Charge Anywhere LLC, a mobile payments provider, today disclosed that malicious software planted on its networks may have jeopardized credit card data from transactions the company handled between November 2009 and September 2014.
In a statement released today, the South Plainfield, N.J. electronic payment provider said it launched investigation after receiving complaints about fraudulent charges on cards that had been legitimately used at certain merchants. The information stolen includes the customer name, card number, expiration date and verification code.
“The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic,” the company explained. “Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.”
Charge Anywhere said it believes that “only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified,” although the company allowed that the unauthorized person had the ability to capture network traffic as early as November 5, 2009.
The incident is the latest reminder of what happens to businesses that handle credit card data and other sensitive information and yet fail to full encrypt the data as it traverses their network. The company has provided a searchable list of merchants who may have been affected by the breach.
You have to be kidding: ‘exact match of merchant name required’ on a searchable list? Again the customer holds the bag to find out if they are breached and where. These middle men are unaccountable and meaningless legalese prevails. You do not need canaries, assume all your information held by these aggregators is breached.
This seems to be geared at people who own the businesses not the average day person.
That may be true, but if a customer has dealings with the merchant whose information was breached, then wouldn’t the customer who allowed the merchant to run their card also have to worry about credit/debit card information being compromised as well? Will this merry-go-round never end?
No – only the issuing is responsible for fraudulent charges. The cardholder is not.
Unless you use the debit network – then Visa/MC policies don’t apply to you and you’re on your own. That’s why, in the US, you enter your PIN at your own risk – never do that. You’re telling it to act like an ATM instead of a credit card terminal.
I’m not sure if a credit card processor will see debit transaction data. My gut says no (at least on their own network).
“Unless you use the debit network – then Visa/MC policies don’t apply to you..”
It is not true globally, only in US and some other countries.
The closest outright list I’ve seen so far is a list of sponsoring banks. http://corporate.chargeanywhere.com/certifications-and-partnerships Bottom of page.
Darn, the search form won’t accept “*” or “%” as wildcards.
Trying ;’1=1 for a City gives a nice error … wonder how much SQL injection is possible?
Invalid action.
You do not have permission to access /notice/search.aspx on this server.
[Site: http://WWW.CHARGEANYWHERE.COM, Source IP: 6x.xxx.xx.xx2, WD-ID: 6xx61237xx55xxx00]
CHARGE Anywhere® is “certified [for use] on all Major Processors” in the U.S. and Canada.
http://corporate.chargeanywhere.com/payment-gateway (bottom right)
On a separate page, “CHARGE Anywhere® is certified to work with the following processors [same processors listed on the other page], which service all of the major financial institutions in the United States and Canada”.
It’s totally irrelevant if your credit card is used without your consent, as Visa/MC regulations protect the consumer 100%.
That said, Chase called me once about a couple itunes charges on cards I didn’t actively use, and essentially accused me of actually making the charges (even though the cards were in a 1000lb safe, and none of my Apple accounts had any activity either). After that, they knocked 20k off my available credit in retaliation.
The processors are not necessarily aggregators, they’re middlemen. They need transaction data to perform security checks of the actual processing prior to transferring money. There’s a lot of fraud, that occurs within legitimate channels that has to be caught. In some cases there’s sharing of credit card data with additional 3rd parties in order to facilitate rewards and such.
In 2008 I walked out on the credit card processor I built the network, and established PCI, for. There were just too many incidents of “We put your servers in a locked cabinet, so it’s PCI compliant” or “You don’t need to know what we’re installing on your network (from corporate during a ‘PBX upgrade’ that was really a 3rd party video conferencing system)”. I would be surprised if they’ve never been breached, I think they just never disclosed it. Totally incompetent VP IT and CIO.
They “Chase what matters”, Your money!
[After that, they knocked 20k off my available credit in retaliation.]
if you have or need 20K+ for available credit, brotha! You better be running a business, if not you’re grandchildren are going to assume you debt as well as their children too. insanity know no limits!
*your
Coming from a guy who who charges money and then provides a a real bad service.
OT. Hey, I’d love to provide 5 nines of uptime, but if it means shutting down in a year then it’s not worth it.
This is no Lavabit. I’m 100% straight with users and won’t take off with your money.
