Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach. Staples says it is investigating “a potential issue” and has contacted law enforcement.
According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.
Framingham, Mass.-based Staples has more than 1,800 stores nationwide, but so far the banks contacted by this reporter have traced a pattern of fraudulent transactions on a group of cards that had all previously been used at a small number of Staples locations in the Northeast.
The fraudulent charges occurred at other (non-Staples) businesses, such as supermarkets and other big-box retailers. This suggests that the cash registers in at least some Staples locations may have fallen victim to card-stealing malware that lets thieves create counterfeit copies of cards that customers swipe at compromised payment terminals.
Asked about the banks’ claims, Staples’s Senior Public Relations Manager Mark Cautela confirmed that Staples is in the process of investigating a “potential issue involving credit card data and has contacted law enforcement.”
“We take the protection of customer information very seriously, and are working to resolve the situation,” Cautela said. “If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on [in] a timely basis.”
You know, Brian, this could go a lot faster if you’d just report on who HASN’T been breached… 🙂
I was just about to say the same thing!
From what I ready though it is fortunate for the majority of car users who are still dumping their account numbers into point of sale terminals 3 or 4 times a day that only a small percent of the account numbers stolen are actually sold and used by the hackers.
Me? I QUIT.
I’ve gotten to the point where I just don’t care anymore about these breaches. I had used my credit card at Target, Home Depot, P.F. Changs and Albertsons during their breach periods, yet Bank of American only replaced my credit card after the Target breach. And so far, I haven’t experienced any fraudulent charges related to any of these breaches. I do, however, check my credit card account at least once a day, and I’ve stopped using my debit card for purchases completely. Occasionally, I’ll use the debit card at a bank branch ATM inside a grocery store. That’s it.
Richard Steven Hack wrote:
“just report on who HASN’T been breached…”
This would, likely, be difficult as some proportion of those businesses that haven’t been breached really have been breached but it remains undiscovered.
It’s interesting that the discovery of breaches at many organizations have been made by banks and credit card companies rather than the organizations that have been breached. Do organizations not monitor their own systems? And, if so, is their monitoring ineffective?
I suspect that it is easier for banks to identify fraud than for retailers. Customers report fraud directly to banks, who can then correlate fraudulent transactions to determine which retail locations the fraud happened at. Retailers, on the other hand, simply process transactions, which are either accepted or denied by the bank (with no reason for denials given to the retailer). This makes it very tricky for retailers to identify fraudulent activity.
That said, retailers could do a better job of identifying data breaches *before* fraud happens, though this requires investment in technology and personnel to actively monitor the environment.
Jon wrote: “retailers could do a better job of identifying data breaches *before* fraud happens, though this requires investment in technology and personnel to actively monitor the environment”
How much does this “investment in technology and personnel to actively monitor the environment” cost an organization relative to the costs associated with a major data breach? I suspect that it costs *much* less.
Here’s a link to an article from 2008 on just this topic:
“The real cost of a security breach”
The article also includes tips for preventing a data breach which are centered around “information assurance”.
Learning from one’s own mistakes is a good thing, but learning from others mistakes in addition to one’s own mistakes is much better. There doesn’t seem to be much learning going on out there…
Ugh, so over it!
Interesting to see if this is just target stores in one location or if it is in fact a larger breach with only cards in that area being used.
That is what I was wondering?! I’d like to know what the other Staples stores are doing right!?
What are other stores doing right? I’d guess they’re being lucky. Though it’s tough to say for sure until we learn how this exploit worked.
Are Staples stores (or groups of stores) owned independently, or do they all have similar equipment & procedures?
All Staples stores are owned by Corporate, and unless they have upgraded their equipment in the last 2 years they are using Windows CE on their POS and XP on their accounting computers.
Public WiFi was on a different network than the POS, but most stores had a customer facing terminal (computer) running a kiosk version of XP for doing “ship to store” orders. The USB was enabled on these beasts, and they were on the same network as the POS (might have been VLAN’d out, was not able to dig that deep in my tenure.)
POS terminals are currently on XP with upgrade to 7 coming soon. Staples maintains multiple VLANS to name a few: POS, .COM KIOSK, Store Terminals(manager computers), ET NETWORK DMZ, HOTSPOT DMZ, VOIP, Motorola RF Gun Hand helds, CPC, Rental PC stations. These are just the ones I know about. They are all seperate from one another. All PCS are on XP except the GM PC on 7 and Customer rental station on 7 and Server on server enterprise 2008 or something along those lines plus some of the cpc pay at self serve stuff is on xp embeded. The network is extremely complex and would take a skilled hacker to gain access not likely done via a KIOSK terminal as previous user suggested.
The complexity of a network has very little to do with the ability of trained, competent, driven penetration professionals (i.e. Hackers) to own a network. In many cases it makes it easier. A complex network creates a whole host of challenges for the defenders, it is hard to monitor, it is hard to manage, much of the network knowledge ends up in indivdual heads.
Tru Dat !
Brian, perhaps reporting on mag stripe POS systems that have not been compromised would be a more worthy endeavor, They sure as heck would be harder to find,
60% of the blame for all the recent breaches should be laid on the shoulders of VISA, MasterCard, American Express, and Discover. They own, operate, and manage all aspects of the antiquated, insecure payment networks that lie at the root of all of these breaches. They decide what technologies to deploy and force upon the merchants and their member banks. Don’t for one second believe anybody who tells you the US is behind a decade in EMV adoption because of the merchants. Representing payments technology for one of the largest merchants in the world for the last 20 years I can assure you we had nothing to do with that. Who did? The guys responsible for the other 40% of the blame.
