February 28, 2014

In response to rumors in the financial industry that Sears may be the latest retailer hit by hackers, the company said today it has no indications that it has been breached. Although the Sears investigation is ongoing, experts say there is a good chance the identification of Sears as a victim is a false alarm caused by a common weaknesses in banks’ anti-fraud systems that becomes apparent mainly in the wake of massive breaches like the one at Target late last year.

Earlier this week, rumors began flying that Sears was breached by the same sort of attack that hit Target. In December, Target disclosed that malware installed on its store cash registers compromised credit and debit card data on 40 some million transactions. This publication reached out on Wednesday to Sears to check the validity of those rumors, and earlier today Bloomberg moved a brief story saying that the U.S. Secret Service was said to be investigating a possible data breach at Sears.

But in a short statement issued today, Sears said the company has found no information indicating a breach at the company.

“There have been rumors and reports throughout the retail industry of security incidents at various retailers, and we are actively reviewing our systems to determine if we have been a victim of a breach,” Sears said in a written statement. “We have found no information based on our review of our systems to date indicating a breach.”

The Secret Service declined to comment.

Media stories about undisclosed breaches in the retail sector have fueled rampant speculation about the identities of other victim companies. Earlier this week, The Wall Street Journal ran a piece quoting Verizon Enterprise Solutions’s Bryan Sartin saying that the company — which investigates data breaches — was responding to two different currently undisclosed breaches at major retailers.

Interestingly, Sartin gave an interview last week to this publication specifically to discuss a potential blind spot in the approach used by most banks to identify companies that may have had a payment card breach — a weakness that he said almost exclusively manifests itself directly after large breaches like the Target break-in.

The problem, Sartin said, stems from a basic anti-fraud process that the banks use called “common point of purchase” or CPP analysis. In a nutshell, banks routinely take groups of customer cards that have experienced fraudulent activity and try to see if some or all of them were used at the same merchant during a similar timeframe.

This CPP analysis can be a very effective tool for identifying breaches; according to Sartin, CPP — if done properly — can identify a breached entity nine times out of ten.

“When there is a common point of purchase, more than 9 times out of 10 not only do we later find evidence of a security breach, but we can conclusively tie the breach we found to the fraud pattern that’s been reported,” Sartin said.

However, in the shadow of massive card thefts like the one that occurred at Target, false positives abound, Sartin said. The problem of false positives often come from small institutions that may not have a broader perspective on how far a breach like Target can overlap with purchasing patterns at similar retailers.

And that can lead to a costly and frustrating situation for many retailers, particularly if enough banks report the errant finding to Visa, MasterCard and other card associations. At that point, the card brands typically secure guarantees that the identified merchant hire outside investigators to search for signs of a breach.

“CPP is linear enough that it just says look, there’s a problem in these shoppers’ accounts,” Sartin said. “So you have many banks looking at these patterns, and reporting that upstream, and the more noise these banks make about it, the more likely there will be an investigation that could be erroneous. That’s why there is often a period of probably 60 to 90 days after a major data breach that until such time as the investigating entity gets there and [identifies] the at-risk batch of accounts — there’s really no ability for them to identify what’s a false flag and what’s not.”


69 thoughts on “Breach Blind Spot Puts Retailers on Defensive

  1. E.M.H.

    Given that the breach happened during the Christmas shopping season, it’s size, and the fact that Sears is a majority mall store and Target has a fair amount of mall-bound locations too, I’m not all that surprised that a false positive like this has come up. It seems logical in hindsight that a lot of Target shoppers would’ve also stopped by a Sears. I know I did last December when gift shopping, and the only reason I didn’t buy at Sears was because I didn’t find what I was looking for.

    That said, this isn’t a rigorous analysis. I’m wary of accidentally falling prey to the “Texas Sharpshooter Fallacy” here, so it’s smart to be careful and not declare it an inevitable occurrence.

    1. JCitizen

      I think this paranoia is healthy for the retail environment. Maybe they will all get together at a ‘G8’ type conference, and decide better security is good for everyone in this business climate – and not wait for the recalcitrant gubbamint to tighten PCI standards.

      Perhaps I’m giving to much credit to the “gubbamint” for any action in this area! 🙂

      1. pboss

        Maybe? I would be kind of worried that places like Starbucks (and lots of Targets have mini-Starbucks now) might have so frequent “check if you have a data breach” requests that their IT staff might not be as careful analyzing their systems.

        1. JCitizen

          Okay – I’m talking about a complete change of standards. I think your scenario will happen with inaction from industry in the near future!

          So going status quo is not the answer; but a totally inadequate response is not either, in fact – as you point out – it could be worse!!

