  1. #1
    Veteran
    While conducting a penetration test of a major Canadian retailer, Rob VandenBrink bought something from the store. He later found his own credit card number buried in its systems, a major worry.

    The retailer, which has hundreds of stores across Canada, otherwise had rock-solid security and was compliant with the security guidelines known as the Payment Card Industry's Data Security Standards (PCI-DSS), said VandenBrink, a consultant with the IT services company Metafore.

    But a simple configuration error allowed him to gain remote access. From there, he found the retailer was vulnerable to the same problem that burned Target, Neiman Marcus, Michaels, UPS Store and others: card data stored in memory that is vulnerable to harvesting by malicious software.


    The problem is growing worse. The U.S. Department of Homeland Security and Secret Service warned last month that upwards of 1,000 businesses may be infected by malware on their electronic cash registers, known in the industry as point-of-sale devices.

    ...


    Merchants are under heavy pressure to handle card data right every time, all the time. The PCI Council advises that retailers can't just pass an annual audit and forget about it.

    A main concern is that networks are modified over time, which could inadvertently create weak points for hackers to capitalize on.


    That is exactly what happened with the Canadian retailer VandenBrink tested. The company had recently finished a hardware refresh and in the process left two open Internet-facing telnet and SSH ports, he said.
    The ports were password protected, but using various techniques, VandenBrink eventually discovered the right passwords. That allowed him to get access to where the payment card data was held in memory, including his own.

    "I was surprised," he said. "There were thousands of cards in memory."


    http://www.itworld.com/security/4341...day_2014-09-02

    telnet? serious sysadmins have had it turned off for years.

    ssh? why facing internet and w/o a VPN?

    ing amazing incompetence. corps and finance sector bleeds customers to death with fees, ty products, tier customer service, and vulnerable IT systems because they value profits over EVERYTHING. Refusing to implement 40-year-old smart cards. Getting hacked is an acceptable operating cost.




  2. #2
    Mr. John Wayne CosmicCowboy's Avatar
    mine got hacked recently...fortunately Chase caught it pretty soon...a bunch of random charges all right under $50. They were very cool about immediately reversing out all the fraudulent charges.

  3. #3
    Since 1979 Das Texan's Avatar
    You would think they would just push up chip and pin requirements to take care of this problem, but I guess not.

  4. #4
    Veteran
    Home Depot: Data breach affected around 56 million payment cards

    The company said that the hackers’ method of entry has been closed off, the malware eliminated from its network, and that it had rolled out “enhanced encryption of payment data” to all U.S. stores.

    “We apologize to our customers for the inconvenience and anxiety this has caused and want to reassure them that they will not be liable for fraudulent charges,” Chief Executive Frank Blake said in a statement.

    Of the estimated cost so far of $62 million, which covers such items as credit monitoring, increased call center staffing, and legal and professional services, Home Depot said it believes that $27 million of the amount will be paid for by insurers.

    But the company said it has not yet estimated the impact of “probable losses” related to the possible need to reimburse banks for fraud and card replacement, as well as covering costs of lawsuits and government investigations.

    “Those costs may have a material adverse effect on The Home Depot’s financial results in the fourth quarter and/or future periods,”

    http://www.rawstory.com/rs/2014/09/h...e+Raw+Story%29



  5. #5
    Veteran
    Home Depot data breach triggers fraudulent transactions around the U.S.

    Data breach at home improvement retailer Home Depot Inc has led to fraudulent transactions across the United States, draining cash from customer bank accounts, the Wall Street Journal said.

    Criminals are using stolen card information to buy prepaid cards, electronics and even groceries, the Journal said, citing people familiar with the matter.
    Financial institutions also are stepping up efforts to block the transactions by rejecting them if they appear unusual.

    http://www.rawstory.com/rs/2014/09/home-depot-data-breach-triggers-fraudulent-transactions-around-the-u-s/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheRawStory+%28The+Raw+Story%29



  6. #6
    Veteran cantthinkofanything's Avatar
    While conducting a penetration test

    started off good but I quickly lost interest

  7. #7
    Veteran
    Some analysts expect fraud to increase this year as thieves will step up their efforts to capture more credit card details before the Europay, MasterCard and Visa (EMV) standard conversion goes into full throttle. The next time U.S. cardholders receive a new card it will probably be equipped with an EMV chip, and most likely be contactless. The U.S. is finally making the transition to secure cards based on the European EMV standard, mostly because of the liability shift imposed by the three big credit card brands — Visa, MasterCard and American Express. The European Union, where EMV became standard ten years ago, has the lowest level of credit card fraud in the world, while the U.S. accounted for 47.3% of the worldwide payment card fraud losses but generated only 23.5% of total volume.

    http://yro.slashdot.org/story/15/02/...tm_medium=feed

  8. #8
    🏆🏆🏆🏆🏆 ElNono's Avatar
    Tokenization is also coming online. I read a few days ago, Visa is moving to have most merchants tokenized within the next couple of years.

    Truth be told, there's simply more reporting now. I remember massive amounts of stolen credit card dumps all the way back to the early 90's (or even calling cards back in the day, when those used to be valuable).

    Skimming and social engineering have been around for way too long, and in the social engineering case, there's little you can really do.
