The Buckle Inc., a clothier that operates more than 450 stores in 44 U.S. states, disclosed Friday that its retail locations were hit by malicious software designed to steal customer credit card data. The disclosure came hours after KrebsOnSecurity contacted the company regarding reports from sources in the financial sector about a possible breach at the retailer.
On Friday morning, KrebsOnSecurity contacted The Buckle after receiving multiple tips from sources in the financial industry about a pattern of fraud on customer credit and debit cards which suggested a breach of point-of-sale systems at Buckle stores across the country.
Later Friday evening, The Buckle Inc. released a statement saying that point-of-sale malware was indeed found installed on cash registers at Buckle retail stores, and that the company believes the malware was stealing customer credit card data between Oct. 28, 2016 and April 14, 2017. The Buckle said purchases made on its online store were not affected.
As with the recent POS-malware based breach at Kmart, The Buckle said all of its stores are equipped with EMV-capable card terminals, meaning the point-of-sale machines can accommodate newer, more secure chip-based credit and debit cards. The malware copies account data stored on the card’s magnetic stripe. Armed with that information, thieves can clone the cards and use them to buy high-priced merchandise from electronics stores and big box retailers.
The trouble is that not all banks have issued chip-enabled cards, which are far more expensive and difficult for thieves to counterfeit. Customers who shopped at compromised Buckle stores using a chip-based card would not be in danger of having their cards cloned and used elsewhere, but the stolen card data could still be used for e-commerce fraud.
Visa said in March 2017 there were more than 421 million Visa chip cards in the country, representing 58 percent of Visa cards. According to Visa, counterfeit fraud has been declining month over month — down 58 percent at chip-enabled merchants in December 2016 when compared to the previous year.
The United States is the last of the G20 nations to make the shift to chip-based cards. Visa has said it typically took about three years after the liability shifts in other countries before 90% of payment card transactions were “chip-on-chip,” or generated by a chip card used at a chip-based terminal.
Virtually every other country that has made the jump to chip-based cards saw fraud trends shifting from card-present to card-not-present (online, phone) fraud as it became more difficult for thieves to counterfeit physical credit cards. Data collected by consumer credit bureau Experian suggests that e-commerce fraud increased 33 percent last year over 2015.
How did the malware get installed?
Possible scenarios of malware installation on POS... Let's try to rank them by most likely probability. You can think along the same lines about how Stuxnet got installed on the Iranian nuclear facility computers a while back.
1. Malicious actor used a USB thumb drive with auto-run malware and attached it to the POS Windows station when no one was watching. This actor is not only limited to customers but can include 3rd-party contractors and even rogue/unwitting employees, either temp or perm. Malicious software propagated through the internal network with relative ease due to lax controls.
1a. Unknown actor charging their infected malware device used the POS workstation as a power station.
2. “Authorized” personnel were either “surfing the net” or opening personal emails on the POS Windows terminal, which brought the malware to the internal network.
3. Internal corporate LAN/WAN computer was compromised which is connected to the POS network. Malware worked itself from the inside core network out to the store networks... i.e. like a real worm in an apple.
Any other possibilities?
Numbers 1. and 2. are extremely unlikely. These POS consoles rarely have USB interfaces (even if they do, the GUI doesn’t permit a user to interact with the USB device). Additionally, given the minimal GUI in place in most of these POS devices, it is unlikely there is even a functioning web browser or email client.
Having worked in retail, I can attest this is typically the case across most shops (Buckle included, go buy some of their overpriced jeans and see for yourself!).
“the GUI doesn’t permit a user to interact with the USB device”
You might want to google “BadUSB”.
I hate to break this to you, Bob, but most POS terminals are running Windows XP or another normal OS; they are just running an application that makes up 99% of the interaction on the device. You don’t even need to interact with a USB drive for it to autorun on a system and infect it with malware. The original commenter did however forget to mention the possibility of a network intrusion. Without more information on the malware in particular it is hard to tell. But the methods mentioned above would be specifically targeting a POS computer.
Perhaps they used the “force”?
OK, probability rank so far... we should start thinking along these lines: if someone gave us $1 million to plant malware at your local retail/restaurant/convenience store POS device, what would you do?
1. Network intrusion vector, either through the wireless AP or by plugging in to a free/open network jack. Each wall panel usually has two RJ45 jack ports.
[Install a remotely controlled device on the POS wired LAN and hack at will... or break the wireless encryption key and infiltrate ~ kismet, aircrack]
2. Malware installation by using USB vector by any means possible. [Beg, borrow, steal]
3. “Normal” malware vector through email/web links from a careless user located on the corporate/3rd-party vendor LAN/WAN, eventually bleeding over to the POS LAN.
... Anyone want to comment on just how secure phone payments would be in the above circumstance?
Pay by phone does not transmit your actual bank account details; rather, it transmits the proxy account of your pay-by-phone provider.
source: I’m just some dude.
This is correct. iPhones use a secure element and can process in the same way as EMV so the data is passed securely. They also have the added security of passing the token value instead of the true card number. The token number is tied to the device so attempts to steal this number and use it for e-commerce or cloned cards won’t work. Androids and MS phones also use tokenization.
“Customers who shopped at compromised Buckle stores using a chip-based card would not be in danger of having their cards cloned and used elsewhere, but the stolen card data could still be used for e-commerce fraud”
So, using chip-based cards does not prevent fraud? I am confused.
That sentence is very ambiguous; it’s hard to determine if in fact customers using the chip are still vulnerable to the theft of the information on their credit card stripe.
Chip-based cards are designed to cut down on counterfeit fraud. When used with a PIN (most banks in the US are using signature instead of PIN), a chip-based debit or credit card is better protected against fraud stemming from lost or stolen cards.
However, if the thieves steal the card number and the expiration date (as they have in this breach), while they may not be able to clone a physical copy of the card, they sure can plug those details into an e-commerce site and go shopping if the online merchant doesn’t do basic stuff like ask the customer to enter the 3-digit CVV code on the back of the card.
Does that help clarify things?
Yes, very helpful 🙂
I can’t recall making an online purchase that didn’t need the CVV so I assume that’s not very common?
On the whole it’s not very common, but you’d be amazed at how many online retailers don’t take this basic precaution.
Hi Brian/all, one of the biggest online retailers that does not ask for the CVV/CV2 etc. is Amazon.
From what I understand they prefer to pay their acquirer or insurer higher premiums for liability rather than have to deal with all the PCI/Data Protection regulations surrounding cardholder data.
I’ve never understood the logic behind having the CVV (semi) permanently printed on the back of the card.
Doesn’t seem like a great leap of technology from skimming the mag stripe to optically scanning the card too.
If the card is lost or stolen, a lot of damage can be done before I can get it disabled.
I memorize the CVV, then scratch it off.
Scratching it off does nothing... if you swipe the card it is recorded... it doesn’t need to be captured on camera... just your PIN.
It prevents (my girlfriend) the guy that stole, or found, the card from using it online… on those sites that require it, at least.
I’m confused. Did the customers swipe a no-chip card at an EMV-enabled terminal in a Buckle store? I ask because you mention banks that haven’t issued chip cards as the problem. How else would the malware get the number and expiration?
Brian, I still don’t quite get it.
Do these EMV (chip-on-chip) terminals actually read the mag stripe as well as engage the on-card chip?
Or does the point-of-sale terminal capture, from the chip, the same data that’s on the stripe? Then, because the terminal’s pwned, it sends that data to the cybercrooks?
Do chip+signature transactions leave the card number in the clear while chip+PIN transactions encrypt it?
EMV does not protect against the theft of the primary account number (the 16 digit number on the card), or name and expiry date collection. Depending on how the EMV is set up at the retailer, this information may be sent in the clear.
If a person has a non-chip card, they will swipe it, and if the EMV terminal is infected with POS malware the malware will steal all the data on the magnetic stripe, which is enough to clone a card. If the customer has a chip card but forgets and swipes anyway, his card can be cloned if the POS is infected.
A great deal depends on how the merchant has implemented their systems.
Brian, a suggestion: reading the comments on all your CC-fraud stories makes me think that not too many people understand how the new chip technology helps protect them. Many others confuse various terms. Maybe it’s worth doing some primer on chip technology, or at minimum referencing a good article. Yes, I know, it only takes an internet search to find out everything one needs to know, but I think that the average reader would appreciate the effort, especially coming from a reliable source such as yourself.
“If the customer has a chip card but forgets and swipes anyway, his card can be cloned if the POS is infected. ”
Chip readers are becoming more prevalent in my area (Southern CA).
Every time I swiped on a chip enabled reader, something on the other side of the counter prompted the clerk to ask if my card was chipped, and ask me to insert it.
As much as I’d like to believe the clerk is being proactive, I’m thinking there’s something built into the system that requires the chip to be read, if present.
Then again, I’ve encountered chip enabled readers that weren’t reading chips successfully and I’ve slid my card to complete the transaction.
First I’ve heard of Buckle stores.
There is coding on the mag stripe in the card that tells the terminal whether or not the card is chip enabled. If the chip terminal is set up correctly and reads a chip code on a card swipe it will prompt the customer to insert the chip. That said, there are still a lot of setup issues in the US for EMV terminals so you may still be able to swipe a chip card at a chip terminal in some cases.
Yes. The EMV card is encoded with a primary preference (dip versus swipe), which is how the liability shift for fraud can work. If you try to swipe an EMV card at a terminal that is EMV enabled, the message to dip the card is presented – it has to read the preference.
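The two comments above describe the terminal reading a chip-preference flag off the magstripe. As an added example that is not code from KrebsOnSecurity or from any commenter, here is that check in Python: the Track 2 layout and the service-code digit meanings are the ISO/IEC 7813 ones (first digit 2 or 6 means "chip present, use it where possible"; third digit 0, 3 or 5 means PIN required), while the sample track strings, the field names and the `terminal_action` decision function are constructed for illustration. The function also returns a distinct value for the technical-fallback case (chip preferred but the chip read failed), because that is the event a merchant or processor should be counting per terminal.

```python
import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM SSS discretionary ?
# The regex accepts the common encoding without the trailing LRC character.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# Service code, first digit: 2 and 6 mean "a chip is present, use it where possible"
# (2 = international interchange, 6 = national interchange); 1 and 5 are the
# magstripe-only equivalents, 7 is private-label, 9 is test.
CHIP_PREFERRED = {"2", "6"}
# Service code, third digit: 0, 3 and 5 require PIN verification.
PIN_REQUIRED = {"0", "3", "5"}


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def chip_preferred(self) -> bool:
        return self.service_code[0] in CHIP_PREFERRED

    @property
    def pin_required(self) -> bool:
        return self.service_code[2] in PIN_REQUIRED


def parse_track2(raw: str) -> Track2:
    """Split a raw track 2 string into its fields; raises ValueError on malformed input."""
    m = TRACK2_RE.match(raw)
    if m is None:
        raise ValueError("not a well-formed track 2 record")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def terminal_action(raw_track2: str, terminal_has_chip_reader: bool,
                    chip_read_failed: bool = False) -> str:
    """Decide what a correctly configured terminal does with a swipe (constructed helper).

    PROMPT_INSERT_CHIP        card says chip preferred and the terminal can read it
    TECHNICAL_FALLBACK_SWIPE  chip preferred but the chip read failed; the swipe is
                              accepted, and the event belongs in per-terminal fallback stats
    SWIPE_ACCEPTED            magstripe-only card, or the terminal has no chip reader
    """
    t = parse_track2(raw_track2)
    if not t.chip_preferred or not terminal_has_chip_reader:
        return "SWIPE_ACCEPTED"
    if chip_read_failed:
        return "TECHNICAL_FALLBACK_SWIPE"
    return "PROMPT_INSERT_CHIP"


# Constructed sample records (standard test PAN, made-up expiry and discretionary data).
CHIP_CARD_TRACK2 = ";4111111111111111=2512201123456789?"        # service code 201
CHIP_PIN_CARD_TRACK2 = ";4111111111111111=2512220123456789?"    # service code 220
MAGSTRIPE_ONLY_TRACK2 = ";4111111111111111=2512101123456789?"   # service code 101

if __name__ == "__main__":
    for raw in (CHIP_CARD_TRACK2, CHIP_PIN_CARD_TRACK2, MAGSTRIPE_ONLY_TRACK2):
        t = parse_track2(raw)
        print(t.service_code, "chip_preferred:", t.chip_preferred,
              "pin_required:", t.pin_required,
              "->", terminal_action(raw, terminal_has_chip_reader=True))
```

Since the preference lives in the same stripe data the malware copies, a cloned stripe can carry a rewritten first digit and parse as magstripe-only; the terminal-side prompt is therefore a usability feature, and the fallback and swipe counts per terminal are what the issuer and processor monitoring has to look at.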
Interesting article and comments. Just recently I used one of my chip credit cards at a grocery store and no matter how many times I tried using it I got an on-screen prompt of chip malfunction. So I had to use it as a slide card, but no PIN was requested.
Hmmm, could the bad guys infect (obviously) a terminal to create the chip malfunction message, forcing one to slide their card instead and thereby enabling cloning of the card?
Last time I tried using my chipped bank card as a credit card at Lowe’s, the reader required/demanded a PIN also. Problem is, if this becomes the norm (PITA), like many other folks, I’ll just write the PIN on the back of my many cards. Or perhaps a slip of paper with PINs stored in my wallet; at least I can code the PINs (add or subtract one number to get the correct PIN).
If I used them all every day I’d remember the PINs, but some cards get used only once or a handful of times a year to keep them active. So, PIN? What’s my PIN? Oh yeah, written on the back of the card. Yeah, I know, not good policy.
A few notes:
1. The bit encoding the chip preference on the magstripe can easily be toggled by thieves when they clone the magstripe of a chip card.
2. Yes, a terminal can certainly be hacked to report an error using chip to force a fallback to swipe. (Someone can also produce or generate a chip that reports a failure to force fallback.)
3. The payment processing system is designed such that a processor/bank will know which vendor/terminal performed a transaction and also any claim of chip failure the terminal is making. If a given terminal is expected to be performing chip-based transactions and isn’t, then it will probably be noticed when someone does Common Point of Purchase analysis trying to identify the source of a compromise.
I’m not saying any of this is a panacea, just that some of this is mitigated by Big Data.
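The comment above names two issuer/processor-side checks: Common Point of Purchase analysis, and noticing a terminal whose transactions are expected to be chip-based but keep arriving as swipes. As an added example that is not code from the page's author or any commenter, here is a small Python version of both run over a constructed transaction set (card references, merchant and terminal names and entry modes are all made up). CPP ranks merchants by lift: the share of fraud-reported cards seen at the merchant divided by the merchant's share of all cards, so a store that every reported card visited, but only a minority of all cards, floats to the top. The fallback-rate check counts, per terminal, how often a chip card was taken as a technical-fallback swipe.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Txn:
    card: str         # issuer-side card reference, never the PAN itself
    merchant: str
    terminal: str
    chip_card: bool   # the card carries a chip (service code 2xx/6xx)
    entry_mode: str   # "chip", "swipe" or "fallback_swipe"


def common_point_of_purchase(txns: Iterable[Txn], reported_cards: Iterable[str],
                             min_cards: int = 3) -> List[Tuple[str, int, float, float]]:
    """Rank merchants by over-representation among fraud-reported cards.

    Each entry is (merchant, reported cards seen here, share of reported cards seen
    here, lift = that share divided by the merchant's share of all cards).
    Merchants seen by fewer than min_cards reported cards are dropped as noise.
    """
    cards_by_merchant: Dict[str, Set[str]] = defaultdict(set)
    all_cards: Set[str] = set()
    for t in txns:
        cards_by_merchant[t.merchant].add(t.card)
        all_cards.add(t.card)
    reported = set(reported_cards)
    ranked = []
    for merchant, cards in cards_by_merchant.items():
        hits = len(cards & reported)
        if hits < min_cards:
            continue
        coverage = hits / len(reported)
        baseline = len(cards) / len(all_cards)
        ranked.append((merchant, hits, coverage, coverage / baseline))
    ranked.sort(key=lambda r: (-r[3], -r[1]))
    return ranked


def fallback_rates(txns: Iterable[Txn]) -> Dict[str, float]:
    """Per terminal: share of chip-card transactions taken as technical-fallback swipes."""
    chip_txns: Dict[str, int] = defaultdict(int)
    fallbacks: Dict[str, int] = defaultdict(int)
    for t in txns:
        if not t.chip_card:
            continue
        chip_txns[t.terminal] += 1
        if t.entry_mode == "fallback_swipe":
            fallbacks[t.terminal] += 1
    return {term: fallbacks[term] / n for term, n in chip_txns.items()}


def suspicious_terminals(txns: List[Txn], max_rate: float = 0.2) -> List[str]:
    """Terminals whose fallback rate exceeds what a healthy chip reader should produce."""
    return sorted(term for term, rate in fallback_rates(txns).items() if rate > max_rate)


# Constructed sample: eight cards across three merchants; all four reported cards
# passed through STORE_A, and terminal A-T1 took every chip card as a fallback swipe.
TXNS = [
    Txn("c1", "STORE_A", "A-T1", True, "fallback_swipe"),
    Txn("c1", "GROCER_B", "B-T1", True, "chip"),
    Txn("c2", "STORE_A", "A-T1", True, "fallback_swipe"),
    Txn("c2", "GROCER_B", "B-T1", True, "chip"),
    Txn("c3", "STORE_A", "A-T2", False, "swipe"),
    Txn("c3", "FUEL_C", "C-P1", False, "swipe"),
    Txn("c4", "STORE_A", "A-T1", True, "fallback_swipe"),
    Txn("c4", "FUEL_C", "C-P1", True, "swipe"),
    Txn("c5", "GROCER_B", "B-T1", True, "chip"),
    Txn("c5", "FUEL_C", "C-P1", True, "swipe"),
    Txn("c6", "GROCER_B", "B-T1", True, "chip"),
    Txn("c7", "GROCER_B", "B-T1", True, "chip"),
    Txn("c7", "FUEL_C", "C-P1", True, "chip"),
    Txn("c8", "GROCER_B", "B-T1", True, "chip"),
    Txn("c8", "STORE_A", "A-T2", True, "chip"),
]
REPORTED = ["c1", "c2", "c3", "c4"]

if __name__ == "__main__":
    for merchant, hits, coverage, lift in common_point_of_purchase(TXNS, REPORTED):
        print(f"{merchant}: {hits} reported cards, coverage {coverage:.2f}, lift {lift:.2f}")
    print("terminals over fallback threshold:", suspicious_terminals(TXNS))
```

In real use the card references would be issuer tokens and the baseline would be computed over a time window rather than over all history; the lift and the minimum-card cutoff are what keep a large merchant that everybody shops at from being flagged just because many reported cards happened to visit it.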
Chip on the card makes it very difficult for fraudsters to create counterfeit cards and for malware to hijack the data, but it can be hijacked and used for CNP fraud (card-not-present fraud). So it’s a deterrent, but definitely not a silver bullet.
I wonder if dumps jobs are still profitable enough? I never tried... but I heard it still runs well in the US and CA. I’m not sure if it’s better than bank transfers and drops jobs. But I think it’s a pretty stable income job.
So glad that I’m using chip and PIN cards. Just scary how they managed to get into the tills; is it possible the software could be pre-installation and be from someone at the manufacturer?
Generally the attacks are added via what is essentially a maintenance window (e.g. tricking an employee at a merchant to allow a hacker to perform maintenance via remote management software). While it isn’t impossible for terminals to be compromised in the manufacturing stage, such a thing would be noticed when Common Point Of Purchase analysis is performed (partially, they’d notice a lack of a common point, but they’d see a common manufacturer, and eventually notice a common range in manufacturing dates).
I was taking a class in hardware security. It was taught in China. Since most microcircuits are made internationally, it’s very difficult to make sure the chip “designer/foundry” has not installed a hardware back door into the hardware. The processors are multistate logic systems with a lot of “extraneous/unused states” that can be exploited by the actual hardware design/manufacture.
The primary concern of the 3 professors who taught this class was Intellectual Property protection, not protection against backdoors (although that was mentioned a couple of times).
“Buckle believes that certain payment cards used in its stores between October 28, 2016 and April 14, 2017”.
So why did they wait until June 16 to announce? Also, Buckle may already have completed their forensic investigation to conclude that the breach was between Oct 2017 and April 2017, which could possibly give more information on how to prevent something similar in future.
Here’s an interesting quote:
“There are two types of companies in the world: those that know they’ve been hacked, and those that don’t.” - Misha Glenny
It takes time to conduct an investigation and determine the extent of a breach. The first priority is to stop the breach, then do damage control. Two months to conduct an investigation when they did not have monitoring tools in place is quite fast.
Agreed. I’d still be curious to know what sort of malware caused this and how to prevent it. This is the second time in just a few weeks (after Kmart) that we’re seeing this. I deal with PCI compliance myself.
Oh man, Oct. 28, 2016 to April 14, 2017: they’ve been stealing data for the last 6 months and they couldn’t find out!
I think the Buckle have P2PE deployed. Did the malware operate somehow despite the P2PE, or was there a subset of POSs not yet rolled out for P2PE?
A very good article. As fast as the company responded, it sounds as if they were trying to mitigate sales damage. Very smart to be truthful. It means that that company will not go far or long. Unfortunately. And, how did it get there? There are so many ways, from phishing to attaching to etc... and among them is encapsulation. The person with multiple account cards, “would you try this one first?” And see if it works. Or the found USB in the hallway or at the park bench; you would not believe how effective that still is around a college town. Or around a business building.
I am still amazed when I travel to the US with my chip & pin card that on a chip-enabled machine, some merchants don’t even ask for a signature. What’s worse, is in a restaurant when the server walks away with my card, out of my sight, and returns with a slip to sign.
I’m told PINs weren’t introduced with the chip cards because they thought the change to chip AND PIN would be too much for the American public, all at once.
I can’t imagine that’s true. It likely had more to do with the cost to the banks to introduce both at the same time.
What’s the real reason PINs weren’t introduced at the same time as chips in the US?
It was a combination of costs and shifting responsibility from the card companies to the merchants. All the chip and PIN lawsuits slowed the entire process down. Once the legal system was involved, you could be sure that it would take years to be resolved. Gas station pumps have been put on hold at this point, so they are prime targets nowadays. Almost better to go inside and pay instead of using the pump.
There are lots of terminals and cards in the US, orders of magnitude more than any individual country in Europe.
Also, many card owners don’t live close to their card issuers’ physical points of presence (if they even exist). I’m over 300 miles from where my card gets reissued. If I forget my PIN on my card (I had a bank card from a US issuer which I never used), going back to my issuer to get it reset involved quite a bit of travel (in my case crossing an international border). Resetting one PIN may not be terribly expensive, but the cost of resetting millions of PINs? That isn’t cheap, because doing that takes human time (or is easily hacked, take your pick).
The issuers are some of the most experienced and longest standing bean counters in the world. They were Big Data long before that was a word. You can be sure they calculated the costs and decided chip and signature was cheaper for them.
Most of the protection in chip and PIN is from the chip part: generating unique digital hashes and logging each transaction in a way people consider fairly secure, and with enough protection that cloning the chip isn’t considered feasible in the near term.
The upside of the PIN OTOH is actually fairly minimal vs the costs involved in supporting users who forget their PINs. Remember, banks in the US have been dealing with customers who forget their debit card PINs for a while. They have the data, it’s probably very disappointing.
Is their POS XP based? Is there data showing how much XP POS is still in use and how much more vulnerable it is than a non-ancient OS?
I haven’t seen any lists of approved operating systems for POS platforms. But note: at the end of the day, they’re just things which run software that’s connected to an input device. They may require credentials to run maintenance, but it’s expected to run maintenance, and it’s expected to do updates. And often the people who can do maintenance aren’t technical people.
Things will improve once the readers are all converted to end to end encryption/tokenization. But sadly that links a reader to a payment processor, which means the merchant would have a higher cost to switch processors, which means the processors can charge more knowing the merchants won’t switch.
Sadly, that works as a cycle which doesn’t encourage merchants to deploy such technology. And implementing encryption/tokenization costs the processors money, so they want someone to pay for it, and that someone is their customer: the merchant.
Again, a bad cycle, yielding a bad outcome. The processors charge more for security (tap isn’t enabled on a lot of systems here because the processors charge more for it, and merchants don’t want to pay more).
If a processor tries to amortize the cost of the new feature over all of its customers, customers not opting for the new feature will see higher bills than if they switch to some other processor not doing the same thing. Thus processors don’t do this.
This is more or less why everything is slow: all the incentives are in the wrong places. Thus legislation/credit card brand rules are the driving force.
(There are a number of typos: I’m using swipe. Near the end: what/why ... this/thus)
Hey Brian, I have always wondered, given all you have found on credit/debit card fraud, if you yourself still use plastic at stores, food places, etc.? Thanks for keeping us informed!
How did they even get a ROC from PCI? Why did their POS terminals have internet access and why was their CDE not segmented? Oct. 28, 2016 – April 14, 2017…really? Chip and pin or not, some basic network controls could have prevented this.
At the end of the day, network (not technically Internet) access is required for two things:
1. Payment processing
2. System updates
Sure, that first one doesn’t require internet access, but common services are cheaper than specialty, and Internet is common; specialty payment links aren’t. This leads people to picking internet.
That second one is even stronger, again it could be a private network for managing terminals, but that will cost more, and ties the merchant more closely to things, increasing costs from each step. So they generally don’t.
Plus mom & pop aren’t technical, they know they need someone to perform this maintenance for them…
Oh, I understand that all too well, I work for a large retailer here in the US. Buckle has 465 locations though, so there are some assumptions on my part that a company with $974 million in sales and almost $100m in net income that they would / could afford merchant services.
Mom and Pop’s I get – as they can self-assess and are good to go…but a company with 9k employees and #321 on Forbes for 2017 I would expect a little more controls. You make valid points though – not detracting from that at all.
I continue to find the fixation on EMV disconcerting when we are talking about systemic breaches. Chip (EMV) cards are harder (not impossible) to counterfeit or use in a fraudulent fashion… that’s not what is happening in a data breach. A merchant can accept chip cards, but if they don’t have hardware-based encryption implemented, then the data resulting from the chip card transaction will be stolen in the larger breach alongside all the swipe cards (the caveat is if a PIN were required as part of the chip transaction – still not bulletproof). On the same lines, a merchant could have hardware-based encryption implemented and not accept chip cards… their likelihood of having cardholder data stolen in a breach is very low.
My point – the media continues to report on breaches and immediately pair this with a judgement about whether a merchant accepted chip cards. This mis-identifies the issue for a public that needs education. Step #1 – merchants need to implement encryption. Step #2 – merchants should accept chip cards to help with the much less rampant fraud problem.
And lest we forget – the party most to blame – the party who is rarely mentioned with extreme disdain – the criminals who perpetrate these crimes. And the culpable parties who should be mentioned – the banking elements involved in the credit card ecosystem… they are minimally helpful to merchants trying to implement this very, very expensive, intrusive and complex technology.
If you use hardware encryption then you should as well use a secure/encrypting magstripe reader. The weak side of hardware encryption and magstripe only is the use of cloned cards. This will not be detected. Neither hardware encryption nor EMV card reader is really that expensive. It has been possible to convert to this with almost no problems all over the world, except in the USA.
Great work as usual! I envy in-depth reporting...
What about the “SHELLTEA + POSLURP MALWARE” retail PoS attack root9b.com just published about yesterday?
Working since 2002 with chip terminals in Europe, I will try to clarify some of the issues.
The current generation EMV cards are very difficult to copy if all security features are implemented/used. I do not know how many of these features are mandatory in the USA. The response from the card is dynamic. Only the issuer and the card itself know how it will respond. It is almost impossible to generate a ‘fake’ correct answer from a current generation EMV card.
An EMV card contains the PAN and/or Track2 Equivalent Data. Track2 Equivalent Data is NOT identical to the magstripe and cannot be used as a magstripe. The bank is easily able to detect that this is a fraudulent transaction.
If you have the magstripe, then you have the PAN. It is thus easy to get PAN. An EMV card does as well contain an expiry date.
There is a check value, CVC/CVV, on the rear of the card. There is as well a CVV/CVC in the magstripe, but this differs from the real CVC/CVV. There is a third set of check data in the Track 2 Equivalent Data with yet another value. Conclusion: you can get the PAN and the expiry date from the card but you cannot get the ‘real’ CVC/CVV. An online shop that does not check the CVC/CVV prioritises ease of use over security.
The content of the magstripe on an EMV card, if present, will indicate that this is chip card. This shall force the terminal to request the cardholder to use the chip.
More than 99% of all transactions here in Denmark are now EMV transactions. This is no problem. There is in real life no time penalty in using the chip card. A PIN POS transaction takes around 6 seconds. This requires that you are able to key in your PIN very fast ;-). The time is from inserting the card until the terminal displays remove card. The time was already in 2007 down to around 10 seconds. There is no problem with EMV cards in fuel dispensers. Your card is only inserted in the terminal in a short time window to authorise the transaction before you start to pump. This works all over Europe.
A lot of the fraud could be avoided if the PAN on the front of the card and the PAN in the magstripe and the PAN in the EMV data were all different, but that is another story.
A new common EMV data element, Payment Account Reference or PAR has been defined. This is a non-sensitive data element. The purpose of this element is to enable a unique reference to the card that isn’t the PAN.
There will continue to be serious fraud as long as terminals/cash registers are allowed to process the plain text PAN inside a ‘normal’ operating system like Windows or Linux. Really high quality code has around 1 (resident) bug for every 1000 lines of code, and Windows now contains more than 5 million lines of code.
Limit the access to the plain text PAN to a special secure processor inside the terminal/POS. There is no real need for the PAN or any sensitive data in the cash register. Encrypt the sensitive information outside this area. This will ease the work for the merchant.
…good points Chris. And even if the EMV data in the card are what they are, there’s absolutely no reason why a (certified) payment terminal should return any unnecessary card data to the cash register. Essentially the cash register (the target of the attack) needs to know only the payment data printed on the ticket. So no risk for chip (and contactless) cards. While a radical approach to secure the magstripe may be point-to-point encryption – that will put the cash register totally out of the equation.
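The two comments above make the same design point: the cash register needs only what gets printed on the ticket, so the plain-text PAN should never reach it, and a merchant can verify that by scanning what the register keeps. As an added example that is not code from the page's author or any commenter, the Python below shows a register that stores the terminal's whole response next to one that keeps only the receipt fields, and runs the standard PCI cardholder-data discovery test (13-19 digit runs that pass the Luhn check) over both records and over a constructed POS debug log line. The `TerminalResponse` fields, the record formats, the log line and the PANs (standard test numbers) are all constructed.

```python
import json
import re
from dataclasses import dataclass, asdict
from typing import List, Optional

# Runs of 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# The only fields a receipt, and therefore the register's own storage, actually needs.
RECEIPT_FIELDS = {"approved", "auth_code", "masked_pan", "scheme", "amount_cents", "entry_mode"}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; weeds out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Cardholder-data discovery: every Luhn-valid 13-19 digit run in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass(frozen=True)
class TerminalResponse:
    """What the payment terminal hands back to the register (constructed field names)."""
    approved: bool
    auth_code: str
    masked_pan: str
    scheme: str
    amount_cents: int
    entry_mode: str
    track2: Optional[str] = None   # present only on an integration that passes raw card data through


def leaky_register_record(resp: TerminalResponse) -> str:
    """Stores everything the terminal returned, raw track data included."""
    return json.dumps(asdict(resp))


def minimal_register_record(resp: TerminalResponse) -> str:
    """Stores only the receipt fields, so there is no PAN in the register to scrape."""
    return json.dumps({k: v for k, v in asdict(resp).items() if k in RECEIPT_FIELDS})


# Constructed sample: a terminal response that leaks raw track 2 data (standard test PAN).
RESP = TerminalResponse(True, "A1B2C3", "411111******1111", "VISA", 5999, "chip",
                        track2=";4111111111111111=2512201123?")
# Constructed POS debug log line of the kind a discovery scan should flag; the trailing
# 13-digit order number is there to show that a non-Luhn run is not reported.
LEAKY_LOG = ("2017-04-14 10:21:03 POSAPP debug: track=;5555555555554444=2001101123? "
             "amount=59.99 order=1234567890123")

if __name__ == "__main__":
    print("leaky record  :", find_pans(leaky_register_record(RESP)))
    print("minimal record:", find_pans(minimal_register_record(RESP)))
    print("debug log     :", find_pans(LEAKY_LOG))
```

The masked PAN survives the scan because the asterisks break the digit run, which is exactly why receipts and register logs are allowed to carry it; run `find_pans` over log directories, database dumps and crash files as part of a PCI DSS scope review, and anything it reports is data the register should not have had in the first place.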
I was an excellent computer programmer as a teen. My father was a computer programmer. He was tasked with outsourcing to Asia. Additionally, where I lived a major computer company was being bought in a hostile merger, and many of my friends’ parents were losing their jobs. (Early 00s)
My father said don’t go into computers. My friends’ fathers said don’t go into computers. They said it’s all going offshore. They said it’s cheaper to hire five Indians for $5/hr than one American at $30. I didn’t.
I still keep up with programming as a hobby, but not as a job. I know many friends from high school with a similar background who made the same choice. They may program PLCs or string together Python or kludge SQL, but none of them who were excellent programmers use programming for anything other than non-compsci work. I only knew two who ended up going to compsci, and they had to move to the west coast for jobs.
Maybe my experience is unique and shaped by one unique historical circumstance, I guess other commenters could say better than me.
You are all missing the BIGGEST cause!
Lack of nutrients in the so-called ‘food’ causing many, many fuzzy brains. That and the various poisons used that allow deficient food to grow and ‘look good’.
Simply put, many/most citizens are unable to think clearly.
If the merchant had implemented a validated Point to Point encryption solution the POS malware would have been ineffective. P2PE is the future for brick and mortar as well as mobile commerce.