  2. Kenneth Harshbarger

    Doesn’t sound like this kind of this will ever stop. I’m just glad we live in a place where the consumer of a place like Target doesn’t have to eat the cost when someone hacks their card.

    1. JCitizan

      Good post, and yeah; until “Cow-chip” & – Pin is instituted, then the crackers will still get away with murder, and the consumer will be left holding the empty bag. 🙁

  3. JATny

    Hello, Brian, I headed right over here after I’d had enough of the mainstream media’s non-stories about this Sears announcement, most of which ended after “The Secret Service declined to comment.” Still, time will indeed tell, or not.

    “Make it stop” is how a lot of consumers feel these days. Every week now, I get an attempted malware hit, a serious phishing call or emails, an alert on suspicious banking activity, or something. It is becoming increasingly difficult to tell the real from the unreal.

    Just today, it took me 5 full minutes before I realized that a really, really nice guy who called me on my smartphone, using my name clear as day and claiming to be from my carrier’s payments dept, and who seemed (at first) to know way too much about me, was in fact a phony phisher. Broken down later, the only true information he had was my name and phone number, but the other information and the context that he created was eerie. Make it stop!

    1. JCitizen

      Oh I LOVE spammers and illegal telemarketers! Tom Mabe is my favorite guy! But seriously, this is one of my clients biggest threats. Mainly because I lock their systems down well enough that the telephone is the next low hanging fruit!

      I have case study criminal telephone high jinks that would curl most folks hair, and I should write a book about it some day. Oh – well! Let the “Dummy” book writers dream that up.

      1. JATny

        Not TWO hours after I posted here, I got a very reasonable email explaining how my bank was going to have suspend my bank account “due to irregular Debit card activities,” with a simple-as-pie link to “the bank.” I have very high spam email settings, but it still got through.

        The email had a live link that said “wellsfargo.com,” no misspellings or weird english or over the top claims. Except I don’t have a WellsFargo account (small thing), but what if? I forwarded it (without clicking) to the Well Fargo security dept. The email I got back from them was scarier looking than the original!

        Point is, I’m a fairly knowledgeable, albeit paranoid, business professional, and I still get caught off guard sometimes. How do you ask employees, who have no direct personal interest in whether the “Boss” gets gamey calls or emails to be careful so hacker-crackers don’t get into the business like the Target vendor and others?

        1. JCitizen

          I hear ya JATny!! I received a carefully crafted email once, that displayed the graphics, despite the fact that hotmail does not display active content from an untrusted source – ever. BTW – the ‘spear-phishing’ email, had my real name on it! I surmise that they got this from automated mining of compromised vendors – of which are many – as my reports to the FBI have reflected.

          Consequently, I fell for this, and despite getting a warning pop-up from hotmail – I continued on to the site. My trusted sources change IP and domain addresses so much, I had generally accepted that this is common, to a point.

          Fortunately my password manager would not respond to the resulting URL, and THAT was when I FINALLY woke up, and smelled the coffee! [_]3

        2. Izzy

          I had the same thing a few weeks ago! Except I DO have a WF account. And like you, I’m healthily paranoid. The spelling, grammar and punctuation of the email were ridiculous, which made me suspicious, and I’m not dumb enough to click on any link. I called the bank, where they checked my account and assured me everything was fine.

          I read the email to the guy on the phone at WF, and we had a good laugh at the run-on sentences. They asked me to forward the email, and I did, with a tongue-in-cheek note. I figure they must be getting bombarded with this junk, the least I can do is make it a little entertaining for them.

          1. Izzy

            Side note: I’ve been caught off-guard too, and I’m reasonably intelligent. But if it has a bank name on it, I automatically assume it’s false. My bank calls me if there is a problem, so I know their pattern of customer service. Email falls outside the norm for personal banking issues (as opposed to just their occasional e-newsletter).

            1. JCitizen

              True! However this was “carefully crafted”, not only was there no active content on the page, except one hyperlink, but it was a typical communication from the vendor. You know, the usual thing, like, “We have changed your user agreement”, or “Your statement is available”. Things like that. This was a virtual copy of past email, but with only one active object in the email.

              It is time everyone simply NOT click on ANY email, no matter what the source. But especially when your email provider pops up and WARNS you about it!! I’ll admit – this was my DOH! moment!!

              The really scary thing about this, is just like Brian has reported before – valid site certificates have been stolen, or even manufactured, in some way as to fool the most careful victim of spear phishing, because some vendors use self made certificates that cannot be verified without specific circumstances.Even Microsoft Partner programs have been compromised – I’ve had at least one client who was redirected from an Azure site, and was totally unaware of it right at that time; but suspicion later got the client side PC practically destroyed!!