JP Morgan Chase, Bank of America, Citi, Wells Fargo and a handful of others – the actual puppet masters for VISA and MasterCard (less/not so for AmEx and Discover). These guys GET ALL OF THE BLAME for the slow adoption of EMV in the US.
Merchant, that is a pretty narrow view. It is the responsibility of all payment ecosystem participants to maintain the integrity and protect the data end to end. I see you place the root cause of these breaches on insecure payment networks, but how did the hackers get access to the memory of the Point of Sale? How was the malware placed? Don’t merchants have a responsibility to secure and monitor their own networks? Put in password protocol for applications and limit vendors access rights? Limit access to the entire network when hacker gets through on a HVAC vendors credential?
With one of the large breaches late last year, if im not mistaken, there was more non-card data exposed than card data, is that also the Associations or banks fault for not moving to EMV?
EMV is not the holy grail and will not stop future breaches. EMV does make the card data more difficult to monitize in a Card Present environment, as of now, but unless the merchant is also utilizing encryption and tokens the customer name, account, exp will still be in the clear and open to breach. We do not know what lies ahead in 2, 5 or 10 years in regards to the safety and security of EMV, a 20 year old technology.
Breaches will continue to occur post a full EMV deployment. The data they are after may be different and that data may be other non-card internal customer data to that entity. Whose fault will it be then?
Hardly. The payment system has been ill-prepared to go electronic since its inception. There is zero native encryption built into traditional magstripe cards, which dominate the payment landscape. Card brands push the liability to the banks, and the banks hand merchants cleartext data, putting the onus on the merchant to protect data that they had no hand in generating or mandating. Its a completely moronic approach, and the PCI-DSS was invented to circumvent the the obvious forthcoming regulation of people who completely need and deserve oversight (card brands and issuers). You can’t get pissed at Staples for not implementing some control or missing a breach when you aren’t holding the brands who represent your payment details to the same standard.
Here we go again..
Does anyone release statistical information about what fraction of transactions are EMV? I wouldn’t expect it to be much at all right now – it will be interesting in the months to come to see those number climb..
I’ve noticed that a lot of stand alone, starbucks “franchise” or non-corporate owned stores are still running on very.. insecure card terminals. That, and the POS system is not the same at every store, making compliance or security updates, very troublesome to do, and run.
Idk, it’s not really relevant to this, but, I can see how different POS Systems at different stores, can make security such a bother to keep track of.
Jon Marcus – On the other hand, the disjointed system makes such a chain less attractive to the BGH’s(Big Game Hunters)…
(posted from a seat at local Starbucks, where I paid my way in cash)
As I noted in another comment. The defender challenges created by disjointed systems are an advantage all to frequently.
There seems to a common theme surrounding “security by obscurity”. Hackers are better at finding those holes than defenders are at controlling them. If its “complex and a big fat mess” then the “BGH” will avoid it. Not the way it works. They target it.
I’m beginning to think these XP Embedded systems are a significant risk and something should be done to move to a more secure POS system.
It is my understanding that most POS systems are not compatible with anything other than XP. Additionally, if they only lose .48 of their annual revenue, the folks in charge may suggest that they should not replace the XP OS because will cost more then the breach. Sure would be nice to see companies consider their customers first and the cost of doing business second…..yes upgrades are the cost of doing business.
These POS breaches are not going top stop until the physical devices start using stronger encryption methods ,along with the use of EMV cards
Onion- EMV won’t help the growing volumes of card-not-present transactions unless we start using a device in addition to our chip-enabled cards.
See www. dot nc3.mobi/references/emv/#C&D
Better encryption, fancier locks, more locks, more hardware, all combine to be more complex and a simpler solution is a concept shift to where merchants never have the confidential consumer credentials. What merchants don’t have, crooks can’t steal. Simpler is cheaper too and remember who, in the end, is paying the bill. WE ARE!
EMV will absolutely help in a breach.
A compromised EMV transaction will yield the crook something that looks like a magnetic stripe track but isn’t. It can’t be used to make a fake swipe or EMV card. There is also no security code (the 3 or 4 digits printed on the card) limiting its abuse in card not present.
There are several card not present scenarios:
1. e-commerce with security code – not vulnerable
2. e-commerce without security code – vulnerable but shame on the merchant who will deserve the charge backs they will get
3. Other – likely vulnerable (personally if someone asks me to fax or phone in my security code then I’ll walk first).
New devices may ultimately help but they need to be widely deployed. Many require buy in from Issuers and brands. Also they need to be evaluated as well because they are another potential attack surface.
Dr. Weaver – You wrote clearly about who pays for fraud in EMV card present transactions. What about in the growing volume of electronic and mobile commerce?
Dave – There is little doubt that EMV provides additional security in card present commerce. The cost for that additional security is huge. Target alone has a budget of $100M. Nationwide, who knows? Card present transactions with EMV have weaknesses documented at least back to 2007 – see www dot nc3.mobi/references/emv/. I’m also worried about the change in the presumption of innocence shifting financial responsibility for fraud to consumers (see previous URL). Electronic and mobile commerce can benefit from EMV, but that imposes another burden on consumers, the portable EMV device – see www dot nc3.mobi/references/emv/#C&D.
The total cost of a solution should to be less than the total cost of the crime. By that metric EMV is reasonably priced, but comparing the cost of EMV to a breach is a misleading comparison. If speeders were caught 100% of the time they wouldn’t break the traffic laws. Sadly, charge card crooks don’t get caught 100% of the time. Comparing a cost with 100% assurance (the “sunk” cost) to the costs of breaches which may or may not happen is apples-to-oranges.
For same-fruit comparisons evaluate the cost of EMV to the cost of other solutions. This measures their relative efficiency. If a “solution” isn’t effective then any cost may be too much. Effectiveness should be in all commerce forms including physically present (card present), electronically present (via computer), mobile presence (via smart phone when not physically present) and non-present (ex: in a train without internet access). By that metric EMV appears to have less bang for more bucks compared to other solutions.
