16 Mar 17

Google Points to Another POS Vendor Breach

For the second time in the past nine months, Google has inadvertently but nonetheless correctly helped to identify the source of a large credit card breach — by assigning a “This site may be hacked” warning beneath the search results for the Web site of a victimized merchant.

A little over a month ago, KrebsOnSecurity was contacted by multiple financial institutions whose anti-fraud teams were trying to trace the source of a great deal of fraud on cards that were all used at a handful of high-end restaurants around the country.

Two of those fraud teams shared a list of restaurants that all affected cardholders had visited recently. A bit of searching online showed that nearly all of those establishments were run by Select Restaurants Inc., a Cleveland, Ohio company that owns a number of well-known eateries nationwide, including Boston’s Top of the Hub; Parker’s Lighthouse in Long Beach, Calif.; the Rusty Scupper in Baltimore, Md.; Parkers Blue Ash Tavern in Cincinnati, Ohio; Parkers’ Restaurant & Bar in Downers Grove, Illinois; Winberie’s Restaurant & Bar with locations in Oak Park, Illinois and Princeton and Summit, New Jersey; and Black Powder Tavern in Valley Forge, PA.

Google’s search listing for Select Restaurants, which indicates Google thinks this site may be hacked.

Knowing very little about this company at the time, I ran a Google search for it and noticed that Google believes the site may be hacked (it still carries this message). This generally means some portion of the site was compromised by scammers who are trying to abuse the site’s search engine rankings to beef up the rankings for “spammy” sites — such as those peddling counterfeit prescription drugs and designer handbags.

The “This site may be hacked” advisory is not quite as dire as Google’s “This site may harm your computer” warning — the latter usually means the site is actively trying to foist malware on the visitor’s computer. But in my experience it’s never a good sign when a business that accepts credit cards has one of these warnings attached to its search engine results.

Case in point: I experienced this exact scenario last summer as I was reporting out the details on the breach at CiCi’s Pizza chain. In researching that story, all signs were pointing to a point-of-sale (POS) terminal provider called Datapoint POS. Just like it did with Select Restaurants’s site, Google reported that Datapoint’s site appeared to be hacked.

Google thinks Datapoint's Web site is trying to foist malicious software.

Google believed Datapoint’s Web site was hacked.

Select Restaurants did not return messages seeking comment. But as with the breach at CiCi’s Pizza chains, the breach involving Select Restaurant locations mentioned above appears to have been the result of an intrusion at the company’s POS vendor — Geneva, Ill.-based 24×7 Hospitality Technology. 24×7 handles credit and debit card transactions for thousands of hotels and restaurants.

On Feb. 14, 24×7 Hospitality sent a letter to customers warning that its systems recently were hacked by a “sophisticated network intrusion through a remote access application.” Translation: Someone guessed or phished the password that we use to remotely administer point-of-sale systems at our customer locations. 24×7 said the attackers subsequently executed the PoSeidon malware variant, which is designed to siphon card data when cashiers swipe credit cards at an infected cash register (for more on PoSeidon, check out POS Providers Feel Brunt of PoSeidon Malware).

KrebsOnSecurity obtained a copy of the letter (PDF) that 24×7 Hospitality CEO Todd Baker, Jr. sent to Select Restaurants. That missive said even though the intruders apparently had access to all of 24×7 customers’ payment systems, not all of those systems were logged into by the hackers. Alas, this was probably little consolation for Select Restaurants, because the letter then goes on to say that the breach involves all of the restaurants listed on Select’s Web site, and that the breach appears to have extended from late October 2016 to mid-January 2017.

ANALYSIS

From my perspective, organized crime gangs have so completely overrun the hospitality and restaurant point-of-sale systems here in the United States that I just assume my card may very well be compromised whenever I use it at a restaurant or hotel bar/eatery. I’ve received no fewer than three new credit cards over the past year, and I’d wager that in at least one of those cases I happened to have used the card at multiple merchants whose POS systems were hacked at the same time.

But no matter how many times I see it, it’s fascinating to watch this slow motion train wreck play out. Given how much risk and responsibility for protecting against these types of hacking incidents is spread so thinly across the entire industry, it’s little wonder that organized crime gangs have been picking off POS providers for Tier 3 and Tier 4 merchants with PoSeidon en masse in recent years.

I believe one big reason we keep seeing the restaurant and hospitality industry being taken to the cleaners by credit card thieves is that in virtually all of these incidents, the retailer or restaurant has no direct relationships to the banks which have issued the cards that will be run through their hacked POS systems. Rather, these small Tier 3 and Tier 4 merchants are usually buying merchant services off of a local systems integrator who often is in turn reselling access to a third-party payment processing company.

As a result, very often when these small chains or solitary restaurants get hit with PoSeidon, there is no record of a breach that is simple to follow from the breached merchant back to the bank which issued the cards used at those compromised merchants. It is only by numerous financial institutions experiencing fraud from the same restaurants and then comparing notes about possible POS vendors in common among these restaurants that banks and credit unions start to gain a clue about what’s happening and who exactly has been hacked.
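The cross-issuer comparison described above is commonly called common-point-of-purchase analysis. The sketch below is an added example, not code from this article or from any issuer: the card ids, merchant names, vendor names and the merchant-to-vendor mapping are all constructed, and the scoring (share of fraud cards minus share of clean cards) is one simple assumption about how to rank candidates.

```python
from collections import defaultdict

# Constructed sample data (not from the article): purchase histories pooled
# from several issuers, keyed by an opaque card id. "F" cards later saw fraud,
# "C" cards did not.
HISTORY = {
    "F1": ["Bistro A", "Grocer G"], "F2": ["Bistro A", "Fuel H"],
    "F3": ["Grill B", "Grocer G"],  "F4": ["Grill B", "Diner D"],
    "F5": ["Tavern C", "Grocer G"], "F6": ["Tavern C", "Bistro A"],
    "C1": ["Grocer G", "Diner D"],  "C2": ["Grocer G", "Fuel H"],
    "C3": ["Grocer G"],             "C4": ["Diner D", "Fuel H"],
    "C5": ["Grocer G", "Fuel H"],   "C6": ["Diner D", "Tavern C"],
}
FRAUD_CARDS = {card for card in HISTORY if card.startswith("F")}

# Hypothetical merchant -> POS vendor mapping; in practice this is the part
# investigators have to assemble by hand.
POS_VENDOR = {
    "Bistro A": "Vendor X", "Grill B": "Vendor X", "Tavern C": "Vendor X",
    "Diner D": "Vendor Y", "Grocer G": "Vendor Z", "Fuel H": "Vendor Z",
}


def common_points(history, fraud_cards, min_fraud_cards=2):
    """Rank merchants that fraud cards visited more often than clean cards.

    Returns (merchant, score, fraud_cards_seen) tuples, best candidate first.
    A busy merchant that everyone visits scores low even if many fraud cards
    were used there.
    """
    if not fraud_cards:
        return []
    visitors = defaultdict(set)
    for card, merchants in history.items():
        for merchant in merchants:
            visitors[merchant].add(card)
    clean_cards = set(history) - fraud_cards
    ranked = []
    for merchant, cards in visitors.items():
        hit = cards & fraud_cards
        if len(hit) < min_fraud_cards:
            continue  # one card proves nothing
        fraud_share = len(hit) / len(fraud_cards)
        clean_share = (len(cards & clean_cards) / len(clean_cards)
                       if clean_cards else 0.0)
        if fraud_share > clean_share:
            ranked.append((merchant, fraud_share - clean_share, hit))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


def vendor_coverage(suspects, fraud_cards, pos_vendor):
    """Group suspect merchants by POS vendor and report how much of the
    fraud population each vendor's merchants explain together."""
    covered = defaultdict(set)
    merchants = defaultdict(list)
    for merchant, _score, hit in suspects:
        vendor = pos_vendor.get(merchant, "unknown")
        covered[vendor] |= hit
        merchants[vendor].append(merchant)
    rows = [(vendor, len(cards) / len(fraud_cards), sorted(merchants[vendor]))
            for vendor, cards in covered.items()]
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


if __name__ == "__main__":
    suspects = common_points(HISTORY, FRAUD_CARDS)
    for merchant, score, hit in suspects:
        print(f"{merchant:10s} score={score:.2f} fraud_cards={sorted(hit)}")
    for vendor, share, names in vendor_coverage(suspects, FRAUD_CARDS, POS_VENDOR):
        print(f"{vendor}: explains {share:.0%} of fraud cards via {names}")
```

In this constructed data no single restaurant accounts for more than half of the fraud cards, and the grocer that most cardholders visit is discounted; only grouping the suspect merchants by shared POS vendor explains every fraud card.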

But this takes a great deal of time, effort and trust. Meanwhile, the crooks are laughing all the way to the bank. Another reason I find all this fascinating is that the two main underground cybercrime shops that appear to be principally responsible for offloading cards stolen in these Tier 3 and Tier 4 merchant breaches involving PoSeidon — stores like Rescator and Briansdump — both abuse my likeness in their advertisements and on their home pages. Here’s Briansdump:

An advertisement for the carding shop “briansdump[dot]ru” promotes “dumps from the legendary Brian Krebs.” Needless to say, this is not an endorsed site.

Here’s the login page for the rather large stolen credit card bazaar known as Rescator:

The login page for Rescator, a major seller of credit and debit cards stolen in countless attacks targeting retailers, restaurants and hotels.

Point-of-sale malware has driven most of the major retail industry credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a ridiculous number of point-of-sale vendors. The malware sometimes is installed via hacked remote administration tools like LogMeIn; in other cases the malware is relayed via “spear-phishing” attacks that target company employees. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).

Finally, if your credit card is compromised, try not to lose sleep over it: The chances of your finding out how that card was compromised are extremely low. This story seeks to explain why.

Update: March 18, 2:52 p.m. ET: An earlier version of this story referenced Buffalo Wild Wings as a customer of 24×7 Hospitality, as stated on 24×7’s site in many places (PDF). Buffalo Wild Wings wrote in to say that it does not use the specific POS systems that were attacked, and that it is asking 24×7 to remove their brand and logo from the site.

 


71 comments

  1. “But no matter how many times I see it, it’s fascinating to watch this slow motion train wreck play out” – If I tweeted I would send this out. Once again, brilliant analysis.

  2. Will the new chip cards still be victimized with this?

    • If EMV Chip and PIN cards are implemented correctly, the PINpad only sends encrypted data to the merchant (either via a direct link or over the merchant’s network) and sends masked card data to the cash register for reconciliation. That has been the case in Australia and much of Europe for years, we down under watch in amazement at the antique US practices.
      John QSA CISA

      • It should be safe. The operand is should. That depends on where the card is encrypted. On the card, safe, at the terminal, unsafe. The terminal is the decided. I haven’t read anything about this yet. But there are universal identifiers that have to be in the clear, such as store, and credit card company. So, the simple guess, would be to copy all data, separate the store, card provider, data, and reverse engineer the data. Might take a minute, or be forever. Recopy to a web card, buy something on the web. See if it works. Fake the addresses and a mule.

    • No, that’s the whole point of both chip technologies (they’re not completely immune to poor implementation, but the risks are tiny compared to those inherent in the mag stripe). The late conversion to chip compliance in the US is what’s driving this current hotbed of fraud – crooks are ‘cashing out’ while they can. Then the focus will shift to card-not-present fraud as it has in chip-compliant countries.

    • Chip Cards are not safe as long as fraudsters can use the copied data at magstripe POS….

      • if stolen EMV data is being used fraudulently by being encoded on magstripes then that’s poor implementation on the part of the issuer. such a scenario is very easy to detect when the stolen data is used by the fraudsters. there is no reason why any issuer couldn’t recognize this scenario and decline the fraud attempts.

    • signaldistress

      So few merchants (not always through their own fault) do not use the EMV technology on their POS systems. Especially the food and hospitality industry

      • I have seen many many fast food places in the US that tape over the “chip card slot” with paper and sometimes say on it, “NO CHIP”.

        I don’t know about many hotels in the US. All of the ones I have seen appear to have a stripe reader in the computer terminal, like a retail store might have, or a separate standalone credit card machine, again using the stripe reader.

        Getting rid of the mag stripe on cards will be like solving the problem of which came first, the chicken or the egg.

        I make an effort to patronize retail establishments that use the chip reader. I even had to demand a chip-enabled card from my favorite credit card issuer, a very major issuer by the way. Yes, I said DEMAND because they still haven’t issued cards with chips on some of their “brands”.

  3. Wow you are like the colonel Sanders of carding sites!
    Nice read, too bad you can’t sue them like Trump would.

  4. IRS iTUNE cards (KRABS)

    “Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. ”

    Yes this is true but there is a time limit and once over that limit then the card issuer won’t reverse the charges due to fraud.

    • Debit Cards & ATM cards have various time limit requirements to report fraud, after 60 days from the date a statement was sent to you and you haven’t reported the loss/theft, you are in deep trouble.

      Credit card liability is limited to $50 max, period.

      Not my opinion, it’s all here:

      https://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards

      Why even use a debit card? Use an old-fashioned ATM card and/or a credit. I use both. But you have to be very insistent with your bank to obtain a pure ATM card. Many of the CS reps don’t know the difference between an ATM card and a debit card. I had this discussion with a BOA CS rep for about 10 mins and it wasn’t rectified until I insisted on escalating to his supervisor. After 5 mins on hold, he came back educated and an ATM arrived in the mail a few days later (with EMV chip).

      BTW, an ATM has “ATM Card” printed on it, likewise for a debit card. Also a debit card has either a VISA or MC logo. An ATM card does not.

      • All an ATM card will do is get you cash. We for instance don’t even offer these anymore. Most people use their Visa cards for convenience and earning rewards. I get what you are saying but since you aren’t liable I don’t think many people really care anymore.

        I think what really needs to be addressed is “friendly fraud” meaning customers lying about what is really fraud. It has gotten out of hand completely.

        • I’m with you on the ‘friendly fraud.’ We’ve built excellent controls for carder fraud and the majority of our remaining disputes are ‘friendly.’

        • Disputed Charges

          I don’t know much about “friendly fraud”, but I guess it does happen with people that have some immoralities.

          One of the biggest pains I have with CC issuers is when I have to educate the CS reps at my CC issuers to read my past credit card usage to see where I use my cards in order to justify my claims of fraud.

          Interesting outcome when CC issuers do make that effort is they find out that the charges are usually a total fraud and not “friendly fraud” or whatever. I have seen this time and again.

          Any CC issuer that does not keep years and years of customer purchase records and payment histories should be run out of business. Purchase and payment behaviors can be a real indicator of what is or is not fraud on a customer’s account and should be used to deny a purchase when the CC issuer thinks the purchase is “out of profile”. In the past (7+ years ago) I had CC purchases denied as “out of profile” until I called to clear the purchase, but it doesn’t happen anymore.

          Then there are the CC issuers that do not teach their CS reps how to properly investigate fraud claims. The CC issuers that maintain actual fraud investigation groups do a slightly better job, but even then when I have spoken with them they still miss the basic details of “customer purchase and payment behavior” and how that behavior profiles a customer’s habits.

          Granted, what I just described IS a form of profiling, but sometimes that’s the only useful tool to identify fraudulent actions.

          Another big pain I have with CC issuers: they make no positive efforts to keep their customer contact data updated. They always depend on the customer to update them, and customers do forget to do that. I think a yearly reminder in the customer’s bill saying something like, “Fill this out and return to continue using our CC for another year.” would be a useful “stick”. Sadly it would likely require a law to implement it. Yes, people would scream about it because they treat their CC like an entitlement (like spoiled kids!!), but they fail to get the real truth that it’s really a valuable privilege.

      • This is why I insist on an ATM-only card from my credit union. The CSR gals just couldn’t get why I didn’t want something with a VISA/MC linked to my checking account. “It’s totally secure, and if there is fraud, we reimburse you.” Yeah, maybe, if I catch it within 60 days. Actually, my credit union is really good and probably would do it within the year, but nothing legally requires them to do so.

        Some new or newly enforced (as of late last summer) banking regs and/or their own internal policies wouldn’t let me have an ATM-only card linked to my checking account – it had to be a debit card with a VISA/MC logo on it. So, I just had them open a savings-only account, and I can transfer funds into it from my checking account from their smartphone app or PC. I do not have a debit card for my main savings/checking, so no fraud can take place there (or if it does occur, it will stick out like a sore thumb), just ebills being sent off, direct deposit in from employers, and transfer to the savings-only account for ATM withdrawals. Even if someone gets my ATM card and pin, there are no funds, and it is not a checking account and has zero over-draft protection (so it’s basically worthless beyond $100 or so).

    • depends on the issuers. some will still reverse the charges even if the max amount of time has passed. we have accepted claims with fraud as old as 2 years.

    • signaldistress

      The last bank I worked for (which was large) would allow people to claim fraud, sometimes more than a year later.

  5. In Australia, all banks use chips on their credit and debit cards. Are these still vulnerable to POS attacks?

    • Most chip and pin implementations in Australia use PINpads which are configured to only send masked card data to the cash register, and they only print masked or even the last four digits on the paper receipt.
      Mind you, that is a bank or PINpad supplier setting, and can be poorly configured. However, all clients I assess have PINpad correctly functioning, essentially intrinsically safe with encrypted data going from PINpad to bank / payment gateway under strong encryption. The merchant has no knowledge of the encryption keys.
      Mind you, the hackers then move to the tier 3 and 4 e-commerce sites…
      John Thomas QSA CISA

      • The card data has to be sent somewhere for payment processing. That’s the opportunity for malware to strike. I very much doubt all banks in Australia utilize a specific encryption implementation, so it’s likely that every PINpad manufacturer has their own implementation of security. Which means opportunity for malware to steal data. That the digits printed on your receipt are masked doesn’t mean much.

    • As long as cards have mag stripes – and there’s somewhere mag stripes are still accepted – they are vulnerable. Even EMV-compliant ATMs swallow the whole card, so normal skimmers can still harvest mag stripes. POS terminals are less of an issue, but I’d never say the risk is zero. I see occasional fraud attempts using counterfeit Australian cards, mainly in Indonesia, India, and the US (whether the cardholder has been to these places or not).

      • The risks are caused by the postponed switch to chip cards – the proper mitigation is that obtaining the magstripe data from your EMV card should be useless to the attacker, as magstripe transactions in chip-capable terminals can be automatically declined if configured so – and within the region it works that way, but currently the cards can still be fraudulently used (as you say) in USA and parts of Asia.

        Once USA finally switches in practice, magstripe data (and PIN) leaks shouldn’t cause trouble for customers of risk-averse issuers, as they can simply configure a full decline to all magstripe transactions (whitelisting whatever parts of Asia/Africa remain iff a customer notifies the issuer that they’re travelling there), cloning of chips AFAIK remains impractical, and card-not-present transactions are secured by 3-D secure systems so stolen card numbers or magstripe data isn’t sufficient for these as well.

        We shouldn’t aim to eliminate leaks of CC data, as that’s not possible – we should aim for a world where publishing all kinds of not-totally-confidential data (photos of your credit card, ID, social security numbers, W-2 records – everything that is expected to be shared/shown to some third parties) etc only removes your privacy but doesn’t enable an obvious opportunity for fraudster’s financial gain. We need to fix the faulty processes that consider possession of this information as sufficient for anything.

  6. Luckily, I haven’t had my credit card compromised yet. As a rule I never use a card where the card reader is not bolted down — from my retail days, one scheme was crooks swapping pinpads with hacked ones that recorded all data — very easy to do if you left it laying on the counter unattended. But as a consequence restaurants are out too, and they seem to be a target for schemes such as this one.

  7. The comment in this blog post about NOT using debit cards bears repeating because many still are not aware. If crooks get your debit card you may not be able to make a fraud claim and they may drain your bank account. Check with your bank to confirm their rules, but in general you do NOT have the same kind of protection that you do with a credit card.

    Lastly, consider using cash again. Not only does it protect you from fraud 100%, it also helps support the businesses you use. The business that receives cash makes a little more profit that would go to the credit card companies.

    • You do have protection with a debit card (at least a Visa or MC) but the problem is your bank account can sit empty for days or even weeks while the bank tries to sort everything out.

    • because no one has ever had cash stolen. good luck getting your cash back from the police.

  8. CC business remains exciting these days. Especially as long as the major leak(s) in hotel business have not been identified and erased…..

  9. There is one thing that I really do not understand. We see really huge data breaches but attacked merchants STILL use POS terminals processing mag stripe only and are a prospective target for another breach. These high risk merchants should migrate to chip terminals immediately to protect clients with chip cards – at least. Many banks issue chip cards but they still suffer from fraud because chip data are not used to process a transaction. It is only fair that all frauds are paid by non-chip merchants/acquirers.

    • liability for the actual fraud transactions is dependent on who has the stronger technology between the issuer and merchant.

      if the issuer is using EMV but the merchant is not then the merchant is liable for all fraud transactions that occur at their terminal. with the exception of some very high profile cases merchants where the breach occurred (not where the fraud spend happened) are not liable for any of the fraud that occurred as a result of their breach. this is mostly due to the near impossible task of proving that the fraud was a direct result of the breach and not some other breach or event.

      • The liability shift targets not the point of leaked data, but the point where the leaked data is exploited, i.e. the merchants that allow crooks to get money or goods using stolen magstripe data.

        When you remove or limit the usefulness of magstripe data, you remove the financial motivation to hack these merchants.

    • also a merchant using EMV does not make them any less susceptible to a breach. the point of EMV is that when you are breached the data is much harder, and in a perfect world impossible, to monetize. what’s happening now is that hackers are going after the low hanging fruit, which is databases containing data from non EMV transactions.

  10. My understanding is that Apple Pay and Android Pay are the safest because they only transmit a one time use encrypted number and the merchant never sees the real credit card number. Can someone confirm?

    • Yes, I am pretty sure most if not all mobile wallets use the same tokenization scheme where the actual card number is never shared with the merchant. Problem is not every merchant accepts tap payments and when they do there are limits. In Canada for example most tap terminals will not work for transactions over $100.

    • Yes and no.
      Every time you load the wallet with a new card, a tokenised card number is generated and used for subsequent transactions. This is the card number used for the contactless EMV.
      The tokenised card number is used until changed by the phone app requesting a new one, typically when the active card in the wallet is changed

    • On average they’re more secure.
      But! If your Android device is compromised, all bets are off.
      I have no idea how Apple manages restoring to devices. But it’s possible that there are risks of cloning the underlying credentials.

      Certainly, when Apple Pay was first released, banks didn’t always properly validate sign-ups, so fraudsters could activate an account with minimal information and then start charging using Apple Pay…

  11. Visa debit cards have zero liability for fraud. The bank has 5 business days to credit the account back once the fraud is reported. In most cases the card is shut down by the bank’s fraud center and the customer is notified so they are well within 60 day timeline.

    • Ha! NOW I know why all the local banks switched to MasterCard!

      Seems like any time the question is “Why?” the answer is “Money.”

    • 5 business days with a zeroed out bank account and bills scheduled to go out sure is a mess. I have one week a month where this would cause total chaos and a lot of work to clean up. I’d rather have my checking account just used to receive employment funds and pay bills (including CC bills). Not that it is impossible for direct debit fraud to occur, but very rare, especially if only your employer has your routing number, and everything else is getting an e-check cut by the bank (w/o your routing number).

  12. Card Reissuer *sigh*

    Brian’s comment about assuming your card is already breached rings true. These processing platforms like 24×7 need to be held accountable by their customers – the merchants. Where is their industry association in this ongoing train wreck? Perhaps a nice fat class-action to wake folks up?

    Arguably it’s the merchant’s reputation that is harmed (though the customer is so inured, he/she doesn’t much care anymore). No one knows who the platform providers are or cares.

    • Whose reputation has been harmed? Target? CiCi’s? Wendy’s? Home Depot? Trump Towers?

      I’m not seeing anyone losing anything (except consumer peace of mind). What I’m seeing is an overwhelming hatred towards hackers. Even Ashley Madison is still fashionable. These companies are still there and are still making money. It’s about taking down hackers. The rest is business as usual. Do you even think that credit card companies are being harmed? We are all living on credit! Well maybe not all but certainly a growing percentage?

      People get angry at the hackers, not the companies that allowed the hacking.

  13. I long for the days when payment standards ubiquitously adopt the protocols present in products like Apple Pay – tokenization, biometrics, geolocation, consumer-friendly multi factor authentication, etc. ISV/VAR’s seem like a huge weak link in the payments industry, with little regulatory oversight.

    BTW – do we know who processes for 24-7 Hospitality Technologies? Would be interesting to know who the acquirer is behind the scenes.

  14. I still argue the other way. A debit card, not tied to anything but the dollar you put on it. Every now and then, I want something online, I load a store bought debit card, and buy it. Much safer than using a credit card. Leave a dollar to keep the card open, and voilà. Checks and credit cards can be compromised. After all, no one checks on the clearing agencies. And they use the same computers that have been shown to be compromised as the businesses.

  15. Hi Brian, really interesting analysis of how POS systems can get infected by malware and affect customers. Did you know that Trend Micro has spotted something similar, a malware called MajikPOS that is targeting payment systems in the US and Canada http://tinyurl.com/kg4sk5z?

  16. Upgrade to EMV terminals and accept tap/contactless payments. that’s the easiest, least resource intensive steps a small business can take.

  17. I love a juicy story in the morning.

  18. I find that I need to keep reminding myself that POS in this context of dismissive vendor management means “point of sale” and not the other, less-charitable meaning…

  19. I wonder if Brian’s compromised cards command a higher price on the carder sites. Or, maybe they just auction them to the highest bidder.

  20. Does this type of hacking have any kind of effect on the restaurants? For instance, would they see a chargeback or have to get a high risk merchant account?
    Or, because it is the POS from an issuing bank, does the fault fall on them only?

    • These things do actually have an effect. It’s all being massively misinterpreted though.

      There are brick and mortar chains all across the country closing down countless stores and locations. This makes a serious national employment problem so much worse. Companies like Macy’s and Gander Mountain. They all claim it’s “online sales” driving customers away. It’s actually the other way around. Not only are people getting tired of dealing with all the political insanity from these companies, shopping there is increasingly being seen as unsafe. This drives customers away. This drives online sales. These companies run with policies, ethics, standards, and practices that are at odds with established American norms. They are shooting themselves in the foot and don’t even see it. With an increasing number of people (millennials in particular) gravitating to doing everything in existence over a cellphone, large segments of the population gloss over it. Couple that with a failing education system and the fact that so few people have any desire to actually understand the how’s & why’s of this technology and the end result is apathy stuck in a quagmire of ignorance. Steve Jobs giving the iPhone to the world changed everything. The government took it and turned it into something very bad. The population got stars in their eyes over its shiny, cool, bling.

      The plain and simple truth is that this is a very different world now and everyone NEEDS to wake up to that realization. It’s time to take some personal responsibility and understand something about what they have.

  21. Hey Brian you ripped me off on a few cards! How do I contact you for support for your dumps site?

  22. Really knowledgeable post. After reading this, now I understand about Google points.
    Thanks for sharing this with us!

  23. I love to read Krebs blog. It’s nice humor

  24. Brian,
    Is there any way that you or any of your readers know of for a hospitality business owner to proactively check their POS systems for the presence of malware? Are some of the systems based on some Windows or Linux flavor for which some anti-malware software might be available?

  25. As a small biz, I receive no less than 3 calls per month of someone trying to offer me a better deal on credit card charges. All physical swipe machines. This is a great phishing-like scam where crooked providers could offer cheaper rates with purposely infected devices all for the bigger pay off.

  26. Guys in USA you will get RFID chip under your skin not on card.
    Don’t forget card fraud only existing coz ultimate goal is chip under skin… in Canada and USA. In UK have bit different things. But USA and Canada prepare yourself for chips.
    In Eastern Europe will be war coz people here not accept.

  27. Barry Henderson

    The problem primarily lies with the credit card companies and the PCI security council. So much emphasis (here in the USA) was put on EMV (Chip and PIN) as opposed to P2Pe (Point to Point encryption) in the PIN PADs (Card readers). The priority should have been to encrypt the data at the point of entry, so even if POS Registers (which are basically PCs) were infected with Malware, the consumer’s credit card data would be protected. But the credit card companies cared more about them (and fraudulent cards) more so than consumers and the retail merchants. If you are a retail merchant with integrated PIN PADs (Card Readers), you better have a P2Pe solution, or at least be prioritizing that over EMV.

  28. Krebs — I expected you to draw some useful connection between the Google “This site may be hacked” advisories and the incidents of malware infestation, but your article leaves me thinking there is no significant connection and it is just coincidence. Did I miss something?

  29. Brian,
    The way you date your stories. For the life of me, I don’t know why you won’t just use March 21, 2017. Or at least 3/21/17. Or ANYTHING else but what you’re using right now. I’ve been coming to the site for years and it makes me something something!

  30. Why even use a debit card? Use an old-fashioned ATM card and/or a credit, Some new or newly enforced (as of late last summer) banking regs and/or their own internal policies wouldn’t let me have an ATM-only card linked to my checking account – it had to be a debit card with a VISA/MC logo on it. So, I just had them open a savings-only account, and I can transfer funds into it from my checking account from their smartphone app or PC. I do not have a debit card for my main savings/checking, so no fraud can take place there. Even if someone gets my ATM card and pin, there are no funds, and it is not a checking account and has zero over-draft protection (so it’s basically worthless beyond $100 or so)