Credit Card

Card Data Breaches

What Happens when Personal Information Hits the Dark Web

April, 2015

Dark Reading reports on an experiment that tracked the journey of a cache of phony names, SSNs, credit cards, and other personal information. The bait – a trove of phony “stolen” data including several thousand Social Security numbers, credit cards, names, and email addresses – was swallowed within the first few days of being planted in the Dark Web. And when the 12-day experiment was over, the data had traveled to more than 22 different countries and been viewed nearly 1,100 times. The experiment conducted by security vendor BitGlass was aimed at getting an inside look at just what happens after cyber criminals siphon personal information from retailers and other breached organizations. In the end, it was downloaded by 47 different parties. It was mainly grabbed by users in Nigeria, Russia, and Brazil, with the most activity coming from Nigeria and Russia.

Carder.su Member Sentenced to 12 Years

April, 2015

SC Magazine reports Jermaine Smith, a member of the cybercrime syndicate Carder[dot]su, was sentenced to over 12 years in prison this Thursday, and ordered to pay $50.8 million in restitution. The 34-year-old Smith (a.k.a. “SirCharlie57” and “Fairbusinessman”) pleaded guilty in October 2014 to one count of participating in a racketeer-influenced corrupt organization, according to a Department of Justice release. Smith admitted to causing more than 250 victims to lose between $7 million and $20 million while he was a member of the Carder[dot]su syndicate that sold stolen credit card data, among other illegal activities, authorities said. While awaiting trial in 2013, Smith – one of 55 people targeted in “Operation Open Market,” a Carder[dot]su crackdown – illegally fled to Jamaica. To date, 26 individuals linked to the fraud ring have been convicted, while the rest either await trial or remain at large, DOJ said.

Fighting U.S. Card Data Fraud Overseas

April, 2015

Bank Info Security reports that, to help take down international “carding” rings, the U.S. Justice Department wants to expand current law so it can prosecute those who commit fraud anywhere in the world that involves U.S. payment card data. But legal experts warn such a move could invite legal reprisals from other countries. The Justice Department’s criminal division says in a blog post that it’s too difficult today for U.S. law enforcement agencies to disrupt all parts of the carding ecosystem. That includes organized crime gangs, which often harvest large amounts of payment card data, as well as those who buy the data to commit online fraud, create and sell fake cards or prepaid cards, or employ low-level money mules to commit in-person fraud, using these fake cards at retailers or ATMs. The Justice Department says it’s difficult to pursue the middlemen in this ecosystem who run the carding forums that offer “dumps” of card data for sale. So, the Obama administration is proposing amendments to Title 18, the federal government’s criminal and penal code. The changes would be to a section of Title 18 that covers fraud – and related crimes – in connection with “access devices,” which is legalese that can refer to payment cards.

Why POS Malware Still Works

April, 2015

Data Breach Today reports security experts are warning about a new breed of point-of-sale malware dubbed Poseidon, named after the Greek god. Researchers at Cisco say it’s the latest attack code designed to steal credit card numbers immediately after payment cards get swiped through POS terminals. While the appearance of any new type or variation of attack code triggers alarm in financial services and retail circles, Charles Henderson, vice president of managed security testing at information security firm Trustwave, says there’s a bigger problem than the POS malware du jour. That problem is that too many retailers use POS devices without changing their default passwords or running them via segmented networks, which makes such devices easy to infect with remotely controllable malware.

Health Records Are the New Credit Cards

March, 2015

CSO Online reports: forget credit card numbers. The hot new data for the modern bad guy is the electronic health record, which is not only worth more on the black market, but is easier to get. According to a 2014 BitSight report, the health care industry has been lagging behind when it comes to security effectiveness. The industry has a worse average rating than the retail industry, including a high volume of security incidents and slow response times, according to Stephen Boyer, CTO and co-founder at Cambridge, Mass.-based BitSight Technologies. Meanwhile, Gemalto’s 2014 Breach Level Index showed that the healthcare industry suffered more breaches last year than any other industry, accounting for 25 percent of all breaches globally. Electronic health record information can be used for billing scams that go as high as the value of the health insurance policy, to purchase prescription drugs for resale on the black market, and also for run-of-the-mill identity theft.