Of course that is just my opinion. I could be wrong. (thank you Dennis Miller)
Your link takes me to Google. Is that what was intended?
Henry Hertz Hobbit – To which link do you refer? Mine or someone elses and which?
For mine, generally you have to replace the “dot” with a period.
Suppose the following happens:
– I use my Chase Visa on a Staples purchase.
– Miscreants steal my card-info and sell it on the black market
– Thieves use my data to buy $1000 worth of electronics at Best Buy, and Visa doesn’t flag the transaction
– I spot the transaction and promptly complain.
I’m not out any money. How much of the loss is borne by Mastercard? By Chase? By Best Buy? Does Staples bear any direct loss if their POS systems are found to be noncompliant?
My understanding is it would go something like this.
Assuming it is a Chase Visa Credit card,
I’m not out any money. How much of the loss is borne by the Card brand (Visa/MC)? Minimal, 2 to 2.5 % transaction fee, which is recoverable from merchant’s acquirer.
By Chase? 1,000 as your issuer, however, they can get the money back from the Merchants Acquiring Bank. They also would have to pay between $2 and $20 to issue you a new card.
By Best Buy? Cost of goods sold + transaction fee. Recoverable by Liability Insurance. In turn their Insurance rate will increase.
Does Staples bear any direct loss if their POS systems are found to be noncompliant? The merchant will be fined by their Acquirer in response to the Cardbrands fines (Visa, MC, AMEX, JCB, Discover). They will/could be fined by the FTC, they will/could be fine by all State Attorneys Generals in which residents are effected. The must pay to become compliant to the finest detail of PCI DSS.
On Oct 1, 2015, the merchant will also become liable for all fraud if they are not EMV ready. Meaning other merchants and banks could approach their bank for all losses. Fraud, card issuance, COGS etc.
DavidT – using a “credit card” you have great protections. As long as you make “prompt” notification you should be zero out of pocket. Yet, in the end, all of us consumers pay the bill whether losses are borne by merchants or providers. For more see
www dot nc3.mobi/references/debit_vs_credit/
Brian – I didn’t get my email notice. I found out about this from Reuters!
DavidT – (part 2, sorry it got split)
Most of the loss will come from the merchant pocket, but the prices they charge us includes a risk premium to cover such losses (they hope). That is why, in the end, it is us consumers who pay the bills for crime.
Jon, unfortunately your response is absolutely incorrect. It is the bank that absorbs the majority of cost to 1) reissue the plastics and 2) bear the cost of the fraud on the counterfeit card present transactions that occurred due to the breach. You are correct in that we all ‘pay’ the price through higher prices across both the retail and banking sectors.
In David’s example, the loss for the actual fraudulent usage of the plastic would fall on Chase. MasterCard and Visa are networks and bear no loss responsibility for bad debt or fraud, Best Buy will bear no loss as they swiped the card, following the association rules and averting a chargeback.
Stables will also lose money, but this does not include the direct expense of covering the banks increased costs to reissue/monitor cards and losses caused by the counterfeit cards created from the breach. Their expense is around fixing the issue, to include PR costs, securing their network, fixing their reputation, possibly decreased sales/stock value and potential fines from the associations. If the event qualifies, the banks may recover pennies on the dollar from Staples through the association’s Account Compromise Recovery Programs.
DavidT wrote “I use my Chase Visa on a Staples purchase.” and did not specify card present or not. Then he wrote “How much of the loss is borne by Mastercard? By Chase? By Best Buy?” Then he wrote “Does Staples bear any direct loss if their POS systems are found to be noncompliant?”Perhaps I should have guessed that he meant that the initial purchase was at a POS system. For that I am sorry. “Losses” can include “expenses related to loss” and providers definitely have expenses associated with their contract with their consumer. In any case it is not clear-cut as whether or not bank or merchant is liable for the cost of product or service taken and ultimately unpaid. It also depends on how the transaction was made. Here are references from 2003, 2005 and 2014. Even if the provider pays, they get revenue from merchants and merchants get revenue from us. We the consumers pay.
from 2005 www dot businessweek.com/stories/2005-06-20/the-truth-about-credit-card-fraud
From 6/11/2014 www dot lowcards.com/pays-fraudulent-credit-card-transactions-24850 [ Some sentences removed and highlighting mine ]
Lastly you wrote “Best Buy will bear no loss as they swiped the card, following the association rules and averting a chargeback.” As described above, if the provider proves “poor security” or “technological issues that allowed the merchant to be compromised” then the merchant will bear the loss even in a card-present transaction. In the end the lawyers will argue one way and the other and we’ll probably never get told about it all, but here is one report:
12/23/2013 www dot cnbc.com/id/101293579 << worth reading the whole article
In regards to the Card Not Present fraud you bring up, you are correct in that ~80% Card Not Present liability, in the U.S., falls on the merchant and ~60% falls on the merchant in the International market due to the liability shift under 3D Secure, i.e. MasterCard Secure Code, Verified by Visa and American Express Safekey. As the U.S. industry continues to move towards EMV, I suspect more U.S. merchants will take advantage of this, on the scale we see in the International markets. Internationally, many governments require these programs with their merchants.
There has been no successful significant lawsuit that I am aware of, between a bank and a merchant around poor security as the merchant has no contractual obligation with the bank. The bank has a contract with the Card Brand and the merchant has a contract with the Card Brand. Most merchants have been successful in getting these breach lawsuits dismissed that are using poor security/technology that allowed a breach causing the issuing bank a loss.
