UPS: We've Been Hacked

paysonwelch writes The United Parcel Service announced that customers' credit and debit card information at 51 franchises in 24 states may have been compromised. There are 4,470 franchised center locations throughout the U.S., according to UPS. The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26. UPS says the threat was eliminated as of August 11 and that customers can shop safely at all locations.

Is this for real?

[GeekWithAKnife]

I made sure my password is at least 8 digits, alpha-numeric with at least one unique character!

Re:Is this for real?

[Hillgiant]

"at least 8 digits, alpha-numeric with at least one unique character!"

A surprisingly common password.

Re: Is this for real?

I highly doubt that any password on the web is ONLY 2 characters. At home sure. Mine is 16 and 16 unique characters will take at least 40yrs to crack even brute force!

LOLCam

[bluefoxlucid]

Congratulations, you're on LOLCamera!

Everyone gets hacked these days. eBay gets hacked every week!

Re:LOLCam

[gweihir]

Only institutions that do not care get hacked. While absolute security is not to be had, it can be made expensive enough that hackers give up. These days, however, hacking a major company is often within th reach of amateurs with enough patience. Until these companies become liable for any and all stolen credit card and address information (say, $100 for each address and $500 for each credit card set to the owner without the need to prove anything, and unlimited for damage the owner can proof), nothing will change.

Re:LOLCam

[ZiakII]

I disagree it's usually organizations who don't care who find never find out they've been hacked. In they do what you are proposing most companies will attempt to just sweep it under the rug. That's when it really becomes bad for the customer.

Re:LOLCam

[ZiakII]

Ugh I should not try posting on mobile, the above was supposed to say. I disagree it's usually organizations who don't care who never find out they've been hacked. If they do what you are proposing most companies will attempt to just sweep it under the rug. That's when it really becomes bad for the customer.

Re:LOLCam

[gweihir]

The thing is, all companies need some people that give the appearance of caring, or they would be criminally negligent. But you typically find that these folks can only do after-the-fact analysis, have no input on security decisions that could prevent this and are understaffed and do not have the rights they need. I have personally seen one instance where the "IT Risk Officer" reporting directly to the director was a very junior person without the self-assurance to escalate anything or even ask questions and without any support or team that would have been needed to do the job right. (Still, that position was filled, so from a legal PoV everything was fine.)

So no, companies noticing they have been hacked does not indicate they did anything right. More often than not they will get notified by external, sources they cannot ignore.

Re:LOLCam

[Rich0]

The fundamental issue is that credit cards are based on the premise that you can authenticate somebody using a shared secret that you share with everybody you do business with.

I can post my ssh public key in this post if I wish, and about the only thing anybody could do with it is give me access to their systems. There is no reason that credit cards can't be made secure in this day and age. Nobody wants to bother, so we deal with messes like this.

If all UPS had were credentials that authorized only UPS to make charges to specific accounts (not even knowing what the account number is) below a certain spending limit, then stealing them would have little benefit to anybody (only UPS could use them), and they could easily be revoked by the banks or UPS itself without much trouble (so that even somebody who had the ability to charge somebody, deposit the money into a UPS-controlled account, and then move the money into their own account wouldn't be able to do so).

Re: LOLCam

Moreover, don't forget about dumb VPs who won't allow IT do simple things like disabling autorun...

Until it costs a business real money... They won't care.

Re:LOLCam

[Tablizer]

Make stiff penalties for breaches and make breach insurance required. Then the insurance companies will heavily encourage protective measures from those they insure because their profits are on the line.

Insurance companies would care more than regular companies because they deal in bulk. If there are lot of breaches, then they have a lot of payouts and lose money. A regular company views breaches as all or nothing incidents, which tempts them to gamble.

Re:LOLCam

[gweihir]

May work, may also fail. Back when nuclear power was in its infancy, some countries tried to mandate insurance. Guess what, nobody was willing to even make an offer. While that would have told any sane person right there that nuclear power was not a good idea, the governments in question just dropped the requirement.

Re:LOLCam

[gweihir]

Sure, the credit card system is broken. But that only means you have to be extra careful with the data. These companies come close to actually throw them at the attackers.

Re:LOLCam

[HornWumpus]

Apply the same reasoning to living in New Orleans and you are a racist.

Well I am Glad

[MyLongNickName]

Well, I am glad they waited until the issue was resolved before letting their customers know they were at risk. I would have hated for UPS's bottom line to be hurt by letting us know as soon as they realized there was a breach. After all, the company bottom line is more important than my security.

Re:Well I am Glad

[MyLongNickName]

Or new customers may have chosen to use Fed Ex instead of having their information on compromised systems.

Re:Well I am Glad

[Calydor]

Or the breach was one that pulled stuff out little by little to avoid detection, and they were afraid of the hackers opening the flood gates if they went public that the breach had been detected.

Re:Well I am Glad

That's why networks are plugged in rather than soldered, and there are power buttons on machines. When there's too much risk to run it, ya gots to cut it.

What about Canada?

[ArcadeMan]

Don't tell me there's separate servers for UPS Canada and that data is never shared across both servers...

Re:What about Canada?

Honestly, it would not surprise me at all if this were the case. I'm actually working with two large transportation companies similar to UPS on a software integration project, and dealing with different countries involves dealing with different systems/people/etc. I'd have thought that they would have had a global system to manage international transportation, which is of course global by its very nature. Perhaps some elements of their systems are global, but the information we need seems to be in systems that are implemented for a single country in both companies.

