, there are always steps that can be taken to maintain a secure environment. Those steps include reviewing security policies with employees, and checking audit logs for any changes that may have created a vulnerability. “Our aim is to rethink how remote assessments are performed without increasing the risk of the assessment,” says Leach.

“Most PCI data-security standard requirements are a demonstration of a process,” says Leach. “As the work environment changes, [data-security] processes must change with it.” 

Leach went on to say that making adjustments to accommodate remote workers is not expected to be a temporary trend.  Many companies have already made plans to continue to work remotely even after the pandemic ends.   Making sure that employees who continue to work from home understand how to protect data long term will require continuing education, as well as independent testing to verify that the remote workplace is secure.

“This was something that was being discussed prior to the pandemic,” says Leach. “Covid-19 just accelerated the discussion, because remote work will continue to be the norm for the foreseeable future.”   

“The disruption from the Covid-19 pandemic is changing the payment industry,” says Leach. “That’s why version 4.0 of the standard is going to be more flexible.”

Subscription Boxes: More than You Bargained For?

Over the past few years, various online subscription box companies have emerged and many have become extremely popular.  What’s not to love about paying a set monthly fee, and receiving a box of surprise items based on your likes?  FabFitFun suffering two Magecart attacks in a four-month period may take some of the enjoyment out of those boxes filled with surprises.

FabFitFun subscription service released a notification informing their customers that they suffered the initial attack between April 26, 2020 and May 14, 2020, then the second from May 22, 2020 until August 3, 2020.  During these time frames, there was an active skimmer running on their payment page which exposed emails and passwords for PayPal or Apple Pay, along with names, addresses, payment card account numbers, card expiration dates, and card verification codes.

While it is not unusual for hackers to attempt a Magecart reinfection, it is unusual that they were successful. That indicates that the company did not take the proper steps to secure their data when the first breach was discovered in mid-May, which left their cardholders vulnerable until August 3, 2020, angering many of their customers. One customer not only got angry, she took action – Cheryl Gaston alleges in a proposed class action suit filed this month in the US District Court for the Central District of California that the retailer acted negligently and violated the Colorado Consumer Protection Act when it failed to safeguard customer data.

Allegations made in the filing include:

16. Defendant does not claim that it abides by the Payment Card Industry Data Security Standard (“PCI DSS”) compliance, which is a requirement for businesses that store, process, or transmit payment card data.

17. The PCI DSS defines measures for ensuring data protection and consistent security processes and procedures around online financial transactions. Businesses that fail to maintain PCI DSS compliance are subject to steep fines and penalties.

18. As formulated by the PCI Security Standards Council, the mandates of PCI DSS compliance include, in part: Developing and maintaining a security policy that covers all aspects of the business, installing firewalls to protect data, and encrypting cardholder data that is transmitted over public networks using antivirus software and updating it regularly.

Based on information released to date, it appears unlikely that the hackers would have been successful in stealing this data had FabFitFun been PCI compliant.

Are Hackers Lying in Wait?

The law of supply and demand is as true in cybercrime as it is in business. With many brick and mortar businesses locked down or closed, counterfeit cards are not as “useful” as they were prior to COVID-19. Gemini Advisory, a cyber intelligence firm based in New York that closely tracks dark web stores that traffic in stolen card data, reports that the decrease in demand has resulted in significantly lower prices in the underground. Stas Alforov, Gemini’s director of research and development, told KrebsOnSecurity, “Gemini Advisory has seen over 50 percent decrease in demand for compromised card present data since the mandated COVID-19 quarantines in the United States as well as the majority of the world.” Alforov said the average price for card-present data - card numbers stolen from hacked brick-and-mortar merchants with the help of malicious software installed on point-of-sale (POS) devices - has dropped significantly since the beginning of 2020.

With the increase of online sales this year, the demand for stolen “card-not-present” data has remained high.  Gemini found prices for this data have actually increased slightly since the beginning of the year.

What does the increasing shift to card-not-present fraud, coupled with significantly fewer transactions being processed by smaller online retailers, mean? Andrew Barratt, an investigator with Coalfire, a cyber forensics firm, reports a new COVID-19 dynamic going on with e-commerce fraud that is making it harder for banks and card issuers to trace patterns in stolen card-not-present data back to hacked web merchants — particularly smaller e-commerce shops. “One of the concerns that has been expressed to me is that we’re getting [fewer] overlapping hotspots,” Barratt said. “For a lot of the smaller, more frequently compromised merchants there has been a large drop off in transactions. Whilst big e-commerce has generally done okay during the COVID-19 pandemic, a number of more modest sized or specialty online retailers have not had the same access to their supply chain and so have had to close or drastically reduce the lines they’re selling.”


A basic anti-fraud process known as “common point of purchase” or CPP analysis involves comparing the transactions run on cards confirmed to be used fraudulently to find the merchant they have in common, i.e. the location that was targeted. With fewer transactions, this has become much more challenging, particularly at smaller retailers.

“With a smaller transactional footprint means less Common Point of Purchase alerts and less data to work on to trigger a forensic investigation or fraud alert,” Barratt said. “It does also mean less fraud right now – which is a positive. But one of the big concerns that has been raised to us as investigators — literally asking if we have capacity for what’s coming — has been that merchants are getting compromised by ‘lie in wait’ type intruders.”


Barratt suspects that hackers are essentially biding their time, waiting for smaller online merchants to see an increase in volume, putting the hackers in a better position to mix the sale of cards stolen from many hacked merchants and further confound CPP analysis efforts.

“These intruders may have a beachhead in a number of small and/or middle market e-commerce entities and they’re just waiting for the transaction volumes to go back up again and they’ve suddenly got the capability to have skimmers capturing lots of card data in the event of a sudden uptick in consumer spending,” he said. “They’d also have a diverse portfolio of compromise so could possibly even evade common point of purchase detection for a while too. Couple all of that with major shopping cart platforms going out of support and furloughed IT and security staff, and there’s a potentially large COVID-19 breach bubble waiting to pop.”
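The CPP process Barratt describes, implemented over constructed sample data as an added illustration (this is not Coalfire's or any issuer's code): transactions are grouped by merchant, the merchants shared by the confirmed-fraud cards are counted, and a merchant is alerted only if enough fraud cards overlap there and the overlap is out of proportion to that merchant's total card traffic. The "lift" ratio and both thresholds are my own assumptions; real issuer tooling weighs many more signals. A second constructed data set shows the failure mode in the two quotes above: the same number of fraud cards, each compromised at a different small merchant, produces no alert at all.

```python
from collections import defaultdict

# Constructed sample data, not real card or merchant records.
# Each row: (card_id, merchant_id) -- the card transacted at that merchant
# during the look-back window before the issuer saw fraud on it.
TRANSACTIONS = [
    ("card-01", "bigbox-1"), ("card-01", "small-shop-A"),
    ("card-02", "bigbox-1"), ("card-02", "small-shop-A"),
    ("card-03", "small-shop-A"), ("card-03", "coffee-9"),
    ("card-04", "small-shop-A"), ("card-04", "bigbox-1"),
    ("card-05", "bigbox-1"), ("card-05", "coffee-9"),
    ("card-06", "bigbox-1"), ("card-06", "small-shop-B"),
    ("card-07", "bigbox-1"),
    ("card-08", "small-shop-B"),
]
# Cards on which the issuer has confirmed fraudulent use.
FRAUD_CARDS = {"card-01", "card-02", "card-03", "card-04"}


def cpp_analysis(transactions, fraud_cards, min_fraud_cards=3, min_lift=2.0):
    """Common-point-of-purchase analysis.

    For every merchant, count how many confirmed-fraud cards passed through it
    and compare that merchant's fraud share with the population's fraud share
    ("lift", an assumption of this example). A merchant is alerted only when
    enough fraud cards overlap there AND the overlap is disproportionate, so a
    large chain that every card uses is not blamed just for being big.
    """
    cards_per_merchant = defaultdict(set)
    all_cards = set()
    for card, merchant in transactions:
        cards_per_merchant[merchant].add(card)
        all_cards.add(card)
    base_rate = len(fraud_cards & all_cards) / len(all_cards)
    results = {}
    for merchant, cards in cards_per_merchant.items():
        fraud_here = cards & fraud_cards
        if not fraud_here:
            continue
        lift = (len(fraud_here) / len(cards)) / base_rate
        results[merchant] = {
            "fraud_cards": len(fraud_here),
            "all_cards": len(cards),
            "lift": round(lift, 2),
            "alert": len(fraud_here) >= min_fraud_cards and lift >= min_lift,
        }
    return results


def alerting_merchants(results):
    """Merchants that crossed both thresholds, i.e. candidate points of compromise."""
    return sorted(m for m, r in results.items() if r["alert"])


# Second constructed scenario illustrating Barratt's concern: the same number
# of fraud cards, but each one compromised at a different small merchant and
# all of them also seen at a big chain. No merchant reaches the card threshold
# with disproportionate lift, so CPP raises nothing.
DIVERSIFIED = [
    ("card-11", "small-shop-A"), ("card-12", "small-shop-B"),
    ("card-13", "small-shop-C"), ("card-14", "small-shop-D"),
] + [(f"card-{n}", "bigbox-1") for n in range(11, 19)]
FRAUD_DIVERSIFIED = {"card-11", "card-12", "card-13", "card-14"}

if __name__ == "__main__":
    print(alerting_merchants(cpp_analysis(TRANSACTIONS, FRAUD_CARDS)))
    print(alerting_merchants(cpp_analysis(DIVERSIFIED, FRAUD_DIVERSIFIED)))
```

In the first data set the four fraud cards all share `small-shop-A`, which is flagged, while `bigbox-1` is seen on three of them but at the population's background rate and is left alone. In the diversified set every small shop has exactly one fraud card, so nothing reaches the threshold; that is the "fewer overlapping hotspots" effect, and it is why issuers lower thresholds or add other signals when transaction volume drops.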

COVID Creates New Opportunities for Thieves

COVID-19 may have diverted thieves’ attention away from brick and mortar theft, but it has not stopped them from attacking companies. Since the beginning of the pandemic there has been an increase in email phishing attacks, but one group of bold thieves is taking phishing to a new level. They are marketing a voice phishing service, also known as vishing, to steal VPN credentials from unsuspecting employees. These attacks typically start with a paid request from thieves to target specific companies, or employees. A typical vishing group requires at least two people. One person will have a one-on-one phone call with the unsuspecting target, while their co-conspirator uses the compromised credentials to log into the company’s actual VPN in real time. From there, they can take control of the company’s website and email accounts.

The attackers go to great lengths to make this scheme seem believable. They start by creating phishing sites that mimic the company they are attacking. These sites usually include the company’s name followed or preceded by terms such as VPN, ticket, or portal. The sites often include working links to the company’s own internal online resources. To increase the feel of “legitimacy”, attackers will often then create LinkedIn profiles, and connect with other employees within the targeted company to increase believability. They’ve even managed to circumvent some types of multi-factor authentication because their fake sites can be set up to request the one-time code.

Once the site is created, they move on to contacting the target by phone. The thieves typically target new hires because they are not as familiar with other employees. They will pose as someone from the company’s IT department with the goal of convincing the employee to provide them with their VPN credentials, or to have the employee input the credentials into the bogus site they created. Once the thieves are in, they quickly try to locate any digital information that can be used for quick financial gain.

What’s a merchant to do? This is where security training is crucial. Constantly reinforcing security policies with employees and educating them on the importance of securing all information prevents thieves from exploiting employees and gaining access to financial data.

The Importance of Two Factor Authentication

Due to the global pandemic, many people have turned to using online grocery shopping services to keep themselves safe from being exposed to Covid-19 at their local grocery stores.  One of these services, Instacart, has seen its customer base grow significantly since March when the pandemic caused shutdowns across the United States and Canada.  While they’ve been scrambling to hire hundreds of thousands of people to keep up with the increased demand, it appears that thieves decided to help themselves to their data.

On July 22, 2020, BuzzFeedNews announced that Instacart may have suffered a breach.  The names, the last four digits of credit card numbers, and order histories of almost 300,000 Instacart customers were found in two stores on the Dark Web. An Instacart spokesperson released a statement to BuzzFeedNews denying a breach.

“We are not aware of any data breach at this time. We take data protection and privacy very seriously.”

Since news of the potential breach was announced, Instacart has stated that they believe the accounts were accessed through credential stuffing. Credential stuffing is a type of cyberattack that uses stolen login credentials from one site or service to attempt to access various other sites and services.

This loss of data could have been avoided had Instacart had two-factor authentication in place. Using two-factor authentication adds an additional layer of security, which many thieves would not have been able to penetrate. Even though Instacart states, “We take data protection and privacy very seriously,” it has been reported that they do not support two-factor authentication, and when asked about their plans for implementing it, they had no comment.
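Credential stuffing and the second factor that stops it, as an added example (not Instacart's code; the log lines, user record and thresholds are constructed): the first function flags a source IP that cycles through many different usernames, which is what separates a stuffing run from a single user mistyping a password; the rest implements RFC 6238 TOTP so that a replayed password alone does not log anyone in. The TOTP secret is the RFC 6238 test-vector key, so the code for Unix time 59 is the published value 287082.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

# Constructed sample authentication log (not real Instacart data):
# timestamp  source-IP  username  result
SAMPLE_AUTH_LOG = """\
2020-07-20T10:00:01 203.0.113.7 alice@example.com FAIL
2020-07-20T10:00:02 203.0.113.7 bob@example.com FAIL
2020-07-20T10:00:02 203.0.113.7 carol@example.com OK
2020-07-20T10:00:03 203.0.113.7 dave@example.com FAIL
2020-07-20T10:00:03 203.0.113.7 erin@example.com FAIL
2020-07-20T10:00:04 203.0.113.7 frank@example.com FAIL
2020-07-20T10:00:05 203.0.113.7 grace@example.com OK
2020-07-20T10:00:09 198.51.100.4 heidi@example.com FAIL
2020-07-20T10:00:20 198.51.100.4 heidi@example.com OK
"""


def parse_auth_log(text):
    """Turn the whitespace-separated log above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def find_credential_stuffing(events, min_attempts=5, min_distinct_users=5):
    """Flag source IPs that try many *different* accounts.

    A real user who mistypes a password retries one account; a stuffing tool
    replays a leaked list of username/password pairs, so the signal is the
    number of distinct usernames per source, not the failure count alone.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        if len(evs) >= min_attempts and len(users) >= min_distinct_users:
            flagged[ip] = {
                "attempts": len(evs),
                "distinct_users": len(users),
                # accounts where the replayed password worked: these need a
                # forced password reset and session revocation
                "compromised": sorted(e["user"] for e in evs if e["ok"]),
            }
    return flagged


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for a given Unix time."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, now + d * 30), code)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: bytes = b"demo-salt") -> bytes:
    # Fixed salt keeps the demo deterministic; use a random per-user salt in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record; the TOTP secret is the RFC 6238 test-vector key.
USERS = {
    "carol@example.com": {
        "password_hash": hash_password("leaked-pw-123"),
        "totp_secret": b"12345678901234567890",
    },
}


def login(user: str, password: str, code: str, now: int) -> bool:
    """Password check followed by a TOTP check; a stuffed password alone fails."""
    rec = USERS.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(rec["password_hash"], hash_password(password)):
        return False
    return verify_totp(rec["totp_secret"], code, now)
```

On the sample log, `203.0.113.7` is flagged with seven attempts against seven different accounts, two of which succeeded; those two accounts are the ones that need a reset even though each individual login looked like a normal success. With the second factor in place, `login()` rejects the leaked password for `carol@example.com` unless the caller also has the current code from her authenticator.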

Hackers Exploit Retailers During Early Days of Covid-19 Crisis

Just as the US is seeing new surges in Covid-19 cases, there are concerns that merchants may soon see a surge of data breaches.  When retailers were forced to close the doors of their brick and mortar locations, with little-to-no advance notice, back in March and early April, they were sent scrambling to adapt to a “new normal”.   Efforts were devoted to finding ways to process contactless payments, make contactless deliveries, and generally stay in business.  While they were busy trying to survive, hackers were quietly planting malware to allow them to skim payment card details.


One retailer to fall victim to this is Claire’s, a jewelry and accessories retailer.  Claire’s, along with Icing, their sister company, announced that they have been the victim of what is believed to be a Magecart attack. Magecart attacks are typically initiated by hackers who use malware to insert harmful code into a company’s website. Once they insert their own code within the website’s existing code, it can then be used to gather information entered during the checkout process without making any change to the transaction process.


In this case, the Magecart attack began skimming payment card information from Claire’s website around April 20, but it is believed to have been inserted as early as March 20, the day after Claire’s physical locations were closed due to Covid-19. The combination of an increase in online traffic and a reduced workforce available to oversee any possible threats allowed hackers to skim payment card data for nearly two months before it was discovered by researchers at Sansec, a security firm.  While the investigation is still ongoing, Claire’s has determined that no in-store transactions were compromised.


“Any crisis is a green light to cybercriminals and scammers,” said Jim Van Dyke, CEO of Breach Clarity, a San Francisco fraud prevention and detection technology firm. “COVID-19 has created an enormous amount of uncertainty and chaos at a scale we’ve not seen before. People are scared, anxious and desperate for anything that might help them through this troubling time. That makes them incredibly vulnerable. And, if you consider their private information is floating around the dark web, just waiting to be purchased by an opportunistic scammer, it’s the perfect storm.”

PCI Security Standards Council Delays Version 4.0

In light of changes and delays brought on by the COVID-19 pandemic, the PCI Security Standards Council has announced that they are delaying the release of version 4.0.  This version was originally expected to be released late this year, with a one-year window for merchants to comply with the new standards.  In order to allow sufficient time for the Council to review comments generated by the Request for Comment issued previously, as well as another that they expect to issue in October of 2020, they have announced that PCI DSS version 4.0 will be published sometime in 2021, with a two-year window to comply with the new standards.

As a reminder, the PCI Security Standards Council has released a resource guide, found at to help small merchants keep their customers’ payment data secure in this rapidly changing environment.

In addition to this resource for small merchants, the Council has established resources for all COVID-19 updates, which can be found by going to

Protect Yourself, Protect Your Network

Over the last few weeks, companies across the US have found themselves forced to set up remote access to systems to allow employees to work from home.  While some companies have maintained a remote work environment for years, many businesses have had to scramble to comply with government orders that have typically been issued with little to no advance warning.  Even companies that have previously maintained a remote workforce have been faced with the challenge of having as much as 100% of their workforce working from home.  Inevitably, the lack of ramp-up time, coupled with the general anxiety of coping with a pandemic, translates into opportunities for hackers to access far more networks than ever before.  While this may not seem to be a huge risk for many companies, let’s not forget that the Target breach did not originate inside Target; it began with hackers accessing an HVAC company that happened to have remote access to Target’s stores.

Businesses should be more vigilant than ever to protect against network intrusions, phishing campaigns, and bogus requests for financial data. Crooks are taking advantage of COVID-19 fears, rapidly changing work environments, and a distracted workforce to trick individuals into clicking on links, visiting websites and opening emails that contain malware. The threats come from a number of sources, including targeted attacks against the health and life sciences industry, and bad actors posing as CDC or WHO representatives. 


Fortunately, just as washing our hands reduces the risk of getting COVID-19, there are basic security steps that can be taken to also reduce the risk of cyberattacks:


  • Never open attachments in unsolicited emails.
  • Never click on links in unsolicited emails.
  • Never provide personal or financial information in response to online solicitations or unsolicited email.
  • Educate yourself on how to spot phishing attacks, including sophisticated messages and spoofed emails.
  • Use only trusted sources like verified government websites for COVID-19 information.
  • Never donate to charities without first verifying their authenticity.
  • Never download unauthorized or unsupported software on any device used to access company networks.
  • Be sure that software and settings on all devices used to access company networks are secure and regularly updated with all security patches.
  • Update home Wi-Fi routers to the latest firmware and use strong Wi-Fi passwords.


Our country is facing an unprecedented time. The MAXpci team sends our very best wishes to every one of you, your family and friends.  Stay home and stay healthy.  Together, we will get through this.


With Automation Comes Increased Risk

Application programming interfaces, also known as APIs, are becoming increasingly popular because they automate the process of sending information between different platforms.  Crooks agree.  They are also becoming increasingly interested in this process, because it provides them another means of gaining access to data.  So much so that Akamai Technologies reports that criminals launched more than 16.6 billion attacks against the points of access in API connections between December 2017 and November 2019.

Criminals use a method known as credential stuffing to attempt access to APIs and other web-based applications.  Credential stuffing uses stolen username and password combinations from a previous breach to attempt to gain access to other accounts.  Yet another reason not to use the same credentials for multiple accounts.

With APIs catching the interest of so many criminals, how does a merchant protect themselves?  Steven Ragan, security researcher from Akamai, has recommendations that fall in line with PCI standards.

“Payments companies can take several steps to protect their API connections. Limiting the rate of access and protecting the APIs directly is a start.  Enabling and enforcing strong multifactor authentication processes is another layer of defense,” Ragan says. “In addition, education about the use of password managers, multifactor authentication tools, and phishing is [another] step.”
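As an added example (not code from the newsletter, Instacart, Akamai or any vendor quoted here), the following Python shows the two defenses this section and the Instacart item above describe: spotting credential stuffing in login logs (one source cycling through many different accounts with a high failure rate) and limiting the rate of access to a login or API endpoint. The log format, IP addresses and account names are constructed for the example.

```python
"""Credential-stuffing detection and login rate limiting over constructed logs.

Added example for this newsletter, not code from Instacart, Akamai or any
other organization named in the text; the log format is hypothetical.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log, hypothetical format "timestamp ip user result".
# 203.0.113.5 behaves like a stuffing source: many accounts, almost all failing,
# with one leaked password that happens to work (dave).
SAMPLE_LOG = """\
2020-07-20T10:00:01Z 203.0.113.5 alice FAIL
2020-07-20T10:00:02Z 203.0.113.5 bob FAIL
2020-07-20T10:00:03Z 203.0.113.5 carol FAIL
2020-07-20T10:00:04Z 203.0.113.5 dave OK
2020-07-20T10:00:05Z 203.0.113.5 erin FAIL
2020-07-20T10:00:06Z 203.0.113.5 frank FAIL
2020-07-20T10:00:07Z 203.0.113.5 grace FAIL
2020-07-20T10:00:08Z 203.0.113.5 heidi FAIL
2020-07-20T10:00:10Z 198.51.100.7 alice FAIL
2020-07-20T10:00:25Z 198.51.100.7 alice OK
2020-07-20T10:01:00Z 192.0.2.9 carol OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


@dataclass(frozen=True)
class LoginEvent:
    ts: float  # seconds since the epoch, UTC
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the hypothetical log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, ip, user, result = m.groups()
        dt = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(dt.timestamp(), ip, user, result == "OK"))
    return events


def detect_credential_stuffing(events, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts and mostly fail.

    A real user retrying a typo hits one account; a stuffing tool walks a list
    of leaked username/password pairs, so distinct accounts climb while the
    success rate stays low. Returns {ip: stats} for flagged IPs only.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for e in events:
        s = per_ip[e.ip]
        s["attempts"] += 1
        s["failures"] += 0 if e.ok else 1
        s["users"].add(e.user)
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"attempts": s["attempts"], "failures": s["failures"],
                           "distinct_users": len(s["users"]), "fail_ratio": ratio}
    return flagged


class SlidingWindowRateLimiter:
    """Allow at most `limit` attempts per key within any `window_seconds` span."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit, self.window = limit, window_seconds
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and q[0] <= now - self.window:  # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def replay_with_rate_limit(events, limit=5, window_seconds=60):
    """Replay events through a per-IP limiter; returns blocked attempts per IP."""
    limiter = SlidingWindowRateLimiter(limit, window_seconds)
    blocked = {e.ip: 0 for e in events}
    for e in sorted(events, key=lambda x: x.ts):
        if not limiter.allow(e.ip, e.ts):
            blocked[e.ip] += 1
    return blocked
```

With the sample log, the stuffing source is flagged (8 accounts, 7 of 8 attempts failed) and a limit of 5 attempts per minute blocks its last 3 attempts while the genuine retry from 198.51.100.7 is untouched; the one stuffed credential that succeeded is exactly the case that two-factor authentication would have stopped.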

Wawa Stolen Card Numbers for Sale on the Dark Web

Last month we reported that Wawa had suffered a breach that lasted over nine months.  Once the malware was found, it was quickly contained; however, the damage was already done. The breach exposed debit and credit card numbers, expiration dates, and cardholder names of customers that made purchases at any Wawa.  On Monday, January 27, 2020, a popular underground crime shop known as Joker’s Stash claimed to have 30 million records for sale, many of which can be traced back to purchases made at Wawa.  This batch of cards has been named “BIGBADABOOM-III” by Joker’s Stash.

Wawa released a statement to KrebsOnSecurity regarding the claim by Joker’s Stash.

“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information. We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data. We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” the statement continues. “Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges.”

A New York-based fraud intelligence company, Gemini Advisory, said the largest amount of card information for sale traced back to Wawa customers in Florida and Pennsylvania.  Gemini Advisory also said that only a small portion of the 30 million cards they claim to have are currently for sale.  Joker’s Stash will not release too many cards at one time because it will drive down the selling price.  Currently, the price is $17 per card, with some international cards selling for as much as $210 per card.

It’s estimated that this breach will cost Wawa millions of dollars in fines.  The total impact remains to be seen; there has already been one class action suit filed against the company.


Data Breaches: Are we our own worst enemy?

Wawa ended the year joining the ever-growing ranks of large companies that suffered a breach in 2019.  On December 10, 2019 the company’s Chief Executive, Chris Gheysens, released a statement informing customers that malware had been discovered.  The malware is thought to have exposed credit card data from March 4th to December 12th of this year.  Gheysens stated that “potentially all Wawa in-store payment terminals and fuel dispensers” were impacted.  The malware was contained on December 12th, two days after it was discovered.

Even before Wawa’s announcement, 2019 was trending to become the worst year on record for data breaches.  There has been a 33 percent increase from 2018, according to Risk Based Security.  ScoreSense reports 5,200 breaches to date in 2019, with nearly 8 billion records exposed. 

The root cause of these breaches is what many find both surprising and frustrating.  Inga Goddijn, the Executive Vice President of Risk Based Security, said in a recent report,

“As we look over the experience of 2019, what stands out is that we are often our own worst enemy.  Whether it’s a phishing campaign that ultimately provides malicious actors with a toehold into systems or misconfigured databases and services that leave millions of sensitive records freely available on the internet, it seems to be human nature coupled with weak controls that contributed heavily to the number and severity of breaches we’ve seen this year.”


The MAXpci Team Wishes Everyone a

Happy & Safe New Year!

PCI Compliance: An Elusive Goal?

Thirteen years after the PCI DSS debuted in 2006, more than half of all merchants are still either unwilling or unable to meet all the standards to achieve full compliance.  In fact, according to a global study done by Verizon, compliance rates in 2018 were at their lowest since 2013, with only 36.7% of companies reviewed being compliant.  Compliance rates have been on the decline over the last few years – in 2016, 55.4% of merchants reviewed were compliant. 

Verizon’s annual report indicates that the location of the company can determine their PCI status.  Verizon says 69.6% of assessed Asia-Pacific organizations were in full compliance last year compared with 48% for the Europe/Middle East/Africa region and just 20.4% in the Americas.  Rodolphe Simonetti, the Global Managing Director for Security Consulting at Verizon, stated in a press release:

“After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences. We see an increasing number of organizations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data.”

With the anticipated release of 4.0 in late 2020, the PCI Security Council is expected to provide more flexibility and support for merchants, as well as recognize contactless payment options now in use.

The team at MAXpci wishes you a Happy Thanksgiving!

The Holidays are Coming: Hackers are Ready, are Your Merchants?

Every year around this time, retailers are preparing for the holiday season.  The high sales numbers that they depend on to carry them through the year make them very attractive targets for thieves.  With EMV adoption rates continuing to slowly climb, hackers continue to focus on eCommerce as their target.  Digital skimming, also known as e-skimming, continues to be the “new” big thing.  As the season begins to kick off, the FBI reports seeing many e-skimming cases opening across the bureau.  According to an October alert, "Any business accepting online payments on their website is at risk of an e-skimming attack".  "This is the natural evolution of the attacker," said Dave Lewis, global advisory chief information security officer at Ann Arbor-based Duo Security. "Nowadays, they understand these websites are processing millions of dollars in transactions."

Thieves running digital skimming operations monitor and study how a company’s payment page looks and operates, so their code is able to blend in with normal payment processing.  This helps to avoid detection for longer periods of time.  The scammers access the e-commerce platform through any vulnerability they can find.  Many times, they will use this vulnerability to re-direct a consumer to a malicious domain where the card information can be captured and sent to a remote server.  Since the information is stolen in real time, thieves know that the card is live and active.  Having a live card makes the information more valuable.  One live card number can sell for up to $4; since hundreds of thousands of card numbers are typically sold at one time, it’s easy to see why thieves engage in this type of theft.

There are several steps merchants can take to guard against an attack – including having regular vulnerability scans run, resolving any issues found, and ensuring that they are truly PCI compliant.  Just checking the Yes box does nothing - thieves continue to easily exploit systems by using easily guessed passwords.  When even companies the size of Equifax are using “admin” as a password, thieves know that there are more companies out there that can be easily breached. 



As Payment Data Security Changes, So Do the Security Standards.

The PCI Security Standards Council is preparing to release its first major revision to the SAQs in several years.  For the first time, the Council is offering multiple opportunities for feedback from members of the payment industry prior to publishing the new version. “Payment-data security is changing, and we want to make sure that the PCI standards going forward are adaptable with the new technologies being deployed in the payment industry,” Troy Leach, chief technology officer for the Wakefield, Mass.-based Council, tells Digital Transactions News. “At the same time, we want to make (industry) feedback more transparent.”

With ever-changing technology in the payments space, the PCI Council recognizes there isn’t a one-size-fits-all approach to data security, and their goal is to allow greater flexibility to payments providers in order to meet security objectives.  “The plan is to make the standard more dynamic so that this standard and all other standards that evolve from it will be adaptable to the next generation of payment technologies,” says Leach.

The new version isn’t expected to be released before the end of 2020.  As has been the case in the past, merchants will have time to transition to the new requirements.

A minor revision, planned for the end of this year, is the addition of a standard for contactless payments used on mobile devices.  This method has been gaining momentum, especially after many mass transit agencies started using it to accept fares. 

Just When You Thought It Was Safe.

In 2018, we were faced with breaches at such large companies as T-Mobile, Facebook, Saks and Marriott; according to recent reports from Risk Based Security Inc., a Richmond, Virginia analytics and consulting firm that specializes in data protection, 2019 isn’t going any better.  During the first half of 2019, 3,813 breaches were reported, up 54% from this time in 2018.  The number of exposed consumer records, over 4.1 billion, is an increase of 52% over the same time in 2018.  In 2019, over 78% of the records exposed to date stem from just 8 breaches.

Hacking continues to be the leading culprit, accounting for 82% of reported breaches.  Inga Goddijn, executive vice president at Risk Based Security stated, “While hackers tend to avoid banks, card issuers, and payment processors because of their usually strong cybersecurity, merchants remain a prime target because of the access they have to cardholder data within their systems. Retailers, online retailers, and gas stations remain prized targets because they accept credit cards,” Goddijn tells Digital Transactions News. “While they are aware of the risk, they don’t necessarily have unlimited resources to apply to cybersecurity like other businesses.”

The biggest threat to merchants is employees failing to properly secure information.  To date in 2019, 149 breaches that exposed more than 3.2 billion records were due to databases and other services that were misconfigured.  Goddijn went on to say, “There is so much complexity to information technology when it comes to defending the system that no one is immune. But the thing is, hackers only have to be right once, whereas security has to be right all the time. What’s clear, is that despite the awareness of the issue among business leaders and the best efforts of defenders, data breaches continue to take place at an alarming rate. Once again, we are on track for another worst year on record for breach activity.”

The MAXpci Team wishes you a Happy and Safe Labor Day!

Small Businesses are Large Targets

Everyone knows that a credit card breach is bad for business, but exactly how bad is it?  According to Kaspersky Lab, the average cost in the US when a small business suffers a breach can be as high as $117,000.  Small businesses are targeted in 70% of breaches, forcing roughly 60% of them to close their doors within 6 months of the attack.

While criminal attacks account for 47% of all breaches, more than half are caused by human negligence and system glitches.  It’s estimated that human negligence is the cause of one in every four attacks.

The cost breakdown for the most common breach causes is:

  • Criminal attacks: $156 per record
  • Human negligence: $126 per record
  • System glitches: $128 per record

There are many costs that make up these figures.  The cost of notifying cardholders whose information has been compromised is just one.  Step one in the case of any suspected breach is engaging auditors to perform the forensic audit to determine if a breach has occurred, and, if so, what caused it.  From there, merchants can face industry fines and penalties, card replacements costs, the cost of IT upgrades, additional security monitoring, legal costs, and the hardest cost to quantify and survive – the loss of business. 

When a merchant identifies a breach before it’s detected by others, it’s typically contained 60% faster than if the breach is uncovered by outsiders.  Unfortunately, Trustwave reports that only 40% of breaches are discovered by the merchant; most commonly the breach is detected by merchant banks, the card brands, or other agencies within the financial industry.

Outsourcing, Friend or Foe?

LabCorp and Quest Diagnostics recently made headlines when they revealed that they’d been breached.  What wasn’t in the headlines is that these companies themselves were not breached - a third-party collections company they both use suffered the breach.  LabCorp and Quest Diagnostics are the two largest medical testing companies in the United States.  Until recently, they both partnered with the American Medical Collection Agency (AMCA), a debt collection company.  It was AMCA that suffered the breach, which compromised 12 million customers’ information from Quest Diagnostics and 7.7 million of LabCorp’s.  From August 1, 2018 through March 30, 2019, patients’ names, birthdates, addresses, phone numbers, service dates, provider information and balance information were exposed.  LabCorp has stated that roughly 200,000 of their patients also had their credit card or bank information compromised.

There are many valid reasons why businesses choose to use a third party to process their transactions, not the least of which is that it lightens their load for PCI compliance.  Unfortunately, it puts them in a very vulnerable situation when something like this happens. While a third party may be responsible for the breach, the damage is done to the business’ reputation to a far larger degree than to the service provider’s reputation, since service providers tend to be largely invisible to the cardholder.  In this specific case, AMCA filed for Chapter 11 protection earlier this month, blaming the loss of business, coupled with rising expenses attributed to this breach, as the reasons for liquidating.

Low and Slow is the Way to Go

Historically, hackers have focused most heavily on stealing payment card data from retail stores.  Recent trends indicate that may be changing.  Hackers have begun targeting online stores because they tend to go unnoticed for longer periods of time, giving them access to more information.  In the past, the average price for card data stolen from online retailers, known as CVVs, ranged from $2-$8, versus $15-$20 for card data stolen from brick and mortar stores, known as dumps. Since the EMV shift, the demand for CVVs has risen to the point that hackers have a hard time meeting the demand.  With demand greater than supply, the prices for CVVs are now more in line with dumps.  Stas Alforov, Director of Research and Development for Gemini, a company that monitors many underground stores that sell stolen credit card information, reports that “the demand for card not present data remains strong while the supply is not as great as the bad guys need it to be, which means prices have been steadily going up. A lot of the bad guys who used to do card present fraud are now shifting to card-not-present fraud. There is a lot more incentive now than ever before for thieves to compromise e-commerce sites.”

Thales eSecurity reports that 50% of all medium and large online retailers surveyed admitted to being hacked last year.  This number is two times higher than the results from the previous year.  With the value of the data increasing, online retailers are going to have to be more vigilant than ever to protect their data.

Eating Out Can Cost You in More Ways Than You Think

It seems calories aren’t the only thing diners need to worry about when eating out.  The restaurant industry’s heavy reliance on POS systems continues to make them easy targets for hackers.  Earl Enterprises recently found out just how easy.  KrebsOnSecurity contacted them in February of 2019 to alert them to a suspected breach after noticing that roughly 2 million payment cards sold on the Dark Web appeared to belong to their customers.

Earl Enterprises officially acknowledged that they were in fact breached nearly two months after being notified that their chain Buca di Beppo may have been breached.  They also disclosed that other chains they own were breached as well, including Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria.  The cause of the breach was malicious software installed in the POS system at certain restaurant locations.  The investigation revealed that the breach lasted from May 23, 2018 to March 18, 2019 and card numbers, expiration dates and in some cases, card holder’s names were compromised. 

The easy access to POS systems that hackers are enjoying highlights the importance of ensuring that POS systems are installed securely.  The card brands began requiring that merchants use Qualified Integrator Resellers to install new systems for just that reason.  Quarterly vulnerability scans help to ensure that they remain secure, and alert the business to any vulnerabilities that need to be remediated to prevent a breach.

Data Breach More Devastating than a Natural Disaster?

According to the AppRiver Cyberthreat Index for Business, small and medium-sized businesses (SMBs) feel that a data breach of any kind would be more devastating than floods, fires and transit strikes combined.

More than half of the SMBs surveyed fear that a successful breach would likely end their business, with a data breach being the single most feared and payment data being the second. Over 70% of all SMBs reported at least one attempted cyberattack last quarter; that’s not surprising considering that SMBs are the target of 2 out of every 3 cybercrimes.  Most are concerned that disgruntled employees will be the source of the attack, and 45% say they are vulnerable to threats because of their lack of readiness.

Despite the level of concern expressed, they aren’t always vigilant about protecting themselves.  According to the survey, a whopping 70% of respondents said they logged onto public WiFi, with 58% saying they do it frequently.  Public WiFi is not a safe internet connection and can significantly increase the risk of being breached.

Kaspersky Lab reports that SMBs are right to be worried about the impact of a security breach: the cost of a breach was roughly $117,000 in 2017.  Troy Gill, the senior security analyst at AppRiver, stated that “6 in 10 U.S. SMBs go out of business within six months of a successful breach”.  That figure could potentially have a crippling impact on our economy, since the U.S. Small Business Administration reports that SMBs employ nearly half the nation’s workforce.

High Tech Skimmers Now Send Card Data Via Text

The U.S. Secret Service warned field offices this month about a new type of skimmer being used at gas pumps.  These skimmers are being found inside contactless payment terminals at the pumps.  While skimmers being found at gas pumps is nothing new, the method of communication that’s being used is - payment card data is now being sent via text message.  The new skimmer has a mobile phone component built in to allow it to communicate anywhere in the world that cell data is available.

In the past, thieves using regular Bluetooth skimmers had to return to the compromised station to download the card data.  With these more advanced skimmers, they never have to run the risk of returning.  Traditional Bluetooth skimmers were also found in several of the pumps at compromised stations. It is believed that these skimmers sent the information to the device inside the NFC reader to transmit the information via text message, allowing thieves to access data from several pumps at once.

It is imperative that gas stations keep their software and hardware up to date, to be sure they’re taking advantage of the highest level of security available.  They also need to be vigilant about physically inspecting equipment to detect any modifications.

Resources for Merchants

Over the years, the PCI Security Council has published a number of bulletins aimed at helping smaller merchants navigate the challenges of becoming, and staying, PCI compliant.  One of the many challenges every merchant faces is wading through the myriad of companies who may be involved in their payment processing network, and ensuring that the vendors they use are doing their part to keep their data secure.  We often hear “well, I assume so” in answer to questions about the security of service providers who are handling merchant data.  This is definitely an instance where assuming can do more than make a you-know-what out of you and me – it can leave merchants vulnerable to a breach.

One bulletin, designed to help smaller merchants understand where the data security responsibilities lie based on how they process transactions, and how to be sure that they’re selecting vendors who are approved to handle their data, is the “Questions to Ask Your Vendors”.  This bulletin is available to anyone, and is found at

Another bulletin that may be helpful to your merchants is “Guide to Safe Payments”, available at  This was developed as a resource to provide merchants with simple guidance for understanding the risk to small businesses, and security basics to protect against payment data theft.

The Council announced earlier this month that they have released standards for software developers.  In a press release dated January 16, 2019, the Council announced:

PCI SECURITY STANDARDS COUNCIL PUBLISHES NEW SOFTWARE SECURITY STANDARDS

New PCI Standards for Software Vendors to Drive Development of Secure Software Solutions for the Next Generation of Payments; Payment Application Data Security Standard (PA-DSS) to be Retired in 2022

WAKEFIELD, Mass., 16 January 2019 — Today the PCI Security Standards Council (PCI SSC) published new requirements for the secure design and development of modern payment software. The PCI Secure Software Standard and the PCI Secure Lifecycle (Secure SLC) Standard are part of a new PCI Software Security Framework, which includes a validation program for software vendors and their software products and a qualification program for assessors. The programs will be launched later in 2019.

The full text of the release can be found at, or by going to and selecting Newsroom.

For those of you in the path of the polar vortex – be safe, and keep warm!

Four Years?!?

Marriott International recently disclosed that hackers had accessed the reservation system of many of its chains since 2014 and that as many as 500 million customers had their personal data exposed.  The breach occurred in the system for the Starwood properties, a subsidiary of Marriott that includes the St. Regis, Westin, Sheraton, Aloft, Le Meridien, Four Points and W Hotel chains. The information exposed in this breach includes names, addresses, card numbers, passport numbers, travel locations and arrival/departure dates of their customers. 

The company was first notified on September 8th, when an internal security tool flagged the unauthorized party.  The hacker had accessed the information, encrypted it and tried to remove it.  It took until November for Marriott to have the information decrypted.  Bonnie Kim, a Marriott spokeswoman, said that they encrypt credit card numbers, but she would not comment on whether they encrypt the personal information of their customers. Full encryption is recommended by security experts.  They did admit that they cannot rule out the possibility that the encryption keys were taken by hackers.  Matthew D. Green, a Johns Hopkins University cryptographer, said, “The fact that they can’t rule out that the keys were taken sounds like a problem”.

So far, the information taken hasn’t been located in criminal marketplaces on the Dark Web. This lack of information has cybersecurity experts debating if the hackers were just criminals looking to sell the information, or if they were nation-state hackers. Security expert Matt Tait, a former British intelligence officer, said it was unclear whether the hackers were spies or mere criminals, though he suspected Marriott was a victim of a nation-state attack because the access lasted for so long without triggering suspicion.  The information exposed in the reservation system could give nation-state hackers information on high profile targets including diplomats, spies, military officials and business executives.  The information accessed not only tells a great deal about a person’s lifestyle and relationships, it also gives advance notice of a person’s location.

While this may be the largest breach the hospitality industry has seen to date, it is not the first. Thieves have attacked this industry for years.  Edward Hasbrouck, a San Francisco-based travel writer and consumer advocate, stated, “The travel industry has been grossly negligent compared to many industries when it comes to data privacy and security.”  Gates Marshall, CompliancePoint’s Director of Cyber Services, shared his thoughts on this industry’s security: “The industry is behind in a lot of ways”.  The government has not set security regulations for this industry, but after this massive breach certain officials have asked for stricter regulations regarding consumer data privacy.  The attorneys general of three states, New York, Maryland and Pennsylvania, have already had their offices open investigations into the breach at Marriott.

Leeny Oberg, Marriott’s CFO, said on December 5th that it is too early to estimate the cost of this breach, but according to Bloomberg Intelligence they could face up to $1 billion in fines and legal costs.  They should also expect to see a drop in their stock price.

The MAXpci team wishes you a Happy and Prosperous New Year!


Why Big Businesses Think They Can Afford a Breach

There’s a 50% chance that your personal data was compromised in the Equifax data breach that exposed 143 million records.  If by chance your data wasn’t exposed then, it almost certainly was when Google and Facebook were breached.  Even consumers who shy away from social media and online shopping aren’t immune from risk since retailers ranging from Target to Michael’s to Home Depot were also breached in the last few years.  Unless you’re paying cash, in person, for every purchase and every expense, there’s a risk every day of having your personal information exposed, which begs the question – why don’t big businesses do more to prevent a breach?  Simply put, the cost of protection may not be worth it to them.


Ponemon Institute and IBM’s 2018 data breach study showed that on average a data breach costs a large company $7.91 million in the US. This expense includes IT expenses, insurance, notifications and lost customers.  This sure sounds like a lot to us, but for a company with annual revenues of over $500, it’s quite possibly less than they spend on toilet paper.


For many, the cost of cybersecurity outweighs the cost of a possible breach.  According to O. Sami Saydjari, author of Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time, it’s impossible to be 100% secure, so companies have to make an investment decision.  Saydjari also says in his book that cybersecurity budgets are usually 0.1% of total revenue, roughly the same as the cost of being breached.

Burgerville Serves a Side of Breach

Burgerville, a Washington-based burger chain, disclosed earlier this month that they’ve joined the ever-growing list of victims of a credit card breach.  Burgerville believes that anyone who paid with a payment card between September 2017 and September 2018 could be affected.  While they did not release the number of customers believed to be affected, they did share what information was compromised: names, card numbers, expiration dates and CVV numbers.  In other words, everything needed to use the cards.

The company was first alerted to the breach by the FBI on August 22, but held off disclosing it in order to assist the FBI with an active investigation.  What’s a bit unusual about this breach is that they believe they know who stole the data: an Eastern European cybercriminal gang known as Fin7.  This group is believed to be responsible for having stolen more than 15 million card records in 47 states.  They have also been linked to major breaches at Chipotle, Arby’s, Chili’s and Red Robin.  In August, federal prosecutors indicted three Ukrainian members of Fin7 for their connection to the hack at Burgerville.   Unfortunately, while they may be off the streets, that does nothing to negate the effects of the breach.  The stolen payment card information was almost certainly already sold by the time they were apprehended. 

Now that Burgerville has shut down the access and secured their systems, they face a new battle.  Almost immediately after the breach was disclosed, one of their customers, Cassandra Nelson, filed a class-action complaint in Multnomah County court in Oregon.

Nelson alleges that her financial card information was compromised by Burgerville after she purchased food from their Portland metro area locations. The complaint also alleges that the restaurant “collected and stored credit and debit card information” in its POS systems.


“In an attempt to increase profits, Burgerville negligently failed to maintain adequate technological safeguards to protect plaintiff’s information from unauthorized access by hackers,” Nelson’s complaint states. 


In the complaint, Nelson also alleges that Burgerville violated Oregon law by not informing customers as soon as it learned about the hack. Nelson is seeking monetary damages and a full accounting of how hackers gained access to customer information.


While it remains to be seen how this suit will be resolved in the courts, it’s a very clear message that cardholders are tired of having their financial information at risk and intend to hold merchants accountable.


The High Cost of Covering Up a Breach

While searching for a topic to share with you this month, we did our normal searches – payment card breaches, top breaches of 2018, causes of payment card breaches, you know, the usual.  And, as usual, we got a long list of major retailers who’ve been breached, ranging from Target to Macy’s to Cheddar’s.  What wasn’t usual was that there were no new breaches reported.  Now, we’re not naïve enough to think there won’t be one any day now, but it’s nice to see the pace slowing down. 

That being the case, we’ve turned our attention to the cost of data breaches.  It was reported this week that Uber, having been accused of intentionally concealing a data breach in 2016, has agreed to pay $148 million to settle the investigation. The settlement payment will be split among the states. According to the New York attorney general, it’s the largest ever multi-state data breach settlement.

"Uber's decision to cover up this breach was a blatant violation of the public's trust," California Attorney General Xavier Becerra said in announcing the settlement. "The company failed to safeguard user data and notify authorities when it was exposed."

The Federal Trade Commission investigated allegations that the ride-share company violated breach notification laws by intentionally withholding information about the breach, when hackers stole the personal information of 57 million users.  Uber did not disclose the breach until late 2017, when it was also revealed that Uber had paid the hackers $100,000 to destroy the data.


In addition to the hefty financial payout, Uber has agreed to develop and implement a corporate integrity program for employees to report unethical behavior.  Uber also has agreed to adopt model data breach notification and data security practices, and to hire an independent third party to assess its data security practices.


Another Day, Another Restaurant Breach

Cheddar’s Scratch Kitchen announced this month that they’ve joined the long, growing list of restaurants who’ve fallen victim to hackers.   On August 16th, 2018, federal authorities notified Darden of a possible incident.  At that time, they hired a third-party investigator and it was determined that they were in fact breached.

While the incident is still under investigation, it’s currently thought to have occurred between November 3, 2017 and January 2, 2018, and to have exposed payment card data for as many as 567,000 customers in 23 states. It is widely believed that an old Point-of-Sale system allowed hackers access to Cheddar’s old network.  This network was permanently disabled in April of 2018. 

Cheddar’s Scratch Kitchen is owned by Orlando-based Darden Restaurants Inc., which owns other well-known restaurants including Olive Garden, Bahama Breeze, Longhorn Steakhouse, and The Capital Grille.  Darden purchased Cheddar’s Scratch Kitchen in April of 2017, and it’s believed that the breach occurred prior to their systems being upgraded and integrated with Cheddar’s current system.

Card-Not-Present Fraud Continues to Rise

and, both owned by Macy’s, are some of the most recent companies to fall victim to a breach via “account takeover fraud”.  On June 11th a cyber threat alert tool that Macy’s utilizes detected suspicious login activity for many of their customers’ online accounts.

After further investigation, they found that a third party had used current customers’ usernames and passwords to access their online shopping accounts from April 26th – June 12th.  This gave the unauthorized third party access to these customers’ names, addresses, phone numbers, email addresses, birthdays, and credit and debit card numbers with expiration dates. Investigators for Macy’s said that the usernames and passwords did not come from Macy’s, so the third party gathered this information elsewhere.

Macy’s blocked accounts with suspicious activity and sent emails to those customers informing them of the breach and that their accounts would continue to be blocked until they changed their passwords.  They also recommended to these customers that if they used the same password for any of their other online accounts, they should be changed immediately.


With card-not-present fraud increasing since the implementation of EMV, the threat to e-commerce companies, and consumers, has also increased.  Disabling access to accounts until passwords are changed is a good first step, but it’s also closing the barn door after the horses have escaped.  Many security experts recommend implementing two-factor authentication as a means of restoring consumers’ trust in online shopping and making it more difficult to hack into the accounts.
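Detection logic like the “cyber threat alert tool” mentioned above is worth seeing in concrete form. The following is an added example written for this post, not Macy’s tooling or code from the original article. It reads a few constructed web login events (invented timestamps and usernames, IPs from documentation ranges) and flags a source address that attempts many distinct accounts in a short window with a high failure rate, which is what a credential-stuffing run with passwords gathered elsewhere looks like. The accounts that nonetheless succeeded are the ones to lock until the password is changed.

```python
# Added example: flag credential-stuffing style account takeover in login logs.
# The events below are constructed; IPs come from documentation ranges.
from collections import defaultdict
from datetime import datetime

# Constructed login events: ISO timestamp, source IP, username, result.
SAMPLE_EVENTS = """\
2018-06-11T09:00:01 203.0.113.9 alice FAIL
2018-06-11T09:00:02 203.0.113.9 bob FAIL
2018-06-11T09:00:03 203.0.113.9 carol SUCCESS
2018-06-11T09:00:04 203.0.113.9 dave FAIL
2018-06-11T09:00:05 203.0.113.9 erin SUCCESS
2018-06-11T09:00:06 203.0.113.9 frank FAIL
2018-06-11T09:00:07 203.0.113.9 grace FAIL
2018-06-11T09:05:00 198.51.100.4 alice FAIL
2018-06-11T09:05:10 198.51.100.4 alice SUCCESS
2018-06-11T09:06:00 192.0.2.50 bob SUCCESS
"""


def parse_events(text):
    """Turn the constructed log into dicts with a real datetime for windowing."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "result": result})
    return events


def detect_credential_stuffing(events, window_seconds=300,
                               min_accounts=5, min_fail_ratio=0.5):
    """One alert per source IP that, inside some sliding window, tried at least
    min_accounts distinct usernames with a failure ratio of min_fail_ratio or
    more. A legitimate user retrying their own password never trips this,
    because they only ever touch one account."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window spans at most window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            fails = sum(1 for e in window if e["result"] == "FAIL")
            ratio = fails / len(window)
            if len(users) >= min_accounts and ratio >= min_fail_ratio:
                candidate = {
                    "ip": ip,
                    "distinct_accounts": len(users),
                    "fail_ratio": round(ratio, 2),
                    # Accounts the attacker actually got into: block until reset.
                    "compromised": sorted({e["user"] for e in window
                                           if e["result"] == "SUCCESS"}),
                }
                # Keep the widest window seen for this IP.
                if best is None or candidate["distinct_accounts"] > best["distinct_accounts"]:
                    best = candidate
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The thresholds are assumptions and would be tuned per site; the important design point is keying on distinct accounts per source rather than on failures per account, since a stuffing run spreads one or two attempts over thousands of accounts and rarely trips a per-account lockout.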

A New Twist on Breaches?

We are seeing more and more breaches that do not involve financial data, but rather are aimed at extorting money from the breached company in order to prevent the leakage of their customers’ personal data. 

Earlier this month the well-known ticket website Ticketfly, which is owned by Eventbrite, had to shut down their site due to a data breach.  The breach exposed more than 26 million customers’ names, addresses, email and phone numbers according to their press release.  According to Ticketfly, a third-party forensic company was able to confirm that neither passwords nor credit card information had been compromised.

The hacker responsible for the breach sent an email to Ticketfly informing them that a security flaw had been found and that, if a ransom of 1 Bitcoin (worth $7,500 at the time) was paid, a security fix would be provided.  When the email was ignored, the hacker breached the site.  On May 31st, the hacker, using the handle IsHaKdZ, took over the website’s homepage and put up the V character from the film V for Vendetta.  This character is an anarchist who violently protests the government and is characterized by a Guy Fawkes mask.  This takeover caused the site to be shut down.

Upon further investigation, the company found that their customers’ personal information had been uploaded to a public server in plain text.  The hacker has threatened to release more information if the company does not meet the ransom demands. 

Just this week, Adidas warned millions of US customers of a potential data breach.  A press release announced that an “unauthorized party” claims to have acquired customer data from its U.S. website. According to a preliminary investigation, the data is not believed to include credit card data. 

What’s different in these scenarios is that breaches are typically found by the victim of the breach after the fact, when it comes to light either from a notification from law enforcement, customers, or their acquirer if payment card data is involved.  In these cases, they’re being told by the hacker that they have their data, and in Ticketfly’s case, threatened with exposure if ransom isn’t paid.

While we all can agree that it may never be possible to stop all breaches, Online Trust Alliance reports that “93% of all breaches in 2017 could have been avoided with simple cyber hygiene practices, such as regularly updating software, blocking fake email messages, and training employees to recognize phishing attacks”. 


Baby Back Ribs with a Side of Breach?

Brinker International, owner of Chili’s Bar and Grill, announced earlier this month that they recently discovered that they have been the victim of a credit card breach.  At the time of the press release, Chili’s had not yet determined the full extent of the breach.  They do believe that the breach was caught relatively quickly, estimating that it occurred during March and April of this year.

It appears that malware infected their POS system, which compromised payment card data from customers making in store purchases.  The information compromised most likely included credit or debit card numbers, cardholder names, and potentially expiration dates and CVV codes.  Fortunately, Chili's doesn't collect personal information like Social Security numbers, state or federal IDs or birthdates, so that information was not included in the breach. The company is currently working with law enforcement and a third-party forensics team to determine the full scope of the breach.

"This is another example of the new normal. However, it once again reinforces the need for organizations to deploy a multi-layered approach to protecting their cyber-posture," Mukul Kumar, chief information security officer and vice president of Cyber Practice at Cavirin, told eWEEK, a trusted information resource in the IT industry.

"Although Chili's itself may implement best-in-class security, they must also ensure that their vendors do the same," Kumar said.

eWEEK goes on to report that Chris Roberts, chief security architect at Acalvio, said he assumes that Chili's was PCI-DSS compliant and yet it was still breached. It's still too easy to tamper with PoS systems as there are still many issues, such as lack of patching and insecure defaults, Roberts said.

"Frankly, it's still too easy to gain access to PoS systems in restaurants," Roberts told eWEEK. "Access to a PoS system and its ability to repel malware is still not where it needs to be."

For organizations looking to improve PoS security, there are several things that can be done, according to Erin Swanson, senior director of marketing at Demisto. eWEEK reports that Swanson recommends training staff to better identify typical fraudulent activity, safeguarding POS equipment and surrounding areas, and installing security cameras to deter thieves in the first place.  

Secret Service Warns of Chip Card Switch

The U.S. Secret Service has alerted financial institutions to a new scam involving chip cards.  Thieves have developed a way to switch the chip in valid cards with an invalid chip.  Once the card is activated, they go on a spending spree.

Brian Krebs, of Krebs on Security, reports that thieves use these steps to steal, and modify, the cards.

1. Criminals intercept mail sent from a financial institution to large corporations containing payment cards, targeting debit payment cards with access to large amounts of funds.

2. The chip is removed from the debit payment card using a heat source that warms the glue.

3. A new, invalid, chip is inserted on the payment card, and the card is repackaged for delivery.

4. The stolen chip is inserted on an old payment card in the crook’s possession.

5. The corporation receives the debit payment card without realizing the chip has been replaced.

6. The corporate office activates the debit payment card; however, their payment card is inoperable thanks to the old chip.

7. Criminals use the payment card with the stolen chip for their personal gain once the corporate office activates the card.

One would think it would be easier to just use the cards they intercept from the mail; however, they usually do not have the privileged information needed to activate the cards.  Doing it this way, the actual user activates the card, and then the thieves take over.

Book a Breach with your Travel?

Orbitz announced that a breach was discovered on March 1, 2018. They believe that, as a result of this breach, as many as 880,000 customers may have had their personal information compromised.  The breach affected information stored on their legacy consumer platform, as well as information stored on their travel partners’ sites, including the website.  In addition to credit card numbers, attackers also had access to phone numbers, email addresses, birth dates, gender, and physical and billing addresses.  It is believed that information stored from Jan 1, 2016 through Jun 22, 2016 on their consumer platform, and Jan 1, 2016 through Dec 22, 2017 on partner platforms is at risk. 

While Orbitz did not disclose the cause of the breach, industry executives believe either an Orbitz partner is to blame, or that an internal staffer's credentials were compromised.

"Orbitz mentions it believes the hacker got into the ‘Orbitz consumer and business partner platform.' It's not entirely clear to me what the company is referring to, but by the sounds of it third parties are able to access Orbitz customer information, which for some reason includes payment card details. Orbitz hasn't provided any additional details about how the breach occurred, but I suspect one of the partners on this platform was compromised,” said Paul Bischoff, privacy advocate at

However, Perry Chaffee, VP of strategy at authentication company WWPass, believes that the information was stored in a database that was most likely accessible to "trusted" admins who may have been compromised without their knowledge, and that database was probably also accessible on the back end.

“According to Verizon's DBIR, there's an 81 percent probability that the compromised credentials of a trusted admin were the root cause of this attack.  There's a 19 percent chance that access resulted from a more complex back-end attack, but I'd be more focused on the 4/5 chance that an admin's password was guessed, stolen, intercepted, or cracked,” he said.


The breach has not only exposed personal and payment data, it’s had an effect on Expedia, Orbitz’s parent company.  As of March 26, 2018, Expedia stockholders have seen their shares drop 3% since the announcement was released.

A New Malware Threat on the Horizon

Investigators at Forcepoint, a data-security service provider in Austin, Texas, have uncovered a new POS malware strain that is able to hide itself in the traffic generated by ordinary Internet use.  This malware, named UDPoS by Forcepoint, uses the Domain Name System (DNS) to conceal stolen data in the queries a computer sends when it looks up an Internet address.  According to Luke Somerville, Forcepoint’s Head of Special Investigations, this malware was created to scan a computer’s memory and any other running programs for magnetic-stripe data. He also believes that point-of-sale systems that rely on a Windows-based operating system are the most vulnerable.

Somerville goes on to say “UDPoS appears to have drawn inspiration from several other POS malware families, so while none of the individual features are entirely unique the combination of them appears to be a deliberate attempt to draw together successful elements of other campaigns. The malware contains a hard-coded list of AV and virtualization products to detect (a common feature of many strains of malware) but owing to a coding error only appears to look for the first item in this list.”

Somerville said it's unclear whether this is a reflection of the malware still being in relatively early stages or just a developer's error. While researchers haven’t been able to confirm who is behind the malware, they are working to build awareness of the exploit to help protect others. Likely targets include POS terminals in large chains such as retailers, hotels, and restaurants.

“As distributed enterprises, retail and hotel chains have hundreds and thousands of sites with POS devices at the register and mobile: this is a big business problem for enterprises as well as small businesses,” Somerville said. “A good firewall would detect and prevent the DNS exfiltration, and thoughtful patching and administration practices would stop the fake service pack being installed.”


Forcepoint was not able to identify its origin, where it’s being sent from or which type of organizations are the intended targets.  Somerville stated, “It seems as if the authors of this family of malware did their research, looked at what was successful in other POS malware families, and put it all together in a successful campaign.”
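The DNS exfiltration that Somerville says a good firewall would catch has a recognizable shape: one host sending many queries for long, high-entropy subdomains under a single parent domain, because the stolen data is encoded into the query name itself. The following is an added example, not Forcepoint’s analysis or code from the original article. The log lines are constructed in a BIND-style query-log format, exfil-placeholder.test is a placeholder domain, and the “parent domain is the last two labels” rule is a deliberate simplification (real tooling would consult the public suffix list). The check groups queries by client and parent domain and flags groups whose first labels are long and high-entropy.

```python
# Added example: spot DNS-tunnel style exfiltration in a resolver query log.
# Log lines are constructed; the exfil domain is a placeholder.
import math
import re
from collections import defaultdict

# Constructed sample in the style of a BIND "queries" log.
SAMPLE_LOG = """\
client 10.0.5.21#51234: query: www.example.com IN A +
client 10.0.5.21#51235: query: updates.example.com IN A +
client 10.0.5.77#40001: query: 4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d.exfil-placeholder.test IN A +
client 10.0.5.77#40002: query: 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.exfil-placeholder.test IN A +
client 10.0.5.77#40003: query: 0011223344556677889900aabbccddee.exfil-placeholder.test IN A +
client 10.0.5.77#40004: query: ffeeddccbbaa99887766554433221100.exfil-placeholder.test IN A +
client 10.0.5.21#51236: query: mail.example.com IN MX +
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)")


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores far higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_queries(log_text):
    """Yield (client_ip, query_name, record_type) for each parsable line."""
    out = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("name").rstrip(".").lower(), m.group("type")))
    return out


def split_name(name):
    """Simplification: treat the last two labels as the parent domain."""
    labels = name.split(".")
    if len(labels) < 3:
        return None, name
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_dns_exfil(log_text, min_queries=3, min_label_len=20, min_entropy=3.0):
    """Flag (client, parent domain) pairs with many distinct subdomains whose
    leftmost labels are both long and high-entropy. Thresholds are assumptions."""
    buckets = defaultdict(list)
    for ip, name, _ in parse_queries(log_text):
        sub, apex = split_name(name)
        if sub is None:
            continue
        buckets[(ip, apex)].append(sub)

    alerts = []
    for (ip, apex), subs in buckets.items():
        uniq = set(subs)
        if len(uniq) < min_queries:
            continue
        first_labels = [s.split(".")[0] for s in uniq]
        avg_len = sum(len(l) for l in first_labels) / len(first_labels)
        avg_ent = sum(shannon_entropy(l) for l in first_labels) / len(first_labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            alerts.append({"client": ip, "domain": apex,
                           "unique_subdomains": len(uniq),
                           "avg_label_len": round(avg_len, 1),
                           "avg_entropy": round(avg_ent, 2)})
    return alerts


if __name__ == "__main__":
    for alert in find_dns_exfil(SAMPLE_LOG):
        print(alert)
```

The www/updates/mail queries to example.com never alert because their labels are short dictionary words; the four queries from 10.0.5.77 do, because every label is a 32-character string with close to four bits of entropy per character. In practice this check belongs on the resolver or egress firewall, where POS hosts can also be restricted to an allow-list of parent domains.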

Last month marked the fourth anniversary of the Target breach, which ultimately was found to involve as many as 40 million credit and debit cards.  Since then, we’ve seen cyber criminals shift from targeting big box retailers to going after small to mid-sized merchants.


Four years later, not much else has changed.  The largest sellers of stolen cards still index most of their cards by zip code, though not the one you’re probably thinking.  Rather than the zip code of the billing address, they use the zip code of the hacked store where the card was physically swiped.  Why?  Because buyers of this data tend to prefer cards issued to people in their geographic area – use of those card numbers in the same geographic area as the hacked store tends to set off fewer alarm bells at the issuing bank, since it’s likely that the consumer lives in the same area as the breached store.

Brian Krebs, with KrebsonSecurity, reports “popular carding store Joker’s Stash had just posted a new batch of cards dubbed “Dynamittte,” which boasted some 7 million cards advertised as “100 percent” valid — meaning the cards were so fresh that even the major credit card issuers probably didn’t yet know which retail or restaurant breach caused this particular breach.


Translation: These stolen cards were far more likely to still be active and useable after fraudsters encode the account numbers onto fake plastic and use the counterfeits to go shopping in big box stores.”

Krebs went on to say, “I pinged a couple of sources who track when huge new batches of stolen cards hit the market, and both said the test cards they’d purchased from the Joker’s Stash Dynamittte batch mapped back to customers who all had one thing in common: They’d all recently eaten at a Jason’s Deli location.


Jason’s Deli is a fast casual restaurant chain based in Beaumont, Texas, with approximately 266 locations in 28 states. Seeking additional evidence as to the source of the breach, I turned to the Jason’s Deli Web site and scraped the ZIP codes for their various stores across the country. Then I began comparing those ZIPs with the ZIPs tied to this new Dynamittte batch of cards at Joker’s Stash.

Checking my work were the folks at, a threat intelligence startup in California that monitors Dark Web marketplaces and tries to extract useful information from them. Mindwise found a nearly 100 percent overlap between the ZIP codes on the “Blasttt-US” unit of the Dynamittte cards for sale and the ZIP codes for Jason’s Deli locations.”


When reached for comment, Jason’s Deli confirmed that they were notified in late December that they’d been the victim of a breach.  The investigation is ongoing and no further information has been announced.


Krebs concludes that “by moving down the food chain to smaller but far more plentiful and probably less secure merchants (either by choice or because the larger stores became a harder target) — and by mixing cards stolen from multiple breaches — the fraudsters have made it less likely that breaches at chain stores will be detected and remediated quickly, thereby prolonging the value and use of the stolen cards put up for sale in underground marketplaces.”
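Krebs’s ZIP-code comparison is a general attribution technique: take the store ZIP codes a card batch is indexed by and measure how much of the batch falls inside a candidate merchant’s footprint. The following is an added example, not Krebs’s or Mindwise’s code; every ZIP code and chain name in it is constructed. It generalizes the single comparison in the post by scoring several candidate chains at once and returning no attribution when none clears a threshold.

```python
# Added example: attribute a stolen-card batch to a merchant by ZIP-code overlap.
# All ZIP codes and chain names below are constructed for illustration.

# Constructed store footprints for two hypothetical chains (sets of ZIP codes).
CANDIDATE_CHAINS = {
    "chain_a": {"77701", "77024", "78701", "75201", "30309",
                "80202", "85016", "37203", "73102"},
    "chain_b": {"10001", "77701", "02116", "60601"},
}

# Constructed ZIP codes as they would be listed on one card batch (the ZIP of
# the store where the card was swiped, per the post). Duplicates occur because
# several cards come from the same store.
BATCH_ZIPS = [
    "77701", "77024", "78701", "75201", "30309",
    "80202", "85016", "37203", "10001", "77701", "78701",
]


def batch_overlap(batch_zips, store_zips):
    """Return (fraction of the batch's distinct ZIPs inside the footprint, count)."""
    batch = set(batch_zips)
    if not batch:
        return 0.0, 0
    matched = batch & store_zips
    return len(matched) / len(batch), len(matched)


def rank_candidates(batch_zips, candidates, min_fraction=0.8):
    """Score every candidate chain and return (ranked scores, best match or None).

    The best match is only reported when its overlap reaches min_fraction, so an
    unrelated batch produces no attribution rather than a weak one."""
    scores = []
    for name, zips in candidates.items():
        fraction, matched = batch_overlap(batch_zips, zips)
        scores.append((name, round(fraction, 3), matched))
    scores.sort(key=lambda t: t[1], reverse=True)
    best = scores[0] if scores and scores[0][1] >= min_fraction else None
    return scores, best


if __name__ == "__main__":
    ranked, best = rank_candidates(BATCH_ZIPS, CANDIDATE_CHAINS)
    for name, fraction, matched in ranked:
        print(f"{name}: {matched} matching ZIPs, {fraction:.0%} of batch")
    print("attribution:", best[0] if best else "none above threshold")
```

The denominator is the batch, not the chain, which matches what Krebs measured (how much of the “Blasttt-US” unit landed on Jason’s Deli ZIPs). The caveat is that a chain with a very large footprint can score well against almost any batch by chance, so for big-box candidates the score should be read alongside the reverse fraction (how much of the chain’s footprint the batch covers) before anyone is notified.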

2017: Another Year Plagued by Breaches

Like those before it, 2017 was a year plagued by breaches, resulting in huge losses of personal and payment card data.  In 2017, we saw more sophisticated types of ransomware used, with millions of people having their personal identification information stolen.

As we end the year, Verizon’s Data Breach Investigations Report notes the following:

  • 75% of breaches were perpetrated by outsiders
  • 62% featured hacking
  • 81% leveraged stolen or weak passwords
  • 51% involved malware
  • 66% of malware was distributed via infected email attachments
  • 95% of phishing attacks that led to a breach were followed by some sort of software installation.

The report also noted that 61% of the businesses breached this past year were those with under 1,000 employees.

The fact is, most breaches are avoidable simply by following common security guidelines: creating strong passwords, training employees to be cautious when opening emails, and requiring proper identification from anyone who instructs them to download software or swap out equipment. 

The team at MAXpci wishes everyone a Happy New Year filled with good health, prosperity and happiness.

Night before Christmas or Nightmare?

As retailers are gearing up for the holiday, so are hackers - and e-commerce may be the big ticket this year.  More than 50% of consumers are expected to shop online this holiday season.  According to Adobe Analytics, e-commerce spending in the U.S. alone is expected to top $100 billion dollars, an increase of 14% from 2016.

According to the Cybercrime Report released by ThreatMetrix, the 3rd quarter of 2017 saw a 32% increase from the beginning of the year for cyberattacks worldwide, with roughly 171 million attacks taking place. Could this be the result of the Equifax breach that put 143 million consumers’ information at risk?  Certainly that information makes it easier for criminals to access consumer accounts.

The ThreatMetrix report goes on to list five reasons why there is such a high threat of e-commerce attacks in the 4th quarter:

  1. Transactions are expected to be at an all-time high.  As the volume of sales increase, so does the threat.  Illegal transactions and chargebacks grew to 31% during the holiday season of 2016, costing merchants 7.5% of the revenue.
  2. Mobile transactions account for 52% of online transactions. Because many people store their card information on retailer sites and in apps, they’re an easy target for cybercriminals with stolen login credentials.
  3. Returning customers are high during the holiday season and user authentication systems aren’t able to recognize whether the user is legitimate or not.
  4. Same-day deliveries make it easy for thieves too.  With very short lag time between purchase and delivery, retailers don’t often have the opportunity to catch fraudulent charges.
  5. Gift cards open many doors for thieves too since they are able to monetize them by selling them for cash.

This holiday season could turn out to be very lucrative for hackers, while proving troublesome for retailers, particularly those selling online. 

Are Hackers Gearing up for the Holidays?

In just the past two months, three major businesses have announced that their POS systems have been breached. 

Sonic was the first to announce they were breached in mid-September when many cards used at their locations were found being sold on an underground site. With close to 3,600 locations across the US, the number of cards compromised may be significant.   They have already seen a 2% drop in their stock price since the announcement.

Hyatt Hotels announced in mid-October that the POS system used to manually enter or swipe credit card information at the front desk of 41 properties in 11 countries was breached earlier this year.  This comes just two years after their last breach, which affected 250 properties in 50 countries.

The most recent announcement came from Whole Foods Market, which is now owned by Amazon.  The POS systems at their “taprooms and full table-service restaurants” at 56 locations have been breached.  Fortunately these POS systems are not connected to their checkout systems, which should reduce the impact of the breach to some extent.

POS systems continue to be the target of hackers because they continue to be the most vulnerable to attack.  Visa’s requirement that merchants purchasing a POS system from a third party vendor use a Qualified Integrator and Reseller to install the system securely is one step towards securing these systems and reducing the threat of a breach.

PCI Compliance is on the Rise

Verizon Enterprise measures the overall compliance status of merchants in the hospitality, retail, information technology and financial-services sectors annually.  Based on measurements by their qualified security assessors who perform PCI assessments, the overall PCI compliance rate increased from 42.9% in 2015 to 59.1% in 2016. 

As we’d expect, merchants reported that meeting the requirements of section 11 is still the most vexing part of completing PCI Compliance.  Requirement 11 involves testing, which includes internal and external vulnerability scans and penetration testing.  Ron Tosto, Verizon’s global PCI manager, says, “Between the confusion and then fixing and retesting, an organization can have a tough time getting through the process,” and he is correct.  Completing most SAQs is fairly easy for most merchants.  Successfully setting up systems and networks that are PCI compliant continues to be both the most challenging, and the most important.  Hackers who are looking to exploit vulnerabilities in systems don’t discriminate – they don’t typically know if they’ve breached Target, or the corner market until they’ve been collecting card data for some time.  

While the Owner's Away the Hackers Will Play

We recently had a call from a merchant saying that she believed her system had been breached. While most merchants learn of a breach when their acquirer notifies them, in this case the merchant discovered the breach first.

Two days into her vacation, the store owner received a call from one of her teenaged employees. The employee had downloaded a software update from their "billing" company. The employee said she'd been reluctant to do it, but the person who called from the billing company convinced her to download it by saying that the store wouldn't be able to process credit cards if she didn't. As luck would have it, the teenager's dad handles tech support for the store, and warning bells went off as soon as he heard what she'd done. He immediately discovered that the update had installed the ransomware "Wannacry" on the system, and his quick actions prevented it from doing any damage.

In this case, the merchant had done everything right - they were PCI compliant, their scans passed, and they were confident that the store staff was trained to spot fraud. Unfortunately, hackers are quite good at what they do, and can fool unsuspecting employees all too often.

Every year millions of payment card numbers are stolen, typically through skimming, hacking into a network or infecting POS systems with malware. Once thieves have the payment card information, they do what's referred to as a "credit card dump" - the process of "dumping" the card numbers to a site that allows other crooks to use the information to create counterfeit cards or use the numbers to make purchases, which they will sell or return for cash.

The sites where information is dumped are known as "dump sites". Thieves use Bitcoins to buy card numbers. The sites are commonly named after iconic American figures. American figures are used because most buyers tend to be American, so it offers recognition; because many of these sites are hosted on Russian servers, it's also a not-so-subtle jab at the US. Examples include McDumpals, which uses the Ronald McDonald character, Uncle Sam's Dump Shop, and the newest up-and-coming site, Trump's-Dumps, which promises to "make credit card fraud great again".

Trump's-Dumps advertises that it has more than 133,000 card numbers for sale. Pricing ranges from under $10 worth of Bitcoin to over $40. The prices are based on which bank issued the card, the geographic location of the cardholder and whether it's a premium, prepaid, business or executive account.

The obvious question is why aren't these sites taken down by law enforcement? The reality is that most illegal sites have numerous domains, so if one is taken down, the owners simply move to the next domain. Law enforcement agencies simply cannot keep up.

As long as there is money to be made selling stolen payment card data, it will be in high demand and thieves will continue to find ways to steal it. Merchants can take an active role in trying to prevent their customers' card information from being stolen by maintaining compliance with PCI requirements.

Ransomware Will Make You "Wannacry"

There is a new type of ransomware that is threatening cybersecurity in countries all around the world. Ransomware has been around for years, but this new creation, known as Wannacry, is different from the rest. Ransomware is software that enters a computer and holds the data on it for ransom. Wannacry is unique because the malicious software has been attached to a worm that is able to spread itself through company networks by using vulnerabilities in Windows computers.

This newly created ransomware can encrypt 176 different types of files, and it appends a .WCRY extension to each file it encrypts. Once the files have been encrypted, the user is asked to pay a $300 Bitcoin ransom. According to the ransom note, if the user doesn't pay the $300 within 3 days the amount will double, and if it is not received within 7 days the data will be deleted. The ransom note is meant to show a unique Bitcoin wallet address for each infected computer, but due to a glitch in the code it falls back to one of 3 hard-coded addresses. Using only 3 Bitcoin addresses makes it impossible for the attackers to identify which computer made a payment, so the chances of getting the files back are very slim. This is why most computer professionals recommend not paying the ransom.

There are a few steps that can be taken to protect your computers from any type of attacks, including Wannacry, and many of these steps are required to be PCI Compliant.

  • Always keep your antivirus up-to-date and make sure it runs on a regular basis to help protect your computer from attackers.
  • Install recommended updates to your operating system and other software because these will include important security patches for new vulnerabilities.
  • Never open emails with attachments if you are not certain of their legitimacy.
  • Backing up important data and making sure it's protected and stored offline is one of the most effective ways to protect your files because it can then be restored once the infection has been removed.
  • Using a cloud service may also help to protect your files.

While you may not be able to completely protect your computers from attackers, preventative measures are the best course of action.

Penny Wise, Pound Foolish?

InterContinental Hotel Group, (IHG), announced earlier this year that a dozen properties were breached during the fourth quarter of 2016. That number increased significantly in April when they announced that the number of properties affected was actually over 1,000.

According to their investigation, malware used to access payment card data was found in registers accepting card present payments at franchises without a secure payment solution.

IHG hasn't yet released the exact number of properties affected, but they did make a state lookup tool available. Christian Sonne, founder of Geeks By Nature, researched the lookup tool and found that 1,175 properties across the US and Puerto Rico were on the list as of April 19th. His breakdown is:

  • Holiday Inn Express (781)
  • Holiday Inn (176)
  • Candlewood Suites (120)
  • Staybridge Suites (54)
  • Crowne Plaza (30)
  • Hotel Indigo (11)
  • Holiday Inn Resort (3)

These numbers may continue to rise as the investigation continues.

POS systems are often breached due to improper installation and maintenance. "Plug and Play", while popular with most of us, all too often has meant open ports and insecure settings at the merchant level. The PCI Security Council now requires that merchants use Qualified Integrators and Resellers, (QIRs), to install and maintain systems. While using a QIR is an added cost, it is less expensive than the costs the merchant faces in the event of a breach. A full list of approved QIRs can be found on the PCI Security Standards Council's website.

A Liability Shift of Another Kind

Breaches at large merchants like Target and Home Depot are splashed across the news and the internet, but very little is said about breaches at smaller merchants. The lack of publicity tends to lead the average merchant to believe they're not vulnerable. They have the "why would anyone want to hack into the corner store, we're too little" mentality. Turns out nothing could be further from the truth. Recent forensic evidence has shown that smaller merchants remain the target of hackers. According to Visa, small merchants account for 93% of breaches, with up to 80% of those breaches occurring because of "insecure POS implementation and servicing by integrators and resellers." Investigators have found that insecure remote access is also one of the biggest security risks to these merchants, and is what often leads to a breach.

In an effort to reduce the number of breaches caused by insecure POS implementation and service, Visa now requires all level 4 merchants that use third parties for their POS application and integration to use Payment Card Industry (PCI) approved Qualified Integrators and Resellers (QIRs). A list of approved QIRs is available on the Security Council's website.

With this new requirement comes a potential layer of protection for the merchant. If a QIR installs and services the POS system, and there is a breach, early indications point to the QIR being held financially liable for the breach. If it is found that the merchant did not use a qualified QIR, a penalty may be imposed for non-compliance, in addition to the fines and fees associated with the breach itself.

Newton's Third Law

As technology has changed, so too has the way merchants process their transactions. Most of these changes have resulted in improvements. With internet-based processing, transactions are approved faster, merchants save money on their phone bill, and recurring transactions are easier to manage. However, as Isaac Newton taught us, for every positive there is a negative; in this case, the negative is the risk the merchant faces if their system is vulnerable to attack.

No merchant ever wants to be told they've failed a scan. For most merchants, this means time away from running their business, and possibly hiring someone to come on site and correct the vulnerabilities. All in all, they see it as a costly disruption, and often take the stance that it's a nuisance and just one more fee to pay. Recently, a chain of restaurants in Florida suffered a breach. After undergoing a forensic audit at each location, it was determined that all but one of their locations had been breached for anywhere from 12 to 21 months. During that time, they completed two SAQs, but for the entire duration of the breach, their scans failed. Had they paid closer attention to the failed scans, and addressed the vulnerabilities that were found, the breach may have been avoided. At a minimum, the breach would have been caught, and shut down, much sooner than 21 months, and a whole lot of money, later. Instead, scan findings were ignored, and thieves were able to grab payment card data for over 21 months without being detected.

No one enjoys hearing that a scan has failed, but it's much better to hear it from a scan vendor than to hear it from their processor. The processor notification is typically accompanied by a demand for a forensic audit, followed by a very large bill.

EMV Deadline Extended at the Pumps

Visa and MasterCard recently announced an extension of the EMV deadline for gas pumps. While they were previously required to have EMV readers installed by October 2017, as were other retailers, they now have until October of 2020 to become EMV compliant. In a statement released by Visa, it was acknowledged that it would take longer for automated fuel dispensers/pumps (AFDs) to meet the EMV requirements because of the infrastructure of the pumps and the specialized technology needed. The National Association of Convenience Stores estimates that gas station owners will spend approximately $30,000 per location to install EMV readers and that the shift could end up costing the fuel industry over $4 billion to accommodate these changes.

According to Visa, fraud at fuel pumps currently makes up 1.3% of card fraud in the US; with this extension, this number may increase. The Department of Consumer Protection reports that skimmer-related fraud at gas pumps doubled in 2016 compared to 2015. We have seen this in the headlines too; 2016 has been the year of skimmers at gas pumps. Visa has stated that they will continue to work with merchants, issuers and acquirers in dealing with AFD fraud, and they will monitor the AFD fraud trends as well.

While this extension is enormously helpful to those in the fuel industry, it does give thieves another three years to exploit this opportunity. During this time there are steps that merchants can take to try to stay a step ahead though. As part of maintaining PCI compliance, merchants should monitor pumps and all processing equipment to ensure that no skimmers have been added, no equipment has been replaced, and there is no evidence of tampering.

The MAXpci team wishes you a Happy and Healthy New Year!

Skimmers, Skimmers, Everywhere are Skimmer....

Thieves have once again taken advantage of older technology, this time to install skimmers. Skimmers were recently found at several gas stations in the metropolitan DC area. The skimmers were found at one location in northern Virginia during a regular maintenance check, as required for the merchant's PCI compliance review. This makes the 10th location in the area attacked since June of this year. The common thread between all of the locations is that all of the gas stations use older terminals in their pumps, and police believe this is the main reason thieves targeted these locations.

Skimmers not only allow thieves to gain the payment card information that is stored on the magnetic stripe; some also have cameras, allowing thieves to steal the PIN as well. Fairfax County police report that payment card information stolen in these cases has already been used to withdraw cash from area ATMs.

The recent release of PCI DSS 3.2, which went into effect today, places even more emphasis on making sure that merchants are being vigilant about their terminals and POS systems, in hopes of making it more difficult for thieves to modify them and access sensitive data.

The staff of MAXpci wishes everyone a Happy and Safe Halloween!

New Season, New PCI Version

The PCI Security Standards Council has released a new version of the PCI DSS that will take effect on October 31st. The Council is continuing to release updates more frequently than in the past, but with fewer changes for merchants to address. Reflecting the increase in the number of breaches being reported by service providers, the changes in this version are largely aimed at service providers.

Listed below is a summary of the changes in this version:

  • Section 3.3 Updated requirement to clarify that any display of more than the first six/last four digits of the PAN requires a legitimate business need. Added guidance on common masking scenarios.
  • Section 3.5.1 New requirement for service providers to maintain a documented description of the cryptographic architecture.
  • Section 6.4.6 New requirement for change control processes to include verification of PCI DSS requirements impacted by a change.
  • Section 8.3.1 Addresses multi-factor authentication for all personnel with non-console administrative access to the CDE.
  • Section 8.3.2 Addresses multi-factor authentication for all personnel with remote access to the CDE (incorporates former Requirement 8.3).
  • Sections 10.8, 10.8.1 New requirement for service providers to detect and report on failures of critical security control systems.
  • Section New requirement for service providers to perform penetration testing on segmentation controls at least every six months.
  • Section 12.4 New requirement for service providers' executive management to establish responsibilities for the protection of cardholder data and a PCI DSS compliance program.
  • Sections 12.11, 12.11.1 New requirement for service providers to perform reviews at least quarterly, to confirm personnel are following security policies and operational procedures.

This version must be in place no later than October 31, 2016, though PCI compliance vendors may put it in place earlier. Any merchants in the process of completing their SAQ when the version is updated will be required to start over using the new version. If your PCI compliance vendor does not have a plan in place to notify merchants prior to the change, you may want to do so yourself, so that each merchant can either make it a priority to complete the SAQ they're working on now or begin fresh with a new SAQ.
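As an added illustration of the Section 3.3 masking rule in the list above (example code written for this page, not code from the PCI SSC or MAXpci), the following Python masks a PAN so that at most the first six and last four digits are displayed, and redacts PAN-like digit runs from free-text lines such as application logs. The 13-19 digit length range, the Luhn check and the sample card numbers are assumptions and constructed test values, not anything the standard itself prescribes.

```python
import re

# Added example for PCI DSS 3.2 Requirement 3.3 (masking PAN when displayed).
# Not code from the PCI SSC; the length range, Luhn check and sample PANs are
# assumptions / constructed values chosen for this illustration.

PAN_MIN_LEN = 13   # assumed plausible PAN length range
PAN_MAX_LEN = 19


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(value: str) -> str:
    """Strip spaces and dashes so '4111-1111-1111-1111' becomes one digit run."""
    return re.sub(r"[ -]", "", value)


def is_plausible_pan(value: str) -> bool:
    """True only for digit runs of PAN length that also pass Luhn.

    This keeps order numbers and other long digit runs from being masked.
    """
    digits = normalize_pan(value)
    return (digits.isdigit()
            and PAN_MIN_LEN <= len(digits) <= PAN_MAX_LEN
            and luhn_valid(digits))


def mask_pan(value: str, business_need: bool = False) -> str:
    """Mask a PAN for display.

    Requirement 3.3 allows at most the first six and last four digits to be
    shown, and only where a legitimate business need has been documented.
    By default this shows only the last four; business_need=True shows the
    3.3 maximum. Anything that is not a plausible PAN raises ValueError so a
    caller never silently displays an unmasked value.
    """
    if not is_plausible_pan(value):
        raise ValueError("not a plausible PAN")
    digits = normalize_pan(value)
    keep_front = 6 if business_need else 0
    keep_back = 4
    hidden = "*" * (len(digits) - keep_front - keep_back)
    return digits[:keep_front] + hidden + digits[-keep_back:]


# Digit runs of 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_line(line: str) -> str:
    """Replace every plausible PAN in a free-text line with its masked form.

    Useful for keeping full PANs out of application logs or screen output;
    digit runs that fail the PAN checks (e.g. order numbers) are left alone.
    """
    def _mask(match):
        candidate = match.group(0)
        if is_plausible_pan(candidate):
            return mask_pan(candidate)
        return candidate
    return PAN_CANDIDATE.sub(_mask, line)


if __name__ == "__main__":
    # Constructed sample values: industry test PANs, not real card numbers.
    print(mask_pan("4111111111111111", business_need=True))  # 411111******1111
    print(mask_pan("5500 0000 0000 0004"))                    # ************0004
    print(redact_line("order 1234567890123 for card 4111-1111-1111-1111 approved"))
```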

Macro Breach at MICROS?

Most large companies breached today share one thing - their systems were accessed by exploiting vulnerabilities in a third-party connection, also known as remote access. Remember Target? Remote access acts as a virtual back door into a company's main system, giving hackers access to any data held on that system. If one POS system is a target, gaining remote access to a POS vendor is a gold mine - it gives thieves access to credit card data for any merchant that uses that POS system to process. The most recent breach occurred at Oracle, with thieves gaining access to their MICROS POS system. As one of the top three POS vendors globally, this breach has put 330,000 merchant locations at risk.

Oracle has not yet shared much information regarding this breach, drawing criticism from both customers and industry experts. Many MICROS users are left vulnerable by Oracle's silence because they do not know how to determine if their systems have been breached. Oracle did acknowledge the breach, and issued an FAQ regarding it. In this FAQ, they stated that they believe the Carbanak Gang, a Russian cyber crime group, is responsible for the breach, and they ask that all customers reset their customer portal passwords. The FAQ also states that their corporate network and other services were not impacted; however, a source in Oracle's Hospitality Division told Krebs on Security that the breach first started in their Manassas, VA point-of-sale data center, one of Oracle's major data centers that works with their hospitality clients to manage their POS devices. Gartner analyst Avivah Litan believes that abused credentials stolen from the MICROS portal breach could be the link in many of the recent hotel and retail POS hacks.

"This [incident] could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider. I'd say there's a big chance that the hackers in this case found a way to get remote access" to MICROS customers' on-premises point-of-sale devices.

News of this breach led Visa to issue a security alert on August 12th, instructing all companies that use MICROS to change the password on any account that gives MICROS access to their system, and to check their devices for malware or unusual activity.

The PCI Security Council addresses this often exploited vulnerability in the newly released version, 3.2, which goes into effect in October of 2016. Multi-factor authentication is now a requirement for anyone with administrative access to environments handling payment card data. This requirement previously applied only to remote access from untrusted networks. "A password alone should not be enough to verify the administrator's identity and grant access to sensitive information," said PCI Security Standards Council CTO Troy Leach. "We've seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected and to compromise card data."

Did Thieves Take a Slice Out of Cici's?

Brian Krebs, of Krebs on Security, is reporting that CiCi's Pizza may be one of the most recent merchants to have suffered a breach in 2016.  CiCi's Pizza, a chain of restaurants located in 35 states, has neither confirmed nor denied that they were breached, but Krebs feels it's more likely than not that they were.  This breach differs from most.  It's suspected that the thieves posed as technical support specialists for CiCi's POS system, Datapoint, which allowed them to insert malicious botnet malware into the system. Brian reports that he first became aware of the breach after numerous contacts at financial institutions reached out to him regarding fraud patterns that stemmed from cards used at various CiCi's restaurants across the country.

Despite CiCi's reluctance to confirm the breach, all signs point to them.  At least half of the 100 compromised systems found on a botnet admin server are running malware as a Windows process called cicipos.exe.  Other evidence that supports a breach at CiCi's is the control panel for this botnet, which reveals the full cardholder data. With this information, Krebs was able to confirm that many of the individuals affected had been to a CiCi's location on the same day their data was stolen. Further suggesting that CiCi's POS system has been breached, there were notes made by employees referencing upcoming shift information and issues that the next shift workers needed to resolve.  This information is present because this botnet appears to be powered by Punkey, a POS malware that records keystrokes along with the credit card data. This POS malware has been the malware used in most of the breaches over the past two years, including Target and Home Depot.

Recent changes to PCI standards included requirements that merchants maintain processing equipment inventory records, visually check physical equipment for signs of tampering, and verify the identity of anyone coming on site to access processing equipment.  Perhaps the next version should include the requirement that merchants verify the identity of tech support specialists before allowing them access to their systems.

Everyone at MAXpci wishes you a Happy and Safe 4th of July!

Even EMV Can't Stop Crooks

Two Walmart stores in the US recently discovered that they'd been the victims of thieves who installed skimmers on their payment terminals. In early May, a Walmart located not far from our office in northern Virginia found credit card skimmers placed on payment terminals in the self-checkout lines; just last week more were found at a Walmart in Fort Wright, KY. The skimmers used in Virginia were detected after at least 37 customers reported that they were hit with large ATM withdrawals after shopping at that Walmart. It is not known exactly how long the skimmers at that location were in place, but authorities say it could be as long as two to three months. Skimmers similar to the ones used at Walmart were found in some Safeway locations earlier this year. Despite the push for greater EMV acceptance in the US, thieves were able to take advantage of the many consumers without chip cards.

Skimmers have been around for years, and have been used to steal payment card data at both merchant locations and banks. Anywhere a mag stripe can be swiped, a skimmer can steal the data - including the PIN. Newer skimmers include working chip card slots to make them harder to spot. Skimmers are easy to come by. For less than $300, you too can buy one over the Internet, a small price to pay for the large amounts of money thieves stand to gain in these cases.

This case demonstrates that EMV does not prevent all fraud, and will not thwart all criminals. Many merchants still do not use EMV terminals, and as many as 40% of consumers still do not carry chip cards, even though we are roughly 8 months past the October 1st deadline. In reality EMV will only slow down thieves. There are already EMV kits circulating on the black market that claim to be able to circumvent EMV chip cards. It is only a matter of time before these are not just claims. Despite the continued success of these crooks, maintaining PCI compliance, and using EMV-compliant payment terminals, does go a long way towards helping merchants protect themselves from breaches.

Where There are Breaches There are Feds

With more and more federal agencies and courts becoming involved with trying to prevent breaches and dealing with the aftermath, are changes on the horizon for level 4 merchants?

In March, the Federal Trade Commission showed an interest in PCI compliance when it issued orders to nine QSAs requesting they provide information regarding how they audit merchants' compliance. The following QSAs were requested to provide details about their assessment process, including the ways assessors and companies they assess interact; copies of a limited set of example PCI DSS assessments; and information on additional services provided by the companies, including forensic audits.

Foresite MSP, LLC; Freed Maxick CPAs, P.C.; GuidePoint Security, LLC; Mandiant; NDB LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security, Inc.; and Verizon Enterprise Solutions (also known as CyberTrust)

Payment expert, and former QSA, Jeff Man, believes that the FTC's interest in PCI compliance may be linked to the increased number of breaches at Level 4 merchants over the years, and questions about whether current PCI compliance requirements are sufficient. While Level 4 merchants are not required to have compliance audits now, this may be an indication that that may be changing in the future.

The courts are also becoming more active in how they handle lawsuits after a breach has taken place. In years past, class action lawsuits were filed; however, once the merchant proved that no harm had come to the plaintiffs due to the breach, the suits have typically been dismissed due to the Supreme Court's 2013 ruling in the Clapper vs. Amnesty International case. This ruling stated that in order to meet constitutional requirements to sue in federal court, plaintiffs have to allege they are at imminent risk of suffering a concrete injury. As of last year, this is no longer the situation. In July of 2015 the 7th U.S. Circuit Court of Appeals ruled that a class action suit against Neiman Marcus could move forward. The court panel felt that the theft of customers' financial information was enough to satisfy constitutional standing requirements, even after the Clapper case.

Chief Judge Diane Wood wrote, "The Neiman Marcus customers should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an 'objectively reasonable likelihood' that such an injury will occur."

This was seen again last month when the panel ruled to allow the class action suit against P.F. Changs to move forward again, stating that there is "substantial risk of harm" in the future for the plaintiffs.

With the threat of more rigorous requirements, and now the addition of class action lawsuits against breached merchants, it is more important than ever for merchants to take every action possible to keep their data secure, including completing their PCI compliance requirements.

Beware the Danger of Breach Fatigue

A term coined to describe a consumer's apathy regarding breaches, "breach fatigue" refers to a mentality that causes consumers to become blasé about security breaches. Because of this, they tend to do less to protect themselves and their sensitive information. Since breach fatigue causes many people to feel that they have little to no control over the security of their own data, they tend to be less likely to take breaches seriously or to take extra steps to protect their information. This type of complacency is exactly what thieves hoped would happen.

In a study done by the Ponemon Institute for RSA (a subsidiary of EMC Corporation), 45% of the 1,000 consumers that responded said that recent breaches did not affect their credit card or debit card use. Nearly one in four consumers feel that breach notifications are not important; when asked why, 65% stated that it was due to the inability to stop security breaches.

Unfortunately, studies like this reinforce the notion that the hackers have won this battle. With a price tag in the billions, this is a fight we cannot concede.

Time isn't the Only Thing Changing...

Visa recently announced changes to PCI compliance requirements for level 4 merchants and their acquirers. Up to now, all merchants have been required to be PCI compliant, but enforcement of that requirement was done at the acquirer level. Some acquirers required reporting and levied fines; some simply stated that all merchants must be compliant and left it to their banks and ISOs to provide a program, or not. Some ISOs used this as a tool to entice merchants away from processors who required them to be PCI compliant, and billed them for non-compliance. Effective January 31, 2017, Visa will require all acquirers to annually validate that their level 4 merchants are PCI compliant.

Continuing their initiative to boost compliance and reduce risk, Visa has also announced that, effective January 31, 2017, merchants using third parties for POS and terminal installations must use only certified professionals. Recent forensic investigations have found that small merchants remain a target of hackers attempting to compromise payment data. Additionally, investigators have identified links between improperly installed POS applications and merchant breaches. Using organizations that have completed the PCI SSC QIR, (Qualified Integrators and Resellers), training program helps improve security by ensuring that payment applications and terminals are installed and integrated properly to mitigate breaches and facilitate PCI compliance. Integrators and resellers that complete the program are included on the PCI SSC's online list of approved qualified providers, making it easy for acquirers and merchants to identify and select a partner.

EMV: Class Action Suit

B&R Supermarket, doing business as Milam's Market, and Grove Liquors, filed a lawsuit this month alleging violations of the Sherman Antitrust Act, violations of the Clayton Antitrust Act, and California's Cartwright Act and Unjust Enrichment against the following:

VISA, INC., VISA USA, INC, MASTERCARD International Incorporated, American Express Company, Discover Financial Services, Bank of America, Barclay's Bank Delaware, Capital One Financial Corporation, Chase Bank USA, National Association, Citibank, PNC Bank National Association, USAA Savings Bank, U.S. Bancorp National Association, Wells Fargo Bank, EMVCo, LLC, JCB Co. LTD and Unionpay

According to the complaint filed, the defendants did everything they were supposed to do to comply with the EMV shift. They purchased new card readers and trained their staff to use them, but though they were ready on their part, they never had anyone come out to EMV certify them.

The complaint states, "while very large retailers such as Target, Walmart, and others quickly had their EMV-processing systems 'certified' - thus sparing them the liability shift - the members of the Class are at the mercy of defendants. Merchants like Milam's Market and Grove Liquors have no control over the certification process. All they can do is request certification and wait for it to occur. And no one can say when that will be."

According to the lawsuit, the complainant claims to have accumulated 88 chargebacks for fraudulent transactions totaling $9,196.22 from MasterCard and Visa since the liability shift, plus $5.00 chargeback fees for each item. The merchant complaint also suggests that merchants receive no compensation for the change to the business relationship, which they had no voice in.

"Merchants were not consulted about the change, were not permitted to opt out, were not offered any reduction of the interchange fee, the merchant discount fee, the swipe fee - or any other cost of accepting defendants' credit and charge cards. This is in contrast to the United Kingdom and Australian markets where merchants were given interchange concessions which helped share the costs of fraud and purchasing and deploying new hardware and software."

"In exchange for this newly bestowed, unavoidable liability, Milam's Market, Grove Liquors and the Class members have received... nothing," the complaint says. "Interchange fees, which defendants have said exist in part to pay for fraud, are still paid for by the merchant, and have not decreased. The liability shift was unilaterally imposed to the benefit of defendants, with no compensation, consultation or consideration of any kind made to the Class members."

B & R Supermarkets is asking the court to certify the lawsuit as a class action suit and also for a preliminary injunction, which would order card issuers and networks to halt the liability shift until class members who have tried to comply with the shift are able to become certified.

When contacted about the impending lawsuit, Seth Eisen, a MasterCard spokesperson, said, "We're currently reviewing the claims. What I can say at this point is what we've said since introducing our roadmap in early 2012. There was never a requirement for any party - issuer or merchant - to move to EMV. Using insights from merchants, issuers, and others, our roadmap and the related liability shift provided incentives to prompt for the most secure ways to pay. We have and continue to work with parties across the industry - merchants, issuers, processors, manufacturers - to assist in this migration."

If the court approves this suit as a class action lawsuit, it's likely that many of the level 3 and 4 merchants that are having difficulty being EMV certified will join. This could turn into one of the largest lawsuits the payment cards industry has faced.

The MAXpci team enjoys meeting and interacting with people from all over the country at industry events. Please drop by our booth if you are attending any of these events. We look forward to meeting with you.

Midwest Acquirers Association

Western States Acquirers Association

Northeast Acquirers Association

Southeast Acquirers Association

To schedule a meeting with us at any of these events, please contact us.


  • FFIEC Final Authentication Guidance

    The Final FFIEC Guidance has been issued and its main intent is to reinforce the 2005 Guidance's risk management framework and update the Agencies' expectations regarding customer authentication, layered security, or other controls in the increasingly hostile online environment.

  • Accounting of Disclosures Under the HITECH Act

    A notice of proposed rulemaking from the HHS Office for Civil Rights that would modify the HIPAA Privacy Rule standard for accounting of disclosures of protected health information and add new requirements for access reports.

  • ENISA: Software vulnerability prevention initiatives

    The European Network and Information Security Agency, ENISA, has compiled a list of existing initiatives focused on finding and preventing software vulnerabilities.

  • Live Webinar | Hacking Your Organization: With So Many Controls In Place, Why Are You Still Being Breached?

  • Live Panel Discussion | Protecting Your Data While Keeping Customers Engaged Online

  • Live Panel Discussion | Protect Your Bank and Customers from Evolving Fraud Attacks

  • MSP Growth Lab Summit: Sell, Scale, and Seize the Cybersecurity Opportunity

  • Why Healthcare Entities Fall Short Managing Security Risk

    Why do so many HIPAA-covered entities and their vendors do such a poor job managing security risk and safeguarding patients' protected health information? Many critical factors come into play, say Roger Severino, former director of HHS OCR, and Bob Chaput, founder of security consultancy Clearwater.

  • Why Hive Attacks Are the Latest Menace to Healthcare Sector

    Several characteristics of the Hive ransomware group make the threat actor particularly menacing to its victims, which include healthcare sector targets, says Adam Meyers, vice president of intelligence at security firm CrowdStrike.

  • Case Study: Intrusion Prevention, Detection in the Cloud

    Chronic disease management firm Omada Health has been changing its approach to cloud intrusion prevention and detection, which is reducing time spent on investigating false positives, says the company's information security leader, Bill Dougherty.

  • Pandemic Plus Ransomware Is 'Perfect Storm' for Healthcare

    Disturbing findings from a recent study examining the impact of ransomware attacks on patient care must serve as a wake-up call for the healthcare sector to intensify its preparedness to deal with such incidents, say Larry Ponemon of research firm Ponemon Institute and Ed Gaudet of risk management firm Censinet. The two companies conducted and sponsored the research.

  • Forget Hacking Back: Just Waste Ransomware Gangs' Time

    Time Is Money for Criminals; Some Profits Susceptible to DDoS and Other Disruptions
    Who's been launching distributed denial-of-service attacks against ransomware operators' sites and cybercrime markets? Disrupting ransomware operations that rely on Tor-based data leak sites and payment portals for double extortion is an obvious move for cutting into their profits.

  • Memo to Ransomware Victims: Seeking Help May Save You Money

    Flaw in DarkSide and BlackMatter Enabled Security Firm to Decrypt Files for Free
    While ransomware might be today's top cybercrime boogeyman, attackers aren't infallible. The latest example: errors in DarkSide, and its BlackMatter rebrand, enabled security experts to quietly decrypt many victims' files for free, saving millions in potential ransom payments.

  • Troublemaker CISO: Do You Know What You Should Be Doing?

    The Rant of the Day From Ian Keller, Ericsson
    In his second Rant of the Day for the CyberEdBoard Profiles in Leadership blog, Ian Keller, security director at Ericsson and CyberEdBoard executive member, talks about what a CISO does, and what a CISO should do.

  • Ransomware Soap Opera Continues With REvil’s Latest Outage

    Who Hijacked Infrastructure of Ransomware Public Enemy No. 1 REvil, aka Sodinokibi?
    Is there any bigger cybercrime soap opera than the life and times of ransomware operators? Take the REvil, aka Sodinokibi, ransomware-as-a-service operation, which feels like it's disappeared and reappeared more times than the secret, identical twin of the protagonist in your favorite melodrama.