Posts Tagged: amex


28
Feb 14

Breach Blind Spot Puts Retailers on Defensive

In response to rumors in the financial industry that Sears may be the latest retailer hit by hackers, the company said today it has no indications that it has been breached. Although the Sears investigation is ongoing, experts say there is a good chance the identification of Sears as a victim is a false alarm caused by a common weaknesses in banks’ anti-fraud systems that becomes apparent mainly in the wake of massive breaches like the one at Target late last year.

Earlier this week, rumors began flying that Sears was breached by the same sort of attack that hit Target. In December, Target disclosed that malware installed on its store cash registers compromised credit and debit card data on 40 some million transactions. This publication reached out on Wednesday to Sears to check the validity of those rumors, and earlier today Bloomberg moved a brief story saying that the U.S. Secret Service was said to be investigating a possible data breach at Sears.

But in a short statement issued today, Sears said the company has found no information indicating a breach at the company.

“There have been rumors and reports throughout the retail industry of security incidents at various retailers, and we are actively reviewing our systems to determine if we have been a victim of a breach,” Sears said in a written statement. “We have found no information based on our review of our systems to date indicating a breach.”

The Secret Service declined to comment.

Media stories about undisclosed breaches in the retail sector have fueled rampant speculation about the identities of other victim companies. Earlier this week, The Wall Street Journal ran a piece quoting Verizon Enterprise Solutions’s Bryan Sartin saying that the company — which investigates data breaches — was responding to two different currently undisclosed breaches at major retailers.

Interestingly, Sartin gave an interview last week to this publication specifically to discuss a potential blind spot in the approach used by most banks to identify companies that may have had a payment card breach — a weakness that he said almost exclusively manifests itself directly after large breaches like the Target break-in.

Continue reading →


22
Sep 10

I’ll Take 2 MasterCards and a Visa, Please

When you’re shopping for stolen credit and debit cards online, there are so many choices these days. A glut of stolen data — combined with innovation and cutthroat competition among vendors — is conspiring to keep prices for stolen account numbers exceptionally low. Even so, many readers probably have no idea that their credit card information is worth only about $1.50 on the black market.

Don’t you just hate it, though, when online stores nickel and dime you to death? I started to get that chintzy vibe when I opened an account at rock3d.cc, one of many sites where one can buy stolen Visa, MasterCard, Discover and Amex card information. The purloined card numbers — no doubt lifted from PCs infected with data-stealing malware like the ZeuS Trojan — fetch $1.50 for U.S. accounts, and $4 (USD) for accounts belonging to U.K. residents.

And for a premium, you can obtain “fullz,” or the card data plus other useful information about cardholders, such as their date of birth, mother’s maiden name, etc.

The trouble is, the minute you seek to narrow your search using the built-in tools, the site starts adding all these extra convenience fees (sound familiar?). For example, if I wanted to buy a card stolen from anyone around the Washington, D.C. area, it would probably be from a resident of McLean, Va., which is more or less a tony place where there are plenty of well-to-do folk. Anyway, the site found me a card (a MasterCard) belonging to a McLean resident alright, but then the service wanted to tack on an extra $.60 just because I isolated my search by city and state — raising the cost in my shopping cart to $2.10! No way, Jose. Not this bargain shopper.

[EPSB]

Have you seen:

Virus Scanners for Virus Authors…The very first entry I posted at Krebs on Security, Virus Scanners for Virus Authors, introduced readers to two services that let virus writers upload their creations to see how well they are detected by numerous commercial anti-virus scanners. In this follow-up post, I take you inside of a pair of similar services that allow customers to periodically scan a malware sample and receive alerts via instant message or e-mail when a new anti-virus product begins to detect the submission as malicious.
[/EPSB]