
Card Data Breaches

A Breach at FireKeepers Vegas Continues Casino Attacks

June, 2015

Infosecurity Magazine notes hackers are really gambling on casinos these days. The latest in a spate of casino hits is Las Vegas’ FireKeepers Casino Hotel. FireKeepers is investigating a possible data security incident involving its point-of-sale systems that may have impacted its payment processing system for the casino, hotel, restaurants and shops. Information submitted through the website was not part of the breach, it said in a statement. Given the high-value customers casinos serve, stolen credit and debit cards from this sector are prized by attackers. According to Mark Bower, global director of product management for HP Security Voltage, high spend limits and top-tier cards with a proven rapid ‘stolen data-to-cash’ cycle make casinos a prime target for attacks.

Discount Chain Fred’s Inc. Probes Card Breach

June, 2015

KrebsOnSecurity reports that Fred’s Inc., a discount general merchandise and pharmacy chain that operates 650 stores in more than a dozen states, disclosed that it is investigating a potential credit card breach. KrebsOnSecurity contacted Fred’s after hearing from multiple financial institutions about a pattern of fraud on customer cards indicating that Fred’s was the latest victim of card-stealing malware secretly installed on point-of-sale systems at checkout lanes. Sources said it was unclear how many Fred’s locations were affected, but that the pattern of fraudulent charges traced back to Fred’s stores across the company’s footprint in the Midwest and South, including Alabama, Arkansas, Georgia, Indiana, Kentucky, Louisiana, Mississippi, Tennessee and Texas.

FBI Warns of New POS Malware

June, 2015

The Credit Union Times reports that, amid the uproar over the massive government worker data breach, smaller intrusions continue to take place, such as a recent cyber attack against a restaurant chain’s credit card system that prompted the FBI to issue a warning. The announcement warned that criminal hackers are using new malicious software named after the TV character Punky Brewster, but spelled “Punkey,” to steal personal financial data. Investigators have high confidence that Punkey recently infiltrated the network of an unidentified restaurant chain. The new Punkey malware, uncovered by Chicago security firm Trustwave, scans the RAM of payment-processing devices such as card readers and POS terminals and “scrapes” unencrypted, plaintext credit card information from it. The malware inserts itself into computers, performs system scans, encrypts the stolen information, and then connects to remote servers used to store and retrieve stolen credit card data. Cybercriminals then post the stolen data for sale online.

Will MasterCard, Target Renegotiate?

May, 2015

Bank Info Security reports that MasterCard’s $19 million breach-expense settlement with Target on behalf of its card issuers has been derailed after an insufficient number of banking institutions chose to accept the terms of the deal. One payments security expert says MasterCard will likely renegotiate its settlement to avoid lengthy litigation. Meanwhile, an attorney representing banks and credit unions involved in a class-action lawsuit against Target, which seeks to recoup breach-related expenses, says the suit will push forward. John Buzzard, who heads FICO’s Card Alert Service, says MasterCard is likely to offer a new settlement that better meets the expectations of issuers. Charles Zimmerman, co-lead counsel for the banking institution plaintiffs in the class-action suit against Target, says banks and credit unions agreed the settlement was unfair. They decided they would rather push forward with their class-action suit than agree to a settlement that provides inadequate reimbursement for their substantial breach-related expenses.

Las Vegas’ Hard Rock Casino Hit by Carders

May, 2015

Help Net Security reports that Las Vegas’ popular Hard Rock Hotel and Casino has been hit by carders, who took off with names, card numbers, expiration dates, and CVV codes (but not PIN numbers or other information) of customers who used their payment cards at several locations within the property. According to a company statement, the criminal attack was limited to credit or debit card transactions between September 3rd, 2014 and April 2nd, 2015 at restaurant, bar and retail locations at the Hard Rock Hotel Las Vegas property, including the Culinary Dropout Restaurant. The company states that it “contained” the attack on April 2, but does not say whether it detected the attack itself or was notified of it by banks or payment processors. Law enforcement has been notified about the breach, and a breach notification email has been sent to affected customers (number still unknown).

