July 21, 2014

Heads up, bargain shoppers: Financial institutions across the country report that they are tracking what appears to be a series of credit card breaches involving Goodwill locations nationwide. For its part, Goodwill Industries International Inc. says it is working with the U.S. Secret Service on an investigation into these reports.

Headquartered in Rockville, Md., Goodwill Industries International, Inc. is a network of 165 independent agencies in the United States and Canada with a presence in 14 other countries. The organizations sell donated clothing and household items, and use the proceeds to fund job training programs, employment placement services and other community-based initiatives.

According to sources in the financial industry, multiple locations of Goodwill Industries stores have been identified as a likely point of compromise for an unknown number of credit and debit cards.

In a statement sent to KrebsOnSecurity, Goodwill Industries said it first learned about a possible incident last Friday, July 18. The organization said it has not yet confirmed a breach, but that it is working with federal authorities on an investigation into the matter.

“Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email.

“Investigators are currently reviewing available information,” the statement continued. “At this point, no breach has been confirmed but an investigation is underway. Goodwills across the country take the data of consumers seriously and their community well-being is our number one concern. Goodwill Industries International is working with industry contacts and the federal authorities on the investigation. We will remain appraised of the situation and will work proactively with any individual local Goodwill involved taking appropriate actions if a data compromise is uncovered.”

The U.S. Secret Service did not respond to requests for comment.

It remains unclear how many Goodwill locations may have been impacted, but sources say they have traced a pattern of fraud on cards that were all previously used at Goodwill stores across at least 21 states, including Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington and Wisconsin.

It is also not known at this time how long ago this apparent breach may have begun, but those same financial industry sources say the breach could extend back to the middle of 2013.

Financial industry sources said the affected cards all appear to have been used at Goodwill stores, but that the fraudulent charges on those cards occurred at non-Goodwill stores, such as big box retailers and supermarket chains. This is consistent with activity seen in the wake of other large data breaches involving compromised credit and debit cards, including the break-ins at Target, Neiman Marcus, Michaels, Sally Beauty, and P.F. Chang’s.


84 thoughts on “Banks: Card Breach at Goodwill Industries”

  1. Let it begin

    Let the discussion on how we need chip + pin commence now

    1. Get Educated

      You need to read up on EMV pal. It doesn’t address encryption of card data at all. Target (and most likely Goodwill although there are no details as yet) would still have been vulnerable.

      1. AndrewJ

        Whilst card data is still sent in the clear with EMV, the card details can only be easily cloned onto magstripe (not chip) of a cloned card or alternatively used in Card Not Present fraud. If stores don’t accept magstripe then it becomes a lot harder to launder the fraudulently obtained card details. As the US is one of the only countries still accepting Magstripe, that’s where the actual laundering of card details into cash/cash-like goods happens.

        The researchers at Cambridge University deal a lot with the UK & European experience of EMV and have a lot of good content on their blog – see https://www.lightbluetouchpaper.org.

        1. Nick Parlante

          Actually the EMV transaction does not include enough information to make a magstripe. The EMV transaction includes the CC number, but not CVV1 (for the magstripe) or CVV2 (for card-not-present transactions), so the EMV transaction data is pretty low value on its own.

          EMV has some problems, but it is a huge increase in security vs. the woeful situation with magstripe. Probably the easiest way to abuse an EMV card would be for the bad guy to put up a fake EMV reader with a “EMV broken, swipe card” message, and then just grab the swipe data that way. Of course as EMV becomes more prevalent, the issuer anti-fraud detection will become increasingly suspicious of swipe transactions off EMV cards, so that’s not going to work forever.

      2. Christoph

        Why should the data be encrypted, when it is rather useless to exploit in the first place?
        EMV data doesn’t have chip-CVC so you can’t produce magstripe clones.
        EMV data doesn’t have CVC2 so it can be used in very few CNP scenarios, if at all.
        EMV data can’t be replayed because of the dynamic transaction signature.

        Is EMV the final answer to all security issues? Hardly.
        Is it miles better than the crappy, cloneable magstripe? Heck, YES!

      3. JohnD

        No, Chip and PIN does not encrypt the card number, because that is not the security that is needed.

        There are three different concepts at work here: identity, authentication, and authorization. Your identity represents you and your bank account. Your authentication is proof that you are legitimately associated with your account. Your authorization is your short-term permission to take money from your account and give it to someone else.

        Your identity does not need to be kept secret. What does need to be protected is the proof that you are associated with an account, and your permission to transfer money.

        The PIN offers a way to prove the cardholder is associated with the account on the card. The chip takes the transaction data, (amount, account number, retailer, etc.) and the user’s PIN, and produces an encrypted message that represents your permission. Your bank will take that message, ensure the PIN is valid, then allow that message to transfer money – one time. They will disallow the transaction if the PIN doesn’t match, or if the message has been processed already.

        The “weaknesses” in Chip and PIN are that an attacker can use a dedicated computer to attack a specific transaction or a specific card. Successfully attacking one transaction or card does not reveal any global secrets that allow for attacking the other cards in the system. That means if Goodwill (or Target, or whoever) is somehow attacked, it might mean the attacker can divert funds from Goodwill to Evilbank, but it doesn’t put their customers at risk. It moves the risk appropriately.
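An added example, written for this page and not code from JohnD, the other commenters or any EMV specification, that models in Python the mechanism JohnD describes above and the point made in Nick Parlante’s and Christoph’s replies: the card key never leaves the chip, the cryptogram is bound to one transaction and one counter value, and the issuer checks the PIN and refuses replays and altered amounts, so the data a merchant-side scraper could capture is of little use. The PAN, key, merchant id and PIN are constructed values; real EMV uses ISO 9797 MACs with derived session keys and handles the PIN differently, which is simplified here.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def transaction_bytes(pan, amount_cents, merchant_id, un, atc):
    """The data the cryptogram is computed over (toy format, not EMV's)."""
    return f"{pan}|{amount_cents}|{merchant_id}|{un}|{atc}".encode()


@dataclass
class Chip:
    """The card. The key never leaves the chip; only the cryptogram does."""
    pan: str
    card_key: bytes
    atc: int = 0  # application transaction counter, increments per transaction

    def generate_cryptogram(self, amount_cents, merchant_id, unpredictable_number):
        self.atc += 1
        msg = transaction_bytes(self.pan, amount_cents, merchant_id,
                                unpredictable_number, self.atc)
        mac = hmac.new(self.card_key, msg, hashlib.sha256).hexdigest()[:16]
        # This dict is everything that crosses the terminal and the network,
        # i.e. all that a POS memory scraper could capture. No key, no CVV1.
        return {"pan": self.pan, "amount": amount_cents, "merchant": merchant_id,
                "un": unpredictable_number, "atc": self.atc, "cryptogram": mac}


@dataclass
class Issuer:
    """The bank. Holds card keys and PINs and remembers the last counter seen."""
    card_keys: dict
    pins: dict
    last_atc: dict = field(default_factory=dict)

    def authorize(self, req, pin_entered):
        pan = req["pan"]
        if pan not in self.card_keys:
            return "DECLINE: unknown card"
        # 1. authentication: the PIN proves the cardholder is behind the card
        if pin_entered != self.pins[pan]:
            return "DECLINE: PIN mismatch"
        # 2. integrity: recompute the MAC over the transaction data as received
        msg = transaction_bytes(pan, req["amount"], req["merchant"], req["un"], req["atc"])
        expected = hmac.new(self.card_keys[pan], msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "DECLINE: bad cryptogram"
        # 3. one-time use: the counter must move forward, so a copy is rejected
        if req["atc"] <= self.last_atc.get(pan, 0):
            return "DECLINE: replay"
        self.last_atc[pan] = req["atc"]
        return "APPROVE"


def run_scenarios():
    """Run the model through four scenarios; returns the issuer's verdicts."""
    key = b"constructed-per-card-key-not-a-real-one"  # constructed value
    chip = Chip(pan="4000001234567899", card_key=key)    # constructed PAN
    issuer = Issuer(card_keys={chip.pan: key}, pins={chip.pan: "4321"})

    # a genuine purchase at the register
    req = chip.generate_cryptogram(1999, "GOODWILL-0042", "a1b2c3d4")
    genuine = issuer.authorize(req, "4321")

    # the captured message is presented again, byte for byte
    replay = issuer.authorize(dict(req), "4321")

    # the captured message is altered to a higher amount
    altered = issuer.authorize(dict(req, amount=250000), "4321")

    # a fresh cryptogram, but the PIN is guessed
    req2 = chip.generate_cryptogram(550, "GOODWILL-0042", "ffee0011")
    wrong_pin = issuer.authorize(req2, "0000")

    # a magstripe clone needs CVV1, which the chip never emits at all
    clone_possible = "cvv1" in req or "card_key" in req

    return {"genuine": genuine, "replay": replay, "altered_amount": altered,
            "wrong_pin": wrong_pin, "captured_data_yields_clone": clone_possible}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:>27}: {verdict}")
```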

    2. JCitizen

      Cow chip-N-pen! How I get tired of hearing about that expensive tech, that has already been cracked, and there are better technologies out there, way cheaper!

      1. US EMV

        The “crack” you are referring to was done using a card that did not follow best practices for encoding. When the cards are issued and encoded correctly, they are nearly impossible to defraud. Unfortunately, when folks have term papers to write, sometimes they choose a dramatic story line as the subject matter and their posted results are not fair and balanced but one-sided. The impact is that those not in the industry tend to adopt it as a gospel viewpoint, which it isn’t.

        1. SeymourB

          If Target had been following best practices they wouldn’t have accepted unencrypted data from the card reader and passed along unencrypted data to their servers.

          Best practices are a wonderful goal to strive for but frankly hardly anyone actually uses them because they’re not forced to use them.

    3. Tony B

      One of the problems with EMV will be consumer behavior. I expect it will take some time for consumers to actually use the EMV Reader slot vs. swiping the mag stripe. The new installed readers contain both options. You can provide all the security features to the consumer, but if they don’t use them, the features are useless. Case in point: the most popular 4-digit PIN is: 1234.

      Also, I thought it interesting that Target is installing the new EMV Readers, but I’m not aware of their Red Cards being converted to EMV! So this reinforces the consumer behavior of swiping the card. I find it ironic…and possibly moronic.

      1. Chris

        Damn, guess I need to change my PIN. Does anyone know if 1111 is taken?

      2. Emily Booth

        I am a Target red (debit) card user. I used my card 2X during the breach period. I was not affected. Target notified me by mail that their red cards were not breached and I believe this was also announced publicly. Just to be on the safe side, I changed my password but I don’t think it was really necessary.

      3. Mike S

        I have a card with the chip. When I go to Walmart I have to use the chip slot in the bottom of the reader. If I try to swipe the mag strip I get an error. The cashier said “I have one of the new cards so the mag strip won’t work anymore”. When I go to other places like Lowes or Home Depot they have the chip slot in the bottom of the reader but they don’t work. I have to use the mag strip in those stores. I also noted the time to complete the transaction at Walmart using the chip is much longer than using a different card with only the mag strip.

    4. Tim McCracken

      Well that was an exercise in futility.

    5. Kristin

      No!! that is the scam that JP Morgan, et al. WANT you to do-

      Just pay CASH. Cash! As in money. This whole non-cash thing must end- before we are completely screwed. People are much too trusting and not asking “why”. It’s just like that phony healthcare dot gov deal, it was all about collecting data and nothing whatsoever to do with insuring the populace. Do you really, really think the govt “cares” about insuring everybody??

      1. Elaine

        I stopped using credit cards and started paying with cash and find I’m spending much less and getting only those things I need. How liberating!

        No more subsidizing banks and criminals.

        Now if I could figure out how to stop subsidizing our criminal federal government I would be wealthy beyond imagination.

      2. SeymourB

        Weird Al made a video for you, look it up: Foil.

      3. Wayne

        And here I thought cards were being peddled due to the huge interchange revenue potential (even with the throttling of debit card interchange fees). Those damn men in black!

    6. Dorothy

      It’s about PCI + EMV + all the dynamic data points in the payment cycle. VeriFone’s Point addresses this really well.

  2. Mark Allyn

    Ouch. I use these folks for the raw materials that I use for my jewelry that I make as a hobby. I have bought over 200 pounds of stainless flatware the last six months alone from Goodwill branches here in Portland, Oregon.

    So far there has been nothing in my credit card statement. Thankfully, I have not used the debit card there.

    However, this begs a potentially stupid question on my part (I am an engineer and an artisan; not a financial type).

    I understand that Goodwill consists of many separate (autonomous) business entities, one of which is for each geographical location.

    If these business units are autonomous, then how can one attack more than one at once? I am assuming that autonomous business units are, like, totally separate businesses (John’s Hardware is separate from Helen’s Bakery), so that an attack on one will not impact the other.

    Perhaps is this an indication that Goodwill’s definition is not accurate in that it is indeed one unified business unit with one infrastructure that is one single target?

    Hmm. Now I will have to do cash only there . . . . ..

    How frustrating 🙁

    Mark Allyn

    1. Adam Lininger

      Separate business entities may use and share the same data. While the separation of each store as a separate business entity helps in limitation of liability (think lawsuit), it doesn’t prevent them from using the same databases.

      In this case, each individual store probably pays a franchise fee to the parent Goodwill. Part of what they get for that fee is likely access to the same payment solution that is then maintained by the parent.

    2. Likes2LOL

      Between all the credit card breaches and consumer profiling/tracking going on, one could easily argue that using cash more is a GOOD thing…

      My grandfather taught me that carrying a couple hundred in your wallet was a smart thing to do — tow truck drivers often don’t take credit cards, and if you ever get robbed by a deranged drug addict, you don’t want to upset them further by having only a little bit of cash on hand.

    3. Adam

      Mark,
      Your original assumption about Goodwills regionally being separate businesses is correct. I am the Director of IT at Goodwill Industries of North Fl and I can tell you that we have not been compromised. Many Goodwills use a cash register system run by POS providers that are not PCI compliant. Here in North Fl we use a Point of Sale company that is PCI compliant and our networks are scanned regularly for PCI compliance. Because of this our customers’ data is protected.

  3. TheOreganoRouter.onion.it

    So this is another POS malware infection that compromises the merchant device and then scrapes the unencrypted data out of memory? Need more information?

    1. BrianKrebs Post author

      If I had that information, it would be in the story. Kinda early in the game to be able to know that, but it’s a good bet that yes malware was somehow involved.

  4. Jim

    Seems every retailer that has cards compromised plays the “We take security seriously” tape while admitting the compromises are months if not years old. Reads like a moot statement to me.

    1. Rick

      Yeah, but I’m guessing that at least Goodwill didn’t ignore the warning from their NIPS as Target did. (Not having one is a better excuse than having one and then ignoring it.)

  5. Bart

    Within the past year all the Goodwills (PA) in my area switched over to “new” POS systems that certainly look like old systems either previously used or NOS.

  6. von

    “Financial institutions across the country report that they are tracking what appears to be a series of credit card breaches involving Goodwill locations…” and “…sources say they have traced a pattern of fraud on cards that were all previously used at Goodwill stores…”

    Yet, “payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email.

    Based on krebsonsecurity.com’s record, Goodwill Industries has very likely been breached.

  7. petepall

    Brian, great scoop as always. This is particularly sad since those using cards at a Goodwill store are the least among us (almost by definition) who can least afford a breach and abuse of their credit card information.

    Isn’t it about time for one of your “tutorials” on the efficacy (or not) of the “chip and pin” technology which we so seriously need (or not) in this country! If you have already done one, I missed it.

  8. Jim Dunbar

    Agree that “chip and pin” is way overdue but data security at the merchant level still makes me worry.

    Can’t tell you how much I appreciate your posts.
    Thanks Brian

  9. Laurel Rowe

    What about the online auction site shopgoodwill.com. Has that been compromised too?

  10. czarina

    This article caught my attention. I have shopped at several Goodwill stores over the past year in Ohio, Michigan, and Indiana. Discover Fraud Unit called last week to verify 3 recent charges on our account, the last of which was only $48 and some change but to a business we didn’t recognize. Our account had already been blocked by the security folks pending our response to their inquiry, so luckily no harm was done. The reason they were suspicious about the charge was that it was coming from China. We received new credit cards with a new account number the next day via FedEx. We checked all pending charges, and this was the only one we did not recognize. It appears this was a small charge being tried as a trial balloon. I wonder if the card information came from a Goodwill. Goodwill has no way that I know of, unlike Target, to contact its customers and I wonder what they intend to do about helping people whose information was stolen, finding them, etc. After the Target breach, we paid for credit blocks on all of our reports, so even if somebody gets our information, they can’t open credit in our name and social security number. Nevertheless, this is an annoying thing to have happen. In the past 10 years, we have had our Discover information stolen at least 4 different times.

  11. Ed Manley

    As a disaster responder for the American Red Cross we often give displaced residents a debit card with some varying amount of cash value. Goodwill and other thrift stores are often recommended as ways for these victims to get more value for their dollars when replacing destroyed clothing. Should we undertake some kind of survey to be sure that the debit cards we give our clients aren’t being hit with fraudulent charges?

    1. Nicholas Weaver

      Perhaps, but I’d not worry too much based on usage:

      Someone who’s just had a disaster strike and is relying on that debit card for recovery is going to pretty much spend the whole thing at once ASAP, so there is no money left to steal by the time it gets through the fraud ecosystem.

      Also, the fraudsters know their BINs (Bank Identification Number): They can see that these are low value disposable pre-paid cards, so I’d imagine they are lower priority for the fraudsters: they know the possible balance is low/zero by the time they try to sell them at McDumpals.

      Although there may be some (now, in the future?) which target those BINs, call up, get balance, and then immediately spend any who’s balance remains. But that seems a lot of work for rather low reward.

  12. David T

    I have recently made purchases at Goodwill’s at several locations in Houston and Columbus Ohio. But I paid cash. Why did I pay cash?
    A year or so ago I would have used a credit card. But since then, I’ve been reading Brian Krebs, and he’s told me about breaches at Target, Sally Beauty, Michaels… Now I almost never use a credit card for anything under $60.
    Thanks, Brian!

  13. K.B.

    I wouldn’t stop shopping at the Goodwill, nor would I not use my credit card there. If you haven’t had fraudulent activities on your card yet, don’t worry. Just keep an eye out for such charges if they occur & contact local police as well as your credit card company or companies if you find such odd charges on it that you didn’t put there. No need to panic or quit using your cards.

    I’m pissed about the fact that our credit card info might have been stolen by some underground thieves, but I’m not going to worry about shopping anywhere. In fact, I’ll be shopping there at local Goodwills this week and or this weekend.

  14. IA Eng

    It’s a good bet that they too are running the antique style POS systems, and it’s only a matter of time before we know for sure. RONCO has to have a better way.

    I am sorry, but anyone that’s in business who hasn’t woken up to the fact that breaches are happening all around them, and sits on their behind and waits for it to happen without any initiative to correct it – if the MO is the same as many others – is just wrong.

    In the end, no matter what, these organizations AFTER a breach can say the party line, but what I think they really mean is: We’ve gone as far as we can on this antiquated system getting as much profit as we can. Looks like it’s time to update our security posture. We’ll offer you a year of worthless credit monitoring and hey, you’ll forget about it and be back in the store real soon.

  15. Mitch

    Brian, so with all of these Credit Card breaches, have the Credit Card companies noticed a change in consumer behavior? Or a drop in Credit Card use? For example, my wife and I have stopped using our debit card (always used the credit card option) for purchases where possible and instead only use Amex or cash. This is going to start hitting their bottom line in multiple ways and will force a change. It took years to get consumers to switch from cash and check writing to using credit cards… Will consumers switch back just as quick?

    1. FARO

      I actually got a US credit card company to issue me a chip and pin card. Problem with checks to merchants is checks bounce. As a merchant I would be reluctant to accept a check. These crooks have no shame, what harm is Goodwill.

      1. IA Eng

        It’s an avenue to your credit cards and pin / debit info. It’s probably the same crooks that stand up these awful “charitable” sites when a major disaster hits. Not only do they get your “donation”, they get your payment info, email and postal address. Talk about “paid and agony”.

    1. RAJ

      Joseph:

      I think so . . . See separate comment

  16. EricB

    I’ve used my cc at the Goodwill Computer Works in Plano; they still have the “old fashioned” cc reader that is connected to a phone line (not ethernet) and an older register (not ethernet connected). No breach, yet. As one commenter pointed out, perhaps it is isolated to certain combinations of cc machines, registers, and unprotected PCs.

    This brings up an interesting scenario: if workers who process donated PCs power up a PC with a malicious infection, hopefully they do this with the Ethernet cable disconnected. In the scope of these small computer stores I wonder if they’re testing them on an isolated network segment. In a coordinated effort of poisoning donated PCs across the country, all it takes is one worker not following procedure.

    1. Moike

      Re: donated infected PCs –

      It’s actually a difficult problem to cleanly reload most donated PCs because they don’t include the original CD or a recovery partition. Their only choice is to apply some sort of AV – with only limited success in removal.

      1. jon doh!

        From what I’ve seen of the local Computer Works location, they contract with Microsoft to get refurb licenses for just about everything they sell. Machines donated are wiped without being first booted, imaged, and then tested.

  17. RAJ

    I got nicked on this back in late January.

    VISA ate $4700+ on two charges;
    $2560 at “Mucho Gusto Peruvian Cuisine”, (a fast food restaurant) in Fontana, California one day
    $2174 at “The Sock Drawer” (a “Sock” store? Really?) in a small Brooklyn mall the next day.

    The only transaction for that month was an online auction purchase from Goodwill in Seattle.
    The Goodwill security person said he knew nothing about it then but he would follow up on it.
    I didn’t go any further because VISA cancelled the charges and started a fraud investigation.

    1. Harry S

      @RAJ – if your online transaction was compromised then that would indicate a back-end server compromise as opposed to a POS problem.

      I see elsewhere that Goodwill became PCI-compliant back in 2006 FWIW.

      1. RAJ

        Yeah, as I said, I didn’t follow up on it so I don’t know how the CC# transmission is handled. I had assumed it was a compromised server like you had indicated. I don’t know if the problem was at the local Goodwill level or somewhere beyond that.

      2. RAJ

        @Harry S . . . It would be interesting to know there really is or was a problem with using a credit card for online Goodwill purchases. And if there was a problem, has it been fixed.

        Since they don’t readily accept other means of payment I haven’t purchased from them recently. I’m just not anxious to have a repeat of my January experiences.

    2. JLD

      Visa didn’t eat those charges, Mucho Gusto Peruvian Cuisine and The Sock Drawer ate those charges.

      1. Beth

        Actually, card present fraudulent charges are eaten by the card issuing Financial Institution, at least in the case of VISA cards. VISA requires the FI to report the fraudulent transaction, but we have no chargeback rights and take the loss.

        1. Robin

          True, true. Counterfeit/card present fraud result in losses to the issuer, not the merchant. All the merchant needs is to show a signature, any signature.

  18. mbi

    If you had told someone long ago about credit cards and how they worked, I’m sure they’d shortly ask how do you prevent fraud? We still don’t have an answer except pass the cost on to consumers and businesses. While this goes on and grows, the banks take their cut out of the middle in processing fees. This scheme is broken and the banks patching it is only putting off the inevitable.

    1. IA Eng

      While most credit card companies charge 3-4% per transaction, until they start losing money every day, they aren’t going to change their ways. They want the consumer to use the CC without much hassle, so through ease of use – not security – they can continue to make billions off the consumers.

      I don’t see a big change to the way the CCs operate. The only way would be to have the CCs be held accountable, or they were found guilty at a trial which rewarded the individuals suing the CC company billions, then change won’t occur.

      Look at the banks – some of their tested, tried, true and trusted methods are pretty old, but like an old dog and new tricks, it’s probably not going to happen.

  19. Adetayo Sodipo

    I also shopped at one of the Goodwill stores in Lake St. Louis, MO about a week ago, and going through my bank transactions online on Monday July 21, 2014 I noticed several charges running through my account in the Atlanta area. This is a shame... we need to wage a war on credit card and identification theft. These issues need to be tackled as a homeland security breach.

    1. jD

      How is this Homeland Security related? Next thing you know you got everyday robberies classified as a Homeland Security issue…

  20. Cinco

    I’m going to pop some boxes,
    Only got 20 NOP sleds in my socket,
    I – I – I’m fuzzin’, looking for a vuln,
    This is f**king awesome.

  21. brian colby

    I recently had a similar experience with Family Dollar Store. My Direct Express Social Security deposit for the month of July was wiped out in only a matter of hours after the deposit. Although I live in Delaware the charges made at Family Dollar were all located in Texas.
    Your readers should be aware that in the case of Debit cards, perpetrators do not need a pin number if the merchant allows the transactions to be processed as a credit card purchase.
    BEWARE…your pin number don’t mean SQUAT!
    Fortunately the Attorney General here in Delaware is pursuing an investigation into the credit procedures at Family Dollar.

  22. Dmitriy

    Hi Brian,

    Looks like Aaron Smith from CNN Money has misread the publication date of your article as July 14:

    KrebsonSecurity reported on July 14 that financial institutions were “tracking what appears to be a series of credit card breaches involving Goodwill locations nationwide.”

    I’ve made the same mistake before. Would you consider changing the format of the date in the title of the articles to avoid future confusion?

    Respectfully,
    Dmitriy

  23. Lindsay

    Hi Brian,

    Nothing has been confirmed yet, but I keep checking your website for updates. 🙂 Is this a bad sign or are they really struggling to find something? What are your thoughts?

    1. BrianKrebs Post author

      It can take some time for these companies to figure out whether they’re compromised, and if so to understand the extent of the compromise and whether it is under control. Until they figure all that out, they’re unlikely to say much more.

  24. JimH

    In the mailbox this morning for my ‘breach’ notifications, I’m already seeing multiple locations stating publicly “we’re good to go” (paraphrased).. will be interesting to note if any of the compromise actually DOES include those locations, and they just don’t know it yet.

    Again, as has been suggested MULTIPLE times before, we the USERS / holders of the CC have to take the responsibility to check for unauthorized events. Then again, let me say it this way (abusing a tv commercial).. it’s YOUR money.

  25. Nin75

    Years ago we interviewed the Goodwill CIO for a position. Their infrastructure was built on a LAMP stack. Wonder if the attack leveraged something on the Open Source side.
