31
May 17

Credit Card Breach at Kmart Stores. Again.

For the second time in less than three years, Kmart Stores is battling a malware-based security breach of its store credit card processing systems. kmart

Last week I began hearing from smaller banks and credit unions who said they strongly suspected another card breach at Kmart. Some of those institutions received alerts from the credit card companies about batches of stolen cards that all had one thing in common: They were all used at Kmart locations.

Asked to respond to rumors about a card breach, Kmart’s parent company Sears Holdings said some of its payment systems were infected with malicious software:

“We recently became aware that Sears Holdings was a victim of a security incident involving unauthorized credit card activity following certain customer purchases at some of our Kmart stores. We immediately launched a thorough investigation and engaged leading third party forensic experts to review our systems and secure the affected part of our network.”

“Our Kmart store payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls. Once aware of the new malicious code, we quickly removed it and contained the event. We are confident that our customers can safely use their credit and debit cards in our retail stores.”

Based on the forensic investigation, NO PERSONAL identifying information (including names, addresses, social security numbers, and email addresses) was obtained by those criminally responsible. However, we believe certain credit card numbers have been compromised. Nevertheless, in light of our EMV compliant point of sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited. There is also no evidence that kmart.com or Sears customers were impacted.”

Sears spokesman Chris Brathwaite said the company is not commenting on how many of Kmart’s 735 locations nationwide may have been impacted or how long the breach is believed to have persisted, saying the investigation is ongoing.

“Given the criminal nature of this attack, Kmart is working closely with federal law enforcement authorities, our banking partners, and IT security firms in this ongoing investigation,” Sears Holdings said in its statement. “We are actively enhancing our defenses in light of this new form of malware. Data security is of critical importance to our company, and we continuously review and improve the safeguards that protect our data in response to changing technology and new threats.”

In October 2014, Sears announced a very similar breach in which the company also stressed that the data stolen did not include customer names, email addresses or other personal information. 

Both breaches involved malware designed to steal credit and debit card data from hacked point-of-sale (POS) devices. The malware copies account data stored on the card’s magnetic stripe. Armed with that information, thieves can effectively clone the cards and use them to buy high-priced merchandise from electronics stores and big box retailers.

At least two financial industry sources told KrebsOnSecurity that the breach does not appear to be affecting all Kmart stores. Those same sources said that if the breach had hit all Kmart locations, they would expect to be seeing much bigger alerts from the credit card companies about accounts that are potentially compromised.

All Kmart stores in the United States now have credit card terminals capable of processing transactions from more secure chip-based cards. The chip essentially makes the cards far more difficult and expensive to counterfeit. But not all banks have issued customers chip-enabled cards yet, and thus this latest breach at Kmart likely impacts mainly Kmart customers who shopped at the store using non-chip enabled cards.

Visa said in March 2017 there were more than 421 million Visa chip cards in the country, representing 58 percent of Visa cards. According to Visa, counterfeit fraud has been declining month over month — down 58 percent at chip-enabled merchants in December 2016 when compared to the previous year.

Sears also has released a FAQ (PDF) that includes a bit more information about this breach disclosure.

Tags: , ,

66 comments

  1. Grey Peterson

    Man, I’m glad I use a chipped card as often as possible.

    • You sure Kmart isn’t recording your mag strip data as well? Some chip-n-pin POS devices do both.

      • They can’t record your mag stripe data if you don’t swipe the mag stripe.

        • What identifier would be different in the chip vs. Magstrip? Just one. A totalizer. Otherwise the card company would have duplicate files for one card. That would waste their space. That cost them money.

          • @Jim

            You should resist commenting when you clearly know nothing about a topic. Mag identifies with cardholder data that can be replayed or written to another mag card, whereas Chip identifies with a one-time-use disposable token generated on the fly after an encryption handshake with the issuer that can never be replayed or reused based on the chip’s unique encryption key which is not exposed to the payment terminal. Yes this is duplicate identification. No the cost of storing a few extra bytes of identification is not cost prohibitive, and positively saves money by the fraud it prevents.