              They had totally taken over the PC, and every trick I had in the book would not clean the PC. This victim finally had to just throw it in the trash! I really do suspect MPAA hardware had a hand in this industrial espionage attack! The victim said the event viewer had many event 1033 Secure Socket Layer-SSL logs in the viewer!!! These seemed directly attributable to IAA qualified software associated with Cyberlink premium content distributables. Remember the SONY debacle years ago? I don’t think the world wide corporations have learned one thing from that, except to get Hollywood on their side to expunge any dissent about the “New World Order”!!!!

                1. JATny

                  Greg, I know, this sounds like small peanuts, but my main point was that I have several strong layers of email protection, one from my provider and TWO antivirus email filtering programs, 95 % of my bad email gets zapped, but nothing caught this. It went into my cleared mail file. The links revealed by hovers and headers had similar-sounding names w.fargo, wellfargo.com, etc. It looked almost legit, logos etc. The bank’s own true reply looked spammier than the original, whose return address was a scary-looking “ofsrep.rumbbgw@wellsfargo.com.” Also, my bank does send out account alerts on suspicious activity, ironically, because I’ve asked for them for “security” reasons. It didn’t fool me, but it could have fooled someone who worked for me.

                  Going back to the Target vendor, I think it was determined that the bad stuff was introduced into their system via email, and the rest as they say is history. A small company like mine could literally get wiped out by a bad click. Ultimately, and maybe unfortunately, it’s the “wet-ware,” or we humans, that are the key to all this. Thanks for the article, though.

                2. JCitizen

                  No Greg. I’m not surprised at getting phishing email of any kind – I AM surprised they(the criminals) did such a GOOD job of camouflaging it!!

                  Most phishing emails go straight to the junk folder in Windows Live Outlook. The ones that don’t usually still have the ->active<- content blocked. I simply want folks to know that, the sneakier more dangerous emails have little ACTIVE content at all! AND they WILL have your name on them!! I call these spear-phishing emails, but I have a feeling even this process has been automated by the crooks, who simply integrate stolen personal ID data with phishing email campaigns. After all, the odds that the victim were a PayPal, VISA, or Target customer would be very good, and in fact the personal ID stolen from a vendor, might even indicate the victims favorite avenue of payment, such as credit card, PayPal, or Bill-Me-Later, just for example.

                  The design of the email page would be just like the thousands of emails sent out by these same sources everyday. The victim could be fooled very easily because:
                  1. Phishing email is not blocked – and there is little active content blocked
                  2. Email page looks absolutely identical to vendors typical communications; sales pitches, etc.
                  3. Included personal information that only the sender was supposed to know.
                  4. Had perfectly spelled text, no irregularities at all, and in fact a virtual copy of the same type of email people get every day.
                  5. Clicking on the only link that is active WILL initiate warning by Outlook email, probably Gmail, and Yahoo! too. I doubt that changes much. Buy now the victim is SO hooked they will follow the link anyway.
                  6. Resulting web page looks identical to expected destination web-page – the scary part here is if this poser page uses stolen certificates, and even has the same URL after redirect, I'm not sure even password managers might not be fooled!

                  Since I've seen few examples of this, but none-the-less very dangerous examples, I'm not yelling that the sky is falling – but also none-the-less, it think the public needs to know that it is just too dangerous to follow any link in any email, even if the email client doesn't pop up with a warning about untrusted source active content.

                  It is true that most brick-and-mortar banks do not communicate with anyone using email – but this is rapidly changing, as doing business electronically has been lucrative for banks going paperless in their relationship with customers. Many now offer to stop using snail mail paper at all!! One has to wonder if the bean counters will some day reverse this trend, when they assess the losses to web criminal activity !?

              1. benjamin

                This is why it is more important than ever to establish a good communications relationship with your bank. Especially if you are a business owner, you should have your primary contact at the bank whom you can call before acting on any communications from the bank.

                For a lot of business owners, this will be their “Banker”, but if you can make that contact in the digital area, as well (or “Electronic Banking”, etc.) it can mean faster response times.

                It’s an easy trap for a bank to fall into, breeding complaisance into their customers by sending them marketing emails or “Confidential and Secure Mail” that requires a link be clicked in the email. All a fraudster has to do is mimic the secure mail process relatively closely and they can pick clients like crazy from an FI.

