August 15, 2014

The news wires today are buzzing with stories about another potentially major credit/debit card breach at yet another retail chain: This time, the apparent victim is AB Acquisition, which operates Albertsons stores under a number of brands, including ACME Markets, Jewel-Osco, Shaw’s and Star Markets. Today’s post includes no special insight into this particular retail breach, but rather seeks to offer answers to some common questions regarding why we keep hearing about them.

Why do we keep hearing about breaches involving bricks-and-mortar stores?

Credit and debit cards stolen from bricks-and-mortar stores (called “dumps”) usually sell for at least ten times the price of cards stolen from online merchants (referred to in the underground as “CVVs” or just “credit cards”). As a result, dumps are highly prized by today’s cyber crooks, and there are dozens of underground “card shops” online that will happily buy the cards from hackers and resell them on the open market. For a closer look at how these shops work (and how, for example, the people responsible for these retail break-ins very often also are actually running the card shops themselves) see Peek Inside a Carding Shop.

Okay, I’ll bite: Why are dumps so much more expensive and valuable to attackers?

A big part of the price difference has to do with the number of steps it takes for the people buying these stolen cards (a.k.a. “carders”) to “cash out” or gain value from the stolen cards. For example, which of these processes is likely to be more successful, hassle-free and lucrative for the bad guy?

1. Armed with a stack of dumps, a carder walks into a big box store and walks out with high-priced electronics or gift cards that he can easily turn into cash.

2. Armed with a list of CVVs, a carder searches online for stores that will ship to an address that is different from the one on the card. Assuming the transaction is approved, he has the goods shipped to a guy he knows at another address who will take a cut of the action. That is, *if* the fraudulently purchased goods don’t get stopped or intercepted along the way by the merchant or shipping company when someone complains about a fraudulent transaction.

If you guessed #1, you’re already thinking like a carder!

Snap! But it seems like these breaches are becoming more common. Is that true?

It’s always hard to say whether something is becoming more common, or if we’re just becoming more aware of the thing in question. I think it’s safe to say that more people are looking for patterns that reveal these retail breaches (including yours truly, but somehow this one caught me — and just about everyone I’ve asked — unawares).

Certainly, banks — which shoulder much of the immediate cost from such breaches — are out for blood and seem more willing than ever to dig deep into their own fraud data for patterns that would reveal which merchants got hacked. Visa and MasterCard each have systems in place for the banks to recover at least a portion of the costs associated with retail credit and debit card fraud (such as the cost of re-issuing compromised cards), but the banks still need to be able to tie specific compromised cards to specific merchant breaches.

Assuming we are seeing an increased incidence of this type of fraud, why might that be the case?

One possible answer is that fraudsters realize that the clock is ticking and that U.S. retailers may not always be such a lucrative target. Much of the retail community is working to meet an October 2015 deadline put in place by MasterCard and Visa to move to chip-and-PIN enabled card terminals at their checkout lanes. Somewhat embarrassingly, the United States is the last of the G20 nations to adopt this technology, which embeds a small computer chip in each card that makes it much more expensive and difficult (but not impossible) for fraudsters to clone stolen cards.

That October 2015 deadline comes with a shift in liability for merchants who haven’t yet adopted chip-and-PIN (i.e., those merchants not in compliance could find themselves responsible for all of the fraudulent charges on purchases involving chip-enabled cards that were instead merely swiped through a regular mag-stripe card reader at checkout time).

When is enough enough already for the bad guys?

I haven’t found anyone who seems to know the answer to this question, but I’ll take a stab: There appears to be a fundamental disconnect between the fraudsters incentivizing these breaches/selling these cards and the street thugs who end up buying these stolen cards.

Trouble is, in the wake of large card breaches at Target, Michaels, Sally Beauty, P.F. Chang’s, et al., the underground market for these cards would appear to most observers to be almost completely saturated.

For example, in my own economic analysis of the 40 million cards stolen in the Target breach, I estimate that the crooks responsible for that breach managed to sell only about 2-4 percent of the cards they stole. But that number tells only part of the story. I also spoke with a number of banks and asked them: Of the cards that you were told by Visa and MasterCard were compromised in the Target breach, what percentage of those cards did you actually see fraud on? The answer: only between three and seven percent!

So, while the demand for all but a subset of cards issued by specific banks may be low (the crooks buying stolen cards tend to purchase cards issued by smaller banks that perhaps don’t have such great fraud detection and response capabilities), the hackers responsible for these breaches don’t seem to care much about the basic laws of supply and demand. That’s because even a two to four percent sales ratio is still a lot of money when you’re talking about a breach involving millions of cards that each sell for between $10 and $30.

Got more questions? Fire away in the comments section. I’ll do my best to tackle them when time permits.

Here is a link to AB Acquisition LLC’s statement on this latest breach.

117 thoughts on “Why So Many Card Breaches? A Q&A”

  1. Cal Paterson

    Why can’t carders use CVVs in stores? Is it that CVVs just contain card numbers but dumps contain enough to make a fake card?

      1. Dylan

        Well, CVV1 is in track2 MS data and CVV2 is on the back of the card for an online purchase.

          1. RSS

            CVC1 = Mag Track 1 and Track 2 security code used to authenticate when the card is swiped. It is a 3 digit MasterCard value embedded in the mag stripe.

            CVV1 = Mag Track 1 and Track 2 security code used to authenticate when the card is swiped. It is a 3 digit Visa value embedded in the mag stripe.

            CVC2 = Security code is a 3 digit MasterCard value on the back of the card.

            CVV2 = Security code is a 3 digit Visa value on the back of the card.

            If you purchase a card from a carder site and the card starts with a 4, it is a Visa card and will have a CVV value: CVV1 for mag and CVV2 for the back of the card.

            If you purchase a card and it begins with a 5, it is a MasterCard and will have a CVC value: CVC1 for mag and CVC2 for the back of the card.

            AMEX PANs start with a 3 and are a 4 digit value referenced as the CID (Card IDentification) number.

  2. Jeff Nathan

    This covers some of the economic comparisons between dumps and CVVs, but as a question as to “why so many card breaches”, it’s really one dimensional.

    Any thoughts on a follow up regarding the deeper, fundamental problems?

    1. BrianKrebs Post author

      Why do you say it’s one-dimensional? Are you asking for a deeper analysis of why retailers suck at security? Or why Visa and MC and the card associations have set things up for failure?

      1. Merchant

        “why retailers suck at security?”
        Hey… I don’t think that’s entirely fair!

        “Or why Visa and MC and the card associations have set things up for failure?”

        But that is 🙂

      2. Toby Pennycuff

        Brian, thanks for bringing us more of this news. Your earlier reply about the state of security in retailers is spot on (although it’s not limited to just retailers). The sad fact is that the initial attack vectors for access almost always rely on a poorly configured/maintained machine on the border of a corporate network that is compromised and then used to attack a connected database INSIDE THE PROTECTED NETWORK (DUH!!!). From there, an array of default admin credentials allow the bad guys to explore the network at will looking for sources of card or confidential data. Sadly, this story has not changed – even in the wake of highly visible exfiltrations. Until firms learn to fix these issues, and many, many others in their application code bases or network configurations AND pair these defenses with anomalous flow detection and response, the screen-bottomed boat will continue to sprout leaks.

        Thanks again for publishing these pieces of information.

    2. RSS

      I believe it may be more easily stated as:

      Criminals have vastly improved technology and capital to invest
      Merchants lack adequate resources and capital to improve security
      Card Networks do little to support good end-to-end security mgmt.

      Ten years ago, even five, criminals did not have access to the resources available today (cloud computing, big data, analytics, developers). They can harvest, move and manage very large amounts of information for a fraction of the costs previously with little to no change in other overhead costs.

      When Willie Sutton, an infamous bank robber, was asked why he robbed banks, his answer was quite simple: “Because that is where the money is.” Why are criminals focused on compromises? Same answer, and the other is because in many cases anyone with very low capital costs can play with very, very little risk of incarceration or penalty. We are now seeing a much broader audience of criminals such as the Mexican Cartels joining in this opportunity of quick cash where resources are abundantly available and no one is shooting at you.

      Compromises will continue at an accelerated pace into 2016 and beyond until the cost to acquire (risk and return) are no longer tolerable. That future is not something we will see for some time.

  3. Shawn Acker

    There are 3 types of CVVs, CVV1 is in the magstripe of the card, cvv2 is the one written on the card, cvv3 is computed as part of a chip and pin transaction. All are separate and distinct.

  4. Jim Mall

    As I understand it, fraud in Europe is on the rise. Chip cards don’t seem that secure.

    1. Bart

      For a recent trip to Russia and Scandinavia we got a new chip and sig card and were very glad to have it. Card readers in a few smaller shops in Oslo wouldn’t take our chip and sig card and many more would have refused our old chipless card.

      We did have a PIN assigned to our new card but were only prompted for it at unattended ticket kiosks. In all other stores and museums with cashiers we needed to sign.

      People over there in the larger cities seem to use chip and PIN cards for all purchases.

    2. Alexandru Dan Balan

      As I understand it, fraud in Europe is on the rise. Chip cards don’t seem that secure.

      Depends. My bank blocked all transactions in countries where ATMs read only the magnetic stripe. It’s simple. A chip card is not vulnerable in countries that migrate to this technology.

    3. Peter

      Fraud in Europe is on the rise, but the rate of rise has slowed down for countries introducing EMV.

      Also the rise is only for the total. Card-present fraud typically dropped massively when introducing EMV. Only part of it shifted to online fraud.

      The next step is forcing online merchants to use the CVC2 code on the back. (I personally never saw any merchant during the last 10 years that still accepts that, but popular folklore states there still are many of those.)

      A last step is encouraging 2FA for customers. Several European banks already do so. You get directed to a separate page from the creditcard company to input a password when doing a (large) online transaction.

  5. Cosmic

    Brian, You speak of the dumps being used in brick & mortar stores (i.e. card present transactions). What happens with the growing number of small retailers, using Square, PayPal and (now) Amazon low end readers ? Are those also card present transactions ?

    1. BrianKrebs Post author

      If it involves a transaction where someone swipes a card, it can involve counterfeit cards (dumps).

    2. SinCos

      Square shows up as a card present transaction. PayPal and Amazon I do not know.

  6. Esther M.

    rescator surely has not updated his site.. not sure who is selling all of this stuff, who has it!

  7. Chad G

    2 questions:
    1. Is there a single root cause (specific vulnerable PoS software, Insider staff planted, etc) that is common across multiple of these known retailer breaches?

    2. Have any of these retailers detected the breach using their own internal security processes/technology or have they all been detected by Visa/MC, Law Enforcement or 3rd party researchers with visibility into the sale of stolen cards?

    Thanks Brian…useful insight as always.

    1. BrianKrebs Post author

      I have no insight into this particular breach, but it sort of depends on the size of the breached merchant. Most of the small restaurants, liquor stores, pizza shops and car washes that are getting breached left and right are getting hacked because they have enabled remote access on the Windows computers that run the point-of-sale (cash register). This is done usually by the third-party company that gets paid to maintain the IT systems of the breached merchant, to help that IT vendor remotely troubleshoot systems.

      Unfortunately, it’s super common for these remote administration terminals to be protected by just a username and password, and not very good usernames and passwords at that. In fact, in many previous breaches like this, the vendor has simply used the same username and password at all customer locations, making it stupid easy for the crooks to steal payment card data from any of the IT company’s customers.

      1. Chad G

        Makes sense. Thanks for the additional context Brian.
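A defender-side illustration of the two warning signs Brian describes in his reply above, remote administration into the Windows machines that run the point-of-sale and one vendor credential reused across every customer, as an added Python example that is not part of the post or any comment. The logon records are constructed and modelled loosely on a Windows logon-event export (logon type 10 being RemoteInteractive, i.e. RDP); the merchant site names, account names and documentation-range IP addresses are all invented, and the internal address ranges are an assumed configuration value a real deployment would replace with its own.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample: six logon records from POS hosts at four fictional merchants that
# share one IT vendor. Columns loosely mirror a Windows 4624 event export. Logon type 10 is
# RemoteInteractive (RDP); "-" as the source means a console logon. IPs are documentation
# ranges, not real addresses.
SAMPLE_LOGONS = """timestamp,site,host,account,logon_type,source_ip
2014-08-14T02:13:05,pizza-shop-01,POS1,svcvendor,10,203.0.113.45
2014-08-14T02:15:41,liquor-store-07,POS1,svcvendor,10,203.0.113.45
2014-08-14T09:02:10,pizza-shop-01,POS1,cashier,2,-
2014-08-14T11:30:00,car-wash-03,POS2,svcvendor,10,198.51.100.9
2014-08-14T12:00:00,pizza-shop-01,POS1,svcvendor,10,192.168.1.20
2014-08-14T13:45:12,restaurant-12,POS1,svcvendor,10,203.0.113.45
"""

# Assumed internal address space; a real deployment lists its own ranges here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

REMOTE_INTERACTIVE = "10"


def load_logons(text):
    """Parse the CSV export into a list of dicts (all values kept as strings)."""
    return list(csv.DictReader(io.StringIO(text)))


def is_external(ip):
    """True when the source address lies outside the listed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:      # "-" or blank: console/local logon, nothing to flag
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def external_remote_logons(records):
    """Rule 1: RDP-style logons to a POS host arriving from outside the internal ranges."""
    return [r for r in records
            if r["logon_type"] == REMOTE_INTERACTIVE and is_external(r["source_ip"])]


def shared_accounts(records, min_sites=3):
    """Rule 2: one account used for remote logons at many different merchant sites,
    the trace a vendor reusing a single username/password everywhere would leave."""
    sites = defaultdict(set)
    for r in records:
        if r["logon_type"] == REMOTE_INTERACTIVE:
            sites[r["account"]].add(r["site"])
    return {acct: sorted(s) for acct, s in sites.items() if len(s) >= min_sites}


def source_fan_out(records, min_sites=2):
    """Rule 3: a single external source address reaching several merchants' POS hosts."""
    sites = defaultdict(set)
    for r in external_remote_logons(records):
        sites[r["source_ip"]].add(r["site"])
    return {ip: sorted(s) for ip, s in sites.items() if len(s) >= min_sites}


if __name__ == "__main__":
    recs = load_logons(SAMPLE_LOGONS)
    for r in external_remote_logons(recs):
        print("external RDP:", r["site"], r["account"], r["source_ip"])
    print("shared accounts:", shared_accounts(recs))
    print("source fan-out:", source_fan_out(recs))
```

Rules 2 and 3 only become visible when logon data from many merchants is pooled, which in practice means the vendor (or its acquirer) has to collect it; a single pizza shop looking at its own POS will never see the reuse pattern. Rule 1 is the one each merchant can run alone, and the fix it points at is the same one the reply implies: remote administration that is not reachable from the open internet and not protected by a password shared across customers.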

  8. Nicholas Weaver

    The shocking part of the news about the Albertson’s breach. This is the first recent breach I can recall that wasn’t first reported by Krebs… 🙂

  9. Eric

    In these breaches, how are the costs divided up? From what I’ve read, before the breach is detected it is likely to be the card issuer who gets hit with charge backs. After the breach is known, does the breached merchant pay? What happens when a card is identified as compromised but the issuer decides not to pay?

    1. BrianKrebs Post author

      Eric, I think most of your question is answered in the story above. E.g.,:

      “Certainly, banks — which shoulder much of the immediate cost from such breaches — are out for blood and seem more willing than ever to dig deep into their own fraud data for patterns that would reveal which merchants got hacked. Visa and MasterCard each have systems in place for the banks to recover at least a portion of the costs associated with retail credit and debit card fraud (such as the cost of re-issuing compromised cards), but the banks still need to be able to tie specific compromised cards to specific merchant breaches.”

      1. Thierry

        Can’t match the content of that paragraph to Eric’s questions, Brian. I’m sure the meaning’s clear to you, but it’s not transferring.

        1. RSS


          The simple answer is that 99% of the fraud losses from card present face-to-face transactions hit the bottom line of the bank that issued the cards. Only in extreme cases such as TJ Maxx, Heartland or Target is there any type of reimbursement, and that is a negotiated take-it-or-leave-it amount that covers only a fraction of the bank’s losses.

          That will change as the rules for who owns the liability for loss change in October of 2015. In this model the entity providing the “weakest” security at the POS will absorb the loss.

          I hope this helps.

    2. Bob

      How are costs from a breach divided up? It’s an important question. I know that for routine cc theft, the first person who may have to pay is the customer with the credit card. If he complains, then the onus is on the merchant. But I don’t know at what point the bank has to shoulder the loss. As a merchant, I don’t recall any notice from the bank that they are taking back some of the cc income we received because of a bad cc. I’ve twice had my own cc numbers stolen, so I had to call up each merchant to get them to refund the charge. The question remains, when do the banks pick up the costs?

  10. Shawn A

    J. Mall, identity and card not present fraud is up. Card present fraud has fallen dramatically.

    Cosmic, yes, those are still card present transactions; however, you would have to tap into the app or the O/S (IOS v Android) and phone jack through which Square is used in order to steal the credit card. The card is transmitted securely out of the app to Square or Paypal.

    Chad G. The common OS is Windows. Nearly any application that runs on Windows may be compromised if you have either Admin or System privileges, such that the memory utilized by the app can be captured. Once the memory is captured you simply pull the credit card. This is all automated of course. The SW costs between $2,000 and $5,000. The vast majority of breaches are found by Visa, Mastercard or the merchant’s acquiring processor. (~90%)

    1. Jamie

      The large percentage of mobile card readers encrypt within the reader itself, providing point to point encryption(P2PE) back to the mobile payments gateway. Square moved to encrypting readers over two years ago. PayPal, Intuit and others have always had encrypting readers. MPOS applications need to assume the mobile device has been jail broken.

      1. Shawn A.

        I stand corrected on the newer mobile card readers not encrypting at swipe. It seems the majority do now. Although, the new Square reader is almost identical to the old Square reader. So by casual glance I’m not sure the average Joe would know the difference. Caveat emptor.

  11. Andrew Conway

    Hey Brian, did you catch the presentation at Black Hat where a malicious chip and PIN credit card compromised a mobile point of sale unit, and turned it into a video game machine?

    I love the turn about of a malicious card compromising a POS rather than the other way around. Of course, instead of turning the POS into a game machine they could also have set it up to accept transactions from stolen cards without validating them.

    1. BrianKrebs Post author

      Hah! No, I missed that one, but then again I ended up mostly walking the hallways talking to people instead of attending the talks.

  12. Scott

    Why are the following relatively simple solutions not used?

    1. For “card present” transactions, the card must have a photo of the holder on the back (like my Costco / AMEX card). If the presenter doesn’t look like the photo, all sorts of additional ID (and maybe a fingerprint) should be required.

    2. For online transactions, the card issuers should provide an easy mechanism to generate one-time-use numbers and refuse to authorize any purchase that doesn’t use one.

    Yes, these things would add some annoyance to merchants and card holders. But they’d probably also cut out millions of dollars of fraud.

    Solutions are out there. I do not understand why the industry is not using them.

    1. DW

      In answer to your point number 1, a photo on the card is not reliable if the card is a copy. If they’re making a card they can make one with their own photo (or just no photo at all which is cheaper).

    2. Jordan

      POS terminals have been set up in retail spaces so that they face away from the clerk, to encourage a safe shopping experience and mitigate employee fraud. Therefore not a lot of merchants are looking at cards. Also keep in mind many transactions do not have clerks, such as pay-at-the-pump gas stations and self-checkout services.

      As far as a code authentication…it has already been created. It goes under 3-D Secure (Verified by Visa) or MasterCard SecureCode. The merchant and the issuer (bank) must be enrolled. The adoption rate of this product is pretty poor, hence why e-commerce fraud is high.

      1. kyle

        the only fraud isn’t employee-run. it’s POS malware infected with the likes of dexter from darkode, or so on. And considering most is leaked online, it’s not hard to get and use.

      2. timeless

        They were also incredibly crappy. The reset mechanisms and all.

      3. Kevin

        Verified by Visa is awful. I got an Amex card after that horrible system screwed up a ticket purchase. Yeah, I really want to spend ten minutes trying to get the damn pin set up when I have two minutes to complete the ticket purchase.

    3. Bob

      The reason is that up until recently, the cost of cleaning up after fraud was less than the cost of taking additional steps, such as you mentioned, to reduce the fraud. So, the banks and card issuers had no incentive to do anything more.

    4. kyle

      because first of all, most carding that’s done by actually “intelligent” carders, is done online where pictures are impossible.

      second of all, because as it’s been stated, many forge cards with the stolen data, which would make pictures obsolete, as they would be put on the card of the person owning the stolen data.

    5. timeless

      Photos on cards run into the same problem that state / college IDs for “age of majority” have: it’s pretty easy to forge a photo. And you don’t have to copy the real one, you include your own.

      College students have been forging photo IDs for decades. Anything that tries to go in this direction is really misguided.

    6. Hav0c

      A really effective way to inhibit the use of dumps in brick & mortar stores is to have the POS force the employee to enter the last 4 digits embossed on the card into the POS and have the POS compare that to the last 4 of the PAN from track1/track2. This can be done manually too, but relies on employees’ diligence rather than a system.

      This will prevent the use of dumps since they take the dump data and encode it on the back of existing cards. The existing card likely has the picture and name of the person using it – but this is not the same data as encoded on Track1 or 2.

      1. RSS

        I agree there is a strong lack of review at the POS at the majority of merchant locations. It seems simple: match the last four with what is embossed on the card. That presents an opportunity for conflict at the checkout and training of staff in retail settings where turnover is very high and the maturity of the clerks is very young. Turning down a sale when you have no skin in the game for loss is hard to cost justify.

        I have counterfeited my own card many times onto hotel cards, white plastic and gift cards and used them at all merchants, even those asking for the last 4 digits. I even used a sharpie and wrote across the front in large numbers the last 4 digits of my card so when asked I would just show them the card. The 18 year old behind the counter didn’t even blink. The POS terminal came back with an Authorization Code and that was all that was needed.

        This will change come October 2015 and when merchants start eating multiple $5k chargebacks there will be a wake up moment at the POS. Many smaller merchants could find themselves out of business as a single transaction could wipe out their entire profit margin.

        So, as Brian points out “Banks are out for Blood” because banks are eating all the loss. When that changes the POS experience will also change, but not before and that is an unfortunate reality of where we are today. In the end the consumer pays from endless reissues of their cards, time lost and higher fees.

      2. bob

        Some of the bigger carding operations actually print their own cards that match the details encoded on the card.
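The two POS-side checks discussed in this sub-thread, RSS’s brand and security-code rule keyed on the first digit of the PAN and Hav0c’s comparison of the last four embossed digits against the stripe, as an added Python example that is not from the post or any commenter. The track-2 layout follows ISO 7813 (PAN, “=”, YYMM expiry, three-digit service code, discretionary data); the sample string is constructed around the widely published Visa test number and is not a real account. The Luhn check and the PAN masking go slightly beyond the comments and are included because a POS integrator would pair them with the last-four check.

```python
import re

# Constructed sample track-2 string. ISO 7813 track 2 is: start sentinel ';', PAN, '=',
# expiry as YYMM, 3-digit service code, discretionary data, end sentinel '?'.
# The PAN is the widely published Visa test number 4111 1111 1111 1111, not a real account.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789012?"

TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$")


def parse_track2(track):
    """Split a track-2 string into PAN, expiry (YYMM) and service code; raises on bad input."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a track-2 string")
    return {"pan": m["pan"], "expiry_yymm": m["exp"], "service_code": m["svc"]}


def luhn_ok(pan):
    """Luhn check-digit test for card numbers (standard practice, beyond the thread itself)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def brand_and_code(pan):
    """RSS's rule of thumb: first digit 4 = Visa (CVV2), 5 = MasterCard (CVC2),
    3 = American Express (4-digit CID). Returns (brand, code name, code length)."""
    return {"4": ("Visa", "CVV2", 3),
            "5": ("MasterCard", "CVC2", 3),
            "3": ("American Express", "CID", 4)}.get(pan[0], ("unknown", None, None))


def last4_matches(track, entered_last4):
    """Hav0c's proposal: the clerk keys the last four embossed digits, the POS compares
    them with the PAN it read from the stripe and declines the swipe on any mismatch."""
    pan = parse_track2(track)["pan"]
    return entered_last4.strip() == pan[-4:]


def mask_pan(pan):
    """Receipt/log form of the PAN: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def check_swipe(track, entered_last4):
    """Combine the checks into one decision record a POS front end could log."""
    info = parse_track2(track)
    brand, code, _ = brand_and_code(info["pan"])
    return {"pan_masked": mask_pan(info["pan"]), "brand": brand, "cnp_code": code,
            "luhn_ok": luhn_ok(info["pan"]), "last4_ok": last4_matches(track, entered_last4)}


if __name__ == "__main__":
    print(check_swipe(SAMPLE_TRACK2, "1111"))   # accepted: embossing and stripe agree
    print(check_swipe(SAMPLE_TRACK2, "9876"))   # last4_ok False: embossing and stripe disagree
```

The check only bites when the clerk actually types what is embossed rather than what the terminal displays, which is the human-factors weakness RSS describes; logging only the masked PAN keeps the decision record itself out of scope as cardholder data.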

  13. Jonathan

    The simple solutions are not used because it was cheaper to simply eat the cost. Most industries have that rule of thumb…safety issues aren’t fixed until the cost of folks dying (including reputational costs as well as those associated with civil and criminal prosecution) exceeds the cost of fixing the safety issue. Fraud was tolerated when it was a small percentage of profit. But the fraudsters have gotten greedy and attracted attention…even still, how many POS machines run windows xp? When was the last time windows xp was updated 😉

  14. Jeff Hall

    The US is NOT getting Chip and PIN, it is getting Chip and Signature. Apparently years of using debit cards don’t count, so we still have to sign.

    EMV is great for stopping card present fraud which it did very well in Europe. But EMV does nothing for where fraud is rampant which is card not present (CNP) fraud.

    If you read the EMV specification, there are some nifty security features built into the standard that are not used such as a dynamic CVV and dynamic PAN. But, unbeknownst to most is the fact that the Chip is NOT encrypted, only certain fields such as the PIN block and CVV values other than the CVV that is printed/embossed on the card. As a result, Target style breaches are not going to be stopped by moving from magnetic stripe to EMV alone.

    All this said, the fraud detection engines at the card brands and major processors are fairly robust and do stop most fraud. But with CNP fraud, it happens so fast that by the time the fraud engines stop it, it’s too late.

    1. RSS

      You are correct EMV will not prevent online fraud. The ease of capture of card information from malware such as Zeus and BotNets will continue to harvest millions of cards (Name, PAN, CVC2/CVV2 and Expiry) to make online purchases.

      To be clear the PAN (Personal Account Number) is not enough to make an online purchase. In the majority of transactions the CVC2 value on the back of the card is required. The EMV terminal is masking the CVC3 value and no security value used at an EMV terminal can be used with the PAN for an online purchase.

      The online technology needs to migrate away from PAN, but there is no immediate elegant and simple means currently available. VbyV is not the answer.

      As we continue to see the adoption of Mobile Devices (SmartPhones) for payment we can envision a point where Q/R or other encoded images could be used to transfer one time tokens for online purchases.

      But you are correct, all online merchants should be improving their fraud detection capabilities as when the clock strikes 12 in October of 2015, there will be a bull rush of fraud in this channel.

  15. Esther M

    sir, CP transactions would still be vulnerable; a merchant would never refuse a transaction if the CC had no photo.

    Say banks begin issuing cards with a photo on the back; what about all the shoppers with old cards? Must they refuse them? If one has track2 mag data of a card with a photo, just copy the info onto plastic with no photo 🙂 Better yet, it may even have a picture of the fraudster on it, and with the new stripe it is defeated.

    2. CNP transactions would be hard; if you look at something like SecurID from RSA, a 60 second token which switches! This would be very expensive for banks, and then all POS would need to change again. They all invested in new EMV POS registers; probably no one would like to buy more POS with $$.

    Sorry, I don’t want to sound like an offensive user, but this is the best reply I can give you.

  16. petepall

    As always, Brian, instructional. Now we need a tutorial from you on chip and pin technology; its strengths and its weaknesses. I’ve asked for this before. Now seems like a good time, especially since its time is coming. Thanks!

  17. Berend de Boer

    Shouldn’t the title be “Why So Many Card Breaches IN THE US?”

    I can’t recall seeing this as a problem in other 1st world countries. Couple of reasons:

    1. They don’t use credit cards much (true, they have more sophisticated systems).

    2. Credit cards are better protected.

    3. US crime scene is more sophisticated.

    4. Much larger market (using credit cards, and for selling stolen credit cards).

    Any others?

    1. kyle

      It’s not so much that our crime is more complicated. As it should be obvious by now, most comes from mafia-related orgs in Russia, and other Baltic/Eurasian countries, and former Soviet satellite states.

      the only fact is NOT that it HAPPENS FROM the U.S., but that it happens TO the U.S. The crimes themselves are taking place THERE, targeting companies HERE, with buyers HERE and other places. The breach itself, however, usually does NOT happen here, at least not with regards to its original conductor.

    2. timeless

      Of note, there’s a sampling bias here.

      US news is often covered worldwide, or at least throughout the English speaking world. You rarely hear about Canada or New Zealand or even Australia. There are fewer people, companies, news reporters in each of those places. And while Brian learned Russian, most of us haven’t learned French, Spanish, Chinese and Russian, so we don’t really know what’s happening in the other large parts of the world.

      Thanks to Brian, we do know about major fraud in the Portuguese speaking world.

    3. FARO

      When I have traveled to other countries besides the US, I tend to check the State Department website for information on the countries I intend to visit and get on their mailing list for alerts. Sometimes when I indicate I plan to visit a non-1st world country, the State Department says don’t, so I don’t. For some 1st world countries I then visit, the State Department indicates the type of fraud to avoid. Avoiding ATM machines is high on the list; there are very high instances of fraud over there when it comes to credit card purchases.

  18. Kyle

    lesson #1 for carding class 101: DON’T CARD IN PERSON! Card with a vpn and proxy in the same town as the original cardholder, and ship to a friend, use drop-points.

    NEVER buy in person. Leave that to the dumb brutes who run violent gangs, not the stealthy cybercriminals, though nowadays, most SO-CALLED carders are wannabe script kiddies from HF.


    A lot of people don’t know that you don’t have to get into those illegal credit forum shops to gain fullz. All you have to do is access phishing scam links the right way and you can obtain the same information in a database like format.

    The problem is not only security breaches by way of P.O.S. devices but also good old-fashioned social engineering tactics.

  20. TL

    In less than a year, my credit card number has been stolen three times. First with Target, then an unknown entity, and now with Albertsons. I track my charges and noticed erroneous charges with each breach and contacted my bank immediately. Fortunately, I don’t charge a lot, so it is easy for me to spot criminal use. But even though I am careful and watch my charges, I simply don’t know what else I can do on my end, as a consumer, to prevent the illegal use of my cc number. Even the bank didn’t have any advice. Very frustrating.

  21. KB

    Cross-border transactions in Europe used to/may still involve fraud if the merchant utilizes magnetic-swipe POS equipment, uniform across most POS, unlike chip and pin.

  22. Richard Steven Hack

    I’m working with a tiny business owner who has recently been approved to take credit cards with WorldPay using their Virtual Terminal product. She takes credit cards, swipes them through a card reader into the VT Web page in her browser. This is on a laptop running Windows 8.1 using wireless to connect to her SOHO router.

    Now she has to become PCI compliant. I’m finding out this is utterly impossible in her current setup.

    The fun thing is that all these VT payment processor companies tell the business owner they can use this simple VT Web browser stuff with a credit card reader and take payments in a mobile manner. But then they say the merchant must be PCI compliant – which is utterly impossible with such a setup. They tell the merchant they can use Self Assessment Questionnaire C-VT (for Virtual Terminal) while using a card reader. The PCI is very clear on that – you CANNOT use C-VT if you’re using a card reader.

    All this is from WorldPay – who got a huge breach a few years ago and were temporarily declared non-compliant by the PCI people.

    In other words, there are tons of SMB merchants out there being misled as to exactly what it means to be PCI compliant. It ain’t easy and it’s usually expensive unless you’re a totally Web-based company who sends the customer to the external payment page of a PCI compliant payments processor.

    So card breaches will continue until the credit card companies come up with a more secure card infrastructure. Relying on the merchants to be secure is a losing concept. As my meme says, “There is no security. Deal.”

    1. no-name-here

      Yes, they can. What they’ll have to do is purchase a router that can be equipped with a cellular modem. This will allow the user to connect her laptop via ethernet cable to the router. This is all that’s required (today).

      Theoretically, she should be able to use 802.1x on the wireless connection, but she’d have to undergo a real PCI audit to get this approved.

      1. JCitizen

        Huh? I see nickel and dime merchants at coin collector shows running cards through their cell phones. I doubt they are “PCI” compliant either.

  23. thevictim

    I am very interested in knowing who exactly loses the money in these kinds of breaches.

    When a crook buys something expensive using a clone card, who has to pay the cost for the item? Doesn’t the shopkeeper lose money, or the issuing bank, or who?

    Who exactly bears the cost of those items? Are there insurance companies who cover up these losses?

    1. RSS

      The loss is borne by the bank that issued the card for all in-store or what is many times referred to as “Face-to-Face” card present transactions. That is 100%.

      Brian references that banks recover costs related to the reissue of cards. That is somewhat correct. For large breaches such as TJMax and Heartland, banks received a fraction of their costs back, under 10%. For the vast majority of smaller breaches that have occurred in the past (Schnucks, Zaby’s, 5-Guys, Harbor Freight, etc., etc.), banks receive no recovery. They eat all loss.

      The victims of fraud pay a price by having to reset all their recurring payments, losing out on purchasing capability and that is time they can’t get back, but they are not on the hook for any fraudulent charges.

      If however, the card information is used for an only purchase, the merchant bears the burden for Fraud, that is, unless the online merchant is enrolled in Verified by Visa or SecureCode offered by Visa and MasterCard. As noted earlier, this is not a very fluid checkout experience.

      The shift in cost occurs in October of 2015. That is when merchants that have not converted over to Chip will, I believe, pay a lot closer attention to who is buying what and with what.

      I hope this helps.

      1. RSS

        Sorry. typo in 4th paragraph.

        If however, the card information is used for an ONLINE purchase…..

      2. James E

        unless the online merchant is enrolled in Verified by Visa or SecureCode offered by Visa and MasterCard. As noted earlier, this is not a very fluid checkout experience.

        I’ve used Verified by Visa and all it is is just another additional PIN required to facilitate the transaction. It’s rather fast.

        The reason for many of the breaches is that by the time the shift to the chip card occurs it will make their job much harder. I have mentioned this to some retailers; their reaction is “when we get around to it.”

  24. Reuben

    If between 2 and 4% were sold, and between 3 and 7% had fraud, doesn’t that mean that an incredibly high number (between 50 and 100%) of sold cards were successfully used? Isn’t that a major financial institution failure?

    1. BrianKrebs Post author

      Not sure what you mean by “failure” exactly but this fraud was spread across thousands of financial institutions.

  25. Graeme

    The bit I don’t understand is why any of the card data touches the retailers’ network at all? Why is the card data not simply processed through a card reader terminal designed exclusively for the purpose that simply sends the encrypted data over a separate VPN to the processors’ network?

    How come the card data is processed through the Windows based PoS terminals at all? Do the retailers not just need an electronic message back from their processor to confirm the amount paid and a confirmation number to say the transaction was authorised?

    1. PCI101

      This is strictly a business decision. Some merchants and service providers have a business need for credit card authorization / settlement / chargebacks / reconciliation to retain some level of card data. Assuming a non-point to point encryption discussion, many if not all of the solutions require processing through point of sale server systems. The other line here is that the merchant could opt for a stand alone dial-up or broadband line and with some network hardware (firewall, IDS/IPS, etc), swipe cards on the device and have them sent outbound to the processor.

      Devices that store, process, transmit or are connected to the environment where credit/debit cards are processed are required to meet the rigor of the PCI compliance standard.
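
The architecture PCI101 and Graeme are discussing, with card data encrypted inside the reader so that the store’s systems only ever forward ciphertext to the processor, can be sketched in code. The following Python is an added illustration, not code from this comment thread or from any PCI-validated product: a toy reader-to-POS-to-processor exchange in which the point-of-sale host never holds a plaintext PAN and a memory scraper on that host finds nothing usable. The cipher is a stand-in built from HMAC-SHA256 (counter-mode keystream with an encrypt-then-MAC tag); a real point-to-point encryption deployment uses a validated reader with AES and per-transaction keys. The reader key, the track layout, the 4111 1111 1111 1111 test PAN and the amounts are all constructed for the demo.

```python
"""Toy point-to-point-encryption flow: card reader -> POS host -> processor.

Added illustration only. The cipher is a stand-in made from HMAC-SHA256
(counter-mode keystream plus encrypt-then-MAC tag), not a real P2PE scheme,
and every key, track and card number below is constructed for the demo.
"""
import hashlib
import hmac
import json
import os
from typing import Tuple

# Constructed demo key. In a real P2PE deployment this lives in the reader's
# secure element and in the processor's HSM; the POS host never holds it.
READER_KEY = hashlib.sha256(b"demo reader key - constructed").digest()
K_ENC = hmac.new(READER_KEY, b"enc", hashlib.sha256).digest()
K_MAC = hmac.new(READER_KEY, b"mac", hashlib.sha256).digest()


def _keystream(nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC(K_ENC, nonce || counter) blocks, concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(K_ENC, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reader_encrypt(track: str) -> bytes:
    """Runs inside the card reader at swipe time. Output: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    plaintext = track.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(nonce, len(plaintext))))
    tag = hmac.new(K_MAC, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check-digit test; the processor uses it as a sanity check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def processor_authorize(request: dict) -> dict:
    """Runs at the processor: verify the tag, decrypt, check, answer with a masked PAN."""
    blob = bytes.fromhex(request["blob"])
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(K_MAC, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return {"approved": False, "reason": "bad tag"}  # tampered blob or wrong key
    track = bytes(c ^ k for c, k in zip(ciphertext, _keystream(nonce, len(ciphertext)))).decode()
    fields = dict(part.split("=", 1) for part in track.split(";"))
    pan = fields["PAN"]
    if not luhn_ok(pan):
        return {"approved": False, "reason": "bad PAN"}
    # Only the truncated PAN leaves the processor; a receipt never needs more.
    return {"approved": True, "auth_code": "DEMO01", "last4": pan[-4:], "amount": request["amount"]}


def pos_checkout(amount_cents: int, blob: bytes) -> Tuple[bytes, dict]:
    """Runs on the store's POS host. Returns (the wire message it sent, the receipt)."""
    request = {"amount": amount_cents, "blob": blob.hex()}
    wire = json.dumps(request).encode()  # everything the POS host ever holds about the card
    response = processor_authorize(json.loads(wire))
    receipt = {"approved": response["approved"], "amount": amount_cents}
    if response["approved"]:
        receipt["card"] = "**** " + response["last4"]
    return wire, receipt


def pos_host_exposes_pan(wire: bytes, pan: str) -> bool:
    """What a memory scraper on the POS host could recover: True if the PAN is in the message."""
    return pan.encode() in wire


TEST_PAN = "4111111111111111"  # widely published test number; constructed input
TEST_TRACK = f"PAN={TEST_PAN};EXP=1216;NAME=TEST CARDHOLDER"

if __name__ == "__main__":
    blob = reader_encrypt(TEST_TRACK)
    wire, receipt = pos_checkout(1999, blob)
    print(receipt)
    print("PAN visible on POS host:", pos_host_exposes_pan(wire, TEST_PAN))
```

The point of the split is scoping: the reader and the processor share the key, the POS host forwards an opaque blob and gets back an approval code plus the last four digits, so the Windows terminals PCI101 mentions drop out of the cardholder-data environment for this path. The tag check also means a blob altered in transit is rejected rather than decrypted to garbage.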


  26. JCitizen

    Embarrassed that the US hasn’t implemented Cowchip-N-pen? Not hardly; why would I want an out of date overly expensive technology that is no longer proven? I would be more embarrassed that the cheaper, better, more modern technologies haven’t been adopted across the continent. I still get the sneaking suspicion that even if this was fully adopted US wide, the crackers would simply shift the attack to a different window of the infrastructure. It seems like security system designers would be well advised to keep to the KISS principle.

    However it ends up, you can bet your bippy the customers will be left holding a very expensive proverbial bag, and the banks will cheerfully declare “problem solved”!
