August 15, 2014

The news wires today are buzzing with stories about another potentially major credit/debit card breach at yet another retail chain: This time, the apparent victim is AB Acquisition, which operates Albertsons stores under a number of brands, including ACME Markets, Jewel-Osco, Shaw’s and Star Markets. Today’s post includes no special insight into this particular retail breach, but rather seeks to offer answers to some common questions regarding why we keep hearing about them.

QWhy do we keep hearing about breaches involving bricks-and-mortar stores?

Credit and debit cards stolen from bricks-and-mortar stores (called “dumps”) usually sell for at least ten times the price of cards stolen from online merchants (referred to in the underground as “CVVs” or just “credit cards”). As a result, dumps are highly prized by today’s cyber crooks, and there are dozens of underground “card shops” online that will happily buy the cards from hackers and resell them on the open market. For a closer look at how these shops work (and how, for example, the people responsible for these retail break-ins very often also are actually running the card shops themselves) see Peek Inside a Carding Shop.

Okay, I’ll bite: Why are dumps so much more expensive and valuable to attackers?

A big part of the price difference has to do with the number of steps it takes for the people buying these stolen cards (a.k.a. “carders”) to “cash out” or gain value from the stolen cards. For example, which of these processes is likely to be more successful, hassle-free and lucrative for the bad guy?

1. Armed with a stack of dumps, a carder walks into a big box store and walks out with high-priced electronics or gift cards that he can easily turn into cash.

2. Armed with a list of CVVs, a carder searches online for stores that will ship to an address that is different from the one on the card. Assuming the transaction is approved, he has the goods shipped to a guy he knows at another address who will take a cut of the action. That is, *if* the fraudulently purchased goods don’t get stopped or intercepted along the way by the merchant or shipping company when someone complains about a fraudulent transaction.

If you guessed #1, you’re already thinking like a carder!

Snap! But it seems like these breaches are becoming more common. Is that true?

It’s always hard to say whether something is becoming more common, or if we’re just becoming more aware of the thing in question. I think it’s safe to say that more people are looking for patterns that reveal these retail breaches (including yours truly, but somehow this one caught me– and just about everyone I’ve asked — unawares).

Certainly, banks — which shoulder much of the immediate cost from such breaches — are out for blood and seem more willing than ever to dig deep into their own fraud data for patterns that would reveal which merchants got hacked. Visa and MasterCard each have systems in place for the banks to recover at least a portion of the costs associated with retail credit and debit card fraud (such as the cost of re-issuing compromised cards), but the banks still need to be able to tie specific compromised cards to specific merchant breaches.

Assuming we are seeing an increased incidence of this type of fraud, why might that be the case?

One possible answer is that fraudsters realize that the clock is ticking and that U.S. retailers may not always be such a lucrative target. Much of the retail community is working to meet an October 2015 deadline put in place by MasterCard and Visa to move to chip-and-PIN enabled card terminals at their checkout lanes. Somewhat embarrassingly, the United States is the last of the G20 nations to adopt this technology, which embeds a small computer chip in each card that makes it much more expensive and difficult (but not impossible) for fraudsters to clone stolen cards.

That October 2015 deadline comes with a shift in liability for merchants who haven’t yet adopted chip-and-PIN (i.e., those merchants not in compliance could find themselves responsible for all of the fraudulent charges on purchases involving chip-enabled cards that were instead merely swiped through a regular mag-stripe card reader at checkout time).

When is enough enough already for the bad guys? 

I haven’t found anyone who seems to know the answer to this question, but I’ll take a stab: There appears to be a fundamental disconnect between the fraudsters incentivizing these breaches/selling these cards and the street thugs who end up buying these stolen cards.

Trouble is, in the wake of large card breaches at Target, Michaels, Sally Beauty, P.F. Chang’s, et. al., the underground market for these cards would appear to most observers to be almost completely saturated.

For example, in my own economic analysis of the 40 million cards stolen in the Target breach, I estimate that the crooks responsible for that breach managed to sell only about 2-4 percent of the cards they stole. But that number tells only part of the story. I also spoke with a number of banks and asked them: Of the cards that you were told by Visa and MasterCard were compromised in the Target breach, what percentage of those cards did you actually see fraud on? The answer: only between three and seven percent!

So, while the demand for all but a subset of cards issued by specific banks may be low (the crooks buying stolen cards tend to purchase cards issued by smaller banks that perhaps don’t have such great fraud detection and response capabilities), the hackers responsible for these breaches don’t seem to care much about the basic laws of supply and demand. That’s because even a two to four percent sales ratio is still a lot of money when you’re talking about a breach involving millions of cards that each sell for between $10 to $30.

Got more questions? Fire away in the comments section. I’ll do my best to tackle them when time permits.

