[SecurityRatty] tag: debit

Fun Security Reading - 3

Thu, 15 May 2008 10:11:00 +0000

Instead of my usual "blogging frenzy" machine gun blast of short posts with links and commentary, I will now combine them into my new blog series "Fun Reading on Security" or "FRoS." Here is an issue #3, dated May 15, 2008.

First, watch Dave Aitel beats the dead horse of academic security "research." Quote: "people who write papers in LaTeX two-column format end up saying the sky has a high negative trajectory." (other examples)
I work for a vendor, but I am not "vendor scum." What is the difference? If you write a paper about a fake trend or about a non-existent phenomenon (that your marketing department created) with the sole intention of selling your product while masquerading your piece as "objective content", you will probably be called "vendor scum." Example: do you know why insiders are dangerous? Because of telnet and modems (no shit!) :-)
Rich Mogul drop-kicks GRC. Then kicks it in the balls. Then steps on it. Fun read, for sure.
Did somebody just utter "ROI"? Yeah - and that means katana blades sharpened, flamethrowers charged, pet trolls enraged :-) Yes, the beast is back - with a vengeance. Bruce Schneier hits it with +5 Flaming Blade, it doesn't die, it bites back ... again. If you love/hate ROI, read these. And Mike R comment here. Can we just replace the "R"-word with "economic measure of security" or "security efficiency?"
Does anybody with at most half a brain believes that "almost one out of every three individuals who were informed of a data security compromise involving their personal data have ceased doing business with the company that experienced the incident" (source here and more commentary here)? Well, same people who believe FBI/CSI surveys, I guess :-) UFO? Spoon bending? Santa Claus anyone?
NEWSFLASH!!!! Employees needs to be monitored!!! Wow!!! Reeeeally? Well, it is news to some people. Mike R makes good fun of them here.
Harebrained paper about PCI and using cards (credit and debit), which serves as a perfect illustration of how some people perceive risk. Repeat after me: you are not liable for mis-use of your credit card, your bank is. Debit card? Very different story!
So, risk, yes. A really good piece about risk is here. Then again, it is RiskAnalys.is? :-) More on risks of compliance stuff (also good) is here.
Richard clearly, succinctly, brilliantly explains the "security chasm" here by commenting on Greg's article (featured in my previous FRoS): "The first camp spends more time talking about "enabling business" and "elevating the infosec conversation" while the second camp deals with the mess caused by the first world's ignorance of security problems."
Security reading? Nah, fun security listening (that is, unless you are sick of hearing about RSA 2008 again), where we discuss - yes, you guessed right! - past RSA 2008 show.

Enjoy!

Two students access confidential Dominican University files

Wed, 14 May 2008 18:40:18 +0000

Technorati Tag: Security Breach

Date Reported:
5/8/08

Organization:
Dominican University

Contractor/Consultant/Branch:
None

Victims:
Students

Number Affected:
5,215

Types of Data:
"names, addresses, phone numbers, birthdays and Social Security numbers"

Breach Description:
"CHICAGO -- Some Dominican University students and alumni were notified this week of a breach in security that could have put their personal information at risk. The university said two students were able to access records on a staff network storage area in April. The files were three spreadsheets from 2003, 2005 and 2007."

Reference URL:
WMAQ NBC Channel 5 News
RiverForest-Leaves
Dominican University

Report Credit:
Dominican University

Response:
From the online sources cited above:

Dominican University takes information security very seriously. In April, we discovered that two student workers had accessed Excel files containing limited student data by misusing passwords related to their work-study employment.

Two computer science sophomores who had password access through their work-study employment discovered three Excel files, containing a total of 5,215 student records.

These files were in an unsecure location that was to be accessible only to specific staff members.
[Evan] Is this password misuse or just poorly secured files and poor security? The confidential files were stored in an unsecure location that was supposed to be accessible by specific staff. Does this make any sense to you?