    • Angela Parker

      I use chip card and was just notified my card was compromised from using it at Kmart.

    • My credit card has a chip and got deactivated because of the Kmart situation. I thought that the chip was supposed to stop your card from getting frauded but apparently not.

  2. Malicious malware?
    Is there a benevolent sort? I figured it was all malicious :oP

    • Some Malware has been known to try and seal security holes. Especially with regards to Mirai vulnerable devices. Mind you, this still can include bricking the vulnerable device, but it still is trying to do something good.

      • Robert.Walter

        If it does good things, it’s not malware.

        If there is no term, I propose:

        “Beneware” from Benevolent + Ware

    • icantstandrew

      “Malicious Software.” is the quote you’re referring to and that means “Malware.” Read carefully.

  3. IRS iTunes Card

    Kmart are they even relevant anymore?

    One word for Kmart/ Sears Holdings ” Bankruptcy”

  4. Since introducing the chip cards, counterfeit fraud has been declining. Wow what a surprise, considering the other half of the world has had chip cards for many years, i’m still astounded the US hasn’t caught up and still using signatures.

    • Lost/stolen fraud isn’t great enough for issuers to justify PIN–at least for now. I think there’s also still a hope that people will skip straight to mobile wallets, which would provide a lot of the same benefits that PIN does.

      That’s not to say there aren’t other reasons to at least have PIN as an option, however. (Compatibility with unattended terminals overseas, for example).

      • @Matt
        Dodd-Frank law and Durbin Amendment significantly delayed adoption of EMV in the USA by creating requirements which lawmakers hoped would benefit retailers at the expense of banks. They didn’t understand how EMV worked though and the USA had to create its own separate EMV system to cope with the requirements. Your chip card has two EMV protocols on it – USA, and everywhere else. We had to implement EMV twice in a sense. Add to that the fact that Europe subsidized the move – the taxpayers paid for it.

        @tmiw
        Lost/stolen fraud is absolutely great enough to justify, but many retailers, including some large ones like Lowes, still haven’t gotten their EMV sorted out as of today in June 2017, and cannot yet accept EMV with a PIN.

        Add the shock and ignorant distrust of the chip, and in some cases the signature is also a way to ease large swathes of customers into the idea that EMV is actually good. The number of people who cannot or for whatever reason will not use a PIN (usually some absurd idea about security that they invent on the spot) would astound you. Gotta keep them using their cards to keep that interchange fee revenue coming, but their habits are slowly changing.

        PIN only is going to take a little longer.

    • US retailers still haven’t figured it out.

      The gas station near me recently switched to chip based authentication.

      Before the chip, it was just slide and go for transactions less than $50.00. Had to sign the slip for charges >50.

      With the chip, they require signatures for every transaction.

  5. Customer exposure may be greater than people think, even if they used chip-enabled cards. A lot of online stores don’t ask for CVV2 or verify billing addresses with AVS (Amazon is a big example of such a store); if Kmart didn’t enable P2PE when they started supporting EMV, the criminals responsible probably still got enough information to spend other people’s money.

    Anyway, this just goes to show that we need to improve security on the card not present side as well, which unfortunately doesn’t seem to have been given nearly enough attention by the relevant parties.

  6. Bria;n, Whilst I enjoy your informative stories, do you think you can make it clear at the beginning what geographical location the store is related to /affected by? Your Kmart story is just for the US or does it affect Australia or other regions?
    Quote ” They were all used at Kmart locations.” and
    Quote ” All Kmart stores in the United States now have credit card terminals ”

    cheers and thanks

    • Just the US. Kmart in Australia just has a licence agreement to use the name and logo so they are different companies and would have different infrastructure. If they were affected it would be noted by the Kmart Australia.