        3. stine

          Welcome to the real world. Wells Fargo’s ‘report phishing’ mailbox won’t accept phishing emails. I got one of those last year, with a valid (hah) link to a wellsfargo.com website. When I tried to forward the email, as a Wells Fargo customer, to their phishing address, they rejected it. I ended up calling customer support. The first-level tech couldn’t handle my problem and transferred me to his supervisor (correctly,) but the supervisor was equally unhelpful. What I finally did to be able to report it to them was remove the attachment and inserted a comment that said “attachment here with xxxx”. For his part, the supervisor did stay on the phone with me until I got an automated reply from their phishy mailbox.

  4. Wei

    I am just wondering who is responsible for the cost associated with the investigation. It could cost huge money and labor. It might be good to stay alert, but when things go paranoid, I am not sure if it’s good or not. Attacks are exceptions. That’s why it hit headlines. But when they are routine (or cry wolf), things don’t look pretty.

    1. junior

      The targeted/”attacked” organization is usually responsible for costs in assessments or third party incident response/forensic investigations

  5. TheOreganoRouter.onion

    I think Sears is getting like Mt Gox, going down the path of bankruptcy because they are losing way to much money. If their real was some type of security breach then that might just push Sears over the edge into chapter 11

    1. JCitizen

      Not so much unlike an earlier conquest (kmart); down the path of ruination! HA! ]:)

  6. AlphaCentauri

    If all the cards used during the Target breach period – or cards used during other previously identified breaches at other retailers — had been immediately replaced by the banks in the first place, we wouldn’t be worrying about this, because no one would be selling the known compromised accounts now. I think trying to delay doing it was penny-wise and pound foolish, as they have made it much more difficult to interpret their data on other retailers.

    1. JCitizen

      My credit union issued all new debit cards with new numbers and PINs immediately after the news hit. My local vice president said over 5000 victims were hit in the days immediately following the breach. Oddly enough, even though I shopped during the date window in question, my credit card has not been compromised; and the issuer emailed and snail mailed me that they are on it, and will not allow suspicious transactions. They also suggested alerts be configured on our accounts; and of course I have done that. So far so good – no suspicious transaction for now. (kings X)

      1. AlphaCentauri

        But what happens if your card does show up for sale? By that time, you will have shopped at many other retailers. If a big retailer like Sears is compromised, it is likely that it will involve cards that were also used at Target, Starbucks, Wal-Mart, etc. If you assume it was the Target breach, you miss identifying a second breach.

        1. JCitizen

          I assume I’m already compromised all over the place, so I’d never be able to pin it down now anyway. When I first started online shopping it was easy to tell; but now I might have the same information on a hundred sites. I wouldn’t have a clue now.

          Since Discover Card dropped online secure credit card numbers, I’ve dropped Discover Card. That was the only reason I was using them. The best thing about it, was the criminal didn’t get a penny from anyone on that deal!! Only the original vendor that was assigned that number was authorized to be paid – if anyone else tried to use it, it would simple disapprove the sale.

        2. Lee Church

          correct.

          Though I’ve said the following before, this time I’ll try a techie slant:

          What this ‘detection by intersection’ (my term for it) does is basically a cyclical redundancy check (e.g. CRC32).

          A CRC32 does a good job at single bit errors, and a pretty good job of bit bursts of 26 bits or less (if i recall correctly).

          When we scale up and make packet size extremely large, or we change the mechanism of transmission (like trellis encoding), we change the appropriateness of the polynomial that is used as a checksum. We can change the CRC function, but ultimately we are just shifting failure to having smaller but larger consequences.

          When one has a bit burst, and or single bit error detected, it is a positive flag. Those small banks flagging merchants are correct to do so as there very well could be problems there. In that sense the quote in the article is technically correct. Given only detection by intersection, it’s possible that the bit burst is really 20 single bit errors, all in a row. There really isn’t any way to tell the difference. On the other side, a single bit error is still a single bit error, so the small banks reporting their ‘single bit’ are correct to do so, even though when assembled, the single bit error is part of the 20 bit burst, it’s still a CRC flag all the same.

          However, the quote and the thinking of the bankers is silly. The reason such a situation exists is because of scale, not lack of it. But the insanity of ‘big data’ means that we must repeat what we did in the financial crisis with CMBS, CDS, and leverage, because of two basic reasons 1) there is moral hazard – they are gambling with grandma’s data, so it’s heads they win, tails grandma loses. 2) blinded by greed, they discount the losses , and only count the ‘gains’. They hope to cash in before ‘the big one’, or the realization that it’s a silly minus-sum (not even zero sum) game.

          So the quote was like a banker complaining when a mortgage defaults that if they only packaged more of them together and scaled up they would have been less risk. Or more precisely, that you can’t see individual mortgage defaults because they are all wrapped up into a single large default. In other words, the very structure that was supposed to be safe IS the reason it’s less safe. We didn’t lessen risk, we just moved it around.