Sept 2014 article:
Your Comment: Lastly you wrote “Best Buy will bear no loss as they swiped the card, following the association rules and averting a chargeback.” As described above, if the provider proves “poor security” or “technological issues that allowed the merchant to be compromised” then the merchant will bear the loss even in a card-present transaction. In the end the lawyers will argue one way and the other and we’ll probably never get told about it all, but here is one report:
My Comment: Best Buy is where the fraudulent transaction took place, from the example, not the entity compromised. Best Buy will have no loss exposure from the swiped fraudulent transaction occurring at their location as long as card was swiped following Card brand rules. The breached entity, Staples in this example, has no dollar for dollar recovery obligation to reimburse the bank. The bank may see a small recovery down the road following any recovery through the Card Brand’s Compromised Account Recovery Programs, but those normally net pennies on the dollar. If, by chance, the Best Buy transaction was a Card Not Present, Best Buy would also currently have no financial loss as they are starting to participate in 3D Secure passing the liability back to the bank. Also, from a Staples type breach, with the information we know as of today, CVV2 was not part of the data stolen would should raise a red flag for those merchants processing transctions without it. It can be gained through other types of compromises, but not the most recent examples of Target, Home Depot, Michaels, Sally’s and the nameless other POS breaches.
Your Comment: Banks have sued merchants following large security breaches in the past. A 2007 hack of accounts at T.J. Maxx cost parent TJX Companies a reported $256 million in settlements with banks, credit card companies and others. And a 2009 breach at Heartland Payment Systems eventually cost the company $140 million, with more litigation ongoing.
My Comment: The figures you provide are total costs absorbed by the breached entity for all breach related costs, not just “settlements” paid to the banks, credit card companies and others. For Visa specific issuers, TJX offered Visa $40.9 million (the other Card Brands received less) and Heartland offered $60 million for issuers to Opt in to receive the proposed “settlement” and avoid the unknown costs and results of pursuing a court action. Some issuers did not opt-in to the TJX settlement and TJX settled with those banks separately for $525,000. These two “settlement” amounts were a drop in the bucket of total losses/expenses realized by Visa and other Card Brand issuers. From an actual fraud loss perspective, the recoveries realized, by one larger bank, represented a 13% and 14% recovery against actual losses tied to these breaches.
A small correction. In most cases the merchant contracts with the processor/acquirer/bank who in turn contracts with the card brands. Merchants typically have no contract with the brands (well Visa and MasterCard not sure about the others).
I think you attributed some of the quoted material to me and not the cited sources. In any case we agree, in the end, it is the CONSUMER that pays and I, for one, am a little tired of replacing my card, again and again.
Thanks to PaddyC I have a phrase that makes my point clear: “I’m mad as hell and I’m not going to take it anymore!” That is why I spent 3 years on NC3.
IIRC, the lawyers, staples, and best buy end up hashing it out. And the bigger problem is Chase trying to nail Staples with the cost of replacing a ton of cards that could POTENTIALLY be used fraudulently.
This actually is the big lever to get everyone on board with EMV.
Effective October 2015, if the purchase was with a swipe but the card supports EMV, the merchant eats the cost unambiguously.
If the merchant supports EMV but the card does not, the issuing bank eats the cost unambiguously.
@Nicholas Weaver… the liability shift actually to the merchant is actually predicated on whether the credit card terminal is EMV chip card CAPABLE – not actually whether the specific transaction was a chip read or a magstripe read.
For October 2015, if at least 75% of a merchant’s transactions go through EMV-capable terminals, they are not subject to the liability shift.
This is kind of arcane, but the reason for this is that the banks haven’t issued the EMV chip cards in the US yet. Mostly they haven’t issued the cards in the US because there are so few EMV terminals deployed in stores.
With this step-one of the liability shift based on having EMV capable terminals, the card brands now have incentivized the merchants to upgrade terminals… which will then incentivize the banks to issue the cards.
But… I believe for a long time it will still be a matter of having systems CAPABLE of using chip cards – not a matter of what method a specific transaction will use.
This is because the choice of whether to dip the card in a chip reader or swipe the card is still most likely to be up to the customer… and customer behavior is the hardest thing to change.
There is another reason that many banks have not issued chip-enabled cards. In the wake of the Home Depot breach, I asked a number of smaller to mid-sized banks if they were finally now going to issue chip-cards when they reissue. They all said the same thing: no, the chip cards cost us twice as much to reissue, and we’ll just have to reissue 5-10 times in the wake of additional big retail breaches to come over the next year, so we’ll just wait until we get closer to the Oct. 2015 deadline.
The reason this approach makes sense for the smaller institutions is that they have traditionally relied on reissuing as an anti-fraud mechanism, because many FIs don’t have the fraud detection mechanisms that many larger FIs have in place.
There are always counter-examples though. I finally got my wife to stop using the debit card for regular things, and get a credit card instead – from a local community bank. And when the card came (a few weeks ago), it had a chip on it.
She did mention that she had been at Staples with the new card.
It would have been much simpler to have her simply write a check on a designated house checking account for her purchases. Saving you (and her) the possibility of overseas fraud and also the merchant the discount they pay to a card processor. That way you all win, excepting for the overseas thief.
My bank offers a number of ‘free’ checking accounts. Many smaller secure community banks and credit unions do.
So instead of just doing it now they will hope that no further large breaches happen – which will cost them more than just issuing the new cards now.
Very interesting conversation with the smaller banks. It’s my humble opinion that smaller banks like what you mentioned in your magazine potentially could be lost soon. Im saying, gone as so much fraud will force some of these banks into shutting their doors.
That’s not quite true. My experience is that if you have a chip card, and you try and use a chip terminal by swiping the card the old way, it will ask you to insert the card into the other slot so that it can instead do an EMV transaction. As a consumer, you do not seem to get a choice in which way to use the card.
