Tag Archives: hackers

Fraudsters Don’t Take a Vacation During the Holidays

Fraudsters know that some of the greatest opportunities to commit theft occur during the hustle and bustle of the holiday season. Consumers do not only have to worry about double-swiped credit cards at checkout and phone or email scams. Criminals study consumer buying habits and use those habits against them during the holidays.

Here are the top three worst habits:

Poor Attention

Shoppers are more likely to forget important safety and security habits when rushing around during the holidays. Always hold on to anything that might contain identifying information about you or your property, including shopping bags, phones, wallets and purses. Additionally, pay close attention when you park your car and pump gas. Many criminals look for unlocked cars this time of year.

Cheap Attitudes

Some shoppers are so obsessed with the cheapest deals that they ignore common sense and known security risks when shopping online. They click links in emails and pick the cheapest deals even when the sources of these supposed deals are unfamiliar merchants. Fraudsters then steal their identities or banking information through phishing sites or perform payment scams where they take orders, forward the orders to known merchants and then keep the payments for themselves.

Technology Dependence

Now more than ever before, shoppers are depending on portable devices, the internet and apps to help them find great deals. Criminals use this dependence to their advantage by hacking portable devices in public places where shoppers use free WiFi to get updates about real-time deals and coupons. They also create fake shopping and merchant apps that collect personal information. To block thieves, never use portable devices through unsecured public networks, change passwords after every shopping trip and only install apps from verified merchant websites.

You do not need to become a victim. To stop fraudsters from ruining your fun over the holidays, always attempt to keep yourself aware of your environment and your actions and curb any impulsive and bad shopping and technology habits.

Banks Are Hoarding Bitcoin to Protect Against Hackers

On October 21, 2016, a DDoS attack effectively shut down several internet services for an extended period of time. The affected websites included GitHub, Twitter, Spotify, The New York Times, Pinterest, Netflix, and many, many others. As a precaution in case of further attacks, banks are now stockpiling Bitcoin to pay off hackers if an attack is underway. Bitcoin is the preferred currency of online criminals because of its anonymity and the difficulty of tracing it.

The hackers were able to take down so many different websites at once because they attacked a DNS hosting company, Dyn. Many popular and high-traffic websites use Dyn, and this made the attack much stronger than launching it on each website individually.

Banks have taken notice of the recent attacks, and some are now looking at several options for minimizing the losses they may incur from such attacks. While no policy has been confirmed as of now, it appears that many banking companies believe that a bribe in the form of the online currency may cost them less money than suffering an attack.

It is currently unknown which particular businesses are taking this route, and it may remain that way for the foreseeable future. Only time will tell if this payoff method will be a worthwhile option. There is some worry that this kind of negotiation will cause more criminal groups to increase threats and attacks in hopes of making easy money, but hopefully that is not the case. Depending on what happens in the future, other companies, not just banks, may look into bartering with Bitcoin as well.

Data Breach at Wendy’s Expands to Over 1000 Locations

Data security issues at Wendy’s have now been super-sized.

Following whispers of a data breach in January, Wendy’s finally confirmed payment security issues in May, when spokesmen admitted fewer than 300 stores had been affected by malware. Now, the company admits the real number of compromised restaurants is over 1,000.

Thieves installed malware on POS card terminals to capture card numbers, cardholder names, verification values, expiration dates, service codes and other critical data. Wendy’s stated that CVV codes were not at risk. The malware has been called “highly sophisticated in nature and extremely difficult to detect.”

The initial claim of fewer than 300 affected stores was cast into doubt by reports from card issuers that fraudulent charge volume indicated a far larger distribution throughout the chain’s 5,800 U.S. locations. Wendy’s states that the attack came in two separate waves, making it difficult to determine the total size of the data breach when it was first detected. Investigators first determined the scope as only 300 locations, only to be hit by a second, mutated strain of the malware soon thereafter.

The attack appears to have been the result of compromised security credentials used for remote access by third-party POS service companies. These companies are often hired by franchisees to manage POS systems in their restaurants, and most access them remotely. Of the 5,800 Wendy’s restaurants in the U.S., only about 630 are owned and operated by Wendy’s itself, with the remainder in the hands of local franchise owners. None of the company-owned stores have been implicated in the data breach.

In response to their discovery of the larger scale of the breach, Wendy’s has compiled a searchable database of affected locations. This database is accessible to customers on the company website.

The affected locations had not yet moved to the use of EMV chip cards. Gavin Waugh, vice president and treasurer at The Wendy’s Company, believes that the attack might not have been prevented by use of EMV. Wendy’s declined to provide a timetable for the completion of the rollout of EMV to their network of restaurants.

Gartner Group analyst Avivah Litan states that although many locations have received and installed EMV-capable terminals, not all have activated them. She acknowledged that there is a backlog of requests at the companies who certify EMV readiness for merchants ready to move to the new standard.