One of the students came forward earlier this month with the information that they had accessed files that were to be available to staff only. The students then disclosed the full extent of their access to the exposed data and demonstrated to the administration how the access occurred.
[Evan] I wonder if the school would have ever found out if the student didn't come forward. My guess is not.

We notified all affected parties in writing, set up a toll-free hotline, and have worked closely with both the local police and states attorney’s offices.

A letter was sent to all affected students and alumni on April 18 when the extent of the exposure could be determined.

The students went through a full university judicial process, were suspended temporarily and have been barred from future campus employment, among other sanctions.

The students are expected to return to classes next fall "under a lot of supervision, as you'd expect,"
[Evan] I don't know. There are probably students doing worse things on campus that probably need a lot more supervision than these two. Judging only by what I have read, these students seem to have been pretty honest. They came forward, they cooperated with the investigation and even demonstrated what they did.

The university is conducting a complete security audit and internal review.
[Evan] This should be done a regular basis anyway. All good information security programs conduct regular audits, assessments and reviews.

Dominican has conducted a complete internal security audit and has hired an external consultant to review all security processes.
[Evan] I endorse the school's decision to enlist a third-party consultant, assuming that the consultant is good at what they do. The last statement contained the word "conducting", this statement contains "conducted".

At this time we have no reason to believe that any information has been misused, but retain the right to prosecute as necessary.

"Steps have been taken to make something like this more difficult to do in the future. We've significantly tightened security,"
[Evan] If I had a dime for every time I heard this, I could retire very comfortably. If there are no details or facts to support statements like this, they don't mean much to me

If I have more questions, who should I call? You can call our toll-free number: (877) 387-8310.

Student Reaction:
"I was a little upset. I was nervous. I didn't know what to do. I knew that our family's been affected by this before, so I wanted to react right away,"

"I think that's crazy, because ... people can get your information, know things about you (and) you can't do anything about it,"

"Someone actually just charged on my debit card something. (It was) unrelated to this, I think, but it freaks me out every day now,"
[Evan] This student didn't just buy some Adobe education version software, did he/she?

Commentary:
I'm not sure if I am reading this right or not, but it seems almost like these students stumbled upon the confidential files and informed officials of their findings. I don't sense an dishonesty on their part. I could be wrong, but it also seems like the school didn't (and maybe still doesn't) properly secure confidential information. The statement about a secure file in an unsecured location is puzzling.

If assumptions are correct, then it may be ill-advised to sanction these students. Does anyone else see this the same way, or would you say that I am off base here?

Past Breaches:
Unknown

Restaurant chain served up payment card data to hackers

Tue, 13 May 2008 09:00:00 +0000

Dave & Buster's disclosed that credit and debit card numbers were stolen last year from systems at 11 of its restaurants — allegedly by three hackers who have been indicted by a federal grand jury.

Is it time to abandon credit card payments and go back to cash?

Mon, 12 May 2008 20:00:00 +0000

About two years ago, I had a conversation with a family member about his Stone Age practice of using cash and checks for almost every purchase. He admitted to owning just one credit card and no ATM or debit card, and he didn’t even know about online banking.

Confidential information sent to PinPay.net and SoftCard.biz is exposed

Thu, 08 May 2008 09:26:03 +0000

Technorati Tag: Security Breach

Date Reported:
4/29/08

Organization:
ACAP Security Inc.

Contractor/Consultant/Branch:
PinPay
SoftCard

Victims:
Merchants, Agents and customers

Number Affected:
Unknown

Types of Data:
Name, mailing address, phone number, email address, date of birth, city of birth, sex, and one or more of the following (chosen from drop-down):

Passport
Voting ID card
PAN card
Driving License card
Government issued ID card
Social Security Card
Military ID card
Consular ID card
Postal ID card
Government Employee ID Card
Credit Card
Debit Card

Breach Description:
ACAP Security and affiliated sites are actively marketing a "secure payment system that allows Internet-based businesses to accept secure PIN-debit card payments and transactions at their online store." The PinPay and SoftCard sign-up pages and account access pages are not adequately secured with encryption, potentially exposing extremely sensitive personal information.