1. some PoS terminals have EMV readers which aren’t enabled
2. some PoS terminals have EMV readers which don’t support various programs (AmEx)
If you put your card in backwards ~5 times, the EMV reader will give up, and suggest you try swiping.
That said, w/ an AmEx, I often get to do:
1. Swipe -> Rejected “please use chip”
2. Chip -> Rejected “unsupported; please swipe”
3. Swipe -> Accepted “please sign”
(I could skip step 1 if I wanted to, but, it’s more fun to see the whole series.)
This is because the machine thinks it supports EMV (and it does, for Visa/MasterCard) and it thinks your card supports EMV (and mine does), and therefore, it really wants me to use EMV. But, when the EMV from the AmEx talks to the EMV of the Terminal, the Terminal realizes it doesn’t support the application, and gives up. — This is by design.
For more fun, I can try paying w/ NFC (my AmEx supports Swipe, Chip, and Tap, and as with Chip), the NFC support is limited due to the fact that a number of vendors haven’t added the NFC AmEx Application support to their Terminals — even if they have added AmEx EMV support for Chip.
The Australian solution has been to require a PIN instead of a signature, and not to allow fallback to the mag stripe if the card has the EMV chip (which the vast majority do). No problem changing customer behaviour when they’re given no other option.
Its my opinion that it really is just an inconvenience (had 2 replacement cards in the last 60 days as part of PF Changs and Home Depot) to the consumer, as long as it is their credit card.
Regarding the non-compliance……..well, keep in mind, that the PCI-DSS is a standard and there is very little anyone can do to force that on anyone. It is purely optional.
I will say it over and over…..laws, policies, and dsclaimers to not mean your secure…its all for after the fact once the bad guys is captured.
Was in a staples in SW Pa a week ago. They were having so much trouble / the register software they declare they could not cash anyone out and I left. I had already decided to switch to cash after seeing them fight the POS terms…..
What caught my attention versus your other blog posts is that this breach mentioned “debit card fraud”. Do you know whether PINs were compromised?
Technically, there are at least two potential PINs floating around,
one is the PIN used for swipe, and the other is the PIN used for Chip.
And here’s where the difference between using the two matters: If you have distinct PINs (you almost certainly don’t), then if you use a compromised terminal, and enter your pin and you’re using the chip, then someone now has access to an arbitrary number which they can use to talk to _your_ _physical_ card’s computer. Once your walk away w/ that card, the fact that they have the Chip’s pin is not very helpful, since it’s useless w/o the computer (this is a form of 2FA — something you have “the card’s computer”, and something you know “the pin”).
BUT, if you have swiped (at any point), and your PIN is the same (or you just swiped and entered your PIN), then someone can perform a future transaction against your card — and if it’s actually a Debit card, they can probably do anything they want to the account.
How are the hackers breaking into these point of sale systems ?
Swipe an card encoded with malware ?
Break-into insecure wireless access points ?
Or is this an example of the “inside drive-by” ?
Now companies like Officedepot use hand held scanners to process credit card transactions.
They send someone at the company a phishing email, get them to install malware, then proceed to jump up the privilege chain and gain access to everything they can gain access to.
Eventually they reach the server(s) the POS systems talk to, which means the server(s) can act as a gateway to those POS systems.
The communication paths can get rather complex though, as they’ll have to use a system that can talk to the internet as their initial entry point and for all inbound/outbound communication, then internally map the target’s network so they can route traffic from their malware from system A to system B to system C and back again so they can maintain contact along the way, and also in this way manage to take the data off systems that are blocked from direct access to the internet (POS servers) and blocked from direct access to even other company systems (POS systems).
This is just one hypothetical way of doing this. Every intrusion is different. But it usually starts with an employee of the company with the right access level clicking on some emailed link to get a free ipad, or to discover who loves them, etc.
Perhaps this is another situation where POS malware(aka cash register, checkout, refund station, till etc malware) has been pushed down to a few stores during a POS patch to add new features, or a software upgrade cycle, resulting in compromise. This seems to be a possible common thread among recent breaches, enabling attackers to propagate malware to many endpoints, though of course this is speculative based on limited data on this particular scenario.
However, the only realistic way merchants can foil malware from stealing the mag stripe data is to avoid live card data arriving into the POS, period. For mag cards, and even EMV cards, this entails encrypting up-stream of the POS using contemporary one-way encryption in a logically and physically secured card reader all the way to the payment processing host, beyond the retail store network. This makes a POS malware attack far more difficult than exploiting a networked POS running a standard OS like Windows. The merchant must totally avoid any card entry such as manual keying, swipe, or EMV chip read directly into retail systems in stores. Such entry points need to be replaced with secure readers for card data capture so only secured data passes through retail IT to the host. Once the card data is secured up to the host, previously stored credit card numbers can be replaced by surrogate tokens which have no attack value. Many merchants deploy tokenization today. However, without securing the initial card read where the most valuable data is exposed, such as highly attractive track data, there’s an exploitable gap with numerous malware variants designed specifically for it.
If malware gets into the POS and steals track or card data directly in memory, then nothing can be done in the POS to mitigate. Tokenization of card data directly in the POS, which is sometimes suggested as a defense, would not achieve anything and worse, possibly expose an open tokenization interface itself to the attacker which could lead to higher levels of compromise. The current crop of Malware in the POS, like BlackPOS, steals track data as it arrives into memory instantly. Once grabbed, its game over as the data makes its way out to the malware controllers. Tokenization is only useful when combined with encryption in specially designed card reading equipment for secure end-to-end data capture to eliminate live data in vulnerable systems.