  7. These large hacks seem to be getting worse. Thankfully it appears no personally identifiable information was breached.

    You can see if your online accounts have been compromised in other data breaches at https://www.HEROIC.com

    • Joseph Pierini

      The web site you’re recommending is a commercial version of a free resource: https://haveibeenpwned.com/

      • After havibeenpwnd I changed a few passwords which had slipped through my dragnet (older ones before I started following Krebs).

      • JEFFREY D SIMMON

        Hmmm…why does the URL for haveIbeenpwned.com, show as LOCKICON “Have I been pwned (Troy Hunt) [AU] https://haveibeenpwned.com“? Is Troy part of the legit website? The URL for Krebs site shows as LOCKICON “Secure https;//krebsonsecurity.com…”

        • Matthew Parkes

          I don’t understand what you mean, a lock icon in a browser refers to the site being served over https using a TLS (Transport Layer Security) certificate which means it’s a secure site.

          What is the problem?

  8. If Kmart processes credit card transactions, they must comply with the The PCI Data Security Standard (https://www.pcisecuritystandards.org/)

    “PCI DSS is the global data security standard adopted by the payment card brands for all entities that
    process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that
    mirror security best practices”

    Requirement # 5 says

    “Protect all systems against malware and regularly update anti-virus software or programs”

    A QSA Qualified Security Assessor (QSA), an independent security organization, must validate the company is adhering to the requirements.

    so the question is..how can a data breach take place if the requirements were fulfilled? Who was the QSA in this case? And what anti-virus software were they using that the malware was undetected? “Our Kmart store payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls.”

    • Malware that is undetectable by AV is not that uncommon. AV definitions are published constantly as new malware variants appear or existing malware evolves.

      PCI is a layered approach, more than one control failed here, not just AV scanning.

      The PCI review by your QSA is only a point in time review so while their system might have been compliant at the time of review they can easily fall out of compliance.

      This is why P2PE has become the “gold standard” in this space. You cannot lose something you never handled.

    • Compliance with PCI is “necessary but not sufficient”.

      PCI started taking effect in 2005. Every company processing over 6MM transactions annually has to be PCI certified each year by a QSA.

      Companies are still getting breached in spite of being certified by their QSA. Smart retailers understand that the PCI-DSS is the minimum security standard for securing systems that store, process, and transmit data. Many large retailers are going beyond PCI and implementing sophisticated, defense in depth security strategies.

      Payment card fraud is a $17 billion/year industry. Tens of thousands of criminals make their living in this industry. They adapt, they collaborate, and retailers need to respond accordingly.

    • “Ohhh… it was an advanced for of malware… we can’t be expected to have prevented it”

      I don’t buy it, other requirements could have prevented the incident.

      PCI-DSS 3.2.1 Do not store the full contents of any track after authorization?

      Perhaps the terminals were not encrypting the card data?

    • The core of the issue: Security projects are a net cost with no return for the manager/exec suggesting it. Which means no promotion for doing this project. This is the CORE of all your retail problems. I’ve been in retail IT for 30 years, I’ve designed complete solutions that would have easily caught and fixed any CC breach that Krebs has reported in the last 5 years. But they will never be fully implemented even if you used Opensource/cheap solutions. See there is no sexy promotion for this kind of thinking.

      Most are happier pushing off the responsibility to a security chief that takes the full brunt of the fall later. And if the CIO and CEO gets fired, then its promotion time for those that remain.

      The core of the issue is the LACK of rewards for doing the correct job. Blaming it on AV products is hilarious to anyone with more than half a brain on this subject. Its smoke screen number 300 for C suite trickle down beneficiaries. Another lie that most consumers are too ignorant to understand.

      The bigger lie: Using credit/debit is better than cash, use cash, no problem. Paying a usage fee per transaction is a huge scam, just like usury and the rest of our monetary system. Sorry just a bit off subject, but people are just not learning fast enough.