Seeking Compromise on Data Breach Notice Bill

March, 2015

Bank Info Security reports a draft bill circulating in Congress to create national requirements for data breach notification could be the vehicle used to win political support for a compromise from lawmakers supporting the divergent interests of the business community and privacy advocates. After reviewing the draft of the Data Security and Breach Notification Act of 2015, Lisa Sotto, a privacy and cybersecurity law partner at Hunton & Williams, noted that it needs work, it needs tinkering, but it might be what a compromise bill looks like. Reps. Marsha Blackburn, R-Tenn., and Peter Welch, D-Vt., began circulating the discussion draft of the legislation on March 12. If enacted, the bill would usurp 47 state data breach notification laws with a single federal statute. Some lawmakers have concerns about the weakening of consumer protections overall, as well as the dilution of protections for customers of telecommunications and cable services.

Target to Settle Data Breach Lawsuit for $10 Million

March, 2015

Dark Reading reports individuals who are able to prove they suffered financial losses as a direct result of the data breach at Target in late 2013 will be eligible for up to $10,000 in damages under a proposed settlement of a class-action lawsuit against the retailer. Target will set aside $10 million in an interest-bearing escrow account to fund claims made by individuals under the settlement, court documents filed in the U.S. District Court for the District of Minnesota show. Funds that remain after all claims have been settled will not revert back to Target and will instead be distributed according to the court’s instructions. Under the proposed settlement, Target has also agreed not to contest any award of attorney’s fees that do not exceed $6.75 million, the court documents show.

Nussle: CUs Still Wait for Over $30M Lost from Target Breach

March, 2015

CUNA News notes despite the recent announcement by Target of a $10 million settlement for a consumer class-action lawsuit related to its 2013 data breach, credit unions are still waiting to be reimbursed for the nearly $30 million of costs they incurred in response to the breach. The settlement only covers payments to consumers for damages they may have incurred. It does not cover costs credit unions and other financial institutions incurred as a result of the breach. CUNA President/CEO Jim Nussle weighed in on the Target news: “For 15 months, credit unions and their members have been pushed to the back burner waiting to be reimbursed for over $30 million lost, at no fault of their own, due to Target’s failure to safeguard the data of its customers. Further, it shouldn’t take a court-approved settlement for Target to provide basic security measures to protect American consumers from data breaches.”

Breach at Premera Blue Cross Affects 11 Million

March, 2015

ThreatPost reports hackers wriggled their way into the servers of health insurance provider Premera Blue Cross 10 months ago, and potentially exposed the information of 11 million members, employees and other associates. The provider announced yesterday that customer information, including names, dates of birth, email addresses, addresses, telephone numbers, Social Security numbers, identification numbers, bank account information, and claim information – including medical ailments – may have been leaked by hackers. Prospective customers, including Blue Cross Blue Shield members who sought treatment in either Washington or Alaska, are believed to be affected as well, as are any individuals who may have given the company their email address, bank account number or Social Security number.

Apple Pay: A New Frontier for Scammers

March, 2015

The Guardian reports criminals in the U.S. are using the new Apple Pay mobile payment system to buy high-value goods – often from Apple Stores – with stolen identities and credit card details. Banks have been caught by surprise by the level of fraud, and the Guardian understands that some are scrambling to ensure that better verification and checking systems are put in place to prevent the problem running out of control, with around two million Americans already using the system. The crooks have not broken the secure encryption around Apple Pay’s fingerprint-activated wireless payment mechanism. Instead, they are setting up new iPhones with stolen personal information, and then calling banks to “provision” the victim’s card on the phone to use it to buy goods. A credit or debit card can only be added to Apple Pay when its issuing bank beams over an encrypted version of the card details to store on the phone – which it should only do when certain the real owner is using it.