          As data gets bigger, better CRCs will make all the errors appear in fewer events, and the data packet lost will be larger. The sum total of loss is the same, but comes all at once. Given more than zero chance of a breach, and infinite time, we have certainty of disaster.

          The folly is in thinking they can solve the problem by scaling up, as evidenced by the thinking behind the quote in the article.

          I don’t think anyone learned a darned thing from the financial meltdown, do you?

  7. Kenneth

    Just came across this quote from Roger Schell:

    “…From a practical standpoint the security problem will remain as long as manufacturers remain committed to current system architectures, produced without a firm requirement for security. As long as there is support for ad hoc fixes and security packages for these inadequate designs and as long as the illusory results of penetration teams are accepted as demonstrations of a computer system security, proper security will not be a reality.”

    1. JCitizen

      Well there is one thing for sure – I am NOT for going to “Cow-Chip & Pin”!!! I am convinced even a rewrite of the PCI standards will solve many of the problems – I have my own views on the hardware tech here, that I have reiterated on KOS before.

      1. Junior

        I agree as it relates to these events, chip and pin would address the fraud vector in increasing the difficulty in the reproduction of cards…after cardholder info had been stolen but not necessarily in protecting cards from being stolen on the front end. It would also not help in card not present transactions.

        1. JCitizen

          There are much cheaper alteratives, that in my opinion are even more reliable the “Cow-chip & Pin”. I utterly have no respect for that as a viable solution:

          List of FAIL:

          February 2008
          http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf

          February 2010
          http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html
          February 2010
          http://news.bbc.co.uk/2/hi/science/nature/8511710.stm

          September 2012
          http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf

          Video summary of above report
          http://www.bbc.co.uk/news/technology-19559124

          1. RBBrittain

            No one claims EMV (in “chip-and-PIN” or other flavors) is flawless; but frankly NO mathematical crypto solution will EVER be flawless. (Any historical comparison of WWII codes will tell you that: ENIGMA was cracked; the Code Talkers generally weren’t.) What the Target breach suggests is that EMV, at a BARE minimum, should be the BASE level of security going forward; these breaches WILL continue as long as the U.S. clings to magstripe technology, which is unquestionably FAR less secure than EMV. Once EMV becomes the baseline, industry anti-fraud efforts can be redirected to plugging the holes in EMV, instead of magstripe *and* EMV.

            1. JCitizen

              I used to play with the same chip that they are using in “Cow-chip&Pin” when I was learning about integrated circuits, we used to program them with a mini-station. Just like any electronic circuit chip, an electrical whiz can mess with them without any concern for encryption, they program what they want into it. Besides a situation like the Target breech, the Security types were telling me THAT couldn’t happen, but here we are.. I say nothing is impossible – look what happened to Target.

              The best cheap anti-replay tech I’ve seen is MagnePrint – take a look at it and tell me any flaws you see; we’ve been discussing it on TechRepublic for a few years, and no one has seriously dented it yet. I’m not a shill for them, but Michael P. Kassner over at TR did an article about this solution, and we got in a big, long winded discussion on whether it could be defeated. I figure only the hardware reader or middle ware is vulnerable just like in present systems, but the data strip is golden, as far as the geometric math and science goes. As long as the reader can’t write to the strip, I think the hardware can be locked down, and the reader isn’t much more sophisticated than what we already have, so it is more economical. The big difference is the sensing algorithm and the magnetic resolution of the swipe reader – well – you’d just have to read about it really. Rewriting the strip would result in permanent rejection.

              http://www.magneprint.com/

              This relatively simple design cannot be replayed, and even if they tried, it would be immediately rejected, because no two, even in a million swipes could be exactly the same; yet without encryption, it can be verified. The simplicity of its design, but the complexity of its security, approach a limit that can only be described as the science of chaos!! Also – putting addon readers like the criminals Brian writes about wouldn’t get them anywhere because of the design of the background ‘noise’ behind the reader strip. Unfortunately, because – like chip&pin, any compromise done successfully some other way, would probably still result in a foisting off on the card holder the responsibility of other theft – when in actuality, the compromise comes from a direction other than the POS terminal after all. Physically stolen cards would get the card holder in trouble, if they didn’t know it was lost or ripped off. I feel this product could be scalable and a 3rd factor authentication could be added, that on the face of it, anyway, ALSO doesn’t require encryption to work!

  8. Manoa Kahuna

    Dear Brian,

    Thank you for keeping on top of this. We have to keep the pressure on until US banks, credit card companies and retailers upgrade their security.

