09
Jul 15

Credit Card Breach at a Zoo Near You

Service Systems Associates, a company that serves gift shops and eateries at zoos and cultural centers across the United States, has acknowledged a breach of its credit and debit card processing systems.

Several banking industry sources told KrebsOnSecurity they have detected a pattern of fraud on cards that were all used at zoo gift shops operated by Denver-based SSA. On Wednesday morning, CBS Detroit moved a story citing zoo officials there saying the SSA was investigating a breach involving point-of-sale malware.

Contacted about the findings, SSA confirmed that it was the victim of a data security breach.

“The violation occurred in the point of sale systems located in the gift shops of several of our clients,” the company said in a written statement. “This means that if a guest used a credit or debit card in the gift shop at one of our partner facilities between March 23 and June 25, 2015, the information on that card may have been compromised.”

SSA said it has been working with law enforcement officials and a third-party forensic investigator, Sikich, to investigate the breach.

“Though the investigation into this attack continues, the malware that caused the breach was identified and removed,” the statement continued. “All visitors should feel confident using credit or debit cards anywhere in these facilities.”

The company declined to name the individual locations that were impacted by the breach, but financial industry sources say the breach likely involves SSA concession and gift shops at zoo locations in at least two dozen cities, including:

Birmingham, Ala.
Tucson, Ariz.
San Francisco, Calif.
Fresno, Calif.
Sacramento, Calif.
Colorado Springs, Colo.
Palm Desert, Calif.
Miami, Fla.
Honolulu, HI
Boise, Id.
Fort Wayne, Ind.
Louisville, Ky.
Baltimore, Md.
Battle Creek, Mich.
Apple Valley, Minn.
Cincinnati, Ohio
Tulsa, Okla.
Pittsburgh, Penn.
Columbia, SC
Dallas, Texas
El Paso, Texas
Houston, Texas
Nashville, Tenn.
Salt Lake City, Utah

Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.

In October 2015, merchants that have not yet installed card readers which accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards. While most experts believe it may be years after that deadline before most merchants have switched entirely to chip-based card readers, cyber thieves no doubt well understand they won’t have this enormously profitable cash cow around much longer, and they’re busy milking it for all it’s worth.


38 comments

  1. Donald J Trump, Millionare I own a mansion and a yact.

    We don’t have any zoos around here, just Beaches and the International Speedway.

  2. Kenneth Farley

    Are financial institutions too cheap to implement the chip in credit/debit cards?

    • All my cards are re-issued with chips now. The financial institution doesn’t seem to be the problem anymore, now it’s retailers too slow to accept chip instead of stripe!

      • The Financial Institutions are still part of the problem as they are choosing not to implement the PIN of “Chip and PIN” cards and the PIN is the most important part of the user security of these cards.

        • Actually, it’s not the banks, at least not the small banks. MasterCard and Visa put a fork in Chip and PIN claiming that US consumers wouldn’t be able to master both PIN and dipping their chip card into the new card readers/POS terminals. In addition, MasterCard has created a so-called easy implementation pathway for banks to issue EMV cards, but this pathway only offers Chip + Sig, not chip + PIN. If a bank wants to go Chip + PIN, they add another 12 months onto the timeframe to rollout EMV cards.

          • And one more thing – Visa and MasterCard earn less on a Chip + PIN transaction than they do on a Chip + Signature transaction; another reason they are pushing Chip + Sig (this also is true for banks as well).

    • I think you missed the key point in the article. Both the merchant and the bank need to both support it, otherwise it goes back to the old card swipe. If You want the merchants to do anything you must make them pay the fraud loss. Once the liability shift happens you will be amazed how fast chip and pin goes. Financial Institutions wanted chip and pin 2 years ago.

      • I agree, except we are going to chip and signature, not chip and pin.

      • Not really. Many retailers don’t give two craps about the liability shift, because for a large number of retailers the cost of implementation for EMV is far more expensive than eating the yearly fraud associated with stolen cards. The retailer I work for is one that has decided to not worry about it for now.

        EMV is only slightly more secure than magstripe. It’s chip and signature, so stolen cards work fine, and as long as there are still magstripe cards around, almost all retailers are still going to accept magstripes, so creating a bogus card, once you have the card info, is only slightly harder than it is now.

        • “The retailer I work for is one that has decided to not worry about it for now.”
          I don’t give that theory much life after October.
          The smart retailers are planning to change even though there’s a cost. With a diminishing number of places that continue to accept swipe cards – where do you think that the crooks are going to go?

          It’s like lions hunting a herd – you’re OK in the herd if the herd is big. As more and more animals get safely to high ground, those left start looking mighty worried. And rightly so.

