September 16, 2014

C&K Systems Inc., a third-party payment vendor blamed for a credit and debit card breach at more than 330 Goodwill locations nationwide, disclosed this week that the intrusion lasted more than 18 months and has impacted at least two other organizations.

On July 21, 2014, this site broke the news that multiple banks were reporting indications that Goodwill Industries had suffered an apparent breach that led to the theft of customer credit and debit card data. Goodwill later confirmed that the breach impacted a portion of its stores, but blamed the incident on an unnamed “third-party vendor.”

Last week, KrebsOnSecurity obtained some internal talking points apparently sent by Goodwill to prepare its member organizations to respond to any calls from the news media about the incident. Those talking points identified the breached third-party vendor as C&K Systems, a retail point-of-sale operator based in Murrells Inlet, S.C.

In response to inquiries from this reporter, C&K released a statement acknowledging that it was informed on July 30 by “an independent security analyst” that its “hosted managed services environment may have experienced unauthorized access.” The company says it then hired an independent cyber investigative team and alerted law enforcement about the incident.

C&K says the investigation determined malicious hackers had access to its systems “intermittently” between Feb. 10, 2013 and Aug. 14, 2014, and that the intrusion led to the installation of a “highly specialized point of sale (POS) infostealer.rawpos malware variant that was undetectable by our security software systems until Sept. 5, 2014” [link added].

Their statement continues:

“This unauthorized access currently is known to have affected only three (3) customers of C&K, including Goodwill Industries International. While many payment cards may have been compromised, the number of these cards of which we are informed have been used fraudulently is currently less than 25.”

C&K System’s full statement is posted here.

ANALYSIS

C&K Systems has declined to answer direct questions about this breach. As such, it remains unclear exactly how their systems were compromised, information that could no doubt be helpful to other organizations in preventing future breaches. It’s also not clear whether the other two organizations impacted by this breach have or will disclose.

Here are a few thoughts about why we may not have heard about those other two breaches, and why the source of card breaches can very often go unreported.

Point-of-sale malware, like the malware that hit C&K as well as Target, Home Depot, Neiman Marcus and other retailers this past year, is designed to steal the data encoded onto the magnetic stripe on the backs of debit and credit cards. This data can be used to create counterfeit cards, which are then typically used to purchase physical goods at big-box retailers.

The magnetic stripe on a credit or debit card contains several areas, or “tracks,” where cardholder information is stored. “Track 1” includes the cardholder’s name, account number, expiration date, a three-digit service code and other data. “Track 2” contains the account number, expiration date and service code plus a short “discretionary data” field (which can carry a PIN verification value and a card verification code, but not the PIN itself); it does not include the account holder’s name.

An example of Track 1 and Track 2 data, together. Source: Appsecconsulting.com

Most U.S. states have data breach laws requiring businesses that experience a breach involving the personal and financial information of their citizens to notify those individuals in a timely fashion. However, few of those notification requirements are triggered unless the data that is lost or stolen includes the consumer’s name (see my reporting on the 2012 breach at Global Payments, e.g.).

This is important because a great many of the underground stores that sell stolen credit and debit data only sell Track 2 data. Translation: If the thieves are only stealing Track 2 data, a breached business may not have an obligation under existing state data breach disclosure laws to notify consumers about a security incident that resulted in the theft of their card data.
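To make the track layout, and the Track 2 “no name” point, concrete, here is an added Python example that is not part of the original post and not code from C&K, Goodwill or Appsecconsulting. It parses a constructed Track 1 + Track 2 read (the PAN is the well-known 4111111111111111 test number; the name, expiry and service code are made up), validates the account number with the Luhn check, masks it for safe logging, reports whether a cardholder name was captured at all, and reads the service code to tell whether the swiped card carries an EMV chip.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample dump: Track 1 and Track 2 for one fictitious card.
# 4111111111111111 is a well-known test PAN; name, expiry and service code are invented.
SAMPLE_DUMP = (
    "%B4111111111111111^DOE/JOHN^25122010000000000000?"
    ";4111111111111111=2512201000000000?"
)

# ISO/IEC 7813 layouts.  Track 1: start sentinel '%', format code 'B', PAN, '^',
# name, '^', expiry YYMM, 3-digit service code, discretionary data, end sentinel '?'.
# Track 2: start sentinel ';', PAN, '=', expiry YYMM, service code, discretionary, '?'.
# Track 2 has no name field at all.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: weeds out digit runs that only look like an account number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TrackRecord:
    track: int
    pan: str
    expiry: str            # YYMM
    service_code: str
    name: Optional[str]    # present on Track 1 only

    def masked_pan(self) -> str:
        """First six and last four digits, which is all a log or report should carry."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]

    def chip_capable(self) -> bool:
        """Service-code first digit 2 or 6 marks a card that carries an EMV chip, so a
        swipe of such a card is a fallback transaction, not a plain mag-stripe card."""
        return self.service_code[0] in "26"


def parse_tracks(dump: str) -> List[TrackRecord]:
    """Pull every well-formed, Luhn-valid track out of a raw stripe read."""
    records: List[TrackRecord] = []
    for m in TRACK1_RE.finditer(dump):
        if luhn_ok(m["pan"]):
            records.append(TrackRecord(1, m["pan"], m["exp"], m["svc"], m["name"]))
    for m in TRACK2_RE.finditer(dump):
        if luhn_ok(m["pan"]):
            records.append(TrackRecord(2, m["pan"], m["exp"], m["svc"], None))
    return records


def has_cardholder_name(records: List[TrackRecord]) -> bool:
    """True only if a Track 1 record (the only track with a name field) was captured."""
    return any(r.name for r in records)


if __name__ == "__main__":
    recs = parse_tracks(SAMPLE_DUMP)
    for r in recs:
        print(f"track {r.track}: {r.masked_pan()} exp {r.expiry} "
              f"svc {r.service_code} chip={r.chip_capable()} name={r.name!r}")
    print("cardholder name captured:", has_cardholder_name(recs))
```

Run against a Track 2-only capture, `has_cardholder_name` returns False, which is exactly the situation the paragraph above describes: the account number, expiry and service code are all there, but the field most state notification laws key on is not.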

ENCRYPTION, ENCRYPTION, ENCRYPTION

Breaches like the one at C&K Systems involving stolen mag stripe data will continue for several years to come, even beyond the much-ballyhooed October 2015 liability shift deadline from Visa and MasterCard.

Much of the retail community is working to meet an October 2015 deadline put in place by MasterCard and Visa to move to chip-and-PIN enabled card terminals at their checkout lanes (in most cases, however, this transition will involve the less-secure chip-and-signature approach). Somewhat embarrassingly, the United States is the last of the G20 nations to adopt this technology, which embeds a small computer chip in each card that makes it much more expensive and difficult (but not impossible) for fraudsters to clone stolen cards.

That October 2015 deadline comes with a shift in liability for merchants who haven’t yet adopted chip-capable terminals: a merchant not in compliance can find itself responsible for the fraudulent charges on purchases in which a chip-enabled card was merely swiped through a regular mag-stripe card reader at checkout time.

Business Week recently ran a story pointing out that Home Depot’s in-store payment system “wasn’t set up to encrypt customers’ credit- and debit-card data, a gap in its defenses that gave potential hackers a wider window to exploit.” The story observed that although Home Depot “this year purchased a tool that would encrypt customer-payment data at the cash register, two of the former managers say current Home Depot staffers have told them that the installation isn’t complete.”

The crazy aspect of all these breaches over the past year is that we’re only hearing about those intrusions that have been detected. In an era when third-party vendors such as C&K Systems can go 18 months without detecting a break-in, it’s reasonable to assume that the problem is much worse than it seems.

Avivah Litan, a fraud analyst with Gartner Inc., said that at least with stolen credit card data there are mechanisms for banks to report a suspected breached merchant to the card associations. At that point, Visa and MasterCard will aggregate the reports to the suspected breached merchant’s bank, and request that the bank demand that the merchant hire a security firm to investigate. But in the case of breaches involving more personal data — such as Social Security numbers and medical information — very often there are few such triggers, and little recourse for affected consumers.

“It’s usually only the credit and debit card stuff that gets exposed,” Litan said. “Nobody cares if the more sensitive personal data is stolen because nobody is damaged by that except you as the consumer, and anyway you probably won’t have any idea how that data was stolen in the first place.”

Maybe it’s best that most breaches go undisclosed: It’s not clear how much consumers could stand if they knew about them all. In an opinion piece published today, New York Times writer Joe Nocera observed that “seven years have passed between the huge T.J. Maxx breach and the huge Home Depot breach — and nothing has changed.” Nocera asks: “Have we become resigned to the idea that, as a condition of modern life, our personal financial data will be hacked on a regular basis? It is sure starting to seem that way.” Breach fatigue, indeed.

The other observation I’d make about these card breaches is that the entire credit card system in the United States seems currently set up so that one party to a transaction can reliably transfer the blame for an incident to another. The main reason the United States has not yet moved to a more secure standard for handling cards, for example, has a lot to do with the finger pointing and blame game that’s been going on for years between the banks and the retail industry. The banks have said, “If the retailers only started installing chip-and-PIN card readers, we’d start issuing those types of cards.” The retailers respond: “Why should we spend the money upgrading all our payment terminals to handle chip-and-PIN when hardly any banks are issuing those types of cards?” And so it has gone for years.

For its part, C&K Systems says it was relying on hardware and software that met current security industry standards but that was nevertheless deficient. Happily, the company reports that it is in the process of implementing point-to-point encryption to block future attacks of this kind on its payment infrastructure.

“What we have learned during this process is that we rely and put our trust in many systems and individuals to help prevent these kinds of things from happening. However, there is no 100% failsafe security solution for hosting Point of Sale environments,” C&K Systems said. Their statement continues:

“The software we host for our customers is from a leading POS company and meets current PCI-DSS requirements of encrypted data in transit and data at rest. Point of sale terminals are vulnerable to memory scraping malware, which catches cards in memory before encryption can occur. Our software vendor is in the process of rolling out a full P2PE solution with tokenization that we anticipate receiving in October 2014. Our experience with the state of today’s threats will help all current and future customers develop tighter security measures to help reduce threat exposure and to make them more cognizant of the APTs that exist today and the impact of the potential threat to their businesses.”
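The statement above names the mechanism: a RAM scraper reads card tracks out of the POS process’s memory in the window before the application encrypts them. The added Python example below is not code from C&K, its software vendor, Goodwill or the original post. It scans a constructed memory image (application strings and binary filler with four track-shaped byte runs planted in it; every PAN and name is test data) for Track 1 and Track 2 patterns the way both the malware and a memory-forensics hunt do, and applies the two filters that separate real card data from digit noise: a Luhn check on the account number and a plausible expiry month. With point-to-point encryption at the read head, nothing this scan could find would exist in POS memory in the first place.

```python
import re
from typing import List, NamedTuple

# Constructed byte image standing in for a dump of a POS process's memory:
# application strings and binary noise with card tracks mixed in, as a RAM
# scraper (or an analyst walking a memory dump) would see them.
FAKE_POS_MEMORY = (
    b"\x00" * 32
    + b"POSAPP lane=03 tender=CARD amount=19.95\r\n"
    + b"\xde\xad\xbe\xef" * 4
    + b";4111111111111111=2512201000000000?"            # valid Track 2
    + b"\x00" * 8
    + b"%B5555555555554444^DOE/JANE^2512101000000000?"  # valid Track 1
    + b"\x01\x02\x03\x04" * 4
    + b";1234567890123456=2512101000000000?"            # fails Luhn: digit noise
    + b";4111111111111111=2599201000000000?"            # month 99: not a card
    + b"\x00" * 32
)

# Loose shapes of ISO 7813 Track 1 / Track 2 as they sit in memory.
# Groups: PAN, (name on Track 1), expiry YY, expiry MM, service code.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]{0,40}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]{0,40}\?")


class Hit(NamedTuple):
    offset: int
    track: int
    masked_pan: str
    expiry: str   # YYMM


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; rejects digit runs that merely look like a PAN."""
    digits = [int(c) for c in reversed(pan)]
    return sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
               for i, d in enumerate(digits)) % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four so a finding can be reported without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_tracks(image: bytes) -> List[Hit]:
    """Locate Luhn-valid, date-plausible track data in a memory image, ordered by offset."""
    hits: List[Hit] = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(image):
            pan = m.group(1).decode()
            yy, mm = (m.group(3), m.group(4)) if track == 1 else (m.group(2), m.group(3))
            if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
                continue   # drop the false positives the regex alone would report
            hits.append(Hit(m.start(), track, mask(pan), (yy + mm).decode()))
    return sorted(hits)


if __name__ == "__main__":
    for h in scan_for_tracks(FAKE_POS_MEMORY):
        print(f"offset 0x{h.offset:06x} track {h.track} {h.masked_pan} exp {h.expiry}")
```

Pointed at a real process dump, the same loop is a quick triage test for a suspected RAM scraper host: any hit in a process that should only ever see encrypted card data is a finding, and the Luhn and month filters keep the report from filling up with counters and timestamps that happen to match the pattern.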

Too many organizations only get religion about security after they’ve had a serious security breach, and unfortunately that inaction usually ends up costing the consumer more in the long run. But that doesn’t mean you have to be further victimized in the process: Be smart about your financial habits.

Using a credit card over a debit card, for example, involves fewer hassles and risks when your card information inevitably gets breached by some merchant. Pay close attention to your monthly statements and report any unauthorized charges immediately. And spend more time and energy protecting yourself from identity theft. Finally, take proactive steps to keep your inbox and your computer from being ravaged by cybercrooks.


61 thoughts on “Breach at Goodwill Vendor Lasted 18 Months”

  1. Sasparilla

    Just taking in all the large compromises over the last year or so… it’s hard to come to any other conclusion than the U.S. consumer credit card system is insecure.

    Great article Brian, keep up the great work.

    1. JD

      It’s not that the system is insecure, it’s that the liability is just a giant circle, thus no one is willing to pay what it costs to secure it.

      You can basically remove 99% of all CC fraud with end to end or well implemented point-to-point encryption. But here’s the rub, those solutions are per transaction costs, meaning, the retailer pays an extra penny +/- on every single credit swipe. That adds up to a LOT of money for a retailer, especially when the liability is on the card brand / issuing bank. The retailer isn’t out that much in chargebacks, the customer isn’t on the hook, the bank is, but they just pass the cost back to the retailer and consumer in higher fees. Thus, there is no incentive to lose money on every transaction.

      Not to mention, currently, PCI has made it almost too hard to implement e2e encryption, with the encryption standard. That is to change in Nov, and you will see the smart retailers moving towards p2p encryption with the more reasonable standards out.

  2. Tomi

    So, Goodwill is sorta saying, “Nothing to see here — move along,” eh?

    You make a good point: If they went 18 months, what’s next?

    And, the track-2 only sales on underground forums: Sounds like you almost have to be a cyber-thief (or play one) to know if/when you’ve been hit.

    Why the gap from August 12th to September 5th? If the malware wasn’t detectable until the September 5th upgrade… (?)

    Enlightening article (as always)!

    1. Tomi

      I’ll assume that they did like Chang’s and others and went to the manual system on August 12th? That would account for the gap.

  3. jeanne price

    Brian,

    My biggest concern after researching C&K since early September is that they boast over 500 clients. Goodwill units represented merely 20 on that list. C&K’s statement that just two other vendors were impacted seems questionable.

    My source was a government document that required breached entities to list any third party vendor involved. You were tipped to C&K when you obtained an internal email. If neither of those documents had become public, I can’t help wondering how long C&K would have operated in anonymity. Makes you wonder how many hundreds of breaches are still flying under the radar.

  4. DaveN

    As a small business, if we don’t meet the security requirements, we’re automatically spanked with a higher discount rate that raises the cost of every transaction. It seems like big merchants like Target and Home Depot just get away with whatever level of security they want. You never hear about a major hack of Mom’s Diner, because Mom plays by the rules while the major retailers disregard them with impunity.

    1. Sasparilla

      I’m pretty sure that we don’t hear about the hack at Mom’s diner (and tons of other owned small businesses) because it’s not big enough to pop up on the radar of multiple banks and make a noticeable showing on the underground sales sites for stolen card numbers (where our Mr. Krebs picks up on these things).

      In some senses this is a good thing (for these businesses) as few small businesses could handle (the sales dip) of having a publicized scarlet letter of “we let your credit card numbers get stolen here” ladled on them.

    2. Anon.

      > As a small business, if we don’t meet the security requirements, we’re automatically spanked with a higher discount rate that raises the cost of every transaction.

      Incorrect. That only happens if you *admit* to not meeting the requirements.

      Small merchants also lie (wittingly or not) about their compliance with PCI DSS. The difference for big merchants is they pay a QSA to make the assessment instead of answering the SAQ.

      You’ll never hear of a mom-n-pop breach because:
      a) attackers will not waste time on small merchants when the big ones offer greater reward for the same risk and effort
      b) the headline “literally dozens of cards data compromised” doesn’t generate enough interest

    3. Carl 'SAI' Mitchell

      The PCI-DSS and other standards for credit cards are woefully insecure. Even if you follow all the industry best practices your store can still be hacked, and your customers’ data stolen. Big businesses are targets mostly because they have lots of customers, not because they’re any easier to steal from.

      Credit cards have a single number (the account/credit card number) which can be used to make multiple transactions. This is inherently insecure, anyone who gets your credit card number (and expiration date, and CVV2 code, and name) can make as many transactions as they wish. A secure system would require a transaction ID to be cryptographically signed by the user’s secret key. That has significant implementation difficulties, mostly to do with key management. But until such a system is implemented these data breaches will continue to be successful.

    4. Reader

      As others have mentioned, Mom’s Diner won’t be hacked, because it’s not an attractive target. But it’s more than that.

      The volume of sales of major retailers requires them to choose between long checkout lines, hiring more cashiers, or maintaining Internet-connected systems that can process credit card payment authorizations very fast. Overwhelmingly, these major retailers have opted for shorter lines (which consumers prefer) and hiring fewer cashiers.

      For them, speed and lower labor costs are a priority, not security, since they currently bear no financial responsibility for fraud made possible by their Internet-connected systems.

      Mom’s Diner doesn’t have to be concerned about lines or cashiers. They can use a simple dial-up credit card processor. This frees up Mom’s Diner from being connected to the Internet and helps it from being easily hacked.

  5. Matt

    I think this is the calm before the storm. We have a credit card that we coincidentally use very few places except Goodwill. After reading about this and the Home Depot breaches, I reviewed our transactions and found one booked last Saturday at a pharmacy in Rome. When I called the CC company to dispute it, they said it was a manual entry and canceled/reissued my card.

  6. Eric

    The other day we had take-your-cat-to-the-vet day, and at the end of it all when I went to pay, I noticed that the vet had a credit card reader with an EMV slot. And unlike Home Depot and other such stores, this one was active and it worked properly.

    Some here have speculated that smaller merchants would be the last to upgrade their equipment to support EMV. And in my own experience, it was a small merchant who was among the first to upgrade.

  7. John Doe

    C&K is not a payment processor, it’s a POS vendor who provides hosted POS services. I think it’s funny that C & K offers “PCI-DSS Secure Environments”. I hope Goodwill is getting back some fees that C & K charged them for this service.

    1. David

      The whole area of outsourcing and “service providers” wasn’t being handled well in practice. Things were assumed when they shouldn’t have been. Things fell between the cracks.

      The standards and processes around this have changed and become more thorough. Unfortunately new standards and processes take time to kick in and catch up and actually happen after they’ve been published. That hasn’t happened yet.

      Some of the changes:
      * more focus and details on PCI responsibilities in contracts and company compliance programs
      * better validation that things are being done by someone. In some cases the merchants may have to include 3rd parties in their own audits and not just point to contracts and/or SAQ forms.
      * Broader definitions of service providers such as managers of firewall services and others
      * Card brands trying to get service providers registered so they can track them better

      While some organizations are doing this now, you won’t see broad adoption until 2015.

  8. LC

    In general it’s still assumed that PCI (compliance) = (guaranteed) security and that is not the case. Whether or not the general populace will push for security instead of (only) compliance remains to be seen. While not feasible, it would be interesting to see a rating system – similar to that of restaurants – for information security of an organization (eg A, B, C, etc.) – performed by some kind of 3rd party. If you frequent an establishment you could make a more educated decision whether you want to use a card, cash, or continue using them at all.

  9. Paul

    When will restaurants stop the archaic ritual of taking my credit card out of my sight to process my transaction?

    1. John

      YOU are the one required to pay, not your waiter. Just get up and go pay for it yourself.

    2. Reader

      Get off your butt and walk over to the cashier. Problem solved.

      1. John

        In Europe the waiter will bring a mobile POS terminal to your table. Taking the card out of sight is a prohibited practice.

    3. Peter

      I was robbed to pay you! Cleveland area has bitcoin eateries that won’t eat your plastic.

  10. PeterM

    C&K provides hosted POS services. Hmmmm. There is another meaning to the acronym POS that seems to apply.

  11. Elizabeth

    If you insist on using a debit card, make sure it is run as a credit requiring signature.

    1. G.Scott H.

      It does not matter if a debit card is processed as a credit transaction for the safety of the account it accesses. Money comes out of the account either way even for the miscreant. Signatures are rarely checked. Follow Mr. Krebs advice to use a credit card instead.

  12. Ralph Daugherty

    Some comments on C&K:
    The statement that only 25 cards have been reported as lost is as disingenuous as it can get. While technically true at the moment it was spoken, it implies it was a minor inconvenience. We know that most of the credit card data over the last 18 months was stolen. We know because that’s what the malware does. To get to “reported” the card data has to be purchased and used. It’s just that someone hasn’t purchased and used it yet. For that transgression on top of transgression, I hope they pay dearly.

    On top of those transgressions, they say that it’s impossible to secure because malware will scan memory. There are so many points on that they shouldn’t be entrusted with anyone’s data.

    The “malware” is only possible because this company and their customers are using Windows PCs for POS terminals and the Windows PCs are being hacked to install this Windows program that steals card data. All that is needed is a flash memory of the POS software. There shouldn’t even be a way to install software. Dumbest thing I have ever seen. Companies like this and these retailers are flat out incompetent and should be made to pay for their transgressions.

    On top of that the card data should be encrypted end to end. No reason not to do it other than they can get away with it and customers pay. I hope a lot of people are major league inconvenienced enough to force business to use competent and secure technologies. They exist. They just aren’t businesses pretending to do professional work on “Updates ready” PCs.

    Plus very few people getting the info out like Brian. Like shedding light on cockroaches.

    1. Ralph Daugherty

      What I mean by “all that is needed is flash memory” is that that is all that is needed to stop the malware on POS terminals. No install devices, just a chip with software on it that can be flash updated on the rare occasions that the POS software has a new release.

  13. Thanks For Donating

    Thank You for donating more of your plastic money via Goodwill to everyone’s favorite hackers both here in the USA and in Russia.

  14. AlphaCentauri

    Everyone keeps treating these breaches as if they are unique failures. It’s as if every new surgical infection at a hospital were greeted with shock and surprise, and no one ever tried to figure out where the germs were coming from.

    The Secret Service and or Visa/Mastercard should be studying the retailers who aren’t known to have had breaches and comparing them to the ones who have. Once someone has had a breach, their employees are going to be too defensive to be able to assist much. You need to be able to see what happens on a typical boring day, when people don’t have their guard up. You need to see what security procedures are considered unreasonably burdensome and figure out a more realistic way to deal with them. You may even detect attempts to infiltrate your “control” retailers and even set up a honeypot to learn more about preventing these breaches.

    1. Bait and Switch

      A colleague of mine does work for a government agency tasked with investigating breaches. The majority of these breaches are coming from Eastern Europe, Russia, Africa and China. The issue here is the host governments are either indirectly supporting or completely turning a blind eye to what is going on. Until those governments start turning up the heat on this type of financial warfare, this will be a continued problem. Even with EMV or ApplePay, it won’t stop until those governments start prosecuting and punishing and stop profiting.

  15. TheOreganoRouter.onion.it

    I get out of this article that once C&K Systems corporate attorneys get involved then they will do what’s best for the company not the consumer who ends up suffering more from the hassle of reporting the card numbers being stolen.

  16. Stratocaster

    The WSJ article you cite does a good job of explaining the lesser-technology liability cascade. But it doesn’t explain what happens if the technology used by the bank and the merchant are the same. If the bank issues a chip-and-PIN card, and the merchant uses a chip-and-PIN terminal, and fraud still occurs, WHO IS LIABLE? Hopefully not the consumer….

    1. RSS

      All banks have a zero liability policy when it comes to fraud. It doesn’t matter what the technology is. In Europe some of the older check out terminals enabled fraudsters to guess what are supposed to be unpredictable values and get the PIN. In the US few if any banks are going to require pin for any transaction. This safeguard is for stolen cards, which in the future would be stolen digital devices.

      All should expect the no signature required limit to increase from the standard $25 to around $100 or even higher for some merchants.

      Next comes tap and pay with apple and google. The idea of a card will begin to drift away over the next five years. Think in terms of having a revolving spending account that you can use for purchases or to pay a friend with a lot more opportunities to manage what you spent where and what discounts and rewards you have.

      The consumer will never be liable for purchases they did not authorize.

    2. David

      It’s a bit more complex than that because of the different methods of using the card (Chip, Stripe, Tap/Wave). Each type of transaction is a bit different and liability is based on the method used.

      If a Chip and PIN card is breached at a store where it’s all chip there is something that resembles the mag stripe track but bits of it change based on crypto in the chip and the bank that issued your card. The PIN is also encrypted in the terminal. The cash registers (where all this malware is hitting) never see it in the clear. Fraud there is the consumer’s liability AFAIK.

      The tap/wave also has a faux track.

      However, there is data in that faux stripe that could be used to make an online purchase where they don’t take the security code that’s written on the card. That fraud would NOT be the consumers liability.

      Hopefully clearer.

  17. george

    Any speculation regarding why “less than 25 cards had fraudulent charges” claim after an 18 month breach ?
    How could that be, why were the thieves sitting on the stolen data ?
    Isn’t it more likely that far more than 25 cards were used fraudulently and C&K does not know or does not admit it ?

    1. BrianKrebs Post author

      I’ve contacted multiple banks that have had fraud on plenty of cards related to this breach. In any case, why would the banks bother to report back to C&K about fraud? They wouldn’t.

      If you’re a payment card vendor, and crooks who plant card-stealing malware and steal card numbers for a living have unfettered access to your network for 18 months, they’re going to steal card numbers, and a lot of them. Those card numbers are no good to anyone if they just sit on a shelf for ages, so they tend to try to sell them very quickly.

      I’ll grant you that the thieves who stole all these cards from Goodwill locations probably managed to sell only a fraction of the cards they stole, but nevertheless C&K’s claim about 25 cards is just a distraction, and doesn’t represent reality. IMHO.

      1. george

        Thank you for clarification, Brian.
        This raises though another question:
        If the banks do not bother informing C&K Systems about fraud instances, does it mean the only financial drawback for C&K is the lost reputation and potentially lost customers as a result of this event? I would imagine if all or part of the fraud were claimed from C&K, they would have a clearer image of the extent of the fraud. Or is it too early for that?
        I realize you mention in the article the fingerpointing that is going on between those actors and with so many hacking incidents going on at the same time, it might indeed be very hard to establish whether a particular cloned card’s data was stolen in one place or another.

  18. jim

    I’m wondering, look at how business is run. Target like all businesses, and nonprofits are run by the same profit before upgrades occur, trained MBAs. Not salesmen but used car salesmen. The type you would not trust to date your daughter.
    They cut the business to the bone, and look to save a few more cents by delaying anything that they can. You know, standard MBA schooling. Remember, half of the class was smarter than these guys. To be remembered, those were the party organizers.
    So would they be high in their training and implementation budgets? Or hiring the better security guys? Or even think of security till they get caught in its clutches?

  19. Shane

    Could you please expand on why there is less risk in using a credit card than a debit card? My understanding is that consumers are covered by zero liability rules relative to fraudulent transactions… Thanks in advance.

    1. BrianKrebs Post author

      If you have fraud on your credit card, you see the fraudulent transactions on your statement, you dispute the charge with your bank, and *poof* the charges come off your statement.

      If you have fraud on your debit card, and as a result you bounce your rent or mortgage payment, that starts a ripple of events that can be much harder to reverse and can take longer to recover from (consider bounced check fees, dinged credit scores for missing payments, etc). The point is, you may well get all of the money you lost back, but the other repercussions can be much more diffuse and harder to deal with.

      Finally, merchants usually pay more to handle debit transactions than they do credit, so you end up costing retailers more (only by a tiny fraction each time, but it adds up).

      1. Bait and Switch

        Brian, merchants in a card present (even card not present) environment typically pay less for debit, especially Durbin Debit. Durbin Debit Interchange is 0.05% + $0.22 (fraud adj), whereas a credit transaction in the same situation would be 1.51% + $0.10. Average ticket comes into play, but $50 would be $0.25 for debit and $0.86 for credit. You could then get into the rewards cards, corporate cards and those are even higher than debit. This of course is before you add in Assessments, Data Usage fees, APF Fees, Acquirers mark-up, FANF… etc. Visa, MC and Discover post their interchange charges online, very easy to find with a Google search, very hard to understand unless you’re in the business.

      2. Brian Raaen

        Brian,
        What about debit card transactions that are run as credit using signature and the Mastercard system? Aren’t those different than straight PIN debit transactions?

      3. NotSA

        “The fact that we get away from physical problems doesn’t mean we go away from problems. The problems are really rarely physical.” Bucky Fuller

        So it’s not the cards. It’s the house of cards.

    2. ABWP

      Shane, if your debit account is hacked, the thief can clean out all of your CASH and leave you with literally no money to pay your mortgage and bills while the bank is investigating. Yes, ultimately the bank will hold you harmless — but I can personally attest to the fact that it will take at least a good couple weeks, if not longer, for the bank to return your cash. How long could you go without money?

      If your credit card gets hacked, any fraudulent credit card charges are borne by the credit card company — it’s their money that is on the line, not yours. Hence, using a credit card protects you while a debit card is a direct liability to your own pocket.

  20. Stephen J

    I find the acronym POS to be particularly appropriate for the retail and financial industries.

  21. Jeff

    Brian,
    The great work continues!
    Do we know enough about the upcoming Apple iPhone-based payment system to evaluate it?

  22. petepall

    Why not have the Congress pass legislation that cuts through all this and helps us all? Hmmm? Oh, wait. That’s right. Never mind.

  23. David Longenecker

    “If the thieves are only stealing Track 2 data, a breached business may not have an obligation under existing state data breach disclosure laws to notify consumers about a security incident that resulted in the theft of their card data.”

    Interesting oversight in disclosure laws. I doubt that is what the lawmakers had in mind.

  24. Michael B.

    “If the thieves are only stealing Track 2 data, a breached business may not have an obligation …” Great. Juuuuust great.

    “The crazy aspect of all these breaches over the past year is that we’re only hearing about those intrusions that have been detected.” Thank you for that! Really thought it was crazy too. Now I don’t feel so nuts.

    Thank you for this article, it really helped me understand a lot more about how things have gotten to this point and are the way they are. I’m glad that it’s been explained to me that this is the new normal, even though it gives me Lee Van Cleef squinty eyes and a scowl. I really appreciate the reporting. I mean, kinda.

  25. Dennis Wright

    I am glad I live in Australia where it is all chip and PIN. No signatures accepted from last August. Tap/wave without PIN for amounts up to $100.

  26. Tom G

    I’m actually curious to see what kind of due diligence (if any) Goodwill performed on C&K Systems prior to making the decision to use them in the first place…

  27. Merchant

    You’re probably already on this – heads up if not – the “Continue Reading”/More link for the latest post is not working, takes you to a 404 page.

  28. Thought

    What is your opinion on retailers offering the option of paying in BITCOIN? From what I have seen, it’s pretty secure and eliminates the risk of identity theft. More and more retailers are taking them such as Dell, Tiger Direct, Newegg, Overstock.com, and even PayPal has hinted at integrating Bitcoin into its payment system.

    1. BrianKrebs Post author

      I’m not sure. I don’t see why, though, Bitcoin would be any more secure than anything else if your computer were to be compromised.

  29. NotSA

    Bitcoin Boulevard US

    bitcoinboulevard.us/
    Bitcoin Boulevard US – A destination for Bitcoin commerce and community in … Tavern Company | 2260 Lee Rd | Cleveland Heights | OH | 44118

    Thrift shops could benefit too!