Reference URL:
Merchant 911 Blog

Report Credit:
Tom Mahoney, the Founder and Director of Merchant 911

Response:
From the online source cited above and my own cursory investigation:

Back in January, I had short email dialog with a Kip Long, who claimed to be one of the principles of a company called Softcard out of Huntington Beach, CA. They are not to be confused with SoftCard Systems in Athens, GA. As far as I know, SoftCard Systems is a legitimate company with a legitimate product.

Mr. Long was rather aggressively, but not very successfully, trying to impress me with their product - from what I can make of it, a virtual PIN based card.

The company uses PinPay - to process transactions and both companies are a part of ACAP Security, Inc..

I reviewed their site for possible inclusion in our website’s resource pages, but promptly rejected them.

their insecure sign-up form - was requesting “Identity Card Numbers” and issue dates.
[Evan] The sign-up forms at SoftCard.biz and PinPay.net are not secure. Neither are their respected login pages.

“Identity cards” are selectable from a drop down menu and include such ID information as Passport, Driver’s license, SSN, and Credit Card.

The form also requires a full name and DOB.

I tried using the HTTPS URL but it appears that they do not have a security certificate tied to their site.

The fact that Mr. Long used a hotmail address to pitch the company made me wonder too, given that at Merchant911 we try to instill in our members that a free email address from a customer is a fraud alert.

If a company official can’t use his company’s domain for email, I’m not going to talk to him.

I called their attention to the insecure web form in January. They still have the form up there, happily collecting this information with an insecure form.
[Evan] I also sent emails and heard nothing in return.

I have to wonder how much information has already been sniffed or otherwise compromised. You probably don’t want to fill out this form.
[Evan] My advice would be to NOT fill out the form and NOT conduct business with a company that has not demonstrated a willingness to secure your information.

Commentary:
Tom informed me about this vulnerability (and potentially a breach for anyone that signed-up/in) a couple of weeks ago. I've been a little busy lately, but was finally able to check it out. Let me recap what I found.

First, let's go to www.softcard.biz. This is the site that Tom originally pointed out to me.

The flash home page forwards visitors to a static index (indexaa.html) page. The first paragraph on the page informs visitors about PinPay.

"The PINPAY SoftCard is a wise way to carry and transfer money. It gives you the ability to purchase products at participating stores throughout the world (as well as at online shopping malls), with the security of a PIN that travels the internet via private encrypted tunnels. It also allows you the ability to load money to your card, pay bills, transfer money to merchants, transfer money between cards, and withdraw cash from your card at the store."

See where the page says, "Register for your FREE card HERE!!"? This is a link to the sign-up page that Tom was referring to.

No "https" in the URL. Tom was right on that. The sign-up form asks for a personal information ranging from name and address to identity card information (even information for a "Second Identity Card").

The "Select Identity Card" drop down menu displays the choices for the prospective customer, including Passport, Voting ID card, PAN card, Drivers License card, Government issued ID card, Social Security card, Military ID card, Consular ID card, Postal ID card, Government Employee ID Card, Credit Card and Debit Card

SoftCard (or PinPay or ACAP Security) are asking for some very sensitive personal information! First, this is quite a bit more information than they need to approve a person for a "PINPAY SoftCard". Second, no encryption?! Third, who is ACAP/SoftCard/PinPay and what will they do to secure my information once they have it supposing it wasn't intercepted on the way to them?

Let's dig a little (public) information about ACAP Security. According to Entreprenuer.com, ACAP launched "Personal Private Network" (ppn) technology, commercially available under the trade name ppnPRO, which is described as a "highly secure, and highly private" personal private network. ppnPRO uses "Government approved AES encryption, with strong personalized 256-bit encryption keys, and encrypting all information- network addresses, applications and ports, as well as the confidential data content". Sounds impressive, but it also sounds like the company should know a thing or two about securing web site transactions with encryption.