In a few months I hope to have negotiated a better colo facility for all the equipment and we’ll have environmental issues negated.
Rick , co-location is what your service needs :–)
“…an unauthorized person…”
Read: disgruntled IT guy. Who’s watching the watchers?
Verizon Wireless used ChargeAnywhere
business.verizonwireless.com/content/dam/b2b/resources/ChargeAnywhere.pdf.
Appears ChargeAnywhere works with FirstData.
thepaypers.com//news/mobile-payments/charge-anywhere-to-deliver-mobile-payment-services-on-first-data-platform/746947-16
CHARGE Anywhere, a US provider of mobile payment and payment gateway services, has completed its ComsGate Payment Gateway certification to the First Data South Processing Platform for South America, Central America, the Caribbean and Mexico.
This certification is set to extend CHARGE Anywhere’s presence into the Latin America, Caribbean and Mexico markets and provide these regions with access to the company’s suite of PCI PA DSS payment applications for smartphones, tablets, POS terminals and e-commerce services as well as the ComsGate payment gateway.
In recent news, CHARGE Anywhere was set to launch the mobile payment application for Android with Spanish language functionality at the CARTES in North America Expo and Conference which will take place between 5 and 7 March in Las Vegas.
Wow, AT&T too.
paymentssource.com/news/att-certifies-charge-anywhere-mobile-payment-2703061-1.html
This is why we need to MOVE away from “Old” technology. Our 1950’s “MAG STRIPE” technology and EMV’s 1990’s technology are NOT the answer or the solution. Biometrics, unique authorization codes, and other types of technology that can truly protect our purchases should be where we are going. The “Knee-Jerk” reactions to go with “Chip & Pin”, “Chip &Signature” or to simply encrypt everything will not fix this problem. I’ve been in and around security going back to the 1970’s – YES – those days – and quite frankly, these kiddos that are doing the hacking will continue to abuse these “old” technologies. Until the entire payments industry realizes this and starts to make REAL strides toward REAL security, the banks will continue to pay for these breaches – yes – it’s the BANKS who end up paying; not Visa, not MC, not AMEX, etc.
biometrics… hmmm.
so, your analog biometric information is converted into some form of digitally transmissible and storable data.
then, that stored data gets hacked, stolen and shared.
then, what? you change your iris, fingerprints and DNA?
I’m not a fan of biometrics, for exactly this reason.
I agree. Too much hype around biometrics. As if it was transiting into thin air.
In the end, all data stored somewhere can be hacked and reused against you.
Emv is actually pretty close to end-end encryption. There’s a secret on the chip, used to create a one-time token that then goes through the network. The malware doesn’t get much to work with. There will be some implementation screwups during the emv cutover, but then these hack stories are just going to vanish. Good riddance magstripe hacks!
EMV does not provide end to end encryption. The only token is the dynamic CVV. PAN is still in the clear.
Wrong. What you say is true for EMV Contactless in MagStripe mode, but not EMV Contactless in EMV mode, which encrypts the transaction data with a key known only by the issuing bank.
I’ve said it before and I’ll say it again (esp. to Coop above), if it’s the banks who pay, guess who really pays? To the banks, it’s a zero -sum game. In the end, it’s US who get it in the end.
…and they have other problems. If you go to their partner portal http://corporate.chargeanywhere.com/partner-portal/, you’ll notice its using unsecure port 80. Amateur mistake by a business that handles credit card information…steer clear!
…not true, all forms on that page post via https.
>…not true, all forms on that page post via https.
If the starting page is not https, it is a vulnerable site, subject to manipulation by a man-in-the-middle to extract or steal information. That includes but is not limited to posting to an off-site page without https (who validates where it will post to on a regular basis?).
^^^ Bingo!
I’m on Coop’s page and I go back before his time!
And it’s certainly not about more PCI SSC edicts. Indeed, PCI DSS version 3 is an abomination that will frustrate most Level 4 merchants and do nothing to prevent more breaches. It’s about Security 101 and C-Suite commitment and support with security staff and security budgets. Obscurity is not security.
Nobody really cares about breaches as long as the swiper works for every transaction and the service providers, banks, MSPs, ISOs, issuers, and brands have their greedy fingers on the revenue streams. And, of course, someone already mentioned we consumers pay it forward for breaches.