Visa to Boost Tier Reimbursements for Reissued Cards

May, 2015

The American Bankers Association reports that Visa announced on May 14 that it will increase the reimbursement levels for all of its card-issuing banks when they reissue cards following a data breach. The move follows aggressive ABA advocacy with Visa to secure higher reimbursements, particularly for community banks, which typically have greater costs than large-volume issuers. Visa will adopt a tiered reimbursement system to replace its current reimbursement level of $2.50 per reissued card. Issuers with less than $500 million in annual Visa purchase volume, which includes most community banks that issue Visa cards, will qualify to receive $6.00 per card. Issuers with $500 million to $10 billion in volume will receive $3.85 per card and the biggest issuers, with more than $10 billion in volume, will receive $2.65 per card. Issuers will also be reimbursed an additional $1.00 for every chip card they reissue. The changes take effect with breaches for which Compromised Account Management System email alerts are sent on or after July 1.

Home Depot Suit Deadline Extended

May, 2015

The Credit Union Times reports a judge in the U.S. District Court for the Northern District of Georgia has pushed the deadline for credit unions to join a class-action suit against Home Depot to May 27, according to CUNA. The change gives credit unions more time to decide if they’ll participate in a lawsuit that is the result of a massive data breach at the retailer in September 2014. The breach occurred when hackers got into the company’s network and deployed malware on the self-checkout systems in order to get card information from shoppers at U.S. and Canadian stores between April 2014 and September 2014, according to Home Depot’s latest 10-K filed with the SEC. More than 50 million email addresses were also taken, according to the company. The breach has cost credit unions nearly $60 million, CUNA said.

Sally Beauty Confirms Second Breach

May, 2015

Data Breach Today reports Sally Beauty Supply now says that it has “sufficient evidence to confirm that an illegal intrusion into our payment card system has indeed occurred.” The news comes 10 days after Sally Beauty announced that it was investigating reports of “unusual” card activity that had been brought to its attention. Now, Sally Beauty recommends that customers who suspect their cards may have been compromised contact their card-issuing banking institutions. In March 2014, Sally Beauty reported that some 25,000 records containing card data had been illegally accessed and possibly removed as a result of an unauthorized intrusion. Some experts now say, however, that it’s unlikely that the 2014 and 2015 breaches are connected, and conclude that it’s more likely that this newest breach is the result of a remote-access attack, like the one that compromised POS vendor Harbortouch Payments in March.

After Target and Home Depot Breaches, Small Lenders Object to Settlements

May, 2015

The Wall Street Journal reports small banks and credit unions are banding together in a bid to recover hundreds of millions of dollars in losses incurred from high-profile data breaches at Target Corp. and Home Depot Inc. Angry at being squeezed out by bigger banks, the small institutions now are trying to upend a long-standing industry practice in which card networks Visa Inc. and MasterCard Inc. negotiate settlements with breached merchants and then distribute the proceeds to affected financial institutions. The smaller firms say the process favors the big banks, even though the larger institutions can more easily absorb the cost of such incidents, including issuing new cards. The frustration reached a boiling point earlier this month, when the lenders filed a motion objecting to terms of a settlement Target reached with MasterCard that would see the retailer provide $19 million to card issuers to cover breach-related losses.

Credit Card Terminals Have Used Same Password Since 1990s, Claim Researchers

May, 2015

CSO Online notes that while retailers battle breaches that have resulted in tens of millions of credit card numbers stolen, word comes from the RSA Conference in San Francisco that a major vendor of payment terminals has been shipping devices for over two decades with the same default password. The vendor wasn’t named by the researchers, David Byrne and Charles Henderson, but they did disclose the password: 166816. A Google search reveals that’s the default password for several models of credit card terminals sold by Verifone, a Silicon Valley-based vendor that says it connects 27 million payment devices and has operations in 150 countries. The researchers said that the password remains in use on 9 out of 10 terminals they see from the vendor, in part because customers mistakenly assume it is unique to them.
