Archive for the ‘Card Processors’ Category

Police Find Skimming Devices Inside Pumps at 180 Gas Stations in Utah

March 23, 2010

Police Find Skimming Devices Inside Pumps at 180 Gas Stations in Utah: “This is news regardless of where you live. Why? The use of skimming devices by identity criminals is not limited to Utah. ABC 4 television news reported: ‘Utah police investigators said crooks have installed electronic ‘skimming’ devices at 180 gas stations from Salt Lake to Provo in an attempt to…

(Via I’ve Been Mugged.)


Heartland To Pay American Express $3.6 Million For Breach

December 22, 2009

Heartland To Pay American Express $3.6 Million For Breach: “Last week, PC World reported: ‘Heartland Payment Systems will pay American Express US$3.6 million to settle charges relating to the 2008 hacking of its payment system network. This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year.’ Heartland processes…

(Via I’ve Been Mugged.)

How not to respond to a targeted malware attack

October 22, 2009

How not to respond to a targeted malware attack: “

For the last week, I’ve been working on this Paychoice data breach, and I’m getting a little concerned about how Payroll Associates, Inc. is handling it: they’re giving terrible advice to their licensees (and by proxy, the customers/employees of their licensees).

The attack was a realistic email to customers of their Online Employer portal inviting them to download a required update, which was of course badware. It is a password-stealing Trojan, and it phones home the stolen booty to a mother ship located in (at least) Sweden, and reportedly another in Poland. I believe there were several variants.

The badware itself (‘plugin_setup.exe’) was hosted on servers at Yahoo!, but I was able to get them taken down on Thursday and Friday: I’m not sure why PAI or their security experts (reportedly SecureWorks) weren’t able to do this themselves. The Yahoo! Security guys rock.

Opening the fraudulent emails after the Yahoo!-hosted sites were down means you couldn’t download the badware — you’re safe — but if you did install one of those updates, you are infected and phoning home passwords used in all of your online transactions.

I have been on multiple customer systems this week to clear up infections, and in every case, Symantec/Norton missed it, but the new Microsoft Security Essentials found and cleaned it. MSE had the definitions more than a week ago. Not bad for free, eh?

I’ve been told that PAI engaged Symantec (in an unknown capacity) to help them with the malware, but I find it hard to imagine how this could happen and still take a week to get their signatures updated, or why somebody (PAI or their security experts) didn’t submit this malware to the other A/V vendors immediately. How come some random guy who does it on the third day of the attack was the first that many of these A/V vendors had seen it?

In any case, I believe the advice is to run an antivirus scan and to remove the infection if found. ‘If you’re clean, you’re fine’.

This is dangerous advice because it’s just not true, for two reasons.

First, just this morning I was on a customer’s system with the latest Norton definitions, and it didn’t pick up the infection: only installing Microsoft Security Essentials found it and removed it.

But second, getting clean is not enough: from late last week until this morning, the trojan was phoning home passwords used in online transactions, and we have evidence that this is actively being exploited (he had accessed his eBay account from that system, and that account was compromised). The password-stealing is not limited to just OnlineEmployer: it’s going for everything, and will continue to do so as long as the botnet C&C (command and control) mothership is up.

If you have been infected, you must change every password used online before the infection was removed. Period. If OnlineEmployer (or your payroll company) gave you new credentials earlier in the week, assume the bad guy has them: get a new password.

Curiously, one of the ‘malwares’ was actually notepad.exe — harmless — and I suspect the bad guy used it for testing but forgot to put it back. If multiple independent up-to-date A/V scans report nothing, you probably are safe, though I do recommend running more than one to help keep you safe.

Repeat this process for any other online service: eBay, Paypal, Facebook, MySpace, your bank, DSLReports, whatever. If you used a password, change it.

Furthermore, for financial sites, research the login history to see if anybody came from an IP address you don’t recognize. If the service doesn’t give you a way to do this via the online tool, contact the provider and insist that they research this for all access since last Wednesday.

If the login history shows only access from your own sites, you’re probably OK, but you still have to change your password (the bad guy knows it!). But if it shows access from other places, you have to assume that the bad guy rooted around your system and took all the information he could find. For a payroll portal, this would be an identity theft orgy, and evidence of an individual account compromise probably triggers legally-required notifications in many jurisdictions.

Any advice that doesn’t include the above precautions is simply ignoring the problem and hoping it will go away, and is irresponsible.

Furthermore, as of 2PM PDT Friday, the mothership in Sweden was still up, accepting connections from infected systems. I don’t know what steps PAI or its experts have taken to get these taken down, but it’s not obvious that any have. I’m still working this via other avenues to get this addressed.

WANTED: There have been reports of another C&C in Poland: if anybody has information about this, I’d sure love to see it.

Make no mistake, Payroll Associates is a victim here, on the business end of a sophisticated criminal act, and I have always had tremendous sympathy for them. They also positively have their hands full researching what happened and ensuring that their own infrastructure is safe. Protecting their own stuff protects their customers.

But they are not the only one facing threats, and I really don’t see much evidence of them Doing The Right Thing to proactively and aggressively take care of their customers (as opposed to themselves).

It’s very common for companies new to this kind of security nightmare to treat it as mainly a PR problem, especially since I still believe the bad guys didn’t actually get the really juicy data from Paychoice directly.

But by not aggressively helping their licensees keep their customers safe, they have shifted the burden of legally-mandated privacy-breach disclosures from themselves onto their customers: ‘PAI did not send the badware, we didn’t open it, we didn’t send the passwords to the bad guys: you may have to disclose to your employees/customers, but we don’t’.

My hero Bruce Schneier would probably call this an ‘externality’: a cost imposed on others that is not a concern to me. I predict that if this happens to customers, Paychoice licensees will be asking Paychoice to pay for it (I don’t know anything on this front beyond idle chitchat from licensees).

When dealing with this kind of horrible event, you really have to fall all over yourself to keep your customers in the loop — consistent with conducting an investigation — and to make customers feel like they’re being taken care of. The worst thing you want is for your customers to have their imagination go wild — it never goes to a good place.

I’ve called this the warm fuzzy feeling for years, and I haven’t gotten that vibe from many Paychoice licensees in the last week.

I have heard nothing from Payroll Associates, though a lot of their licensees are talking to me, but I’d love nothing more than to find out that they have taken far more steps than I’ve seen, and that I’m just uninformed. We can only hope.

Note: Here, and throughout this incident I am commenting on Paychoice’s security response, which is how they handle an incident. I am making absolutely, positively no comment on their actual security as a whole, because I don’t have the first bit of information, or even a hint, to provide an assessment (and probably never will). Really – I have no idea.

Furthermore, I’ve not seen anything that would make me avoid using Paychoice to run my payrolls except for what I perceive as very poor customer service during a security incident.

Disclaimer: I consult to the payroll industry, including to a Paychoice competitor, but this is an independent, unpaid, uncoordinated effort.

(Via I had a backup. Really..)

UK Bank Card Fraud Reduction Attributed to Chip-and-PIN Cards

October 8, 2009

UK Bank Card Fraud Reduction Attributed to Chip-and-PIN Cards: “

Bank card fraud in the United Kingdom fell by 23 percent during the first half of this year; but online banking fraud jumped by 55 percent, according to Banking Times. Phishing attacks increased 26 percent.

The drop in card fraud is attributed to the country’s switch to chip-and-PIN cards as well as to other anti-fraud measures implemented by VISA and Mastercard, such as ‘Verified by Visa’ and ‘Mastercard Secure Code’.

The chip-and-PIN security scheme was launched in the UK in 2004 and became mandatory nationwide in early 2006. The system uses a chip embedded in bank cards that verifies the customer’s PIN when he or she enters it on a keypad. The chip holds a secret key that validates the card to the bank. The key is supposed to ensure that fraudsters who know a bank customer’s PIN can’t simply embed the data into any chip-enabled blank card. The system is also supposed to resolve questions about who is liable when funds are withdrawn from accounts, since only someone who possesses both the card and the PIN can theoretically make a withdrawal.

Chip-and-PIN addresses only card-present transactions. But the industry body, Financial Fraud Action UK said that losses on transactions where cards aren’t present (such as on the internet or over the phone) dropped 18 percent.

(Via Wired: Threat Level.)
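The quoted article says the chip’s secret key is what stops someone who knows the PIN from loading copied card data onto a blank chip card. The following toy model, added here and not part of the Wired piece or of any EMV specification, shows why: the terminal sends a fresh challenge, the chip answers with a MAC keyed by a per-card secret the issuer also holds, so a clone carrying the copied PAN and even the correct PIN still fails authorisation. All names, the sample PAN and the PIN are constructed for the example.

```python
import hashlib
import hmac
import os

# Simplified model (not the EMV protocol): each card shares a per-card secret
# key with the issuer. Static data (PAN) can be copied onto a blank card; the
# key lives only in the genuine chip and the issuer's database.

def issue_card(pan):
    """Issuer personalises a card: static data, a random key and a PIN."""
    return {"pan": pan, "key": os.urandom(16), "pin": "4321"}  # constructed PIN

def chip_respond(card, pin_entered, challenge, amount):
    """Chip: check the PIN offline, then MAC the transaction with its key."""
    if pin_entered != card["pin"]:
        return None  # wrong PIN: the chip refuses to produce a cryptogram
    msg = challenge + amount.to_bytes(8, "big") + card["pan"].encode()
    return hmac.new(card["key"], msg, hashlib.sha256).digest()

def issuer_verify(issuer_db, pan, challenge, amount, cryptogram):
    """Issuer: recompute the cryptogram with the key it holds for this PAN."""
    key = issuer_db.get(pan)
    if key is None or cryptogram is None:
        return False
    msg = challenge + amount.to_bytes(8, "big") + pan.encode()
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, cryptogram)

def run_transaction(issuer_db, presented_card, pin_entered, amount):
    """Terminal: issue a fresh random challenge and relay the chip's answer."""
    challenge = os.urandom(8)
    cryptogram = chip_respond(presented_card, pin_entered, challenge, amount)
    return issuer_verify(issuer_db, presented_card["pan"], challenge, amount, cryptogram)

def demo():
    genuine = issue_card("4111111111111111")  # constructed sample PAN
    issuer_db = {genuine["pan"]: genuine["key"]}
    # A clone carries the copied PAN and the correct PIN, but a blank chip's
    # own random key rather than the one the issuer personalised.
    clone = {"pan": genuine["pan"], "key": os.urandom(16), "pin": genuine["pin"]}
    return {
        "genuine_ok": run_transaction(issuer_db, genuine, "4321", 2500),
        "genuine_wrong_pin": run_transaction(issuer_db, genuine, "0000", 2500),
        "clone_with_pin": run_transaction(issuer_db, clone, "4321", 2500),
    }

if __name__ == "__main__":
    print(demo())
```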

Exhibit B: The Ongoing Cost Of A Data Breach

October 8, 2009

Exhibit B: The Ongoing Cost Of A Data Breach: “Internet Retailer reported: ‘Heartland Payment Systems Inc. spent about $32 million in the first six months of this year on forensics, legal work and other activities related to the December 2007 database breach that resulted in the theft of millions of credit and debit card numbers, CEO Robert Carr told…

(Via I’ve Been Mugged.)

TJX Hacker: Biggest ID Theft Ever

September 29, 2009

TJX Hacker: Biggest ID Theft Ever: “TJX Hacker pled guilty to 20 federal charges.”

(Via eSecurity Planet News.)