The PCI Council continuously updates security standards. “Look what we did, Mr. Congressman!” And look what happened this year with some major retailers. Wrong approach, PCI Council! You are wearing out your relevance.
Allow innovative security providers to lead the way in removing or reducing merchants’ PCI scope. Be quicker to adopt what has long been referred to as “emerging technologies” such as tokenization and encryption at the swipe solutions that don’t necessarily fit an existing PCI security standard. More delays here? More breaches to occur.
For example, I’m a member of the second PCI tokenization taskforce. The first one died on the vine years ago and from what I’ve seen in the second round, I have no confidence because truncation and encryption, which is covered in PCI DSS Requirement 3, are considered forms of tokenization.
Coop, Petepall, et al., for the hundredth time, in most instances of fraud or card data theft, traceable to the merchant (e.g., Target and Home Depot) it is the MERCHANT who pays, not the banks. Get off your soapbox against banks and look for the real villain. Yes, I agree with “who ultimately pays”, but for crying out loud, get it right when it comes to “who pays first”.
JVH TimeLess JCitizen Linda Coop Dan Patti and all:
Sometimes the cash comes out of the pocket of the merchant, sometimes from the bank. Yet all the cash went into those pockets from the CONSUMER. In the end the consumer pays all the bills and I’m more than a bit tired of it. So is Dan.
Re biometrics – I am glad to read so many who are smacking that down. There are lots of weaknesses as Timeless pointed out. My question is how to use that when I’m not at a merchant. Send my scanned retina over the internet to complete a transaction. Trust an unchangeable password over https? I think not. See http://nc3.mobi/references/biometrics/ for more
JCitizen – a special pen is a good concept, but how is that going to work for eCommerce? Even for card present transactions malware that reads signature X and reports signature Y isn’t even a stretch of the imagination.
Linda – a ‘super’ card is a great solution … for the last century. It does not address the growing avenues of e&m commerce.
Patti – you can’t stop the theft, but what is stolen can be made valueless to the crook. No possibility of reward negates the motivation to steal! There is at least one way.
Jonathan @nc3mobi
My pen reader idea is nothing but a list of assumptions.
1. The device not be programmed but hardware only, and present at all POS or ATMs.
2. The five data streams would be encrypted separately, and then scrambled using a predictive algorithm that only the authentication authority knows, and is shifted each request. So reading one stream of data would be gibberish compared to the next.
3. Even if the data were transmitted in the clear, it could not be replayed without giving up the plot, and would be difficult to anticipate in the least.
4. This also assumes malware could not possibly predict the authentication range of a true request. From data sets I studied in mathematics, it should be similar to a chaos butterfly graph, where the crook would have to find the ‘attractant” to be able to anticipate a true condition for authentication. Something like that is supposedly impossible without actually knowing this set variable, and impossible to predict without some hefty high speed super computer time.
5. Each authentication would become more and more accurate and representative of the customer, as each authentication session builds a more accurate signature.
6. If nothing else, it would make an excellent 2nd or 3rd factor, even if a really genius crook found out how to predict this range of authentication accurately with some kind of surveillance malware or device. I should think it would take a huge data base of individual tracking to finally be able to crack the code on just one individual, even if it were transmitted in the open.
7. There may be an advantage in transmitting each stream in analog vs digital information, as it would introduce a disorder to the system of anyone trying to derive entropy out of that one variable.
I realize this is a hair brained idea, but I can’t help trying to brain storm the issue. Criticism is very welcome.
JCitizen – Your idea has some interesting potential applications, but you may have just shot yourself in the intellectual property foot by publishing the novel concepts in a public forum. If you believe you may ever want to embody your work in a patent or other form of protected intellectual property ask BK to remove comment 342266 from public view. Even if you have already filed for a provisional, premature public disclosure is not desirable. It was a year after the provisional application was granted that I started the nc3.mobi web site, the first public disclosure. To get criticism and refinement prior to IP protection, protect yourself with CNDAs.
I am not a lawyer. I have multiple granted patents and more in the works. Implication: I’ve shot myself in both IP feet in ways that themselves can be considered novel!
