
Card Data Breaches

Target Fights to End Bank Suits a Year After Data Breach

November, 2014

Bloomberg reports a Target Corp. lawyer told a judge that the company had no legal obligation to banks that claim to have lost tens of millions of dollars after a hack last year on the retailer’s payment processing systems. Target didn’t have a legal duty to the banks because card payments are processed through third-party intermediaries, Douglas Meal, the retailer’s lawyer, told U.S. District Judge Paul Magnuson in St. Paul, Minnesota. Target isn’t liable to the lenders, he said today in urging the judge to dismiss the case. The banks “are claiming that Target had a duty to protect them from that criminal activity,” Meal said. “The only way that would be true is if there is a special relationship between the parties,” and there is none. In the lawsuit, the banks say they and other credit card issuers lost tens of millions of dollars from having to issue new cards, monitor accounts for fraud and reimburse victimized customers. The banks seek to hold Minneapolis-based Target liable for negligent system security. The lenders, suing on behalf of a proposed group that includes every card-issuing financial institution whose customers made purchases last year, say the company wants to duck blame for failing to safeguard data.

New Variant of Backoff Malware Tougher to Detect

November, 2014

ThreatPost reports a new and more fine-tuned version of the Backoff point of sale malware known as ROM has been spotted in the wild, according to researchers. While the latest iteration is similar to the preceding version, ROM has tweaks that help the malware better evade detection and hinder the analysis process, according to Fortinet. ROM, whose technical detection term is W32/Backoff.B!tr.spy, doesn’t use a version number in the malware body. Also, unlike previous Backoff versions, ROM doesn’t disguise itself as a Java component, but instead as a media player under the name mplaterc.exe. After copying itself to the infected machine it calls on an API, WinExec. The API replaces names with hashed values in order to thwart the analysis process. Hong Kei Chan, a junior antivirus analyst with the firm, said that like Backoff, ROM can extract Track 1 and Track 2 data from PoS terminals, and that it has a sophisticated approach when it comes to parsing that information.

Travel Site Breach Impacts 1.4 Million

November, 2014

Bank Info Security reports travel-booking website Viator is notifying approximately 1.4 million customers about a data breach that could potentially affect payment card data, along with other personal information, used to make bookings through the company’s websites and mobile offerings. In August, Viator officially became part of the TripAdvisor family of companies after an acquisition originally announced in July. Viator has determined that approximately 880,000 of its customers may have had their payment card information – including encrypted credit or debit card number, card expiration date, name, billing address and e-mail address – compromised. In addition, those customers may have had their account information, such as encrypted password and Viator “nickname,” exposed.

Home Depot Breach Cost CUs Nearly Double Those from Target

November, 2014

The data security breach at Home Depot stores in September cost credit unions nearly $60 million to reissue cards, deal with fraud and cover other costs, according to the results of a new survey of credit unions, recently released by the Credit Union National Association. The CUNA survey, which asked credit unions to report the effects of the Home Depot breach, found that 7.2 million credit union debit and credit cards were affected. The survey shows that the cost per card reissued by credit unions was $8.02, which included costs for reissuing, as well as fraud and other costs such as additional staffing, member notification, account monitoring and others.

Banks: Credit Card Breach at Staples Stores

October, 2014

Krebs on Security reports multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach. Staples says it is investigating “a potential issue” and has contacted law enforcement. According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

Backoff PoS Malware Boomed in Q3

October, 2014

Information Week’s Dark Reading notes that, try as they might, retailers don’t seem to be able to get the Backoff malware to actually back off. According to a new report from the security firm Damballa, detections of the notorious point-of-sale (PoS) malware jumped 57% from August to September. During the month of September alone, Backoff infections increased 27%. This year, the Secret Service estimated that as many as 1,000 US businesses may be infected by the malware. That list of impacted businesses features some big names, including United Parcel Service (UPS) and Dairy Queen. According to Damballa, the increase demonstrates that the malware is bypassing network prevention controls, and it underscores the importance of ensuring that PoS traffic is visible. In many cases, the PoS systems are free-standing from the corporate network, according to Damballa CTO Brian Foster. He notes they connect to local networks, which have limited security. Without this visibility, it’s impossible to discover the device is communicating with criminal command and control.

Alleged Russian Hacker Faces 40 Charges

October, 2014

Bank Info Security reports alleged Russian hacker Roman Valerevich Seleznev, arrested earlier this year, is facing 11 additional charges tied to the theft of credit card information for later sale on “carding” websites. As set forth in the indictment, the government expects to prove at trial that Seleznev was a leader in the marketplace for stolen credit card numbers, and even created a website offering a tutorial on how to use stolen credit card numbers to commit crime, according to acting U.S. Attorney Annette Hayes. The indictment alleges that Seleznev, also known by the online handle “Track2,” was involved in the theft and sale of more than 2 million credit card numbers. He is scheduled for trial on Nov. 3 and will be arraigned on the new charges sometime next week.

Russian Hackers Made $2.5B Over the Last 12 Months

October, 2014

Dark Reading reports the Russian hacking industry brought in $2.5 billion between mid 2013 and mid 2014, thanks in large part to the Target breach, according to a report released today by Group-IB. Other bad news: ATM hacks are on the rise. Spamming still pays well. New criminal groups are hitting the scene, specializing in mobile threats. And POS attacks will only get worse, because they can deliver data that’s 10 times more profitable than your average plaintext credit card number. Also, while financial fraud is still a big earner — accounting for $426 million — it’s being surpassed by the simple buying and selling of credit card data. The carding business brought in $680 million. All of this is evidence of the growing sophistication of the Russian cybercrime industry.

TD Bank Agrees to Breach Settlement

October, 2014

Data Breach Today reports TD Bank has agreed to a multi-state settlement in the wake of a 2012 data breach involving the loss of two backup tapes that may have exposed personally identifiable information about 260,000 of the bank’s 8 million U.S. customers. The settlement, announced Oct. 15 by New York Attorney General Eric T. Schneiderman, requires TD Bank to pay an $850,000 fine and reform its practices to help prevent breaches. An official close to the investigation tells Information Security Media Group that the fine is tied to the bank’s security habits and untimely notification of the breach. Nine attorneys general worked for a year and a half to investigate the breach and the bank’s policies and procedures, Schneiderman says, involving locations in Connecticut, Florida, Maine, Maryland, New Jersey, North Carolina, Pennsylvania, Vermont and New York.

Kmart Says Payment Cards Breached

October, 2014

Bank Info Security reports retailer Kmart has confirmed a breach that started in early September involving a “new form” of malware that infected the company’s payment card systems. Impacted information includes debit and credit card numbers. Based on the forensic investigation to date, no personal information, debit card PINs, e-mail addresses or Social Security numbers were obtained by the hackers. Kmart also says there’s no evidence that its kmart.com customers were impacted by the breach. Kmart did not immediately disclose how many cards were impacted in the breach. The malware used in the attack was undetectable by current anti-virus systems, the company says. Members and customers who shopped with a credit or debit card in Kmart stores during the month of September through Oct. 9 will be offered free credit monitoring protection, the company says. Kmart is working closely with federal law enforcement authorities, its banking partners, and security experts in its ongoing investigation. In response to a writer’s query, a Kmart spokesperson told ISMG it is not disclosing any details, at this time, about the quantity of payment cards that may have been compromised.