Here is a link to AB Acquisition LLC’s statement on this latest breach.


117 thoughts on “Why So Many Card Breaches? A Q&A

  1. Eric

    A few days ago I got an email from BofA telling me that there had been a breach and they would be replacing my card. No word on which vendor had the breach – there weren’t that many, but I can’t narrow it down to one. The catch is that the card being replaced is an EMV card, and the costs of replacing those things is quite a bit more than the costs of replacing a non-EMV card.

    The upside is that I now have a suitable subject on which I can perform my own experiments. A good amount of data on an EMV card can be read from a properly constructed Windows application – that’s a starting point.

  2. Alex

    As a previous poster I’m not sure how to understand “I estimate that the crooks responsible for that breach managed to sell only about 2-4 percent of the cards they stole (…) what percentage of those cards did you actually see fraud on? The answer: only between three and seven percent!”.
    Does it mean that from the (surprising small) subset of actually sold card the fraud rate was above 100% ?! Or 3 to 7% of the card actually sold (at that would be a really low number IMHO) ?

    1. RSS

      The percentage is a reflection of the percent of fraud that the issuing bank has seen in the cards they have identified as having been exposed during the timeframe estimates they were provided. Those exposure estimates are seldom giving with great accuracy. Most compromise timeframes are not know exactly and often the estimates stretch over many months.

      Because of the window of exposure is a guesstimate the rate of fraud will vary. Many banks also reissue cards relatively quickly, which quells the rate of fraud.

      In a well executed breach we could see close to 100% which was the case with RakBank and Bank of Muscat in Oman in 2013 resulting in millions of dollars in fraud in just hours.

      The point has been made that millions of cards have been compromised. Some have been reissued and some have not. Carder sites provide fraudsters with tools to test their samples before they purchase. From that point its up to fraud detection solutions and consumers to spot behavior.

      Most banks can spot elevated fraud early, the difficulty is determining the common point of the breach, which becomes more difficult as larger retail chains are attacked as this is where most legitimate purchases are also made.

      The largest fallacy is criminals primarily purchase high ticket items. The top 3 most common locations for fraud are Grocery, Pharmacy’s and Home Improvement stores. All sell tens of thousands of Gift Cars. Electronic stores are in the top 10, but not the primary target.

      As large retailers close the door on Mag Stripe fraud will drift down to the weaker smaller merchants. The pain of fraud will most certainly be the death nell for many post October 2015 if they have not converted over to Chip.

  3. Yagii

    I think for sharing purposes, the best approach for everyone is to share use cases for detection. A small retailer/company might have some Security Operation Center or techie Administrators that can help the define the newly acquired use cases . Armed with the information (use case for detection) on what to detect, we can help mitigate immediately the problem. So, again, big companies should share their use cases on detecting such fraudulent actions.

    These are high tech crimes, thus, need high tech response.

  4. Chris

    So for years debit cards have been replacing cash for a few reasons, but mainly convenience and security. So you do not have to go to the bank as often and you don’t have to worry about being mugged for your cash. But what if the security issue flips and the public sentiment changes because it is now riskier to use debit than it is to use cash, plus by using cash you gain side of your privacy back. Does the pendulum swing back in the other direction and counterfeiting start to overtake card fraud?

  5. Brian Ogilvie

    Thanks for this analysis! Just a minor correction, though: the October 2015 deadline set by MasterCard and Visa is for chip cards, but that can include chip + signature cards as well as chip + PIN cards. My bank sent me a replacement card this spring with a chip, but no PIN. That made it useless when I was in the Netherlands and tried to buy a train ticket from a machine. I’ve heard that one reason US banks don’t want to use chip + PIN is that the PIN is programmed into the chip and can only be changed by an ATM equipped to do so, and since most Americans don’t travel abroad, the banks think that the convenience for people like me would be outweighed by complaints from people who don’t get the PIN they want and can’t change it. Retrofitting all of a bank’s ATMs would be an expensive proposition.

    1. Shawn A

      Banks have or are in the process of upgrading their ATMs to be EMV compatible. ATMs are “required” Visa has established the following timelines for ATM transactions, across all Visa and/or Plus branded products:

      •Effective April 17, 20151 – U.S. third-party ATM acquirer processors and sub-processors must be able to support EMV chip data
      •Effective October 1, 2017 – Liability will shift in the U.S.

      Most banks are also useing this opportunity to also shift off Windows XP.

      FYI, in the U.S. Mastercard is going primarily Chip & PIN; whereas, Visa is going primarily Chip & Sig.

    2. Peter

      Not completely useles.

      The EMV device detects whether a PIN or signature is required. I’ve been using EMV’s without PIN in Europe.