I want to discuss the risk of sending confidential private information over a public network such as the internet without encryption, in particular. This is not a new topic, but I will take some time to demonstrate the risk.

In order for my information to be compromised, someone (or something) will need to capture the traffic. In order for someone to capture my traffic, they will need to tap into the communication somewhere between me (my computer) and the destination (the web server). My information doesn't travel directly from my computer to the server. There are intermediaries (routers, switches, firewalls, etc.) that have to get (or forward) my information from my computer to the server.

As you can see depicted in the graphic above, there are at least 16 routers (or hops) between this example source and www.softcard.biz. The final few hops are not reported due to filtering. So where could my traffic be captured? At the very least:

Between my computer and my router (or firewall)
Between my firewall and the ISP hand-off
Between all the traversed devices within my ISP's network
Between all the traversed devices through the internet
Between all the traversed devices within the destination ISP's network
Between all the traversed devices within the destination organization's network and the server itself.

Anyone in the communication path can use a simple protocol analyzer like Wireshark and capture the sensitive information:

txtfname=Billy&txtmname=J&txtlname=Madison&txtaddress=123+Main+Street&txtcity=Anywhere&
txtstate=MA&txtzip=87451&txtcountry=United+States&mob_phone=NONE&txtphone=18006218200&
txtemail=billymadison@honky.com&txtdob=04%2F20%2F1988&txtbirthcity=Boston&
txtbirthcountry=United+States&txtgender=M&identity1=Social+Security+Card&txtcardno1=123-45-6789&
txtissuedate1=04%2F20%2F1988&identity2=Driving+License+card&txtcardno2=M-1234567890&
txtissuedate2=04%2F20%2F2006&submit=Accept+Card+Agreement-Submit

This is a very simplistic demonstration about why it is important to encrypt sensitive information. If the communication had been encrypted, none of the data would have been visible without access to the private key.

We could go deeper into the server application and SQL, but I think that this is enough.

A Quote from the ACAP Security CEO:
“The right of privacy is a fundamental and very important right of American society. A right our Nation’s founders fought the American Revolution to obtain and a right many brave American soldiers have fought and continue to fight and die to preserve. As this Nation continues to advance into cyberspace, we have expanded the right of privacy to include the right to electronic privacy. The elements of cyber-crime and cyber-vulnerabilities have begun to seriously erode and destroy this important right of electronic privacy.”

Past Breaches:
Unknown

Card skimming at Lunardi's Supermarket

Tue, 06 May 2008 08:25:33 +0000

Technorati Tag: Security Breach

Date Reported:
4/29/08

Organization:
Lunardi's

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"bank card numbers and personal identification codes"*

*bank cards include credit cards and debit cards

Breach Description:
"About 150 people who used their bank debit cards at a Lunardi's Supermarket in Los Gatos have become victims of an identity theft scam. And that number is expected to grow, Los Gatos police Capt. Dave Gravel said."

Reference URL:
KPIX TV Channel 5
The Mercury News
The Mercury News (update)

Report Credit:
KPIX TV Channel 5

Response:
From the online sources cited above:

An ATM and credit card reader in a checkout aisle at the Los Gatos Lunardi's supermarket was recently switched, resulting in more than two dozen reported cases of identity theft, a Los Gatos/Monte Sereno Police Department spokesman said today.
[Evan] The number "two dozen" was used in the original report on April 29th.

About 150 people who used their bank debit cards at a Lunardi's Supermarket in Los Gatos have become victims of an identity theft scam.
[Evan] By the time of the May 2nd story, the number of reported cases grew to about 150.

And that number is expected to grow, Los Gatos police Capt. Dave Gravel said.

Police received the first reports from victims who said their credit or debit cards had been used fraudulently on Sunday night and additional victim reports continued on Monday and today, according to police spokesman Tam McCarty.

Police believe the victims all had their card numbers stolen at the Los Gatos Lunardi's, 720 Blossom Hill Road, after officials from Lunardi's contacted them about a problem with one of their card readers.

"It was a switched card reader at one of the aisles,'' McCarty said.