It will be interesting to see how this breach unfolds. In all probability, I would hazard a guess it was quite avoidable through contemporary encryption measures. Other large retailers who have suffered major breaches have already shifted gears to adopt such methods, based on years of success with their early-adopter peers who’ve not had a single incident since deployment.
@Mark Bower – Thank you for saying this EXACTLY as you said it.
It’s unfortunate that the retailers look at a layered security approach of P2PE + tokenization + future EMV implementation, and groan.
“I want to do Return to Original Card with Card not Present… but tokenization is too expensive.”
“I want all of my card data to be encrypted… except when I don’t care and want my cashier to manually key it in on the register.”
“What do you mean I have to have an IT security staff of more than one person?”
“But my customers love that we can look up their transactions by card number and I don’t feel like stabilizing on an enterprise-wide unified token platform with our ecommerce team.”
THEY SHOULD BE SO LUCKY.
Thank you for thoughtful and informative information on this issue. Many state as FACT things that aren’t.
Simply stated the best practice for making sure Malware isn’t able to grab card holder data at POS is to make sure the swiper encrypts the card data in hardware the hardware so the swipe data that is presented to the POS is already encrypted.
“We take the protection of customer data seriously”
Drink! This is said by everyone.
If they took it seriously then why is this happening ?
If I took a drink each time someone said this I would have to have my stomach pumped.
Would also be interesting to find out if their POS systems are still running Windows XP. There is still a lot of XP out there running on POS PCs and kiosks. Extended support from MS allows the merchant to get patches, but that does ‘t mean their XP machines patched.
The embedded version of XP used on POS terminals and other devices is a different form of the OS which remains ‘protected’ with regularly-issued updates from Microsoft through January 2016, rather than the general OS versions for which support ended last April unless you paid MS some pretty hefty bucks to extend that support.
‘Protected’ for Microsoft means a two week window before the next exploit is found.
Please say they won’t offer JUST a year of credit monitoring. It’s a PR Joke and someone needs to step up and do something more.
Got my free year of ID protection after the Home Depot breach.
Opened a Sears Mastercard a month later. Twenty-two days after opening that account the ‘protection’ vendor sent me a text asking if I had opened a new account.
Two weeks ago Navy Federal Credit Union shut off my VISA without notice. When I called to ask why they said that there was a 79 cent charge several states away, was that me? No. They sent me a new card. Haven’t heard from the ID protection vendor about that one yet.
I feel so protected!! Not. These ID protection services are useless pap to calm the masses and avoid doing anything real.
“We take the protection of customer information very seriously, and are working to resolve the situation,” Cautela said. “If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on [in] a timely basis.”
In another word(s); We have been ignorant to the security incidents and poor security postures around us, and we too failed to recognize that a change was needed. We ran the profit gravy train for as long as we could, and now, looks like our infrastructure will get an upgrade. Your PII, if it is not already available to hackers may be now, but we will offer you some worthless credit monitoring, and hey, all will go back to normal soon enough. You all come on back now, ya hear?
That was Easy… 😉
“Staples’s Senior Public Relations Manager Mark Cautela confirmed that Staples is in the process of investigating a “potential issue involving credit card data and has contacted law enforcement.”
“We take the protection of customer information very seriously, and are working to resolve the situation,”
The same tired refrain.
Mr. Cautela should read NCR’s response during the interview with Brian to learn what to say in a real response.
So what’s the difference between taking the protection of customer information VERY seriously, as opposed to just plain old seriously?
Finishing my switchover to cash. I trust the ATM INSIDE the bank. But, I’ll still just withdraw cash from a real teller and use it for the week.
If we could do it in the 60’s-90’s without whining about being “soooooo busy,” then we can do it now just fine.
Wow, the thought of buying vegetables at the grocer’s and doing it anonymously with cash makes me swoon. I might even be called a terrorist for using anonymous cash.
Sticking to cash also helps people stay within a budget….
You can become semi-anonymous : put the serial numbers of the paper money on the Where’s George website.
So here’s the $64,000 question. How does NFC payments screw us or protect us? Looking at Google Wallet and Apple play, it seems like the one time acct number is hard to exploit at this time? So will there be rapid adoption of these systems?
Andy – not that expensive to answer. NFC has its own problems (see www dot nc3.mobi/references/nfc ), plus there are two big drawbacks.
NFC has no application in electronically present (via computer), mobile presence (via smart phone when not physically present) and non-present (ex: from a train without internet access) and those are the growing avenues of commerce. Secondly NFC is expensive for what NFC provides. Not all smart phones have NFC capability (Apple is a recent convert, as of 9/12/2012 they said they would not support NFC – see
www dot allthingsd.com/20120912/interview-phil-schiller-on-why-the-iphone-5-has-a-new-connector-but-not-nfc-or-wireless-charging/) and few stores have it.
A better solution would serve all those avenues of commerce without imposing new costs on consumers (for NFC capable smart phones) or merchants (NFC readers).
Send the $64k to Brian, but don’t use those fancy fakes!
I’m looking at it from this standpoint; I’m seeing more retail outlets accepting NFC at the POS. While I find it funny to see how fast I notice the fraudulent charges after a POS breach, I am getting tired of updating my account information with a handful of recurring charges I have set up. Additionally, finding out out about a breach when you’re out of the country pretty much can screw in getting a new card in a timely manner.
So, does the one time acct number used during POS hacks insulate me from the greater harm of the attack?
The one-time account number can only be used once. Crooks can clone it all they want, the charge should never be approved. (notice the “should”)
As for NFC – it is a communications mode, not a radically different concept. Information you provide winds up in the merchant system where, if there is a weakness, it can be exploited. A swipe requires a physical contact for communication. NFC is a radiating technology and subject to the interception techniques described at www dot nc3.mobi/references/nfc . It also does zippo for transactions other than card present.
here’s the scenario – card “A” from BIG BANK was used @ Home Depot during security breach…BIG BANK issued new card “B” and pin # was changed……credit monitoring offered from Home Depot is in place…….
then card “B” from BIG BANK is used at Staples…..is card “B” being monitored from previous HD breach? Should we now go to card “C” from BIG BANK?….and so on?
