Entries tagged with “data theft”.


Barnes and Noble has reported that PIN entry devices in dozens of its stores have been hacked. According to the company, one device in each of 63 different stores had been compromised. The company said that its website and purchases made on the Nook were not affected by the breach. Reports indicate that the stores involved were located in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island. B&N is working with banks to notify affected customers. The company acted swiftly in disconnecting the devices in all of its more than 700 stores once the breach was discovered. It also changed the checkout process: rather than swiping the card themselves, customers now hand the card to the cashier to be swiped, a process the company believes to be more secure.

There are two security issues at play here. The first is the question of physical security.  How many times have you walked into a grocery store, or any store for that matter, and used the PIN pad device without the assistance of the clerk?  While that certainly adds convenience, it can also introduce risk.  The following video demonstrates just how easy it can be to compromise a PIN pad machine.

As you can see, without proper physical security, attaching a skimming device or tampering with the machine can take a matter of seconds. If you accept cards it is vitally important to think about the physical security of the data as well as the technical security. If you use a mobile device, ensure that it is with you at all times; when it is not, it should be locked in a secured location. If you are using a point-of-sale solution or a PIN pad device, make sure that it is secured to the counter and that you can tell whether the device has been altered: keep an inventory of your devices with their serial numbers, and check periodically that the serial number, seals and housing still match what you recorded, since a swapped or opened device is the first sign of tampering. In the video above, the clerk noticed that the machine had been tampered with and was able to prevent the theft of data.

The second issue at play here is the technical aspect of security. This is of particular consequence because thieves who obtain full card data, including the magnetic stripe track data a PIN pad reads, can make counterfeit cards, and the volume of fraudulent transactions then increases significantly. To counter this, the PCI SSC has published a set of requirements aimed specifically at PIN entry devices, the PCI PIN Transaction Security (PTS) standards, which cover tamper resistance and the protection of PINs and account data inside the device. You can find all of the PCI SSC security documents in the Library section of their website.

Security of transaction data is not an “online only” problem. Thieves are able to turn physical theft into credit card fraud. That means the physical instruments we use to accept card transactions must be afforded the same level of protection as the systems in which we store that data (e.g. databases or POS applications).

On this blog we have discussed data breaches almost ad nauseam: how they happen, how they can be avoided, what to do if your business is affected. What we haven’t discussed much is that most merchants, particularly in the SMB segment, are also consumers. So what rights do consumers have when their data has been compromised? The Privacy Rights Clearinghouse has been producing a six-part video series on important privacy topics. This week, the organization released Part 4: Data Breaches: Know Your Rights.

The video walks viewers through an incident in which a consumer is notified that his data has been compromised.  It discusses what questions you should ask and what steps you might take to protect yourself.  As an example, we hear that consumers are often advised to get a “credit freeze” in the wake of a compromise.  But what does that mean and is that really the best option for everyone?

As an additional resource, check out the Fact Sheet also offered by the organization. Unfortunately, data breaches are going to remain common for the foreseeable future, not only because some organizations fail to take appropriate steps to protect the data, but because data thieves are highly motivated and see hacking as a high-reward, low-risk activity. That being the case, as consumers it makes sense that we educate ourselves on how to respond and what rights we have under the various state and federal laws surrounding our financial and personally identifiable information.

“When good people…cease their vigilance and struggle, then evil men prevail.” - Pearl S. Buck

When I was learning to ride a motorcycle my instructor gave me one piece of advice that always stayed with me.  He said “keep your head on a swivel.”  In other words, while I had to make sure that I was doing everything I should be doing, I also had to make sure that I was constantly looking out for what other people may be doing.  That way I could correct my course, or at least take some action to ensure that what the other people were doing wouldn’t put me in danger.  While this is certainly good advice for riding motorcycles, it is also good advice for data security.  It may seem like a stretch, but bear with me.

In securing our customers’ payment data we have a guideline (actually a set of fairly stringent requirements) in the form of the Payment Card Industry Data Security Standard (PCI DSS). To learn more about the standard, visit this site. Following these requirements ensures that we are doing what we “should” in terms of protecting the data. But that doesn’t mean that others won’t be taking action to put you (and your data) in danger, in the form of a data compromise. That means you have to stay vigilant for what others might be doing, “keep your head on a swivel,” to ensure that you are addressing newly identified risks and vulnerabilities that the standard may not yet address.

Recent trends indicate that small merchants are increasingly becoming targets of data thieves. In a recent interview, Vantiv Vice President David Mattei stated, “…now we’re seeing an increase in the number of breaches in which smaller numbers of cards are compromised. Small, independent merchants are being targeted because of the ease with which fraudsters can compromise those payment systems.” That means that as small merchants, even if we are PCI DSS compliant, we must remain vigilant against attack. One way to foil the fraudsters is a point-to-point encryption (P2PE) and tokenization solution. The card data is encrypted inside the payment device before it reaches the merchant’s systems, and what the merchant keeps is a “token,” a surrogate value that stands in for the card number but is not derived from it. Merchants can still use the token to run reports, issue refunds or fight chargebacks, because the provider holding the token vault can map it back to the card, but to a data thief who steals it the token is worthless.
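To make concrete what “worthless to a thief” has to mean, here is an added example, written for this post and not ProPay’s or any provider’s code, of a tokenization vault in Python. It goes one step beyond the paragraph above to show the mistake that makes tokens recoverable: using a plain hash of the card number as the token. The vault is an in-memory stand-in for the provider’s vault, and the card numbers are the industry test numbers 4242 4242 4242 4242 and 4111 1111 1111 1111, not real cards.

```python
import hashlib
import secrets
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; rejects typos before a PAN enters the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed, in-memory stand-in for the provider's token vault.

    In a real P2PE/tokenization deployment the vault lives with the provider,
    outside the merchant's systems; the merchant only ever stores the token.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:       # same card -> same token, so refund
            return self._pan_to_token[pan]  # and chargeback lookups still work
        # The token keeps only the last four digits (what reports and refund
        # screens need) and is otherwise random. Nothing about the PAN is
        # recoverable from it, so a stolen token is worthless.
        while True:
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider calls this, to charge or refund the real card."""
        return self._token_to_pan[token]


def naive_hash_token(pan: str) -> str:
    """The anti-pattern: an unsalted, unkeyed hash used as a 'token'."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(digest_hex: str, bin6: str, last4: str) -> Optional[str]:
    """Why a hash is not a token: with the 6-digit BIN and the last four known
    (both commonly printed on receipts), a 16-digit PAN has only 10**6
    candidates, and an unsalted SHA-256 of it is inverted in about a second."""
    for middle in range(10**6):
        candidate = f"{bin6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4242 4242 4242 4242")  # industry test number
    print("merchant stores:", token)
    print("provider resolves:", vault.detokenize(token))
    bad = naive_hash_token("4242424242424242")
    print("hash 'token' reversed to:", recover_pan_from_hash(bad, "424242", "4242"))
```

The design point is the `secrets.token_hex` call: the token carries no function of the card number, so the vault is the only place the mapping exists. A provider that wants deterministic tokens without a lookup table has to use a keyed construction (an HMAC under a key that never leaves the provider), never a bare hash, because the brute force in `recover_pan_from_hash` works against every hashed card number once the BIN and last four are known.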

The lesson in all of this is that we must remain on guard against new threats, even if we are doing everything “by the book.”  Leveraging secure technologies like tokenization can help ease the burden of compliance and render you and your customers more secure in the long run.

The cautionary tales abound regarding the protection of payment data: credit and debit cards, and ACH (banking) information. Bad guys are seemingly around every corner looking for ways to steal data. It’s easy to believe that stealing payment information requires a great deal of technical knowledge and a lot of time; one is almost tempted to envision the old Spy vs. Spy cartoons in Mad Magazine. (The picture to the left is the White Spy and the Black Spy, from Antonio Prohías’ Mad Magazine comic strip.) Unfortunately, sometimes the low-tech scams still work best.

Social engineering is still one of the most effective ways of stealing sensitive data. According to Wikipedia, “Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information.” In other words, worm your way into someone’s confidence and you can convince them to give up critical information. In the context of payments, this may take the form of someone telling you that they are calling to help you with your merchant account and can quickly troubleshoot an issue (that you may or may not be experiencing) if only you’ll provide your merchant ID and password. The thief can now access your merchant account at will without resorting to any technical wizardry. They can process stored cards for payments to your merchant account, which would result in angry customers and multiple chargebacks. A legitimate processor will never ask you for your password; if a caller does, hang up and call back on the number printed on your merchant statement.

Another common scam is the “skimmer.” In this scenario, someone with access to the card terminal or card swipe device replaces or overlays the card reader with a skimmer that copies the magnetic stripe data, which can then be downloaded or sent to another individual. The information can then be sold or used to make counterfeit cards. Skimming is most commonly seen in restaurant environments, where servers handle cards and are often able to take them out of the customer’s line of sight to process the payment. Here is an example of a skimming ring that was fairly successful.

These are just a couple of the methods used by data thieves to misappropriate financial data.  Of course, the most reliable way to ensure that you don’t fall victim to a data thief intent on gathering your customers’ financial data is simply not to store it.

Last week, federal authorities announced the arrest of 19 individuals associated with a data and identity theft ring. This group, associated with an online forum at Carder.su, specialized in stealing personally identifiable information and then offering it for resale. The group, which was based in Las Vegas, also offered counterfeit cards for sale. The arrests are part of a long-term operation called Operation Open Market, which targeted fraudsters and data thieves selling stolen information. While these 19 arrests are the most recent, federal authorities report that 50 individuals have been indicted during the course of the operation, which took place across several states. The 19 arrested last week were described as employees or associates of the Carder.su identity theft ring.

“The actions of computer hackers and identity thieves not only harm countless innocent Americans, but the threat they pose to our financial system and global commerce cannot be understated,” said James Dinkins, executive associate director of ICE Homeland Security Investigations. “The criminals involved in such schemes may think they can escape detection by hiding behind their computer screens here and overseas, but as this case shows, cyberspace is not a refuge from justice.”

These arrests serve as an important reminder that identity thieves and so-called “carders” are not slowing their work. While the media may have turned its attention to hacktivism and state-sponsored corporate espionage, carders continue to infiltrate companies and steal individual card details in order to counterfeit cards and resell the information. If anything, the increased attention on the more sensational types of attacks has offered cover for carders to continue their “more mundane” crimes with little scrutiny.

The arrests highlight the need for companies to maintain their vigilance with respect to the protection of their customers’ data.  While the threat landscape has changed quite a bit, the threat posed by carders and identity thieves has not abated.   According to the Verizon 2011 Investigative Response (IR) Caseload Review,  personally identifiable information and financial information were the top targets of data thieves, followed by trade secrets and authentication credentials.  Clearly, the need to protect sensitive data of all kinds is still of paramount importance.

How can companies mitigate their risk of exposure? One of the most important steps is to take inventory of the data currently being stored and make a business decision as to whether the company really needs to keep it. If you don’t need it, don’t store it. Often, companies continue to store data “just in case,” but storing it increases the liability associated with a compromise of customer information. Additionally, there are a number of services, including ProPay’s ProtectPay®, that allow companies to accept payments without themselves processing, storing or transmitting sensitive payment data. Understanding the data that is being stored, and working to minimize the sensitive data kept on site, reduces the consequences of a data breach and can significantly reduce the burden of complying with the PCI DSS.
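The inventory step is one you can script. As an added example, not part of the original post and not ProPay’s code, the following Python finds card numbers in text where they should not be, such as application logs or database exports. It uses a Luhn check to separate real card numbers from order numbers and timestamps, and reports hits masked so the scan output does not itself become another copy of the card data. The log lines are constructed for the example and use industry test card numbers.

```python
import re
from typing import Iterator, List, Tuple

# Candidate: 13-19 digits, allowing the spaces or dashes people type between
# groups, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, which real card numbers pass by construction."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (offset, pan) for every Luhn-valid 13-19 digit run in text.
    The Luhn filter is what keeps most order numbers and timestamps out."""
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            yield m.start(), digits


def mask(pan: str) -> str:
    """Report only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines) -> List[Tuple[int, int, str]]:
    """Return (line number, column offset, masked PAN) for each hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for offset, pan in find_pans(line):
            findings.append((lineno, offset, mask(pan)))
    return findings


# Constructed sample: an application log that should contain no card data.
# Line 1 holds a 15-digit order number and line 3 a phone number and a
# 10-digit reference, none of which should be reported.
SAMPLE_LINES = [
    "2012-10-24 14:30:00 order=100234567890123 status=ok",
    "2012-10-24 14:31:12 DEBUG card=4242 4242 4242 4242 exp=12/14",
    "2012-10-24 14:32:05 customer phone 555-0100 ref 9876543210",
    "2012-10-24 14:33:40 refund pan=4111111111111111 amount=19.99",
]

if __name__ == "__main__":
    for lineno, offset, masked in scan_lines(SAMPLE_LINES):
        print(f"line {lineno} col {offset}: {masked}")
```

In practice you would feed `scan_lines` the contents of log directories, backups and database dumps rather than an inline list. The Luhn check removes most noise but not all of it (roughly one in ten random digit runs of the right length passes), so every hit still needs a human look before it is treated as a finding; the two in the sample are a debug statement and a refund record that both logged a full card number and should be fixed at the source.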

Dr. Heather Mark, PhD. SVP Market Strategy