"What we have here is more than one person - they've been able to get in there (Lunardi's) and switch out the ATM card reader," said Los Gatos-Monte Sereno police Sgt. Tam McCarty. "Once they've done that they can read the card and PIN numbers and either make a temporary card or sell the numbers over the phone."
[Evan] Completely switch out the card reader? I have never been to the store so I don't know the layout, but how does a person switch out a card reader during business hours without anyone noticing? It seems very risky to make the switch during business hours. I suppose that a thief could pose as a repair or other support person that wouldn't look suspect. Was the switch done while the store was closed? If so, this seems to imply an insider. Just thoughts, I am sure that the investigators have already thought through these questions.

The thieves then transferred that bank information onto cloned cards - any card with a magnetic stripe can be used - and made cash withdrawals from ATMs in Southern California.
[Evan] Search Google for "Credit Card Encoder" and take your pick of various credit/debit card magnetic stripe readers/writers. Extreme Media has information on "Credit Card Hacking, ATM Hacking, Debit Card Hacking and more. From Identity Fraud to Off Shore Banking we have you covered." I have never used or read any of their wares, so I don't know how reliable it is. The point I am trying to make is that committing fraud with compromised credit/debit card information is easy and there are plenty of people willing to help the bad guys.

police are still trying to determine how much money was stolen.

Recent shoppers of the Los Gatos Lunardi's should check the status of their bank or credit card accounts for charges they did not make, according to police.
[Evan] If I were a customer of Lunardi's, I would contact my bank and close my credit/debit card account and open a new one (with new numbers).

Through an attorney, the Lunardi family, which owns the upscale grocery chain, also declined to discuss specifics about the technology used.

In a statement, the owners said the chain "in no way wants to compromise the ongoing investigation by law enforcement authorities or to reveal details of our security measures which could counteract their effectiveness."

George Silvestri, an attorney for Lunardi's, said the chain has replaced the payment devices at all seven of its Bay Area locations with machines that are locked onto the checkout stands.

Lunardi's employees with access to these devices have been trained in security procedures recommended by law enforcement and banking authorities.

Anyone who finds fraudulent charges on an account should contact the local police department or the Los Gatos/Monte Sereno Police Department at (408) 354-8600.

The thefts at Lunardi's in Los Gatos comes about three weeks after police uncovered a similar scam at an Arco AM/PM in Los Altos.
[Evan] I missed this specific breach, but I did report an ARCO "skimming" related breach in December, 2007. The December breach occurred at the El Monte station.

Commentary:
Card skimming is nothing new, but the methods have been refined and the technology has gotten better. The devices used by the criminals used to be pretty easy to identify, but now some of the devices are so small and well made that it can be difficult to notice, even to a trained eye.

A video or two might be helpful to readers (good information, but nothing earth shattering)

An NBC 10 News report:

From the UK, "The Real Hustle - ATM Scam"

Past Breaches:
Unknown

Security upgrades may not buy Hannaford full data protection

Sun, 27 Apr 2008 20:00:00 +0000

Hannaford Bros.said last week that it expects to spend "millions" of dollars on IT security upgrades in response to the the recent theft of up to 4.2 million credit and debit card numbers from its...

Online intruder makes off with SwimwearBoutique.com customer data

Sat, 26 Apr 2008 20:22:24 +0000

Technorati Tag: Security Breach

Date Reported:
4/16/08

Organization:
Swimwear Boutique ("SWB")

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Name, address, email address, SWB account password, and credit card information

Breach Description:
SwimwearBoutique.com "recently discovered that a person may have illegally gained unauthorized access to your personal information stored in your SWB account. We believe that this person unlawfully accessed the SWB Internet site between March 26, 2008 and March 28, 2008. The information accessed varied, but could have included your name, address, email address, SWB account password, and credit card account number"

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

I am writing to you on behalf of my client SwimwearBoutique.com ("SWB") because it determined on March 28, 2008 that it was the victim of an illegal intrusion into its systems.