      Of course these vending machines don’t allow signatures as they have no means of input and verifying. That is similar to many US gas stations machines that leave Europeans puzzled on what to input as their zip-code as it insists on 5 digits, while the actual zipcode matching their card doesn’t have that format 🙂

      (BTW 5 zero’s often works for them.)

  6. Rod Flemming

    The interest of the banks to have full control of the customers by making them use cards, is way higher than their interest in security. I dont believe MC and Visa will change much in their business model. Use cash as much as you can and as long as you are able to! The idea of the banksters and their political lobbyists is to limit cash alltogether. Countries like Italy have been limiting it already down to 1000.-€/withdrawl ( not ATM but counter!) Dont believe in all these “safety” snakeoil talks, avoid these cards as much as possible. The gangsters will always be ahead. Chip&PIN wont make a difference.

  7. Craig

    Someone asked me if EBT (food stamps) cards are also vulnerable in these attacks. Does anyone know the answer to that?

    1. Alexandru Dan Balan

      Magnetic Stripe Cards – use additional verification (SMS Code/Authy) to approve a transaction. This will reduce fraud.

    2. JCitizen

      Yup! Cowchip-N-Pen is nothing but a big expensive fail. There are much cheaper technologies that would get us to the same goal, and at least if they failed too – we the consumer wouldn’t be left holding the big expensive FAIL bag!!

  8. shawn a

    Yes, EBT cards could also be captured; however, how does a carder in for esample Russia convert it to money. What is the cards value since it can only be used in certain states to perform in person fraud. You can’t purchase stuff with EBT online. Given what foodstuffs and household goods you can purchase; what could you resell to make money? There isn’t enough profit in the carder distribution chain at this time for them to be a target.

      1. Sophia

        This is not entirely true. I work for a online retail company where tons of purchases on these types of cards are approved; we see the fraud come and go. Usually purchasing a low dollar amount online gift cards, but oddly enough they reject any refunds. :/

        1. Merchant

          No US state EBT card allows for the purchase of gift cards. If the online retailer is accepting EBT cards for gift cards that’s on them. Unless you are talking about SNAP which is different.

  9. LJ

    Even though the crooks were in Rassia, 80% of the cashout happens here in US. Banks should work together with law enforcement to get these buyers in prison; We can easily get video footage from big relailers and track down these people who performed fraudulent transactions.

    Without these ‘buyer’, no matter how many cards hackers steal, it will be worthless or at least worth less to them.

    1. Eric

      A number of years ago a friend had his credit card stolen. He learned of a fraudulent charge not far from his office. He knew the dat and time. The cops wouldn’t do anything, so he went to the store. Security showed him the surveillance tape and he spotted the thief. He still couldn’t get the cops to go take a look.

      1. Paul Crowley

        I have had the identical experience, as have a number of other people that I have spoken with. In the US at least there is virtually zero prosecution of credit card fraud by any level of law enforcement, primarily because the credit card company isn’t interested in getting involved at all.

        What most people do not understand is that today all credit card fraud is charged back to the merchant – the banks and credit card processing companies do not accept any liability. Anyone in the US with even the most basic business insurance policy has coverage for credit card fraud. So all they lose is the deductible. Hence, nobody is all that interested in prosecution. So the police (correctly) see it as pointless to get involved.

        The “liability shift” that people think is going to happen with EMV cards in the US isn’t much of a shift from today. The merchant that accepts the card gets stuck with the bill if the card is fraudulent. In a small number of situations – very small – the issuing bank does have to accept liability, and these are generally limited to the card properly validating but the account not being active. Otherwise, the process is simple – the card is processed (correctly), identified as a fraudulent transaction and a chargeback is issued to the merchant who loses the money from the sale, the goods and a chargeback fee on top of it all.

        1. Van

          I had the same issue when someone stole my checkbook and wrote a bunch of bad checks. I went to the bank and filed reports on the checks they wrote to themselves and cashed at the bank. They had to use valid ID to cash them. I went to the police and their fraud expert told me that the bank had to file charges because they mostly just wrote off the losses, and would not bother to show up in court.

  10. JD Westmoreland

    Brian – relative to card dumps, have you seen any recent increase in card dumps being uploaded for sale in the underground…as it relates to the recent SUPERVALU and Albertson’s events? Thanks.

  11. Paul

    Considering the monetary and consumer confidence cost associated with these data breaches is huge why haven’t more companies and financial institutions switched to two-factor authentication? I understand the infrastructure cost and ongoing management is significant but I don’t think it compares to the cost of a data breach.

  12. Lou

    I concur with RSS. I have a couple of things to add to this. It has taken Europe 10 years + to fully implement EMV. I believe they are at 93-94% implementation now.

    The US market may face a similar time line. I also agree the mom and pop shops will face the risk exposure and liability because they did not have time/ money to convert to 2015 implementation date.