    It’s funny now in the 21st Century gangsters rob the customers instead of the banks.

    It’s weird. I bought a mattress the other day with cash at Sears (because of my misgivings about security) and the sales help treated me like I was a criminal.

    Strange.

    1. benjamin

      It’s not that funny that the onus has been put on the customer, but if you think about it, the structure still puts a great deal of the burden on the banks. While the criminals go after the end-user as the weakest point of security, it’s the banks that ultimately pay.

      They pay the fraudulent charges if reported in a timely manner, they pay to reissue all of the cards (which can be a considerable cost).

      As a matter of fact, it strikes me as odd that, even though the bank has no fault, it is their responsibility (not the retailer’s) to carry the burden of these costs alone. Most banks grudgingly consider it a cost of doing business, but I think you would see fewer security problems if large retailers were required to share in the actual costs beyond reputation management.

      1. Lee Church

        no, it’s grandma that ultimately pays.

        She pays in higher fees, bank bailouts, higher inflation, interest rates, etc.

        With your iteration of paper scissors rock/hot potato, musical chairs, the merchants will charger grandma higher prices, offer lower quality goods, less choice, less competition, or take up more of grandma’s time, etc.

        When the music stops, when the game of paper scissors rock/hot potato/musical chairs is over, grandma is left to pay.

        The thing is, grandma doesn’t really see much of the benefits from hackers, nor from bank profits, nor from merchants ‘big data’ to get her to buy soap bar A vs soap bar B.

        But at some point, grandma ALWAYS pays. And I don’t think she views it as humorous either.

        I do applaud addressing the moral hazard, however grandma still doesn’t have a ‘seat’ in the musical chairs game. She just doesn’t get much out of having her data collected, sold, and traded like a poker chip at a casino, but she pays the price when they lose their bet. And they will lose. There is no other outcome possible; non-zero risk of event, infinite time gives certainty of event.

        As with the financial crisis, the gamblers game is to cash in the chips before the ‘big one’. If they ‘win’ they win big, and if they lose they still ‘win’, as they get to keep their past winnings. I really don’t think anyone has learned a thing from the financial meltdown, and it’s a shame really. Or maybe they have learned, and that’s why we see the silliness repeated.

        For now, the music plays on to the tune of “big data”.

        For the record, I think you are on the right track of pursuing ‘moral hazard’ but the ‘box’ isn’t big enough.

  9. DefendOurFree

    KMart owns Sears. Is it just Sears, or would it include KMart?

    1. JCitizen

      Sears includes kmart, Land’s End, and many of the traditional internal brand names like Craftsman, PARTS DIRECT, and Kenmore. I don’t remember if kmart was merged with Sears or was bought out by Sears, but I’m pretty sure it is a sub group within the Sears Holdings Corporation.

      1. DefendOurFree

        KMart bought Sears in or around 2005.

        1. JCitizen

          Wow! For a company that was going bankrupt in 2004, that was an amazing turn around! It seems you are right in that K-Mart was the buyer in that merger. I’m surprised!

          1. saucymugwump

            “K-Mart was the buyer in that merger”

            I would not describe it that way. Lampert took control of K-Mart in 2003 and Sears in 2005. He then merged the two companies into Sears Holdings. Lampert is a billionaire and essentially controls Sears Holdings. Forbes Magazine described him in 2012 as the second worst CEO/Chairman of a large publicly traded American company.

            1. JCitizen

              I’d agree with you, but the news said it was a Kmart buy out too! Go figure – I rate mergers different in my book. Either way, it is amazing they were able to do it, just two years after declaring bankruptcy in 2002.

              I suppose if you have a money bags like Lampert involved, anything is possible.

              1. saucymugwump

                “I’d agree with you, but the news said it was a Kmart buy out too”

                Technically it is true that K-Mart bought Sears in 2005, but the truth is that only “after making a nice wad of cash from Kmart by selling off the valuable real estate sitting under dozens of stores, shutting down 600 stores and laying off tens of thousands of workers in the name of cost-cutting and thereby jacking up the stock price” Lampert had the funds to buy Sears. See the below Salon and Businessweek articles for the details.

                That’s like saying that you bought a new Aston Martin, but forgot to tell your friends that you sold your house and cashed-in your IRA to do it.

                http://www.salon.com/2013/07/18/ayn_rand_killed_sears_partner/
                http://www.businessweek.com/articles/2013-07-11/at-sears-eddie-lamperts-warring-divisions-model-adds-to-the-troubles

                1. JCitizen

                  Oh yeah! Typical “robber baron” mentality. Interesting reading! Thanks saucymugwump!