Jonathan @nc3mobi
Nah! This is actually an old idea, and the patent expired long ago. I would leave the security algorithm up to the developers. I’m am not in it for the money – I just want to see problems solved(hopefully).
I look at things like this kind of like open source code; with all factors vetted by the many, but less possible to defeat by the few. Thanks for your thoughtful responses!
Biometrics are *not* the answer.
Premise:
Anything that can be observed can be recorded.
Anything that can be recorded can be reproduced for future recordings, or emulated by tapping a line and pretending to have recorded it.
Thus, anything that can’t be changed should never be used.
Biometrics can’t be changed, and thus shouldn’t be used.
Worse, Biometrics are easily recorded.
Video cameras (and IR cameras) record your biometrics constantly.
You drip your DNA all over the place. Various police agencies have been using DNA to prove things for decades (I’m still waiting for criminals to regularly plant DNA, it has appeared in TV / Movie plot lines, but the crooks haven’t gotten there yet — The crooks have made much more progress on ATMs — see the previous article).
One time tokens and two factor authentication are the best we’re going to get for a while.
Personally I’d prefer Chip+signature + SMS (random) Token w/ transaction description over Chip+PIN.
My PIN is something I have, and something that everyone else will learn, no different than my credit card number. Thus, it’s useless (this is more or less what the US credit card companies have figured out).
And yes, we should be aware that you can socially engineer and/or hack the PTSN to intercept/redirect SMSs. But those are bugs that need to be addressed anyway as we move to 2FA.
I still say a special pen that records at least 5 data points on a signature(x-y-z-axis, downward pressure, and grip pressure) is the way to go. No human can repeat the signature exactly the same, but because the data points can represent the overall pattern accurately, the signer could be reliably identified. This tech is actually pretty old. The recorder is pretty simple, the analyzer not so much, but I’d lay odds that as long as this has been around, it can be done now.
Even MagnaPrint can prevent replay, as it tracks the swipe stochastically to sense each swipe is unique, but still incontrovertibly original to the users card
My guess is the pen system would be cheaper. I’d even argue the criminals could know this general ID data, and still not play or replay it successfully – this can’t solve all the problems, but it can prevent replay and still positively show the user is present, where even MagnePrint only shows the proper card is present.
The pattern that we are seeing now from most of these data breaches is what has become a customary, reactionary after-the-fact afterthought. This of course is just too late and the damage is already done. No matter how much the breached victim plays it down the problem is never really resolved it. Just saying it will never happen again (until the time it happens again) or denying the data stolen was sensitive, the truth of the matter is, we may not feel the effects of this type of breach for months if even years. When all sensitive data is encrypted with strong encryption from point to point, then the thief will be left with nothing but useless bits and bytes.
Interesting they say “the format and method of connection for certain outbound messages”, perhaps sometimes the other party does not do encryption, which may result in the “searchable list of merchants who may have been affected by the breach” not being all of their customers.
The real issue is that we are charged with defending a static item (PAN) of value across physical hardware, software and networks – that is a tough battle to win.
We need to change the game so that compromise of the static PAN does not equal a win for the attacker. Apple Pay MAY do this (I have not seen a deep dive on its mechanics yet). I would like to see the card issuers use the static PAN in combination with a temporal token (Google auth, VIP, RSA, …) or generate a unique token at time of transaction and stop transmitting/storing a static PAN.
If they INSIST on keeping a static PAN, then enforce end to end encryption starting at the card swipe itself so even interception on the wire or in mem on the POS gets you only pseudo-random noise.
Until we can change the game we are bound to lose due to the complexity of systems and the fact that as defenders we are always in a sudden death situation, no matter how many successful defenses /APT (drink) waves we have repelled.
Who cares who is the first loser, second lose, end loser?
We all lose when there is a breach. Financial institutions, card issuers, merchants, AND consumers in terms of higher product or service prices, transaction fees, cc interest, layoffs. Yes, layoffs when a company decides to lower cost by lowering number of employees (making those still there work harder, longer) so they can still make a profit, esp. execs, COB, board members, etc.
What do you think of the newly designed cards that require you punch in a 5 key code into the card?
