17 Jul 15

CVS Probes Card Breach at Online Photo Unit

Nationwide pharmacy chain CVS has taken down its online photo center CVSphoto.com, replacing it with a message warning that customer credit card data may have been compromised. The incident comes just days after Walmart Canada said it was investigating a potential breach of customer card data at its online photo processing store.

[Image: cvsphoto]

“We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised,” CVS said in a statement that replaced the photo Web site’s normal homepage content. “As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience. Customer registrations related to online photo processing and CVSPhoto.com are completely separate from CVS.com and our pharmacies. Financial transactions on CVS.com and in-store are not affected.”

Last week, Walmart Canada warned it was investigating a similar breach of its online photo Web site, which the company said was operated by a third party. The Globe and Mail reported that the third party in the Walmart Canada breach is a company called PNI Digital Media.

According to PNI’s investor relations page, PNI “provides a proprietary transactional software platform” that is used by retailers such as Costco, Walmart Canada, and CVS/pharmacy “to sell millions of personalized products every year.”

“Our digital logistics connect your website, in-store kiosks, and mobile presences with neighbourhood storefronts, maximizing style, price, and convenience. Last year the PNI Digital Media platform worked with over 19,000 retail locations and 8,000 kiosks to generate more than 18M transactions for personalized products.”

Update, 11:35 a.m. ET: The above-cited text from PNI’s Investor Relations page was removed shortly after this story went live; a screenshot of it is available here. Someone also edited PNI’s Wikipedia page to remove client information.

Original story: Neither CVS nor PNI could be immediately reached for comment. Costco’s online photo store, costcophotocenter.com, does not appear to include any messaging about a possible breach.

Interestingly, PNI Digital Media was acquired a year ago by office supply chain Staples. As first reported by this site in October 2014, Staples suffered its own card breach, a six-month intrusion that allowed thieves to steal more than a million customer card accounts.

Update, 11:33 p.m. ET: According to a review of customer data previously listed by PNI, we could be seeing similar actions from Sams Club, Walgreens, Rite Aid and Tesco, to name a few.

Costco, which also was listed as a customer of PNI, just took its photo site offline as well, adding the following message:

“As a result of recent reports suggesting that there may have been a security compromise of the third party vendor who hosts Costcophotocenter.com we are temporarily suspending access to the site. This decision does not affect any other Costco website or our in-store operations, including in-store photo centers.”

[Image: costcophoto]

Tesco’s photo site — tescophoto.com — currently says it is “down for maintenance.” Rite Aid’s photo site also carries a notice saying it was notified by PNI Digital Media of a possible breach:

“We recently were advised by PNI Digital Media, the third party that manages and hosts mywayphotos.riteaid.com, that it is investigating a possible compromise of certain online and mobile photo account customer data. The data that may have been affected is name, address, phone number, email address, photo account password and credit card information. Unlike for other PNI customers, PNI does not process credit card information on Rite Aid’s behalf and PNI has limited access to this information. At this time, we have no reports from our customers of their credit card or other information being affected by this issue. While we investigate this issue, as a precaution we have temporarily shut down access to online and mobile photo services.

“No other online or mobile transactions are affected. This issue is limited to online and mobile photo transactions involving PNI. RiteAid.com, Rite Aid Online Store, My Pharmacy, wellness+ with Plenti, and in-store systems are not affected.”

[Image: riteaidphoto]


46 comments

  1. With so many concurrent breaches going on at the moment, I’m wondering how the analysis algorithms are coping in finding single commonalities between credit cards that have been used fraudulently.

    Surely there must come a point where the algorithms are (metaphorically) going to throw up their hands and say “…it’s no use mate, every US retailer is pwned” 😉

    • They use common point of purchase analysis, which is pretty good at figuring it out. Basically you just take a batch of cards with fraudulent transactions and look at the common places they all shopped. When it’s a national retailer, it’s pretty easy, you just take cards from different geographic areas to eliminate other commonalities. You generally only need about 30 cards to have a pretty good idea who the retailer was.

    • I guess it depends on how often you use your credit card. If you only use the thing once every two weeks, then it could be pretty easy to work out who might have been breached. But if you use your card 5 times a day, then it gets a lot harder.

      Personally, I pay cash wherever possible. Which doesn’t work for online, of course, but every time you use your card, you are potentially exposing your card number to the crooks.

      • Right, but wrong emphasis. As a past retailer, every time you use a card, on line/offline, it don’t matter, it can be stolen. They all get the number and use approval from a retailer, a bank, a credit card agency, and ad infinitum, any one of which can be in the process of being pwned, as you are using it.
        The security backdoors must not only be open, at every place, so you can use the card. The approvals should all carry a date and timestamp of some kind, could that be a trackback mechanism?

    • everyone is owned. act accordingly.
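The common point of purchase analysis described in the reply above, worked through on constructed data as an added example (this is not code from the post or from any issuer's fraud system). Card ids, regions and merchant names are made up. Beyond the reply's description, it also computes each merchant's share of fraud cards among all its cards, to separate a merchant everyone uses from one that only the compromised cards have in common, and it drops merchants whose fraud cards all come from a single region, which is the "different geographic areas" step.

```python
"""Common point of purchase (CPP) analysis over constructed sample data.

Added example, not from the original post or any issuer's real system.
Card ids, regions and merchant names below are made up for illustration.
"""
from collections import defaultdict

# Constructed transactions: (card_id, cardholder_region, merchant).
TRANSACTIONS = [
    ("c01", "east", "PhotoSite"), ("c01", "east", "BigGrocer"), ("c01", "east", "LocalCafe"),
    ("c02", "east", "PhotoSite"), ("c02", "east", "BigGrocer"), ("c02", "east", "LocalCafe"),
    ("c03", "west", "PhotoSite"), ("c03", "west", "BigGrocer"),
    ("c04", "south", "PhotoSite"), ("c04", "south", "BigGrocer"),
    ("c05", "north", "PhotoSite"), ("c05", "north", "BigGrocer"),
    ("c06", "east", "BigGrocer"), ("c06", "east", "LocalCafe"),
    ("c07", "west", "BigGrocer"),
    ("c08", "south", "BigGrocer"),
]

# Constructed: the batch of cards later seen in fraudulent transactions.
FRAUD_CARDS = {"c01", "c02", "c03", "c04", "c05"}


def common_point_of_purchase(transactions, fraud_cards, min_regions=2):
    """Rank merchants by how completely they explain the fraud batch.

    For each merchant: coverage = share of the fraud batch that shopped there;
    fraud_share = fraud cards / all cards seen there (a merchant everyone uses
    scores high on coverage but low on fraud_share).  Merchants whose fraud
    cards all come from one region are dropped: requiring geographic spread
    removes purely local commonalities.
    """
    cards_at = defaultdict(set)
    fraud_regions_at = defaultdict(set)
    for card, region, merchant in transactions:
        cards_at[merchant].add(card)
        if card in fraud_cards:
            fraud_regions_at[merchant].add(region)

    ranked = []
    for merchant, cards in cards_at.items():
        fraud_here = cards & fraud_cards
        if not fraud_here or len(fraud_regions_at[merchant]) < min_regions:
            continue
        ranked.append({
            "merchant": merchant,
            "fraud_cards": len(fraud_here),
            "coverage": len(fraud_here) / len(fraud_cards),
            "fraud_share": len(fraud_here) / len(cards),
            "regions": len(fraud_regions_at[merchant]),
        })
    ranked.sort(key=lambda r: (r["coverage"], r["fraud_share"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(row)
```

On this data both PhotoSite and BigGrocer were visited by every fraud card, but only PhotoSite has a fraud share of 1.0, so it ranks first; LocalCafe is discarded because its two fraud cards came from the same region. In practice the transaction window matters as well: only purchases made before the fraud started should be counted.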

  2. Abubakar Tokarawa

    Well, I think it’s quite difficult and time-consuming to cope with those Cyber Criminals.

  3. Up until a few weeks ago the local CVS (southeast US) was still on Win XP. I’ve been told that’s been replaced, but haven’t verified it myself.

    I don’t know if that was part of the cause of the breach, but it didn’t make me feel like they took security seriously at all.

    • If the POS systems were running one of the embedded versions of XP, I can’t remember the proper names for them, it is still supported for several more years. It was only the client / server versions that have gone out of support recently.

      • still updated != secure. Sure, updates make it better, but so does a total upgrade, as well.

  4. Those three retailer networks are also run by TELUS Communications Inc.

    • The Globe and Mail has an incorrect Wal-Mart domain; it should be walmartphotocentre.ca

  5. itsmeitsmeitsddp

    Costco will be next on the list then if all clients were affected.

  6. itsmeitsmeitsddp

    I just checked and the Wikipedia page is restored to include key partners and a ref to this KOS article.

  7. Third parties are a big deal with security breaches as we keep hearing it over and over with how they are used as a lever to get to the big payload and hopefully that won’t be the case here. Here’s another service that CVS uses to “score” you with medication adherence that’s packed full of credit card data and worse yet, if you pay cash you are labeled an “outlier”. With all the medication scoring out there and being sold, your secret score you can’t have yourself can be sold too.

    http://ducknetweb.blogspot.com/2015/07/patients-who-pay-cash-when-filling.html

    • Wow.. that’s just plain evil.. rating people poorly so they’ll be interrogated, just to dissuade them from using a method of payment that reduces the ability for them to be tracked/profiled independent of their medical information.

    • @Brian Krebs: Sorry for the off-topic post.

      @Medical Quack: Cannot figure out how to leave a comment on your blog, so I guess I’ll have to leave it here, or not at all.

      I think you completely misunderstand what the CMS “star ratings” signify. They have NOTHING to do with individual patients. Rather, they rate medical providers (doctors, hospitals and pharmacies) on several metrics related to quality medical care and patient outcomes. NOTHING there about cash vs. credit, or anything even remotely related. Furthermore, I have read the article in ComputerTalk to which you linked, and I cannot find ANYTHING in it to support your assertions. I even searched the article for the keywords “cash” and “credit”. Neither word appears in the article. (Closest match is “cashier”, but the context in which it appears doesn’t fit with your theory.)

  8. Hmm! I wonder if their partner vendor followed PCI regulation which states that they must protect as well as encrypt all card data in their database, or are we talking zero day?

  9. “…independent vendor who manages and hosts CVSPhoto.com may have been compromised…”

    No one is responsible for anything. CVS is NOT in control of their photo website. This isn’t about CVS, it’s about their vendor. It’s about someone they put in charge of doing things CVS needs to do. Yes, yes, yes….I know, CVS is a drug store not an IT company. It’s THEIR website (or is it?). Who cares what OS they use on their registers or POS systems?

    See it for what it is!

    • Well what is it?

      Yes it’s a 3rd party, but how many people will use their same account name & password at CVS.com and CVSPhoto.com?

      The OS on the registers and POS systems is of major concern when it comes to OS’s that aren’t patched anymore and Microsoft won’t ever be closing known security holes on them.

        • If you or anyone else wants to use CVS for your photos, be my guest. There is no justifiable reason to (outside of laziness), but whatever. Rather than worrying about the passwords being used, it would be better to NOT use this system for this kind of work in the first place. When the system isn’t used, it doesn’t matter what the OS is….at all.

        • So after insulting all the people that don’t do as you do, you fail to leave any actionable suggestions for them?

          That’s rather unfair and lame.

          • “…you fail to leave any actionable suggestions for them?”

            “…it would be better to NOT use this system…”

            “…As for me, I’ll stick with my personal electronic cameras that I can plug into my computer. I see no reason to ‘pay’ money or spend my time dealing with other people’s left-handed methods when I can keep my stuff under my control.

            There are too many ways a person can have and keep photographs. Life has changed and this isn’t the 60’s or 70’s anymore. There is no real purpose in any of this stuff (unless you just don’t care that what is yours is actually theirs).”

            ——————————

            This is VERY actionable. This is available to everyone. You think I’m the one bringing on the insults? It is interesting that no one seems to see all these data breaches, vulnerabilities, and insecurity issues revolving around personal data across websites to be insulting. People are ‘PAYING’ money for much of this and are being taken for a ride. The insults are not from me…..the insults are from them.

  10. Looks like costcophotocentre.ca has been shut down now as well. Costco never had pay online, so no risk of credit card breach, but customers certainly have an expectation of privacy for their personal photos. I wonder if PNI was considered tier one for PCI compliance. It’s always struck me as strange that a large company can blindly accept a PCI audit for a third-party without any further due diligence, especially if it’s a lower tier. Well, I guess Blacks/Telus had the foresight to shut down before this blew up.

  11. i think it’s time, –most likely past time,– for us to recognize the mag-stripe card business is,– pwned.

    “all your cards are belong to us”

  12. And, so the use of rfd, is more secure? No! The most secure is cash in hand, but, even Wells Fargo gets robbed. There are crooks, now, that can unload your bank card at 500 ft, doing 50 kph thru the banking district, now. These new encrypted cards will do the same approval of sale as the magstripe does, and credit agency will be set up to handle the new cards? None, the same process, will stay in place. The same OS languages, at the pos will be in place, etc…no other improvement will take place. So what will make one of these cards more secure? They are just going for the low hanging fruit first.

  13. CitiCards offers “virtual numbers” for all online and phone transactions. The numbers act similar to an email alias, look just like your regular card number, but are not the same and are good for one transaction only. If someone tries to use the number again…voila…CitiCard has a link to the violator. It’s not a big deal to get the numbers from your account and worth the extra level of security.

    • One Use Only cards impose a major PITA for consumers. Having to enter a different number each time for an on line purchase is time consuming and error prone, both are penalties for consumer and the merchant. As for cards with chips – where is the slot on my computer or phone to use them? They only work in one avenue (physical presence) of commerce.

      There is a better solution.

      Jonathan @nc3mobi

      • I think you are promoting smth different JJ, don’t know what it is, but as mentioned in my preceding replies to others, AP is super safe as it anonymizes the CC number and provides the single use pin to authorize. As more merchants add AP functionality into their apps (and sites) in addition to physical POS devices (by October, almost all should be POS capable), card number pilferage will largely become a thing of the past for AP users.

  14. USA Ohio calling

    Why are the different sites giving different messages to their customers about this data hack, surely they should also be reacting the same?

    • Former OH'an answering

      Guessing the domain name owners have some level of input into their owned sites.

    • Not all site admins, IT admins, or companies in general will interpret the data the same way. Many people simply refuse to see the truth that’s right in front of them. Then there is the politics of the business. There are those that just won’t admit to things and try to hide the truth.

      • Security is all based on ROI. Is it worth the extra cost to implement stricter security policies? Do you tighten down to the point where a customer will be turned off by having to jump through too many hoops? Would the average consumer want to buy their photos online using 2FA or simply clicking Submit?

        These are all large scale retailers also. BBK mentioned the CVS Photo kiosk was on XP just a few weeks ago. Another ROI decision, I’d bet. Why not go to one of the POS Ready Embedded OS’s? I would imagine the cost of upgrading thousands of kiosks is expensive (time, licensing, development of migration path to retain data, etc) and is a factor in the ROI calculations for any large company. They simply have passed the buck on to a 3rd party to “fall on the sword” if/when a breach happens.

        Well it appears one happened and all the major retailers that provide photo services have their patsy to avoid the cost of bad media coverage. Again, that’s probably in their ROI calculation also….

        • lol…..

          the politics of the business…..

          I see no reason to involve myself with any of this nonsense. You certainly put a fine tip on the ‘corporate thinking’ that creates soooo many of our problems. But, if that’s what the average joe shmoe thinks they have to do in order to have pictures, more power to them I guess.

          As for me, I’ll stick with my personal electronic cameras that I can plug into my computer. I see no reason to ‘pay’ money or spend my time dealing with other people’s left-handed methods when I can keep my stuff under my control.

          There are too many ways a person can have and keep photographs. Life has changed and this isn’t the 60’s or 70’s anymore. There is no real purpose in any of this stuff (unless you just don’t care that what is yours is actually theirs).

          Even if I wanted a more professional set of photos taken, I still would not be dealing with CVS or Sams or Walgreens.

          As for the use of XP…..I see absolutely no indication anywhere that a very secure operating system even exists; XP or anything else. I also don’t even as much see any connection between the real issues at hand regarding this ‘vendor’ and whatever OS happens to be on any particular computer at all.

          So unless you can bring to light some new information specific to this ‘vendor’, I hold to my position.

  15. Thanks for sharing. Question.. Do you know about Binfer? It is a secure way to share digital media.

  16. Across the pond Tesco site MSG suggests it may not all be compromised and just PNI IT admin closing data flow at dc to lock down while they search logs?

  17. Sams Club = photo.samsclub.com: “At this time, … do[es] not believe customer credit card data has been put at risk”.

  18. Donald J Trump, Billionaire I own a mansion and a yacht.

    I find it rather odd that a big fortune 500 company like CVS would host cvsphoto (dot) com in Canada (Telus) and use ATT as the domain name server provider. Check it out!

  19. I certainly got a kick out of the first commenter’s post. However, maybe that is the mentality we need? Maybe we need to plan and prepare for the worst case scenario and expect our data to be breached at some point? Is this what it has come down to? It’s like that line from Enemy at the Gate, “Only what you keep in your head is safe.”

  20. Race fans, you can cover most of your exposure by:

    1) Call your CC providers and report your card lost every 6 mo or so. I travel every week and have been doing that for 10 yrs or so. If you are a good customer (apparently I am) and insist they overnight your new card, the inconvenience is minimal.

    2) Pay cash for small items. I never charge under $20 unless there is a reason. Less use is less exposure, esp at mom & pop merchants.

    3) Don’t use your debit card for retail. Do I really have to say that? Also, instead of withdrawing $50 at an ATM, get in the habit of walking into your bank and withdrawing, say, $500 and make your sock drawer your private little bank. Of course your cashflow, bank loc’n might not make that always possible.

    4) Put a credit block on your name at the 3 big CC clearing houses. Sure they make it a pain and you have to periodically re-do, but that pain is much less than unraveling the mess of someone using your credit (happened to me 20 yrs ago).

  21. I think the issue is not whether the credit cards are encrypted or not, it’s really how quickly can you deduce the necessary keys to be able to decrypt the data. Think about this for a second: The list of IINs are in the public domain, and the last 4 digits of a card–which contains the all important Luhn check digit–is generally stored in cleartext. All that’s left to be deduced is the middle 6 digits of a credit card; that’s only 1 million possible combinations.

    I have seen a brute-force attack to decipher the encryption key against a system that used a fairly large encryption key be completed in a matter of minutes when only the last 4 was available. When a list of IINs was thrown in the time it took to break it shrank significantly.

    I personally don’t think EMV will save us either, because statistics have shown that in places where EMV was mandated card-not-present fraud increased significantly. I believe that until the payment card industry devises a mechanism where no part of a credit card number is available in clear text (which would mean that IINs have to go away) we’ll continue to see credit card breaches happening.
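The search-space argument in the comment above, made concrete as an added example (not code from the post or from any payment processor). It counts how many fillings of the middle digits between a known IIN and a known last four actually pass the Luhn check, which is what an unsalted hash or a key guess can be tested against, and pairs that with the defensive design PCI DSS points to instead: a keyed hash (HMAC) of the PAN under a secret key, where holding the token plus the public IIN and last four is not enough to test candidates. The IIN, last four and the 4111... test number are constructed test values, not real cards.

```python
"""Candidate space left by a masked PAN, and the keyed-hash alternative.

Added example, not from the original post.  The PAN-like values used here
are constructed test strings (the well-known 4111 1111 1111 1111 test number
and an IIN/last-four built from it), not real card numbers.
"""
import hashlib
import hmac
import math

# Luhn doubling step with the "subtract 9" fold, as a lookup table.
DOUBLE = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_sum(digits: str, offset_from_right: int = 0) -> int:
    """Luhn-weighted sum of `digits`.

    `offset_from_right` is how many PAN positions lie to the right of this
    digit group, so a group taken from the middle of a PAN is weighted exactly
    as it would be inside the full number.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += DOUBLE[d] if (i + offset_from_right) % 2 == 1 else d
    return total


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: weighted digit sum is a multiple of 10."""
    return luhn_sum(pan) % 10 == 0


def luhn_valid_completions(iin: str, last4: str, middle_len: int = 6) -> int:
    """Count middle-digit fillings of iin + middle + last4 that pass Luhn.

    The IIN and last four contribute a fixed amount to the Luhn sum, so only
    the middle digits need to be re-summed per candidate.
    """
    fixed = luhn_sum(last4) + luhn_sum(iin, offset_from_right=len(last4) + middle_len)
    return sum(
        1 for m in range(10 ** middle_len)
        if (fixed + luhn_sum(f"{m:0{middle_len}d}", offset_from_right=len(last4))) % 10 == 0
    )


def entropy_bits(candidates: int) -> float:
    """Bits of uncertainty left when `candidates` values remain possible."""
    return math.log2(candidates)


def keyed_pan_token(pan: str, secret_key: bytes) -> str:
    """HMAC-SHA256 of the PAN under a secret key.

    Unlike a plain hash of the PAN, this token cannot be checked against
    candidate PANs by anyone who lacks the key, so the small candidate space
    measured above stops mattering as long as the key is kept out of the
    database that holds the tokens.
    """
    return hmac.new(secret_key, pan.encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    n = luhn_valid_completions("411111", "1111")  # constructed IIN / last four
    print(f"{n} Luhn-valid completions, about {entropy_bits(n):.1f} bits of uncertainty")
    print(keyed_pan_token("4111111111111111", b"constructed-demo-key"))
```

The fixed Luhn contribution of the visible digits is computed once, so the count over the middle digits is a tight loop; the keyed token is the part a storage design should actually rely on, with the HMAC key held in an HSM or key-management service rather than beside the data.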

  22. Brian Beesley

    I’d like to know the status of all the on-line stored photo albums. I’m sure many users leave albums up in case they wish to go back in and place further orders at some later date. All those millions of photos are sitting in a database somewhere and their rightful owners no longer have any access!

  23. CVS/Costco doesn’t believe that in-store purchases have been affected at this time. That makes me feel insecure; they are saying “at this time”. What? Are they saying that maybe next week they will announce that in-store transactions are affected? Are they afraid of losing business and therefore downplaying the entire issues at hand?

  24. From NBCNews. CVS shut down its online photo center after a security breach may have compromised customer credit card information, the company said Friday.

  25. Does Staples use PNI technology? I see some product on Staples.ca copy and print are now not available, e.g. photo mugs. Has there been a security breach at Staples using PNI technology like Costco?