  10. Jim

    The way i’m pinning, this may be an attempt to sell the store to the next bankrupting agency. You know, the waiter there’s a fly in my soup. Exp: Aompany A wants company B but not for that much. How do you drive down the valuation? By infecting sales. By destabilizing the situation, where the store appears weaker in sales and profits. Now who profits.
    Target stock price took a hit. Or was it their security division that took the hit, did they have to pay a fee? to some third party to restore the faith? Could this be the new business model of capitalism? They were gaining slowly on another retailer, who wasn’t marking their products down by three cents, who is now heavily invested in overseas growth, that uses third parties to do all their work. What was different about their setup that was attackable, versus another party that wasn’t attacked? That if I had the know how, why go for the number 2/3 when you could have gone for number 1?
    Did they pay, but i don’t believe thay had/have any better security.

    1. saucymugwump

      @Jim “Target stock price took a hit. Or was it their security division that took the hit, did they have to pay a fee? to some third party to restore the faith?”

      Reuters reported that Target will use its insurance covering cyber-losses (look for “Target shares recover after reassurance on data breach impact” on Reuters). Some websites reported that Target only has $165 million in coverage, yet the losses might top $1 billion.

      And in related news, Target is dropping healthcare coverage for its part-time employees, but it is unclear if that is Obamacare or cyber-breach fallout (look for “Target to Drop Health Insurance for Part-Time Workers” on Bloomberg News).

      “Could this be the new business model of capitalism?”

      I’d describe this as the original business model of capitalism.

    2. _Jim

      Geesh. Your grammar is atrocious … USA much?

      1. JCitizen

        What?! You no-likey our east Texas acksayent? 😉

        It only encourages us to brow beat our redneck traditions!

  11. saucymugwump

    As I wrote in my blog post “So long, Sears; it’s been swell, JCPenney; just die, Walmart,” Edward Lampert, a billionaire hedge fund manager whose corporate philosophy is “strip and sell,” is the majority owner of both Sears and K-Mart via Sears Holdings.

    I think it is likely that Sears and K-Mart were hit because of Lampert’s incompetence and greed. It’s really sad for those of us who remember great companies from the past.

    1. JCitizen

      One weird thing about Sears, is there are very few of the original Sears corporate owned stores left in the USA. Our local Sears is actually owned by one person, and he just does the Sears franchise. You can’t tell the difference on the decor of the store, as they all keep to the same formula look, but I wonder if kmart is in the same boat. In fact, I really wonder if kmart isn’t doing more business online than in the street facing store locations.

      1. saucymugwump

        Remember that Sears franchise stores use the same Lampert-controlled website which ties all of the stores together. Franchise stores probably have to use the same POS equipment as the corporate ones. So from an IT point of view, there is no difference between franchise and corporate stores.

        And if you are an old Sears Craftsman Tools user, look at the ones for sale next time you are at the store. The current generation of tools is made in China.

        The situation with K-Mart also annoys me. Lampert never took control of his inventory the way Walmart did. That’s why K-Mart shuttered many stores while Walmart just keeps opening new ones.

  12. Anonymous

    Hello Brian,

    Hope this finds you well. Received an email in my inbox recently from Coursera.org saying that they were starting a course again called ‘Malicious Software and its Underground Economy: Two Sides to Every Story’.

    I’m sure a seasoned pro like yourself has probably either done this already or hasn’t got much to learn from an ‘introductory’ class on the subject but thought I’d mention it none the less.

    https://www.coursera.org/course/malsoftware

    As an adamant reader of your blog, you’ve certainly inspired me to sign up, though my programming skills are lacking, I shall be giving it a go none the less.

    Regards,

  13. Sharon Harmon

    I admit I an new to the finer points of this so my question may be a little simple minded but, here goes: Wouldn’t asking for a valid photo ID cut down on a lot of this? I realize making cards isn’t that hard a thing to do but my driver’s license has at least four security measures on it. The sad part is that lately the card is never asked for to verify anything. I do the swipe, I sign the pad. The name and even the appearance of the card is never checked. Lowes hardware is the only place that I can remember going to that looked on the back of the card to see where I had written “please request photo ID”. Isn’t a lot of this a training issue? If the checkout person was put back in charge of a card transaction and held accountable for their actions, wouldn’t that help? The idea the adding that step would take too long is just silly. Look how long it takes to prosess a paper check. To the best of my knowledge, no one turns down a check. And they (seem to) take forever.

    1. timeless

      Probably not.

      Not everyone has a driver’s license (I don’t).
      There are 50 states, the District of Columbia, a couple of territories (Guam, Puerto Rico), and then the general “what’s an ID?”