        • Interesting.
          But can’t the issuer deny authorization via magstripe if POS had EMV support and issued card was chip/magstripe?
          That would make cloning of magstripe only for chip/magstripe cards pointless.

      • Think chip/pin is difficult? Just wait to see how much screaming and kicking the retailers are going to do with the mandatory TLS 1.2 requirement of PCI DSS 3.1 next year.

    • Where does that EMV card go into my computer when I am doing electronic commerce? That avenue is growing faster than physical presence. For that matter, my cell phone does not have an EMV reader and mobile commerce is growing too.

      Instead of saddling merchants with $$ for hardware upgrades how about using something that addresses all of today’s avenues of commerce including person-to-person?

      There has to be a better way.

      Jonathan @nc3mobi

      • There is no one solution for everything, and we can no longer afford to sit around and wait for the perfect solution.

  3. I just want to bang my head against my desk. Preventing these breaches just is not that hard. Application whitelisting will nullify almost every attack to steal card data during the transaction.

    Maybe I just need to start a flipping card security consultancy and go help retailers actually secure their POS’s….

  4. Chip Card numbers can still be skimmed as part of a POS malware breach. These card numbers can then easily be used for “Card not present” transactions that are done online.

    These thieves already know where they are going to go – they are going to continue to breach retailers to acquire account numbers in mass quantities and then use them for online transactions. This is evident by the increases in “Card Not Present” fraud seen in other countries where Chip and Pin/Signature is already implemented.

    Chip and Pin is not the panacea that will solve all of the security problems. The real fix for this is for retailers and banks to encrypt and tokenize the card numbers so that if their POS systems are compromised the thieves will not be retrieving usable card numbers in any form (either on counterfeited cards or used online).

    • Nora – you are so right. If the credentials are in the merchant system anywhere as plain text they are vulnerable.

      What merchants don’t have can’t be stolen.

      Jonathan @nc3mobi

      • Though tokenization and P2P encryption will solve a majority of these issues there still is no silver bullet to prevent all types of hacks. Think about Michaels and how they have had their physical terminals manipulated multiple times that caused customers to be compromised. We must continue to be proactive not only as a customer but also in the POS world to try our best to prevent this as best as we can. Security is not just one or two items, it’s layers. Eventually you can get through these layers but the hope is that it will be such a painful experience that hackers will attempt to exploit someone else.

    • This is why Apple Pay is good. The “card number” used for the transaction is not valid on an actual card.

      So it’s mind-boggling that Home Depot STILL refuses it. As well as chip cards (you still have to swipe if you have a chip card).

      Wasn’t being hacked once enough of a lesson ??

      • ApplePay is very good for protecting your card data, but can be used to exploit previously stolen card data. From the user perspective it is great, but from the merchant perspective it has issues. Not mind boggling at all.

      • The reason is that most of these big retailers are members of CurrentC (a dead on arrival direct access to your checking account payment system that wouldn’t cost retailers the fees that Debit and Credit transactions cost).

        As part of being members of CurrentC they have to turn off their NFC (near field communications terminals, CVS, RiteAid did this) so users can’t use alternative forms of payment (ApplePay) until after CurrentC is out. CurrentC envisions sharing all your purchasing information among its retail members, yeah the ones that keep getting hacked. CurrentC seems to have only been drawn up with desires of retailers in mind – which is why it’ll be DOA. Walmart is a prime mover behind it.

        http://www.forbes.com/sites/paularosenblum/2014/10/27/cvs-and-rite-aid-turn-off-apple-pay-why/

  5. What about good old cash, no chip needed?

    • Sure… We would be going back to good ol’ fashioned muggings too. Enjoy having a knife pulled on you? How about a broken nose? Yeah. Let’s go back to cash only.

    • itsmeitsmeitsddp

      Then you get mugged the old fashioned way.

      • itsmeitsmeitsddp

        Ha. I should have reloaded the page before commenting. Andrew beat me to the same comment.

  6. Anyone know the POS system or systems in use at these locations?

  7. I haven’t seen anything official, but I forwarded this to the local news tip line in Tucson. They checked with the director at Reid Park Zoo who says they were not affected.
    I know, third party source, but I figured they would have better chance of getting an answer than I would. :-)

  8. Thanks for the heads-up. I’ve cancelled my card as a precaution.

  9. 24/7 security monitoring can be applied at the POS system level. Merchants can be provided with the mechanism to shut down potential breach activity before it becomes a breach, and be given an audit-trail that can be used to defend against heavy fees and penalties imposed by the Payment Processors and banks when a sustained breach occurs. Merchants can now have the ability to detect any intrusion or questionable internal activity in a timely manner, allowing for faster remediation and response.

    Take a look at http://www.trustedmetrics.com/elastic-soc-point-of-sales/