Dynamics CEO Jeff Mullen said the card, which has five buttons that customers can use to enter a security code, should be available next year. The technology is one of the advances that the credit card industry is exploring as a way to prevent fraud.
“In order to turn the card on, you have to enter an unlocking code,” Mullen said. “If the card is lost or stolen, it’s a dead piece of plastic.”
Read more: http://triblive.com/business/headlines/7334567-74/card-cards-dynamics#ixzz3LSPKI6HB
Note: “5 key” = “5 digit key”
Briefly looking over the article, I lean towards what Stephen Ames suggests, such as tokenization and encryption:
http://krebsonsecurity.com/2014/12/unencrypted-data-lets-thieves-charge-anywhere/comment-page-1/#comment-341252
The article leads me to believe it’s a card that once you enter the 5 digit key says nothing about further protecting the unlocked payment card data number once it’s swiped through a point-of-service device–it’s a piece of protecting the payment card data; but not enough in itself.
I personally believe that the death penalty should be enacted for these crooks. If that doesn’t deter this kind of crime, then nothing will and this type of credit business will soon dry up and everything will be done on a COD basis.
Yes, let’s make all crime punished with the death penalty. I can’t see how that will lead to any problems.
Proper restitution would make sense (pay back all the damage you causes), along with debtors prison and loss of many rights – which may end up being a life sentence trying to settle your debt owed.
Also severe penalty must be in place for not disclosing affected merchant list as it makes difficult to clear up the mess they created for issuing banks. Visa and Mastercard usually are late with their warnings, Amex almost always warns issuers too late. They also avoid to disclose relevant information.
My favorite part of this article:
“Charge Anywhere said it believes that ‘only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014…'”
So, the company that didn’t know they were hacked for the past 3 years is suddenly competent enough to understand what and when data was captured… HAHAHA.
Sad really.
I don’t blame any company for downplaying the risks or the incident itself. Safe harbor is a joke and the reality is that significant breach likely means curtains for a mid tier player.
Biometrics is but one new technology. Why not combine biometrics with unique auth per purchase technologies. That was the point I was trying to make. In all of your “Rushes” to prove me wrong, you have all failed to get my point Magstripe, and EMV/chip based technologies are NOT THE FUTURE. Combinations of newer tokenization schemes combined with other, more modern technologies ARE the answer. As to “WHO” pays; yes you can argue it is all of us. However, in fact, it IS the banks who pay initially. Home Depot and Target will not have to absorb the costs of issuing the new cards and the banks are not able to pass all of those costs downward (via contracts they maintain with the merchants) to the merchants in-full. Understand how the payments eco-system REALLY works before you make a comment.
who’s using this payment firm.
it looks like a VERY VERY small firm, isn’t it?
Back in the early 1950’s the First National Bank of San Jose issued the “Gold Card” which was useable and designed for their normal everyday blue and white collar customers at businesses that also banked with the same bank. It became popular. Nearby San Francisco based Bank of America noted this and developed their BankAmericard, the forerunner of Visa. The Bank of America goal was to increase the standing of the bank and to increase the income of the bank, by automatically providing paperless small consumer loans of $50 to perhaps $300, charging the merchant a small fee to increase the merchant’s business volume and to decrease any bad check loss. It worked, the banks increased their income (through small consumer loans and small merchant fees), and the merchants had a small sign they could hang in their windows, increasing their business volume.
The majority of the population carried cash for their normal needs, and used perhaps a check book for other purchases that exceeded the amount of cash one would reasonable carry on them. The normal person used the ‘Credit Card’ only when one would need a consumer loan of money from the bank to make a purchase. Higher end cards, designed for the wealthier consumer like American Express, Carte Blanche (the Hilton Hotel in-house card), and Diners Club required the account to be settled in full upon a monthly billing cycle.
Enjoying the newly found automatic revenue stream, Banks and similar financial firms began highly publicized advertising, promoting the use of “Credit Cards’ as the “in way” or “fashionable way” to shop and travel.
Now, 60 years later, most posters here and the majority of the public cannot imagine daily business without the use of their Credit Card or Debit Card. Stupidity abounds. The easiest way for any person to avoid the security problems now associated with Credit Card and Debit Cards is to limit their use.