Hackers Rush to Cash In Before Chip Cards Take Over

While plans are being initiated that will reduce credit card fraud, it appears the problem is going to get worse before it gets better. Credit card issuers are rushing to send new EMV-enabled cards to their customers. These cards, also known as chip cards, contain technology that makes credit card theft much more difficult. Knowing this, hackers and fraudsters are in a rush to steal as much credit card information as they can before their job gets harder.

According to CNBC, as much as $10 billion in fraudulent credit card charges is anticipated between 2016 and 2020 as retailers and card issuers finish adopting EMV cards and technology. As of May 2016, only 20% of credit cards and 10% of debit cards were chip-enabled, leaving lots of people still at risk for a security breach. The bad guys know this and are scrambling to take advantage of security weaknesses in cards with magnetic stripes.

On the other side of the table, retailers and banks are rushing to get chip cards into the hands of consumers. PYMNTS.com reports that, on average, 23,000 merchants per week are installing chip technology in their businesses. Overall, the number of retailers using the chips to read cards has increased by 12.5% since the technology’s introduction. Progress is clearly being made, but not fast enough to protect everyone.

Once all of the credit cards have chips and the bad guys have used up their stolen cards, card-not-present fraud is expected to decrease. However, a different kind of fraud is expected to take its place. With credit card numbers being harder to steal remotely, experts anticipate that more people will fraudulently apply for credit card accounts. These fraudsters will have credit cards mailed to a temporary address that they will later abandon. With the card in hand, they will still be able to make fraudulent purchases.

Though the criminals aren’t going anywhere, neither are those who fight them. New technologies are being considered and developed even as EMV chips are being instituted. In the meantime, the best way to protect yourself is to watch your accounts carefully and use caution when using your card online.

Hackers find new target: Marriott [2023 Update]

Holiday Inn, Marriott Hotels Suspected Targets of Data Breach

The Official Merchant Services Blog has breaking news regarding the ongoing series of credit card data breaches. On the heels of the major hack of discount retailer Target, which stole credit and debit card data from 40 million accounts right smack dab in the middle of the holiday shopping season, there’s yet another target of hacker greed: Holiday Inn. Lodgers at Holiday Inn, Marriott and Renaissance hotels may have had their payment card details compromised for much of 2013, a hotel management company revealed on Monday.

White Lodging Services, a hotel management company, warned in a news release it suspects point-of-sale systems at restaurants and lounges on 14 of its properties were compromised between March 20, 2013 and Dec. 16, 2013. Guests who did not use their card at restaurants and lounges, as well as those who used their room account for purchases from those outlets, were not affected, the press release revealed.

The Merrillville, Indiana-based company said it manages hotels like Holiday Inn under agreement with hotel owners. The company is a separate entity from the specific hotel brands it operates. White Lodging Services said it has contacted federal law enforcement and initiated a forensic review of its properties. It runs more than 169 hotels in 21 U.S. states.

The Full List

The food and beverage outlets affected by the suspected breach were located at the following hotels:

  • Marriott Midway, Chicago, IL
  • Holiday Inn Midway, Chicago, IL
  • Holiday Inn Austin Northwest, Austin, TX
  • Sheraton Erie Bayfront, Erie, PA
  • Westin Austin at the Domain, Austin, TX
  • Marriott Boulder, Boulder, CO
  • Marriott Denver South, Denver, CO
  • Marriott Austin South, Austin, TX
  • Marriott Indianapolis Downtown, Indianapolis, IN
  • Marriott Richmond Downtown, Richmond, VA
  • Marriott Louisville Downtown, Louisville, KY
  • Renaissance Plantation, Plantation, FL
  • Renaissance Broomfield Flatiron, Broomfield, CO
  • Radisson Star Plaza, Merrillville, IN

White Lodging last week told the New York Times it was investigating a potential security breach, covered in a report from security writer Brian Krebs, the same Krebs who broke the news on the Target Data Breach as well as the Global Data Breach.

What Was Hacked?

The unlawfully accessed data may have included names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates. Guests who used or visited the affected businesses during the nine-month period and who used a credit or debit card to pay their bills at the outlets might have had such information compromised and are encouraged to review their statements from that time period.

One idea posited on how this happened is RAM scraping. Attackers are planting malicious software, known as “RAM scrapers,” on POS devices, which capture unencrypted card details after a customer has swiped a card, defeating other security measures in place intended to protect sensitive details. White Lodging said customers’ names as printed on credit or debit cards, the card numbers, the cards’ security code and expiration dates may have been unlawfully accessed.

What’s Next?

Financial institutions have reissued some payment cards and are monitoring other credit and debit cards for unauthorized activity, the company said. White Lodging is also arranging to offer one year of complimentary personal identity protection services to all affected cardholders.

The unfolding disclosures have drawn the attention of the U.S. Congress. The House Energy and Commerce Committee is scheduled on Wednesday to hear from senior executives from Target and Neiman Marcus along with the U.S. Secret Service about how data breaches can be prevented.

Host Merchant Service’s PCI Compliance Initiative

Looking at the threat of a data breach, merchants must wonder what the solution can be. Is there protection available? PCI Compliance is a great foundation for transaction security. The standards and protocols set up by the PCI-DSS Council are the first step a merchant needs to take to protect their data. And Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that step.