Criminals unlawfully obtained access to certain databases containing various information, which could have included names, addresses, and credit card information of approximately 37 residents of New Hampshire, who were SWB customers.
[Evan] 37 residents in New Hampshire alone. I assume that the number nation/worldwide would be much higher.

We believe that this person unlawfully accessed the SWB Internet site between March 26, 2008 and March 28, 2008.

These criminals also corrupted data maintained by SWB, rendering certain data unreadable and unusable.
[Evan] Could this be the purpose behind the SWB note on their Sign In page?

We reported this crime to the Dallas office of the United States Secret Service, and are assisting with the investigation.

We hope that the criminals responsible will be apprehended and prosecuted to the fullest extent of the law.
[Evan] Geez. I think we all hope for this, but the reality is that online intruders are rarely caught and prosecuted.

SWB also worked with its existing Internet security provider, McAfee, to determine how these criminals gained access to this information and immediately implemented measures to counter such unlawful conduct.

We are monitoring the site for further attempts to break into the site and we continue to work with McAfee to maintain the security of the site.
[Evan] Although I don't see the "Hacker Safe" seal anywhere on the site today, this is the McAfee service that SwimwearBoutique.com uses. In January, 2008 we reported the Geeks.com (also a Hacker Safe customer) breach.

We already have notified our merchant bank and are cooperating with it to provide a list of the affected individuals to it.

Notification letters will be sent out on April 23, 2008.

Affected customers also can contact us for more information at 1-866-SWIMWEAR.

In addition, to any affected customer requesting assistance from us, SWB will offer a year's subscription to the LoudSiren Identity Protection Network.
[Evan] This statement is included in the letter to the New Hampshire State Attorney General. I did NOT see any reference to this in the letter that went to affected customers. Huh.

We are committed to helping our customers affected by these criminal acts.

We deeply regret that a valued customer like you may have been affected by the criminals.

Commentary:
People like simple solutions and quick fixes which often seem to lead to shortcuts and a false sense of security. Does a "Hacker Safe" seal or PCI compliance mean that your credit card information will be safe? No, it certainly doesn't. Understand these for what they are, a baseline level of security that only meets a certain number of requirements. There is a heckuva lot more to information security. Don't get me wrong, I think that requirements and baselines are important, but they are not more than a cog in a complex machine.

A tip for online consumers:
Check out PayPal's Virtual Debit Card. "PayPal Virtual Debit Card generates a virtual card number each time you make a transaction online so you don't have to use your personal debit or credit card number." A one time credit card number. If your card number is compromised, it only affects the one transaction. Fraudsters are unable to rack up additional charges. Cool.

Past Breaches:
None

Hundreds of WiseBuys customers are victims of credit card fraud

Sat, 26 Apr 2008 17:01:56 +0000

Technorati Tag: Security Breach

Date Reported:
4/24/08

Organization:
WiseBuys Stores, Inc.

Contractor/Consultant/Branch:
WiseBuys of Canton

WiseBuys Plaza, 5533 US Highway 11, Canton, NY 13617, 315.379.0456

Victims:
Customers

Number Affected:
"hundreds"

Types of Data:
"credit and debit card numbers"

Breach Description:
"Hundreds of credit and debit card numbers were stolen in December at the Canton Wisebuys store, according to Canton Village Police."

Reference URL:
Watertown Daily News
WWTI Channel 50 News
TWEAN News Channel of Syracuse

Report Credit:
WWTI Channel 50 News

Response:
From the online sources cited above:

CANTON — Police are investigating hundreds of reports of thefts of credit and debit card numbers belonging to customers who shopped at WiseBuys department store in December.

"We have had hundreds of victims and thousands of thefts. We have had amounts as high as $3,000 and as low as $10," said Sgt. Lori A. McDougal of the village police department. "I would say at this point they total upwards of $100,000."

Victims are all believed to have shopped at the Canton WiseBuys store between Dec. 5 and 20

Since then, stolen credit card numbers have been used to create fake cards in New York City.

