04 Dec 14

Banks: Credit Card Breach at Bebe Stores

Data gathered from several financial institutions and at least one underground cybercrime shop suggest that thieves have stolen credit and debit card data from Bebe Stores Inc., a nationwide chain of some 200 women’s clothing stores.

Image: Wikipedia.


Earlier this week, KrebsOnSecurity began hearing from different banks about a pattern of fraudulent charges on customer credit cards that all had one thing in common: the cards were recently used at Bebe (pronounced “bee bee”) locations across the country.

This author reached out to Bebe via email and phone early Wednesday. Officials from Bebe Stores have not yet responded to requests for comment.

On Wednesday, this author heard from an East Coast bank which had purchased several of its customers’ cards that were being sold on a relatively new cybercrime shop called goodshop[dot]bz. The bank acquired cards from a batch that Goodshop released on Dec. 1, called “Happy Winter Update.” The prices from that Happy Winter batch range from $10 to $27 per card.

The bank found that all of the cards had been used at Bebe Stores in the United States between Nov. 18 and Nov. 28. It is not clear whether the breach at Bebe Stores is ongoing, or whether it began before mid-November 2014.
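The analysis the bank performed above, in which a handful of cards bought from the shop are checked for a merchant they all share and for the date window of those visits, is known as common-point-of-purchase analysis. The following is an added example, not code from the original post; the card ids, merchant names and dates are constructed, and it also reports partial overlaps so the reader can see why a full-share match matters.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the post): a handful of cards a bank bought
# from the fraud shop, with the merchants each card was recently used at.
TRANSACTIONS = [
    ("card-A", "Bebe Stores #112", date(2014, 11, 19)),
    ("card-A", "Grocery Mart", date(2014, 11, 20)),
    ("card-A", "Gas Station 7", date(2014, 11, 25)),
    ("card-B", "Bebe Stores #045", date(2014, 11, 22)),
    ("card-B", "Grocery Mart", date(2014, 11, 23)),
    ("card-C", "Bebe Stores #112", date(2014, 11, 27)),
    ("card-C", "Coffee Corner", date(2014, 11, 27)),
    ("card-D", "Bebe Stores #301", date(2014, 11, 18)),
    ("card-D", "Gas Station 7", date(2014, 11, 30)),
]


def normalize_merchant(name):
    """Drop a '#store' suffix so every location of one chain counts as one merchant."""
    return name.split("#")[0].strip()


def common_point_of_purchase(transactions, min_share=1.0):
    """Return [(merchant, share_of_cards, first_seen, last_seen)] for merchants
    used by at least min_share of the cards, most common first.

    first_seen/last_seen bound the suspected breach window at that merchant.
    With only a handful of cards, very popular merchants (groceries, gas) will
    also appear, so treat anything below a full share as a lead, not a finding.
    """
    cards_by_merchant = defaultdict(set)
    dates_by_merchant = defaultdict(list)
    all_cards = set()
    for card, merchant, when in transactions:
        m = normalize_merchant(merchant)
        all_cards.add(card)
        cards_by_merchant[m].add(card)
        dates_by_merchant[m].append(when)
    results = []
    for m, cards in cards_by_merchant.items():
        share = len(cards) / len(all_cards)
        if share >= min_share:
            results.append((m, share, min(dates_by_merchant[m]), max(dates_by_merchant[m])))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


if __name__ == "__main__":
    for merchant, share, first, last in common_point_of_purchase(TRANSACTIONS, min_share=0.5):
        print(f"{merchant}: {share:.0%} of cards, used {first} to {last}")
```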

The card fraud shop "goodshop[dot]bz" is selling thousands of cards in its "Happy Winter Update."


There is no data to suggest that the apparent card breach at Bebe extends to the company’s online store. The items for sale at Goodshop are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).

The most common way that thieves steal this type of card data is by hacking into cash registers at retail locations and planting malicious software that surreptitiously records mag stripe data when cards are swiped through the machines. The breaches at Home Depot, Target, Neiman Marcus, Michaels and other break-ins first detailed on this blog were all powered by malware that thieves planted on point-of-sale systems.


48 comments

  1. How does it work when a bank buys its customers’ cards? Is there an understanding that the seller won’t sell the info to anyone else? Do the sellers honor the understanding, knowing that if they don’t, the banks will stop buying from them? Do the banks trust that the breach for those cards have been mitigated, or do they issue new cards, knowing that they still probably saved money by cancelling the cards before fraudulent charges came through?

    • Yes, most card shops will only sell each card once, and when a card is placed in one’s shopping cart (yes these sites all have shopping carts) it disappears from the inventory — unless the buyer doesn’t “check out” and pay for the cards — in which case the cards return to the available inventory after some period of time.

      Most of the smaller banks will just re-issue cards that are suspected of being breached.

      • It seems to me there is a fundamental issue with any Bank purchasing stolen cards “back”, no matter how much money it might save them or headaches for the customer. Just think if the United States thought it prudent to start negotiating with terrorists.

        • GL: They’re not buying *all* of their cards back. They generally buy just a handful of the total available (fewer than 10), which is enough to see if there is a pattern in the purchases that would point to a breached merchant. It really doesn’t make economic sense for them to buy back all of their cards, and frankly I’ve never heard of a bank doing that.

          So your comparison to rewarding terrorists is not apt here. By buying back a few cards, they can gain first hand intelligence and confidence to know the source of a breach before the company itself has acknowledged it, and cancel those cards that were in the affected breach window time frame — thereby heading off much more expensive future fraud costs on those cards.

          • Interested in whether the banks identify themselves as “the bank” or go through the buy-back process “incognito” style as a way to uncover these thefts.

            I was really surprised when I read they buy back the cards

            DG

            • More than likely, banks, especially smaller ones, hire this practice out and “security researchers.” The security researchers are doing this legwork for all of their customers collectively, and then reporting back the info to the banks which have hired them.

            • Unless I’m missing something … what possible advantage could there be to identifying themselves? I can’t see any.

        • What do you mean, “if” the US started negotiating with terrorists?
          Bergdahl, multiple releases from Gitmo, on and on…

        • GL – The U.S. has found it prudent to negotiate with terrorists on occasion. Search for “The U.S. Does Negotiate With Terrorists” at foreignpolicy.com to see what I’m referring to.

      • Kinda makes me want to spend some time writing a script that puts large numbers of cards into a cart and leave them till it times out, then do it again, and again… multiple ‘ghost carts’ running from rotating source addresses on different servers… What are the ethics of DOSing these card shops…?

        • Ugh! You just gave me nightmares! DOS’ing these sites is like playing with nitro. This is most likely the Russian organized crime involved with some of these sites.

          Their sense of ‘justice’ is a bit more severe than what most of us are used to.

          Just thinking about going to one of these sites to look around gives me the Heeve Jeevies. IP addresses can be easily traced to physical locations.

          Brian is very brave just to look at these sites.

          Mark Allyn

        • Had the same idea. However, that wouldn’t be very effective on the long term as they would probably change their model to make bundle of cards disappear from the inventory only when paid instead of when it’s added to the cart.

        • Well, if it would be so easy, someone would have already done this just for the sake of competition. There is a big competition among the different groups in this business, so I think this is not a way

  2. Wouldn’t it be easier just to name stores that aren’t breached at this point? How about just telling people to assume every card they have is probably exposed?

  3. Brian, you have an extra “were” in the last sentence.

    On another note, I’m thoroughly enjoying “Spam Nation”. Great work, as usual.

  4. Attacks on POS systems seem to be steadily increasing. I wonder how long it will be until consumers start feeling it, en masse. If organised crime actually organised itself better it would be disastrous!

    • What are customers feeling? They are not responsible for the charges anyway so I don’t think it’s something that really bites them unless I am missing something? Americans love to shop on credit, no way they give that up.

      • What’s wrong with shopping with credit? That’s how credit works; you use it, then pay it off which increases your credit which decreases your interest rates and increases your ability to borrow larger amounts of money as needed. The only time using credit is a problem is when you have trouble paying what you owe.

      • You might not be responsible for the bogus charges, but ultimately someone pays for it, and the banks are just going to pass along those costs as higher fees.

        And one could argue that the cost of a breach also includes the need to be more vigilant in checking credit card statements for fraudulent charges, the costs of using credit monitoring services, and the potential for identity theft which can be a real pain in the neck if it ever happens to you.

        • I would argue that if the card companies force the installation of chip and PIN for every transaction then all of that cost would be passed on to the consumer and it would be much higher than dealing with some fraud here and there. Plus people think chip and PIN is some magical fix; tell me how you insert that chip when you go to buy something from NewEgg?

      • As I understand it as a consumer you are not responsible for the direct losses but this can still mean considerable losses on flow on effects like late and dishonoured payment fees and so on even if you recover all of the original losses.

        Also it is just a considerable disruption to the persons life in many cases. I think it is far from being something you can just shrug off easily if it happens.

  5. I noticed a new security technique shopping at an office supplies store. The POS terminal popped up an color image of the card I used and the clerk compared it to the image. Not the signature, of course. No one does that. It’s interesting because this really is a technique to protect the store from cloned card losses. I wonder if their POS s/w is up to snuff too or they just figure the banks take the hit?

  6. One more credit card security breach to add to the LONG list that has happened this year. Businesses, online and in store, should be having their websites and credit card terminals scanned to PCI standards as it is a requirement. For more info http://trust-guard.com/p213-24652

  7. What’s a reasonable estimate before the Registrar internetX (psi-usa.info) suspends goodshop[.]bz ? Dehosting by CloudFlare (US-based, proud hoster of carders)?

    http://whois.domaintools.com/goodshop.bz

  8. Brian has a good article in the Men’s Journal magazine (Dec issue) that touches on this very thing. If you saw last Sunday’s 60 Minutes special with the CEO of FireEye, this gives you the reality of what’s happening in the cyber world. And it has been going on with $$$ at the helm since 1998. It’s a very big business and there is no retailer that is immune from it. I have educated my entire family on only paying with credit cards, but cash is safest. May not be the most convenient, but neither is dealing with a compromised cc account or ID theft. Our adversaries & miscreants know us better than we do. We are so predictable at a corporate level and consumer level and they prey upon it. Assume every infrastructure and company is compromised.

  9. I’m glad Brian pointed out in his Black Friday for crooks article that we might as well consider all our retail stores as compromised; because I’ve thoroughly believed that to be the case for some time now! :(

  10. Dr. Zackary Smith

    This just keeps going on and on, one retail breach after the other. It’s incredible that big banks have not pushed harder for wide use of chip and PIN cards with better encryption at the P.O.S. device.

  11. I’ve really evolved my use of credit cards in the last year, and I have to say that I am comfortable with where I have landed.

    First off… I’ve never used debit cards at retail point of sale (either for PIN-based or signature-based transactions)… it isn’t worth the hassle of potentially getting my checking account drained of cash and dealing with possible overdraft fees and bouncing checks for payments I have scheduled out of the account.

    For credit cards, I used to use pretty much one card for all of my retail and online purchases… that way I only had one statement to review each month – but it got a LOT of traffic, so I was spending a lot of time all at once reviewing dozens of transactions.

    I got caught up in the target breach last year – no fraudulent charges, but my bank reissued my card – and had the hassle of having to change all of the auto-billed subscriptions from the old account number to a new one.

    So I took the opportunity to do the following:

    1. One card is dedicated to ONLY being used for auto-billing, recurring billing relationships. That card is never used at a retail point of sale. It is used for about 10 or so regular rebilling relationships that I have with merchants (cable co., cell phone, EZ Pass tolls, etc). I might have to change this card some day if one of those specific online merchants has their online database hacked, but the exposure of that card is much smaller than my daily purchase card.

    2. I have one account that my wife and I used for daily purchases and that one is allowed to be swiped at retail point of sale. That account happens to have a different card number for each of us – even though it is the same account and all charges appear together. Similar to what AMEX does, but this is a MasterCard.

    3. If the primary point-of-purchase account ends up being breached, we have a third account that is active, but dormant, and we switch to using that card immediately – for at least the length of time it takes the bank to get us a replacement for card #2.

    This system has served us well since we switched to it earlier this year. There is no worry about having to re-enroll all of those utility/cell/cable bills with a new automatic billing arrangement, and we did have fraudulent charges appear on our daily use card ($2500 of charges from a Nordstrom in Miami – we live in PA and have never been south of Orlando). Our bank contacted us immediately, we told them that they were not our charges and the card number was re-issued. We switched to the other card for the remainder of that billing cycle, paid it off at the end of the month and went back to Card #2 (we like the rewards on that card better).

    No real inconvenience at all – except for the fact that I had to remember to swap out the card I was carrying in my wallet with the backup card before I left home that day.

  12. Its a pain, but how far out are we from doing MFA on every transaction? I swipe my card at Acme Bricks & Mortar, and a few seconds later my phone gets a text with the corresponding one-time PIN for that transaction. Go ahead, make a digital copy of my card – without physical possession of my phone, you’ll be wasting your time. Inconvenient? yes. More secure? certainly.

    • Eric – what happens when I forget my phone? Or, I am one of the tens of millions who don’t have a phone? Or, I am in a dead zone for my carrier? Or in an airplane buying a drink? Or have a contract that charges me for each text message?

      The hours spent processing every transaction (at least in part) twice is huge and the traffic generated is significant compared to the total volume of traffic already in use.

      There is at least one better way.

      Jonathan @nc3mobi

  13. I think this is a trend. Maybe Target was a beta ground, a POC to see if it could be done. BeBe is expensive! Brian in his 60 minutes interview said that one of the factors on online sales is Credit Limit!

    Maybe they are tired of selling cards for an avg of $20.
    Hacking into a much higher clientele service or retail vendor to find higher credit limit cards seems to be the logical progression.

  14. What was the OS in all the POS systems in all the breaches?

  15. How did the theft happen, i.e. how do the stores acquire the transaction from the customer? What type of POS devices do they use? Any information to share?

  16. Hi Brian,

    Every so often I receive some spam promoting a porn vid. I’ve clicked on it with a proxy. It links to a hacked website, redirecting to a porn website.

    Below is one of the latest spams I’ve received. Do you know if many other users receive this kind of email? Do you know who is behind it? How to stop it? It’s awful.

    Busty driver Shelby Moon
    together, to organize, to rehearse.”

  17. Funny thing about all of the breaches is that most of these companies have a distribution center or a fulfillment center. That alone sets off a bell because as an IT tech I can say it is very easy for a person to drop a payload as a Joe Schmoe employee in such a facility, as I have witnessed. A lot of the workstations are not locked down or, if they are, circumvention is only two keystrokes away. I can only imagine how weak some corporate offices are.
    I was canned from a pretty good job for the mention and solution; however the record will show otherwise according to the company.

  18. Brian, thanks for bringing this to my attention.
    I contacted InterNetX who is the registrar of goodshop.bz and alerted them to your article. Now you will find that the domain has new name servers
    Name Server: ns1.locked-by-rdn.name
    Name Server: ns2.locked-by-rdn.name
    Created on 2014-10-07 – Expires on 2015-10-07 – Updated on 2014-12-09