    What is not stated in this article is AFD’s don’t have a liability shift until late 2017 from my understanding, criminals will place focus on pumps for exploitation unless the AFD’s plan on having EMV in place by 2015 which probably won’t occur at that time.

    End result is by the time this is fully implemented I believe the miscreants will have their next vehicle in place for fraud because they always look for customer convenience loopholes to exploit!

    – Just my opinion.

  13. Jessica Dodson

    “One possible answer is that fraudsters realize that the clock is ticking and that U.S. retailers may not always be such a lucrative target.”

    I think that’s a fair theory. Most hackers are looking for the “easy win.” How can they do the most damage in the least amount of time for the least amount of work? Is security is getting upped across the board by Oct 15 why not hit as many retailers as you can now and get away with what you can?

  14. Craig

    An IT professor told me that chip-and-pin POS systems are only slightly harder to hack than the systems currently used in the U.S. Can someone please confirm or refute that opinion?

    1. Craig

      He also said that a better option would be end-to-end data encryption, but that retailers don’t want that system because it would eliminate their ability to collect customer data for marketing purposes. (Sending the pregnant woman ads for baby-related items, etc.)

  15. Sumeet M

    I cannot understand one simple thing. Why can’t every vendor enforce policies like showing ur ID card at the time of payment? I encountered something similar at a restaurant in Vegas this year. Is there a loop hole in it? Even if someone manages to forge the name on the card, the receipt will still have the original name. Please correct me if I am wrong.

    1. y

      When the stolen card credentials are counterfeited, the thieves can emboss or print any name they want on the face of the card…so it will match the ID they are carrying.

      1. Sumeet M

        Yes, I understand that. But as I have mentioned in my comment, would not the receipt generated after payment still contain the name of the original card holder? Correct me if I am wrong?

        So, the name on ID, Credit Card and the receipt should match, provided the receipt fetches the name of original card holder and not the one on counterfeit card.

        1. Keegan

          What about secondary cardholders, only the primary name shows up on the reciept. Also not every merchant is set up to print the name either

        2. Keegan

          Another thing i forgot to mention is the merchant isnt liable for the fraud loss so they have no reason to stop it. A fraudster is just another customer to them.

          1. Paul C

            Correct, the merchant isn’t really liable but this is because of insurance, not because the credit card bank or processor is taking the hit. In reality nobody is taking the hit. Which is why it is nearly a victimless crime in the US that isn’t prosecuted – unless the come across someone with 1000 credit card blanks in their car. You can get yourself in trouble if you try something on a large scale, but the small scale thief isn’t prosecuted. I know about this because I have tried to get people with stolen cards to get some sort of consequence.

        3. W Sanders

          None of my receipts (at least the ones I have not yet unloaded from my wallet right now) have my name. IIRC this information isn’t even returned to the vendor when the transaction is verified.

          This is a good thing.

    2. BT

      Most Carders only copy Track 2 data to a counterfeit card. Track 2 data does not have the name stored on the magnetic strip. In that instance no name would appear on the receipt. Advanced Carders will also change the Track 1 data, if that is what they purchased, before the re-encode their cards. The POS reads the Track 1 data (name) and will display the Fraudulent name on the receipt.

      You need at least Track 2 data to process a transaction.

  16. Lenny Gusel

    Hi Brian. Do I understand correctly that only 2-4% are likely to be sold, however you’re hearing that 3-7% are getting hit. If so, any insight into how the gap is being monetized by the data sellers?

  17. rick

    Brian, does anyone maintain a list of at least suspected companies with breaches?

    This is getting silly! Around 6/15 I had BOA call me and say one of the vendor’s databases was breached, I had to get a new card.

    I just about got all my auto billing fixed and blam! Same call last week. Right as I start vaca (with a restricted card).

    Has there been any attempt at introducing law to compel these companies be disclosed? It seems completely wrong companies can remain anonymous when they’ve compromised OUR data.

    I think banks will have to start issuing packs of cards to consumers. Use them till they get burned then go on to the next!

  18. W Sanders

    I’ve get a new email from CERT every week about Backoff. The latest one says more than 1000 entities, mostly small businesses, have been affected.

    So, how to report which entities have been compromised, when the list is so long?

  19. william roberts

    Where is the PCI consortium who have dragged there feet on Chip and pin or other newer technolgy that is newer than Mag stripe 1970’s technology. I guess credit card shareholders know what is best for american public. Does not seem to be working so welll, IS IT????

    1. JCitizen

      Phooey on Cow-chip-N-Pen! That is too big and expensive to fail! There are newer technologies that make more sense. If I were a shill I would repeat them ad-nausem, but I get tired of everyone screaming for an expensive tech that will cost the customer greatly, and still fail, and cause the liability to shift to the customer for no real good reason.

Comments are closed.