  9. Spread the word…

    CASH is King! No fraud, no tracking.

  10. Unfortunately, Chip & PIN alone cannot and does not secure against credit card fraud. The majority of the EEA and UK utilize Chip & PIN, but credit card fraud is still prominent.

    Payment card fraud is being actively worked on by the payment card industry, last month MasterCard revealed a credit card with an embedded fingerprint sensor in an aim to reduce fraud levels and increase consumers confidence in card security measures.

    Will mobile payment wallets be anymore secure? Unlikely given how easy it is to introduce banking trojans and malware into the app stores. Just this week it was reported that over 35 million Android users were infected with malware installed from the legitimate Google Play app store.

  11. Mary Ann Cruise

    I think KMART will be around for along time. Better prices and clothing.

    • I live in one of the 10 largest cities in the U.S. and there is not a single KMART in town.

  12. @Brian, thanks for the read. Sad to see an already dying chain have to go through this once more.. Also, not sure if you were making a pun or if you noticed, but in your first paragraph: “ome of those institutions received alerts from the credit card companies about batches of stolen cards that all had one thing in comment: They were all used at Kmart locations.” I believe you meant to put “common” instead of “comment”. Not trying to pick the bad out from the good, just making you aware. Have a great day and thanks for all you do!

  13. “There is also no evidence that kmart.com or Sears customers were impacted.” WRONG!

    Sad to say I was a victim. Both my husbands and my card were comprised at kmart pharmacy within the last month.

    • Travis Nichols

      Jacey,
      They specifically reference kmart.COM.
      Did you use your card online or in the Physical Pharmacy location?
      -T.

      • Used in person. That was the only location that my hubby ever used his HSA card was that that Kmart Pharmacy while picking up perscriptions.

        • And therein lies the problem. Your husband used (likely) a magnetic stripe HSA/FSA card.

          I will never use an HSA/FSA card, not because of the security risks, but because they do not earn rewards like a credit card does. And if a credit card account is breached it’s a bank credit line that’s affected, not your personal checking or savings account.

          At least your HSA card is tied to a HSA savings fund which is not your personal bank account. But this is still your personal funds and I’m sorry you’ve got to sort through the mess.

    • If anyone has shopped at Kmart or Sears within the last 3 weeks and used there bank card, I would call your bank immediately. I just received a new bank card in the mail and I had just received a new chip card a few months ago with I called my bank to find out what was going on and she said that my previous bank card ( the one that I have been using all along ) was compromised, due to a data breach at the point of sale at k-mart on May 31, 2017. So I have been using a compromised card for 3 weeks now and had no frkn idea because I would not have known about it if i had not called my bank today because I got a new card in the mail!! So my bank deactivated my old card today, since I received the new one, and I cannot use it as a debit because my pin number did not come in yet!! Really!! UGH!! Here is the link to what happened. Yes, I had to search for it, because my own credit union could not give me a heads up weeks ago!

  14. They later said “Everyone who shopped at a Kmart in the last 90 days may have been compromised. Per government rules, both customers have been notified and offered credit monitoring.”
    Zing!

  15. Another breach that would have been prevented with basic firewall rules.

    Payment systems should always be on restricted networks with explicit FW rules. Even if a terminal came to them infected brand new in the box, it should never be able to access the internet.
    Every breach like this is from negligence.

    • It’s likely that one or more steps weren’t being followed. But with some locations closing, it’s unlikely that the IT Security department is getting resources to do everything that should be done. Just enough to squeak by PCI compliance.

    • Strict firewall rules alone are not enough. The POS terminals in the first big Target breach had no direct access to the Internet. They were also segregated from the general internal network. The bad guys were able to infect by hopping the network point to point. CC numbers were ex-filtrated via a server that the POS terminals could access.

  16. I would be very interested to know how many of the compromised cards were *chip* cards that had been *swiped*. I see it several times each week, so it must be extremely common.