Also, one thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.

 

Can Chip Cards Stop the Hax? [2023 Update]

The massive data breach at Target is a big shining beacon illuminating exactly how behind the times the United States remains when it comes to credit card security — namely EMV® chip technology.

EMV is a worldwide standard for credit and debit card payments based around the use of chip card technology. The acronym stands for Europay, MasterCard, and Visa, who collaborated to create the technology. The goal of the project was to create a card built around a microprocessor chip that is read by the payment terminal. Because the U.S. has yet to widely deploy embedded chip technology, the nation has increasingly become the focus of hackers seeking to steal such information. The stolen data can easily be turned into phony credit cards that are sold on black markets around the world.

In fact, KrebsOnSecurity, the website that broke the news of the Target hack, has reported that the card information stolen in the Target Data Breach has been showing up on the black market. Credit and debit card accounts stolen during the security breach have reportedly flooded underground black markets, going on sale in batches of one million cards. The cards are being sold from around $20 to more than $100 each.

Over the last decade, most countries have moved toward using credit cards that carry information on embedded microchips rather than magnetic stripes. The additional encryption on these aptly named smart cards has made the kind of brazen data thefts suffered by Target almost impossible to pull off in other countries. That is why, as of Q4 2012, there were roughly 1.62 billion EMV cards in consumers’ hands and 23.8 million terminals deployed throughout Europe, Asia, and Africa. About 80 countries have adopted the technology as a standard. By comparison, about 1% of credit cards issued in the U.S. contain such technology, making the United States a tasty target for hackers.

“The U.S. is one of the last markets to convert from the magnetic stripe,” Randy Vanderhoof, director of the EMV Migration Forum told the LA Times. “There’s fewer places in the world where that stolen data could be used. So the U.S. becomes more of a high-value target.”

The credit card industry reports the U.S. accounted for only 24 percent of global credit card payments by volume in 2012, but it accounted for 47 percent of the fraud.

So Why No Chips in the U.S.?

According to experts, the reasons the U.S. lags so badly in adopting smart cards are complicated. In part, there hasn’t been the political will to demand that businesses and financial institutions make the change. One might think the Target data breach would spur politicians to action or at least get consumers to light a fire under those politicians. But the Target hack is just one in a growing list of data breaches, and the 40 million compromised cards are rather mundane.

In April of 2011, the PlayStation Network was hacked, compromising the vital information of 77 million accounts, and 24.5 million Sony Online Entertainment accounts. This has been touted as one of the largest personal data heists recorded in history, and prompted Sony to shut down its services for a month. In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into its internal card processing network and installed malicious software that allowed them to steal track data on more than 130 million cards.

If neither of those data breaches could spur on the adoption of EMV cards, it’s unlikely the Target hack will move the needle. The inertia built up against the smart cards then must be due to some other reason. Analysts also say the payment processing system in the U.S. is more complicated, with merchants, credit companies and banks reluctant to spend the big bucks it would take to convert a system with 1 billion credit cards to EMV from magnetic stripes. But that’s still too murky.

The primary reason such technology has taken so long to make its way into the U.S. is far simpler: Chip-embedded cards are more expensive to produce. Each merchant would have to purchase new equipment to handle them.

What the Future Holds …

The good news for consumers is that the U.S. is indeed moving to embrace smart credit cards. The Official Merchant Services Blog reported almost two years ago that the United States was moving slowly but surely toward adopting chip cards. Visa took the lead in the U.S. push, reporting that as of December 31, 2011, the credit giant had issued more than 1 million credit cards that use “chip” technology to store consumer payment information. Visa made an announcement in August 2011 that it planned to start issuing more EMV (Europay, Mastercard, Visa) smart cards to push the industry toward better security and an easier transition to mobile payments.

In the last couple of years major card issuers have laid out road maps for upgrading the card technology, and many have set out to achieve this by October 2015.

TransFirst, Host Merchant Services’ acquirer and one of the premier providers of transaction processing services and payment processing technologies in the U.S., issued a mandate in response to the EMV push. TransFirst said that Visa will require U.S. acquirer processors and sub-processor service providers to be able to support merchant acceptance of chip transactions no later than April 1, 2013. Visa also intends to institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale transactions effective October 1, 2015, and for fuel-selling merchants by October 1, 2017.

October 2015 was chosen because at that point major credit card companies will change their rules about who is liable for fraudulent purchases caused by security breaches. Under the new rules, the entity in the payment chain (merchant, credit card, banks) deemed to have the weakest security will be liable. Credit card companies can’t make anyone adopt the technology, but they’re giving them a hard nudge.

The Bottom Line

While the Target Data Breach once again brings up the topic of credit card security, it seems like the U.S. is still poking along with its slow adoption of EMV chip cards. Hackers will continue to target the low-hanging fruit that the largely magnetic-stripe-based U.S. credit card industry still works with. But EMV chips and increased digital security of cardholder information are coming. October 2015 looms closer and closer.