      Children in middle school can get credit cards – they’re lucky / unlucky if they have a photo ID on a lanyard.

      In high school, you probably have a photo ID, but there are …

      http://www.ask.com/question/how-many-high-schools-are-in-the-us
      Says 23000..27000 high schools in the USA.

      Note that credit cards don’t indicate age.
      There’s no way for a clerk to validate more than 5 high school IDs (theirs, and those of a few friends) at best.

      Then you get Drivers licenses (~60), learners permits (~60), state IDs (for people without drivers licenses, 60), Passports (200), foreign national IDs (200), and foreign drivers licenses, and foreign health care cards with photo ID.

      Note: I’m using 60 to incorporate the territories and I’m lazily including the Canadian provinces – with some rounding.

      There are also a bunch of other government issued IDs (at least the 5 military branches).

      There are another 4000 or so Colleges and Universities in the USA, and then there are some more around the world.

      Most people will accept an employer photo ID.

      By the time you’re done, you’re guaranteed that no one could possibly validate all of them against a credit card.

      Also, sometimes you are allowed to make a purchase using someone else’s card (the rules for credit card purchases are odd…- read the liability and terms of use).

      Oh, and some places don’t allow random entities to demand access to a given ID (e.g., most places aren’t allowed to demand your SSN card).

      Note that very little information on an ID will necessarily match the credit card. People get married, divorced, change their names (to hide from stalkers/etc.), they move (especially state to state). People also change their appearance (glasses, hair in a tale, beards). Sometimes people even dye their hair or shave it. Some people wear contacts which change their eye color (I’m not sure I care about supporting this edge case).

      Sometimes credit card issuers get “smart” and include a photo on the card. If someone presented such a card to you, would you demand a second form of ID?

      Lastly, Ask your average 19 year old college student how hard it is to get a fake ID.

    2. Jacob Givens

      The flaw in what you are proposes is the assumption that the counterfeit cards have an accurate name on them. If they can make a counterfeit card… they wouldn’t need to make a counterfeit Drivers License… they could just made the counterfeit card with their own real name on it – and if prompted, use their own photo ID for verification.

    3. Melissa

      Sharon – what no one has pointed out is that it is against Visa card organization rules for a merchant to ask for ID on EVERY transaction. They stipulate that ID can only be requested during suspect transactions. If Lowes is asking for it everytime, they are violating the Visa Merchant Regulations.

      Also, if they are accepting your card without the signature on the back, they are violating the regulations. SEE ID is not a valid signature and merchants should be asking you to show ID and telling you to sign it in front of them before accepting it as a valid form of payment. It even says on the card itself that it is not valid if not signed.

      Consumers prefer to swipe their own card these days which makes checking the validity more difficult. If the merchant is set up this way, they are supposed to be asking for the card to verify. But by that time, the transaction is already complete.

  14. JimV

    If retailers don’t want to be placed squarely on the defensive and excoriated mercilessly by customers, politicians and regulatory agencies alike, then perhaps they should not only focus on closing off those blind spots but also paying much closer attention when a reliable entity identifies and then notifies the retailer that they have been breached. Needless-Markup apparently ignored such warnings for an astonishing 6 months, according to Business Week.

    http://www.businessweek.com/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data

    1. JCitizen

      Sheesh – good one JimV!

      Why am I not surprised? Maybe because IT security, and in fact IT itself, are the lowest priority of business everywhere, at least in the US.

  15. Andy Sven

    So many companies being hit early this year for financial information that should be private. As technology evolves there will always be holes.

    If Sears is just trying to keep this under wraps then they are doing a pretty good job. Eventually a public statement will have to be made.

  16. Lawrence Knowlton

    All retailers need to take a look at how these malicious programs got onto their systems in the first place. Possibly the following:
    anyone who has access to an I/O port (usb, CD etc) on their POS systems (save the cashier interface, which should be a locked down KIOSK).
    The POS systems computer I/O, must not be accessible by anyone other than their IT dept. personnel. That narrows down who the hell can and can’t do!

  17. TheHumanDefense

    Just saw confirmation on MSNBC that Sears Holding Corporation has officially announced a breach investigation in progress in conjunction with the appropriate authorities.

  18. bob

    spelling error in 8th paragraph about CPP; ‘identity’ where it should be ‘identify’

  19. j2spen

    I would have appreciated notification from Sears before fraudulent activity occurred on my card. Got a fraud alert by phone and fearful of phishing, called the number on the back of my card instead. There were 2 fraudulent transactions in a state far, far away from me. I only use the card at Sears and used it last during December. Closed the account, won’t do business with them anymore if they can’t be forthcoming about breaches.

Comments are closed.