Credit monitoring is not going to detect fraud on an existing card. Start using card C right away. That’s the joke of your card being compromised and then getting this stupid gift of free credit monitoring. Credit monitoring would actually be useful if you had your SSN or other personal information stolen. (What’s personal? Think of what credit cards ask to open a new account.)
I have learned the Lowes stores in our area are using IBM’s AS/400 (now renamed OS/400) in their POS systems. I assume that means they are using an OS/400 server in the back end. I would like somebody to comment on whether this makes using a credit card with them safer if you don’t use the credit card any place else compared to most others using Windows (some variant) in their POS systems.
Henry Hertz Hobbit – A long ago I took a AS/400 model B35 from multiple refrigerator sized shipping crates to operation. The “AS” stood for “Application System”. The operating system is named OS/400.
The AS/400 was renamed to the “eServer” series at the beginning of this century. It was renamed again in 2006 and again to “System i”. Many people I know in the industry still call it the AS/400.
Today’s machines are orders of magnitude more powerful and a heck of a lot smaller than what I used. My B35 had twin 500MB DASD each the size of a filing cabinet drawer. It had a whopping 20MB (not GB) RAM. The whole thing took up almost 100 square feet including a file cabinet sized UPS. It used multi-drop wiring to attach 40 terminals into a whopping 8 twin-ax (not co-ax) ports. Ah, the old days. At least I never suffered a green-screen of death!
Would it not be nice , if you suspect 7 staples stores, that you provide the details and let the consumer be aware, and in control of what they want to do to protect themselves, today?
How often are these breaches occurring at companies that do not integrate the customer card data into a POS? If the machine is kept completely separate from the network, and the card information goes nowhere near the POS systems…
Everyone here is ‘yammering-on’ about how wonderful it will be when EMV cards & POS terminals are implemented believing the sun will rise and the world of ‘buy-before-you-earn-it’ will be free of security threats. Hogwash.
What I see locally happening is a resurgence of stores, both large and small again promoting their in-store or small chain credit accounts/cards. I buy gasoline at a chain that now has around 1,800 ‘stores’ that sell gasoline, a few grocery items, some hot and cold food including pizza, lots of fresh brewed coffee, and soda. For many years they only accepted Visa and MasterCard. Recently they have begun promoting their own in-store credit card, where you get a discount when using that card. A small feed store I use is asking their customers if they can simply ‘put it on account’ when a customer they recognize is pulling-out a credit card to pay a bill for a few sacks of feed. “We’ll send you a bill at the end of the month.” The local hardware store and the auto parts store are doing the same thing. They don’t make the ‘offer’ when I pull out my check book. My bank, a well rated and very sound firm no longer has any ATM’s at any of their locations.
I have seen the above local changes over the past 18 months, but growing quickly. I suspect the cause is the same for all the businesses, expense of accepting nationally known credit cards and expense of security. I have also seen some massive national firms I use over the internet, begin to offer me in-house accounts. Many with a discount if I use the in-house account rather than use a Visa or MasterCard. Again caused by excessive discounts being demanded by the well known credit cards and also by the high security costs or Potential Costs.
In the future I see a blended use of in-house accounts and a nationally known credit system that uses EMV or some form of dual verification like Apple Pay. I am not sure EMV is the answer. I am also expecting to see a growth of discounts for cash (where permitted by law) offered by firms that don’t have some form of in-house credit system.
PS: I got an email this morning that one of my nationally known credit cards will be sending me a text for each and every credit card purchase, in real time.
Eaglewerks – “Hogwash”? such language! I’m glad to see it.
In-store (single merchant) charge cards are a return to the past and what may be a very thick wallet. Recognizing a customer and “putting it on account”, that is something I’d like to see. One problem may be that you (as a purchaser of a few sacks of feed) and me (as a seeker of quieter life) appear to live in the lesser populated areas where our merchants actually know their customers. For the majority of the population the consumers are faces in a sea of other faces and there are entirely too many crooks.
Apple Pay has a mixed beginning (see NYT story URL below) but suffers from a proprietary orientation and two basic design flaws. a) the confidential consumer credentials are actually in the smart phone. Yes, it is in a “secure chip”, but we’ve seen “secure” before and it is completely safe, until it isn’t. Impossible just means it hasn’t been done yet. b) The charge card information is on file at your mandatory iTunes account (see NYT story for more) and that has a history of compromises (three references below).
As for EMV – I’ve written before about it being too little bang (limited use in non-card present applications, history of problems from 2007 and more) for too much buck ($100M budget for Target alone).
We can do better.
Molly Wood writes on her use of the nascent Apple Pay
www dot nytimes.com/2014/10/22/technology/personaltech/shopping-with-apple-pay-seamless-in-stores-but-quirky-online.html
Stories from 2011 and 2012 describing iTunes accounts being hacked
As coverage of the apparent hack of the iTunes Music Store expands, so have the reports from readers. … been able to identify victims in at least five foreign countries. … Since the reports are not centered to one particular region per se, it’s likely this has become a worldwide problem for Apple.
From www dot betanews.com/2011/06/08/itunes-hack-goes-global-new-affected-games-identified/
Many of the iTunes users whose accounts have been hacked are increasingly frustrated with Apple’s customer service, saying the company at the very least has dithered in fixing the problem. Some accuse the tech giant of being indifferent to the problem. Most of the amounts stolen are at the low end, ranging from a few dollars to about $500. In most instances, Apple has agreed to restore the lost funds, as a “one-time exception to our sales policy”. The company will not comment on whether they are working on a permanent fix.