Remember, the use of your Debit Card or Credit Card is only really designed for the bank’s convenience and profit. Use the Credit Card or Debit card only when you need to take out a loan from your bank. Having a $20,000 ‘line of credit’ at your bank is nice, not needing to use it is even nicer.
The majority of the population now needs to carry cash for their normal needs, and perhaps use a check book for other purchases that exceeded the amount of cash one would reasonable carry on them. Keep that credit card at home and only consider using it when you need a loan.
So ALL consumers should carry cash? Read the “Less cash, Less Crime” study by the University of Missouri. As consumers have moved away from cash and checks, criminals have moved away from armed robberies and purse snatching.
Agree with those who observe that the final accounting of losses incurred by credit card fraud are passed down to the merchants and the general consuming public. You really don’t believe the networks (credit card companies), acquiring banks (merchants), and issuing banks (customers) would allow these losses to have a significant impact on their return to shareholder? The minor degree to which networks and banks (acquirers and issuers) may be affected is better understood as their cost of doing business, and the direct costs pale in comparison to the significant transaction fee profits acquired by credit card companies, and interchange fees & (APR) finance charges (banks) they obtain. Given the merchants affected and the general consuming public (everyone who buys goods and services with credit cards) ends up paying for credit card breach costs, why would the networks or the banks be motivated to do anything more? Particularly when an increasingly desensitized credit card user who continues to receive state mandated breach notification letters, or reads daily about the latest credit card hack, observes no direct personal impact for such events.
The history lesson is all good, but I submit that most blue collar and white collar customers would happily pay a higher cost of goods and services for the convenience of carrying a few pieces of plastic versus wads of cash or blank checks with imprinted MICR lines, name, and address. Notwithstanding identity theft, there is no risk to the cardholder [as long as they keep their debit cards in their pockets]. I for one don’t mind. I’d much rather lose a credit card over my checkbook.
There is no way to secure against your information being stolen. Things are changing more rapidly than most of us can even imagine very clearly. Any electronic card can be hacked.
While it is true that the costs of breaches (and all credit card fraud in general) are effectively part of the overall cost of doing business for the banks/card brands and they are passed along in the transaction fees and interchange rates to merchants and eventually consumers, it is wrong to think that the banks aren’t interested in reducing fraud.
The reason for this is that they will NOT automatically pass the savings from reduced fraud back to the merchants and/or consumers. They have established a market rate for credit card services that merchants are paying today. If they can reduce their overall costs, they stand to increase profits without having to increase their revenues.
Every dollar saved in fraud costs is pure profit to the banks.
The biggest evidence of this is the way that Apple is getting paid for transactions run through Apple Pay. Apple receives 0.15% (if the public reports are accurate) of the dollar value of transactions run through Apple Pay. This is coming out of the banks fees – it is not being passed along to the merchants or customers. The reason for this is that the banks believe that the EMV tokenization spec that Apple Pay is an implementation of is secure enough to warrant paying Apple for the facilitation of its use in retail.
That is a small percentage – enough to be considered part of the cost of doing business, but Apple Pay stands to drive more use of the credit card system – increasing top line revenues AND reduce the potential for fraud.
For Apple, it is a matter of scale… right now Apple Pay isn’t really likely to be generating much revenue for them but if you look two or three years down the road with hundreds of millions of iPhones/watches with Apple Pay deployed and more retailers using them, it is reasonable to believe this will be a revenue stream worth hundreds of millions of dollars a year to Apple… basically money that WOULD have gone to fraudsters.
thats why soon future you will be have rfied chip under your skin:)
thats why this things can only take place,such as cybercrime:)
Robb – One of the great aspects of science fiction is that we can present a society that has those attributes such as embedded identification. The drawbacks are clear. Consider The Net in which some person is linked to the medical records of someone else. Treatment is provided appropriate for the records and fatal to the person. Or another person whose data has been altered to be a criminal. Law enforcement response is appropriate for the criminal, but not the person.
A long running “gag” is when a clerk says “According to the computer you are dead.” Response: “I’m standing and talking.” Clerk: “I can’t serve dead people.” “I’m NOT DEAD!”. It is a losing argument.
We started as people.
Then we became people with data.
Then the data became more important than the people.
Maybe Orwell was off by a few years?
Jonathan @nc3mobi