    While it is true that even EMV is not perfect, swiping an EMV card is blatantly risky behavior.

    • The Chipotle breach is far more than a local story. I’m surprised that Brian has not covered it.

  17. Wow, this really sucks for the 17 people who still shop at KMart!

  18. Another 18 credit card numbers down the drain…

  19. Sears and Kmart: Dead stores walking….

  20. Seems to be at another merchant processing PINless Debit through the regional networks to save a little on interchange compared to Visa. There is a trend here!!!!!

  21. Tired of breaches already

    Attention Kmart shoppers! We have a Red Light special right now at our registers, buy one and a bad guy gets one free (using your card!). Quantities (the bad guy can purchase) are unlimited!

    After Kohl’s sent me a birthday coupon on the month of my birthday, somehow ascertained from my using a CC at one of their stores (nosy SOB’s), I stopped shopping at Kohl’s. At most such stores I no longer use CC’s or debit cards, only cash. Question. Did the CC company give out the info or did Kohl’s do research on me to find the the b’date? Creepy, no matter how they did it.

    • You will get mailings even if you use cash. I’ve heard customers not using their credit card still get mailings when they check on products they are considering to buy.
      Marketing companies buy customer list in order to drive the sales to the store.

      Just to give another case: when I move back from another state, I got a marketing material from the local community college something I never checked on in the first place.

  22. My credit card was compromised and the last place I had used it was online order from Kmart. Its no wonder the company is losing business. When call I got the Philippines and when I asked for someone in the USA they transferred me to the Spanish representative. My card is compromised and they want me to talk to philippine who we can’t trust or the Spanish that is God knows where. K-mart/sears sure isn’t giving out much information. Why do we have to talk to foreigners? I will never ever purchase anything from k-mart or sears again. I hope they fall into the pits of hell.

  23. Me gustaría q hubiera una tienda kmart a qui en Dallas tx. Perq me gusta mucho la ropa para niñas.

    • helpful translation

      I wish there was a Kmart store here in Dallas TX. Perq I really like the clothes for girls

  24. More and more I am finding Apple Pay merchants. Repeat business is with Schnucks Grocery (1-2 visits each week) – their bad security before Apple Pay forced me to replace my debit card; Kmart – once burned, no longer shop there; Walgreens (2-3 visits each month), Paneras (2-4 visits a week) but their kiosks don’t accept Apple Pay while counter units do – I always buy at the counter, Shoe repair – a little store a mile from home!

  25. So when do we file a class action lawsuit against the NSA and the US Government. Leaving all of the hoarded vulnerabilities on an unprotected server is inexcusable, as is not protecting the population against them to begin with. Who exactly is our government working for, surly not we the people. At least the past election proved we are mad as hell and not going to take it anymore. If you are in favor of the Paris agreement you pony up the first Billion dollars John Kerry, your wife can afford it. Doesn’t sound as if the machines themselves have been compromised. I haven’t made a purchase on line in years, and get the cold shoulder at retail locations when ever I mention card security. I don’t like carrying around too much cash as the authorities have taken it upon themselves to take what they want and call it drug money. Good thing the economy seems to be taking off, it won’t take much more do destroy confidence in our system of finance.

  26. This is what happens when you pay people barely enough to survive. They are too scattered to notice a sly criminal put something on their card readers, or worse – they act in cahoots with them for a badly needed cash payment.

    The good news for consumers: brick and mortar retail is dying a quick death, so more people will have to go online. There are security concerns there too, but the average site owner is more vigilant about security than your average K-Mart cashier.

  27. Someone s hacking into my phone for this kmart app

  28. Many merchants are transitioning to Android Pay/Apple Pay will find repeat business from customers who use it.

  29. I can’t believe a country like the US still uses magstrips and signatures. Chip & PIN have been compulsory for all retailers in the UK for almost 10 years now. I haven’t seen a magstrip swiped since I was a kid.