From www dot cnn.com/2012/02/07/tech/apple-itunes-hacking/
… victims have had their iTunes credit balances drained, some also saw fraudulent charges to linked credit card and PayPal accounts. … Apple’s insistence on ignoring both victims and the press not only keeps everyone in the dark as to why this continues to occur — from our research, now going on nearly a year — but also provides little solace to those hacked that these hackers do not have a way in that we may not be able to protect ourselves by password alone.
From www dot betanews.com/2012/01/19/itunes-hacked-apple-ignores-it/
I don’t have an iTunes account, but I have seen iTunes gift cards at the local HEB stores. I suppose that’s one way to limit the amount hackers can extract out of an iTunes account.
A couple of years ago I saw PayPal prepaid cards at a couple of Valero-branded gasoline stations, but the store closest to me doesn’t have any so I don’t know if those are still carried.
The old stories about iTunes accounts being hacked have nothing to do with the technical details of the way Apple Pay is implemented.
In Apple Pay, the actual account number for your credit card is never transmitted to Apple’s servers.
The card enrollment process establishes communication between your device and your bank’s servers. Once they validate that you are enrolling YOUR card (different banks use various methods to accomplish this) the bank basically agrees to accept a unique device account number as a proxy for your actual account number – and that account number is stored in the secure chip inside the phone.
From that point on, the only thing related to your account that is stored in the phone is that device account number, and for the device account number to be usable to authorize a charge, it has to originate from the phone along with a unique-per-transaction cryptogram that can only be generated by YOUR device and which the bank validates before approving the transaction.
Apple never gets the account number and doesn’t want to.
The device account numbers are not ever backed up off of the phone – you have to re-enroll your cards if you change phones or even restore your current phone.
Here’s the thing best thing about Apple Pay – it ISN’T Apple’s usual proprietary approach. In this case, they went with an open industry standard (EMVCo Payment Tokenization)… the thing that they brought to bear on the problem was TouchID and the device account number. Other than Touch ID, there isn’t anything in what they are doing that other companies couldn’t do… and I would expect that we will see other companies follow suit in the next year or so.
The biggest thing about Apple Pay that convinces me it is more secure is the terms that Apple as able to get from the card brands – Apple is getting 0.15% of the value of ALL transactions processed using Apple Pay as the method of presentment at retail… with no extra fees being passed along to the merchant or customer. This is coming out of the BANK’s end of the payment fees.
That says to me that the banks believe this will reduce their losses to fraud – they certainly wouldn’t be paying Apple if they didn’t think it would save them more money.
I think you hit that nail right on the head Eaglewerks; and I totally agree. Cowchip-iN-Pen is just an over-glorified expensive way to palm off the responsibility onto the consumer to make them pay for all the loss, and a bloated system that will still not be secure; and despite what I keep reading, rather obsolete. I remember chip cards way back in the eighties, and there is a good reason why they never made it in the US. TOO BIG TO FAIL!!
Do we know the time frame of these possible compromised transactions? It is my understanding that the possible compromised cards were used in store and not through the Staples website. Is this correct?
“If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on [in] a timely basis.”
Oh so you are saying that Staples will be responsible for any fraudulent charges?
Nope, that VISA and MasterCard “Zero Liability” is picked up by the banks (big and small banks). These continued “Zero Liability” fraudulent charges are going to push the small/community banks out of the debit card market. Which is sad, because the small/community banks are the ones that have the proper security, but are the ones eating the fraud charges when the businesses are the ones not being held responsible for their lack of security.
I see a need for a change in the system here…………
Apple Pay is looking better every day.
I guess, it’s a lot easier for banks to detect such frauds as compared to the retailers. Yeah, really! This is because the customers report the frauds directly to the banks, that in return co-relate the fraudulent transactions and determine the exact location of the retail outlet where the fraud actually happened. This is the standard protocol in place. Retailers on the other hand, simply process these transactions that are either accepted or denied by the banks. It should also be noted that banks do not provide the denial reasons to the retailers. They have no logical (no matter how bad that sounds to a merchant like me) reason to do so. This again makes it tough for the retailers to identify frauds. But, its only if the retailers put in a little more effort and invest in reliable technology and actively monitor their environment, they could actually perform a much better job in identifying and preventing data breaches.
I was in there last month and the ‘rent by time’ computers were still on XP and using IE 7. I couldn’t even get Google Drive to load = pathetic. If their public facing computers are in this bad of shape then who knows how outdated their internal systems are. For a company like Staples to lag years behind on updates just to save a few bucks or precious time or whatever, well they deserve everything they get.
[Draft] HACK DAVINCHI 1:07 PM
We are the real deal in all degree of hacking. davinchis sagacity has proofs with confirmation from our numerous clients around the world. Our job is done without any trace. We render the following services at an affordable prize.
+University grades changing
+email interception hack
+email accounts hack
+Grade Changes hack
+Website crashed hack
+upgraded atm hack
+Word Press Blogs hack
+Retrieval of lost file/documents
+Erase criminal records hack
+Sales of Dumps cards of all kinds
+Bank accounts hack
+Individual computers hack
+Control devices remotely hack
+Burner Numbers hack
+Verified Paypal Accounts hack
+Any social media account hack
+Android & iPhone Hack
+server crashed hack
+Text message interception hack
+Credit cards hacker
+We can drop money into bank accounts.
We can also teach you how to do the following with our e-book and online tutorials
* Hack and use Credit Card to shop online
* Monitor any phone and email address
* Tap into anybody’s call and monitor their conversation
contact us at HACKERDAVINCHISAGACITY@hotmail.com