For the second time since Aug. 2013, online retailer NoMoreRack.com has hired a computer forensics team after being notified by Discover about a potential breach of customer card data, KrebsOnSecurity has learned.
Over the past several weeks, a number of banks have shared information with this reporter indicating that they are seeing fraud on cards that were all recently used by nomorerack.com customers. Turns out, nomorerack.com has heard this as well, and for the second time in the last seven months has called in outside investigators to check for signs of a digital break-in.
Vishal Agarwal, director of business development for the New York City-based online retailer, said the company was first approached by Discover Card back in August 2013, when the card association said it had isolated nomorerack.com as a likely point-of-compromise.
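Isolating a "likely point of compromise" is common point-of-purchase analysis: the issuer looks for a merchant that the defrauded cards share, in the weeks before fraud appeared, far more often than cards in general do. The following is an added illustration of that analysis, not Discover's method or code from the article; the transactions, card ids, merchant names and thresholds are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from the article). Each record is
# (card_id, merchant, transaction_date); card ids and merchant names are placeholders.
TRANSACTIONS = [
    ("card-01", "online-shop-A", date(2013, 12, 2)),
    ("card-01", "online-shop-B", date(2013, 12, 10)),
    ("card-01", "gas-station",   date(2014, 1, 6)),   # after fraud began: a fraudulent charge
    ("card-02", "online-shop-A", date(2013, 12, 5)),
    ("card-02", "gas-station",   date(2013, 12, 6)),
    ("card-03", "online-shop-A", date(2013, 12, 9)),
    ("card-03", "online-shop-B", date(2013, 12, 20)),
    ("card-04", "online-shop-B", date(2013, 9, 1)),   # too old to fall in the exposure window
    ("card-04", "online-shop-A", date(2013, 11, 28)),
    ("card-04", "grocery-store", date(2013, 12, 1)),
    ("card-05", "online-shop-B", date(2013, 12, 3)),
    ("card-05", "grocery-store", date(2013, 12, 4)),
    ("card-06", "online-shop-B", date(2013, 12, 8)),
    ("card-06", "gas-station",   date(2013, 12, 8)),
    ("card-07", "online-shop-A", date(2013, 12, 12)),
    ("card-07", "grocery-store", date(2013, 12, 15)),
    ("card-08", "grocery-store", date(2013, 12, 18)),
    ("card-08", "gas-station",   date(2013, 12, 19)),
]

# Constructed issuer fraud reports: card id -> date fraud was first seen on that card.
FRAUD_REPORTS = {
    "card-01": date(2014, 1, 5),
    "card-02": date(2014, 1, 8),
    "card-03": date(2014, 1, 12),
    "card-04": date(2014, 1, 3),
}


def common_point_of_purchase(transactions, fraud_reports, window_days=90):
    """Rank merchants by how many defrauded cards were used there in the
    window before fraud appeared, against all cards that shopped there."""
    window = timedelta(days=window_days)
    exposed = defaultdict(set)    # merchant -> defrauded cards used there inside the window
    all_cards = defaultdict(set)  # merchant -> every card legitimately used there
    for card, merchant, when in transactions:
        first_fraud = fraud_reports.get(card)
        if first_fraud is not None and when >= first_fraud:
            continue  # the fraudulent charges themselves say nothing about where the card leaked
        all_cards[merchant].add(card)
        if first_fraud is not None and when >= first_fraud - window:
            exposed[merchant].add(card)
    ranked = []
    for merchant, cards in all_cards.items():
        n_fraud = len(exposed[merchant])
        ranked.append({"merchant": merchant, "fraud_cards": n_fraud,
                       "total_cards": len(cards), "fraud_share": n_fraud / len(cards)})
    ranked.sort(key=lambda r: (r["fraud_cards"], r["fraud_share"]), reverse=True)
    return ranked


def likely_points_of_compromise(transactions, fraud_reports, min_fraud_cards=3, min_share=0.5):
    """Merchants that both a meaningful number and a high share of the defrauded
    cards have in common. The thresholds are constructed, not Discover's."""
    return [r["merchant"] for r in common_point_of_purchase(transactions, fraud_reports)
            if r["fraud_cards"] >= min_fraud_cards and r["fraud_share"] >= min_share]


if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, FRAUD_REPORTS):
        print(f"{row['merchant']:14} fraud cards {row['fraud_cards']}/{row['total_cards']} "
              f"share {row['fraud_share']:.2f}")
    print("likely point(s) of compromise:", likely_points_of_compromise(TRANSACTIONS, FRAUD_REPORTS))
```

A merchant that many cards use, like online-shop-B here, collects some defrauded cards by chance alone, which is why the share against all cards matters as much as the raw count.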
“They requested then that we go through a forensics audit, and we did that late October by engaging with Trustwave,” Agarwal said. “Trustwave came out with a report at end of October saying there was no clear cut evidence that our systems had been compromised. There were a few minor bugs reported, but not conclusive evidence of anything that caused a leakage in our systems.”
Then, just last month, NoMoreRack heard once again from Discover, which said that between Nov. 1, 2013 and Jan. 15, 2014, the company had determined there were more incidents of fraud tied to cards that were all used at the company’s online store.
“So, as of last week, we engaged with Trustwave again to undergo another audit,” Agarwal said. “We have been hearing the complaints from banks, but apart from that, and we’ve done our analysis and due diligence, and there is nothing seriously we can find that may have resulted in customer cards being compromised.”
NoMoreRack also has engaged with Trustwave to ensure that its systems are compliant with the Payment Card Industry (PCI) standards, a set of requirements designed to ensure that all companies that process, store or transmit credit card data maintain a secure environment.
For the purposes of PCI compliance, merchants fall into one of four tiers, corresponding to the volume of card transactions a merchant processes per year. For example, Tier 1 merchants are those which handle more than 6 million transactions a year; Tier 4 merchants, at the other end of the spectrum, are those which process fewer than 20,000 e-commerce transactions per year.
All merchants that handle credit card transactions are required to be PCI compliant, but most are able to self-certify that they are compliant. Only Tier 1 merchants are required to be audited by an independent “qualified security assessor,” or QSA. However, companies that self-certify and later experience a breach may be required by their bank to place themselves into the Tier 1 category and undergo a QSA assessment.
Agarwal said NoMoreRack is now in the process of certifying itself as a Tier 1 merchant this time, even though the number of credit and debit cards it processed in 2013 placed it squarely in the Tier 2 range.
“What we’ve also done is we’ve engaged with Trustwave to do a full PCI compliance audit,” Agarwal said. “Not only are we going through another forensics audit, but we will be going through PCI compliance Level 1, just to make sure our systems are secure and that we are doing everything we can to protect consumer data. We are hoping that Trustwave can point us in the right direction so we may plug any gaps that are there already.”
NoMoreRack has grown significantly since its founding in October 2010. In 2012, the company had online sales of more than $100 million; by the end of last year, sales had reached $340 million annually. It’s possible that this rapid growth has contributed to the retailer’s poor reputation for consumer complaints; the Better Business Bureau, at least, gives NoMoreRack a rating of “F” (its worst).
Can you say incompetent?
Whoever wants to trust their credit card with this business, please raise your hand.
Good grief! How many more of these are we going to be reading about? It’s like a tsunami of these just came out of nowhere.
It’s been going on the whole time… Krebs is just the only one making them public.
Very true. The breached companies would prefer that the news remain under the cyber-rug. Brian obviously has many contacts within the security industry.
People should contact their Congress-critter and demand that legislation be passed to require companies to take their security seriously.
This is different than the other ones. Target, URM and all those incidents were of bad people breaking into the security system. If you look into NoMoreRack you’ll see that they are doing the fraud themselves. They have an F with the Better Business Bureau. They charge people’s credit cards even if they are unable to ship the product (which is illegal). They send phony tracking numbers, broken products or cheap knockoffs (when genuine was advertised). The reason they have so many people file fraud is because NoMoreRack ITSELF is ripping people off.
I would say that there is something else going on here: if the independent auditor didn’t find where data was being pilfered, then they need a new auditor, not the same one. If the second audit/auditor returns the same results (i.e., “we have no idea”), then are we looking at some kind of APT that is not being detected?
I agree that they need a new auditor. Also, they should not be using the same forensic auditor as they are using for their PCI audit.
This seems that it would be a conflict of interest.
Indeed, my first thought was that they should hire a different firm to do the second audit instead of constantly going back to the same firm. If you keep talking to the same group of guys who keep running down the same checklist to detect problems…
This isn’t a knock against the company providing the audit by any means; it’s just a fact of life that everyone has their own way of doing things, and putting more eyeballs on a problem can yield results where the same (tired) eyeballs looking at the problem over and over won’t.
I had suspected nomorerack was compromised since my elderly mother had her card stolen recently. She does very little shopping with her card other than when she discovered nomorerack and did some Christmas shopping. My wife also had her card stolen around the same time (another nomorerack user) but she uses her card in other places that could have been compromised.
Both cards were used for several small transactions prior to larger transactions that were caught.
Sounds like it could be an inside job. I may have missed it, but do we know if any other cards besides Discover are affected?
Discover is just the card network that, erm... discovered the alleged breach. There is no reason to believe other card brands wouldn’t have seen the same.
FWIW, I’ll publish a story later this week about some other ColdFusion botnet victims, both of whom were initially notified by Discover.
The scope of vulnerable ColdFusion sites is insane. Add to that that Metasploit makes it point-and-clickable for any idiot to exploit them with invoker, and you’ve got a recipe for disaster. But companies only care about “Windows” patches, so it figures.
Hi Todd, you need to visit the No More Rack consumer complaints and hate page on Facebook. There you will find all the answers you are looking for.
Good article!
Just a quick comment. Level 1 merchants have required on-site QSA assessments since day one, but now MasterCard is requiring Level 2 merchants to validate with on-site QSAs as well.
//Source: I’m a QSA Assessor
This is a common misconception regarding the MasterCard mandate; the requirement for Level 2 merchants offers a choice:
1. Have an Internal Security Assessor (ISA) attest to their compliance
2. Have a QSA attest to their compliance
IMHO, if an organization is processing 1 million-plus Visa OR MasterCard (remember, it’s by card brand), they need to move beyond the check-the-box mentality that is fostered by the SAQ.
AR
Or 3. – the card companies take their toys away! I had a sloppy vendor that lost their online card rights, and is now required to take the number over the phone each time, and they can’t even store your number in their system at all!
It serves them right, because they let some cracker get my card data, once – and Discover wouldn’t admit they lost some Online Secure card numbers, but no one lost any money on those – the crooks got zero! >:)
Not long after I switched to Online Secure credit card numbers, they lost their credibility with the card services. I’d like to think I had a small hand in that! They do have a good product though, so I’m glad they survived. They also fired their outsource company and hired Americans to do US sales now. Huge improvement!!
A couple corrections Brian,
1) Since the “MasterCard Mandate” came out a couple years ago, Level 2 merchants are obliged to treat themselves as Level 1 merchants and submit a ROC (Report on Compliance) completed by either a QSA or an ISA;
2) The Security Standards Council is very careful to refer to an “assessment” rather than an “audit”. I’ll also point out that they are very careful to emphasize that ROCs are an assessment of the environment at a specific point in time. They also state that there has never been a breached entity that was compliant at the time of the breach.
And again, with Sally Beauty saying that they have been audited and found no sign of breach, I ask the question…
Should we start to suspect that there is a breach being executed downstream of the merchants – either at a processor or an acquiring bank?
I agree that nomorerack.com should hire different security auditors/QSA than the first time they were audited, but I’m really starting to get the feeling that there is a problem at a different level of the system than we’re used to looking for.
@Dj – If the PCI Council / bank said they needed to have a formal PCI Forensics Investigation (PFI) conducted, then yes – their QSA and PFI could not be from the same organization.
It sounds like they went from doing a Self Assessment Questionnaire (SAQ) to full PCI ROC for the sake of showing their customers ‘hey we’re compliant’.
Unfortunately, compliance does NOT equate to secure. I’ve done audit work for companies who are certified ISO 27001 compliant that had multiple security holes that required remediation.
And organizations like this still don’t get it. I found this quote particularly disturbing: “Not only are we going through another forensics audit, but we will be going through PCI compliance Level 1, just to make sure our systems are secure and that we are doing everything we can to protect consumer data.” Passing a PCI assessment demonstrates you’re doing the bare minimum to protect your customers’ data. It is a far cry from doing “everything” you can and should be doing to protect customer data. I fully expect this will not be the last time NoMoreRack is in the news if this is their attitude (sadly, that belief is still shared by far too many organizations).
In the old days business was cash and carry, and no sensitive information was left behind with a merchant. These days, when you buy something as simple as an impulse item, you are leaving behind information that can be both potentially costly and disruptive to your life. Merchants and credit card companies have to come up with a better system for these two entities to operate. Why risk a purchase if it’s going to cause headaches down the road? All merchants that accept credit cards should be PCI Tier 1. They get audits for taxes and need to have security audits when they accept credit cards. Saving a buck is giving the whole industry a black eye. The customer being indemnified is small comfort.
It’s about time. Seems like their window has expanded three or four times now.
They bring in an audit factory (Trustwave) who, they said themselves, was brought in over 3 times... so they will bring them in AGAIN??? Do we know the definition of insanity?
They hired the same auditor twice? They don’t need Trustwave, they need Mandiant!
I investigate fraud for Discover. Of the cases I work, nomorerack.com is just one of many popular retailers that fraudsters use the cards at; they are constantly changing. Consistently I’ve seen walmart.com, but last year it was all woot.com, PlayStation online entertainment, etc.
nomorerack.com always grants the chargebacks, but that company definitely needs to make some changes.
needs to make some changes.
needs to make some changes.
HA! I love your broken record post there, anonymous! Got to have some fun once in a while! 😀
The site “Nomorerack.com” looks to me like a super overpriced seller of foreign-made junk. From what I’ve seen on their main page, I wouldn’t buy from them. It looks like overstock and close-out items. Why anyone would use a credit card on this website is anyone’s guess. Then again, the perception of items being “cheap priced” is the new American way, and everyone is getting into the game to take business away from China-Mart (Wal-Mart).
I don’t get how the domain name fits into what they are selling. Furthermore, the site does not have a toll-free number or a site location address, a big tip-off not to buy anything from this website.
Derp
How many more of these will be needed for the banks and merchants to wake up and realize that a system reliant on a shared secret (the credit card number) is inherently insecure as compared to one using PKI?
Need your help/advice! My partner got a fraud alert from Chase today. Somebody made several large purchases online (including a $340 charge on Walmart.com) in the last 24 hours on her card – all fraudulent. Chase reissued the card and on a lark we decided to call Wal-Mart corporate (the phone number incidentally was listed with the fraudulent charge on her Chase account online).
Ended up getting a really nice CSR (surprised, actually), who not only told us everything about the charge, including that a new Walmart.com account was set up in my partner’s name, but also confirmed, without us informing her, our home address (same billing address as the Chase card). This address does not appear in any online databases as we moved this fall and all of our publicly available info – even voter information, etc. – is still listing our old address. We rent, so no property title/taxes/etc.
We’re kind of freaked out, to be honest.
To make matters worse, the order (in my partner’s name) was originally a “Ship to Store” order for a Wal-Mart not too far from us (maybe an hour away – we live in the Northeastern US). The CSR stated that her “account” (which the thief created on Walmart.com) contained a shipping address in San Jose, CA.
Obviously this was credit card fraud... but should we be worried about identity theft? The fact they had our very specific, complicated, not publicly accessible home address has our hair on end. We cannot think of a way they would have gotten this information.
“should be worried about identity theft?”
It does not sound like they have either of your SSNs or DOB, so probably not.
“they had our very specific, complicated, not publicly accessible home address”
Think outside the moving box. Who knows your address? Cellphone provider, utilities, auto insurance company, etc. Someone there may be dishonest or a CSR may have been a victim of social engineering. Good luck trying to determine that, however.
“Somebody made several large purchases online (including a $340 charge on Walmart.com)”
Typically the fraud pattern matches the types of charges. walmart.com indicates no device (card not present) (least risk involved for fraudsters). Rarely do I see identity theft cases that involve these.
“This address does not appear in any online databases”
>_> Sure it doesn’t; it’s listed somewhere, though, because Walmart has it.
“the order (in my partner’s name) was originally a “Ship to Store” order for a Wal-Mart not too far from us (maybe an hour away – we live in the Northeastern US).”
Sounds like your partner’s info is compromised, not yours, or they had the address leaked through something they did. That address in San Jose is probably a drop address and not the actual fraudster. Ship to store just allows them to come in with a fake ID, because that’s all they check at Walmart and Best Buy (ID, and not the original card), and if they don’t have a drop address they just use the store (the address listed online for San Jose is probably just for future orders if your card continues to work for them). The people that do this are trying to get product to resell; they don’t care about you. The people that actively seek out high-credit-line cards and make calls pretending to be someone else, those are the identity thieves. If your bank/issuer hasn’t gotten any of those calls, I would say there’s nothing to worry about.
Steps you can take if you’re worried about CC fraud: put vocal passwords on your accounts (verified on every inbound call), contact the big 3 CBs (Experian: 888.5397.3742, TransUnion: 800.680.7289, Equifax: 800.525.6285) and put on credit alerts/freezes, whatever they call it, and don’t be a dummy and put your info out there all willy-nilly.
needs to make some changes.
Perhaps the investigation should go to their CS in the Philippines?
lol, you’re a for-profit name dropper, Krebs. Everyone knows this story; we don’t need it repeated 30 million times. But you need those advertising $$$ because it’s the only way you can make $$$, because you’re not a hacker/coder/infosec pro, lol.
You should also actually try to learn some programming skills so people will stop thinking you’re just an attention-hungry script kiddie. When they see you’re not just a script kiddie (this day may never come), they’ll take you more seriously.
Until then, look, quick, it’s a CNN article on a hack – better go reword it and get it out ASAP and make it appear original!!!
Is this why you are on his site, as opposed to CNN... in addition to the fact that you left a comment?
Get over yourself ….
NoMoreRack?
More like NoMoreTrust!
But seriously though, let’s count the penalties: two data breaches within a six-month period, an ‘F’ rating by the Better Business Bureau and a security system that clearly ain’t the greatest... why would anyone shop there?
The prices are attractive, yes, but it’s really alarming thinking about the lack of safety for this website... think about the number of people shopping there?! The horror! Hopefully this article gets a high SEO rating so when people go search for the website they get a fair warning by coming across this article first 🙂
I see NoMoreRack has absolutely NO communication about the ongoing investigation. Not surprising.
I did some research on the owner of this company. At one point he had his name on 8,000 internet porn sites. He was investigated for automatic rebilling scams around the world.
It seems to me that the entire Nomorerack business model may in fact, be based on credit card theft.
Please notify the FBI if you have been victimized by this company.
They are also selling counterfeit goods. I bought a pair of counterfeit Kenneth Cole Sunglasses from them.
They also have some sort of insurance scheme set up where they send out empty boxes and then have you file a police report. (One customer had the good sense to look at the shipping label which showed that the postage was paid on an empty box.)
Many of their electronic goods are coming from China with no UL approval. In fact, battery chargers are destroying cell phones.
This company should have been shut down 3 years ago. It is a criminal enterprise.
I’m not trying to be mean, and believe me I’ve had my share of problems shopping on the internet, but I learned a long time ago that a quick Google search can save you a lot of grief.
The Better Business Bureau report on this company popped up on the first page of the Google search I read. In addition to that there was the Yelp review link showing a 1.5 out of 5 stars rating and several references to local investigations done by TV stations concerning customer complaints. All in all a woeful picture. I personally would find it incredibly difficult to conduct business with this company simply based on what I read.
...also, last year, NMR displayed the Google Trusted Sites logo on their web page. This is basically a guarantee by Google that the transaction will be free of certain issues... up to a $1000 refund. In January of this year (2014), Google revoked that Trusted Stores status. Would be interesting to hear the back-story on this, but I suspect the number of complaints was costing Google (and NMR) too much money. The GTS made it easy to complain. NMR doesn’t like to make it easy to get a refund, so I guess that losing the GTS status also worked for NMR’s scheme of denying returns and refunds until really pressed.
Every time you put your credit card online you take a risk that your data will be compromised, but at the same time online retailers should be doing everything they can to protect that data. You can’t run an online business and get hacked at a semi-regular rate!
My husband purchased me a simple $10 Silver ring from Nomorerack back in December 2013, using his M/C debit card. Two days ago, there was an almost $600 debit from his checking account from BestBuy.com.
I immediately suspected Nomorerack because this is the ONLY website he has ever ordered anything from, and he has only had that debit card for about 5 months. The only other places he uses it are at the ATM and a couple of times at Walmart (brick & mortar store, not online). It HAD to be Nomorerack.
Finding this article puts the nail in the coffin and proves it.