The fraudulent cards were used to pay for taxi rides, to buy food at a Wendy's Restaurant and to make purchases at New York City drug stores and other locations.

"We had the New York City police call us about one of our cards that was picked up in a sting," said Scott A. Wilson, president and chief executive officer of SeaComm Federal Credit Union, which has a branch in Canton.

Complaints about the thefts began to come in early in March as victims received their monthly bank and credit card statements

"At this point we are not sure how the numbers were obtained. It may be an employee or it may be somebody who hacked into their system," Ms. McDougal said.

Hannaford Bros., which operates supermarkets in the Northeast including stores in Watertown and Massena, reported the theft of up to 4.2 million credit and debit card numbers from 300 of its stores in March.
[Evan] I think Watertown, NY is ~60 miles from Canton, and Massena is ~30 miles away.

It is unknown if there is any similarity between the Hannaford thefts and the WiseBuys thefts.
[Evan] I certainly don't know enough to speculate (but I will later ).

"We have people working on it," said Norman V. Garrelts, chief executive officer of Hacketts, which took over operation of WiseBuys after a November merger.

"We had no inkling it was going on. The police notified us," he said. "How anybody could have hacked into the system, I am not a big enough geek to know. It happened over a day or two."
[Evan] I think there are many organizations that have "no inkling". CEOs like Mr. Garrelts don't need to be "a big enough geek" to know how the companies they run are managing information security. CEOs are the ones that are ultimately responsible. Information security should be governed in such a way that it has visibility with the CEO. Information security is an organizational issue, NOT an IT (or geek) issue.

"We have rechecked all of our safeguards and everything seems to be in order," Mr. Garrelts said. "It should not have been able to happen."
[Evan] This incident is proof of the contrary. I agree that it should not have been able to happen, but it DID happen. The question is what is the "it"?

The Canton store was the only one in the WiseBuys and Hacketts chain that was affected by the number thefts. The stores use the credit card processing system used by nearly every True Value hardware store in the nation, Mr. Garrelts said.

WiseBuys changed its computer system in December and investigators are attempting to determine whether that was when the numbers were stolen

Village police have begun interviewing about 30 WiseBuys employees but so far have not identified any as suspects.

District Attorney Nicole M. Duvé, who learned of the thefts Thursday, said she takes the thefts seriously.

"This is starting to eat up a lot of law enforcement time and a lot of our time. I intend to take a very dim view of anybody caught doing it," she said.
[Evan] I wonder what the ultimate cost of incidents like this really is. Law enforcement time, employee time, bank and credit issuer time, victim time, actual fraud dollar amounts, prosecutorial time, etc. etc. It all ends up, and somebody has to pay for it all, right?

Debit and credit card issuers believed to have been affected by the thefts to date include Community Bank N.A., SeaComm Federal Credit Union, Key Bank, Discover Card, Capital One and NBT Bank, Ms. McDougal said.

"As far as I know, all of the banks have been cooperating with their customers and all have been reimbursed by their banks or credit card companies," she said.

"We have a zero loss policy," said Mr. Wilson, of SeaComm Federal in Massena. Under the policy, the credit union absorbs any losses caused by fraud.

In all, 42 credit union members were among those whose numbers were stolen. All were issued new numbers and cards.

Commentary:
I don't get a good feeling about this one. Too many unanswered questions. Nobody seems to know very much. There has been no official public response by WiseBuys.

NOT FACT, only speculation:
I like to speculate, so what the heck I'll throw something out there. I'm going to say that full magnetic stripe data was captured during data transmission and that this is not an inside job. I am also going to say that this was not related to the Hannaford breach. I didn't exactly go out on a limb with my speculation, but I did speculate nonetheless.

Past Breaches:
Unknown

Hackers Open New Front in Card Data Thefts

Mon, 14 Apr 2008 02:19:15 +0000

Recent thefts of credit and debit card data while it's in transit between systems are raising questions about whether the PCI security standards are fully equipping companies to fend off cybercrooks.