Re:What about Canada?

[Hamsterdan]

Nah... CSIS and NSA already take care of this...

And this is a surprise?

[bogaboga]

I am not surprised at all. Windows XP support ended long ago but still extensively used in the US government?

But guess what; we still take ourselves as the epitome of what/how technology should look like.

Re:And this is a surprise?

UPS is not a TLA of the USG.

Re:And this is a surprise?

That's USPS you are thinking of there.

Re:And this is a surprise?

In capitalist USA, private companies are the government.

In other news

Here is a list of the following companies that where not hacked this week:

Thank you for watching the 10 O'clock news and have a great weekend.

Security's Illusory

[rmdingler]

Security theatre is not limited to the wholly distasteful airport search.

That is pretty fast for UPS

Eight months. That is why I stick to USPS. Slow, but safe.

Take your time

[jones_supa]

The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26. UPS says the threat was eliminated as of August 11 and that customers can shop safely at all locations.

What? So the malware had half a year to rumble around?

You know it's a fail when

[buhusky]

They say they're now secure. Anybody who knows anything about security knows you're never "secure." You're more secure than you were before, but 100% security is impossible.

UPS Mail Innovations

[tepples]

True, but UPS MI passes parcels to USPS for last mile delivery.

Re:UPS Mail Innovations

And how is that relevant to the discussion? Or did you just decide to say something to try to appear smart? If so, you failed badly.

Total hax!

It's those wiley cyberbogeymen, not us! Honest! Not our fault we left the doors open. CYBERBOGEYMEN!

This is what happens when IT is outsourced

UPS wanted to save money by outsourcing IT. Well this is what happens when you outsource IT. I hope the banks are starting to pay attention. This is a major security concern. when foreign nationals administer the systems with our financial data. Foreign nationals from India, China, Russia, South Korea .. well you get the picture. If daddy needs a new kidney and they can't afford it they will sell accounts to generate revenue.

We are in for a world of hurt.

Why are franchised locations storing CC info?

I've seen some shitty franchise(e) setups that would be pretty vulnerable to malware (think small locations with 1 or 2 computers and no IT staff). However, as far as I know, their integrated PoS applications never see credit card numbers; everything happens on the payment terminal. Who in their right mind would want to (try to) secure 4471 locations well enough to store credit card info and what use case do they have for franchisees needing to store that info?

It looks like a Nigerian prince...

It looks like a Nigerian prince had millions of dollars that needed to be delivered on 4/29. With the coalesced dates and independent locations it's got to be phishing emails with a 1% success rate, right?

Did anybody notice?

From the FAQ:

"What information was exposed?

Customer information may have been exposed as a result of this malware intrusion. The customer information that may have been exposed includes customers’ names, postal addresses, email addresses and payment card information." ...further down...

"Will The UPS Store contact me if my credit card was involved?

No, The UPS Store does not have sufficient customer information to contact potentially affected customers directly."

Re:Did anybody notice?

[HiThere]

So. They don't know what was taken. They don't know who was compromised. All they know is that they were hacked, and various information COULD have been taken.

Yi! That's not enough information for anyone to make any decision based on anything but level of paranoia. They could at least have said whether it was historic records or only current accounts.

OTOH, I don't think I've ever paid UPS with anything but cash.

Cards cards cards

Everytime a see a stroy like this I wonder what it will take before the world finally moves away from credit/debit-card billing on line.

  In the Netherlands we already have a system (iDEAL) which allows you to transfer money from your bank to an online shop/service safetly (it's basically a protocol and redirect to your bank, meaning nothing *can* be stored on servers of said store). It's *far* from perfect but it's a whole deal safer then storing card-data, and at least someone is taking initiative. Sure, it may be a slight pain to have to use 2-factor-authentication for every small purchases but at least that can be aliviated by using a store-side credit system.

Perhaps we should move to a ipv6 like system, bank numbers as 64 bit integers, the first time you make a purchase somewhere they will generate a special adress, for you for that specific store, from which the money can be taken. Then if someone gets hacked, all numbers in that block can be invalidated and rolled back to a specific date. (This may cause some financial harm to the hacked institute, but that might get them to focus on security a bit more).

Re:Cards cards cards

[YoungHack]

This is true. I just visited the Netherlands and as an American I had this impression exactly. We want to think we're all so hot, "invented the Internet" and all. But the Dutch do technology way better than us. I was very envious of their chip and pin technology.

Re:Cards cards cards

Many people, when they move outside their comfort zone, come to realise that where they live is not as special as they thought.

UPS sucks

[CosaNostra+Pizza+Inc]

I hate UPS. Their nearest pickup/dropoff location to me is 35 miles away. For any special delivery instructions, you have to pay a membership fee + a charge for each package you want delivered per instructions. Fedex pickup/dropoff locations, on the other hand, are ubiquitous and there's one just 1 mile from my house.

Re:UPS sucks

[wiredlogic]

That's because FedEx is teamed up with USPS. Most remote FedEx boxes are serviced by US postal workers on their routes.

Don't panic

[rossdee]

While UPS customers may be worried, those are the people that send stuff by UPS. Just because you receive stuff by UPS doesn't make you vul;nerable.
UPS hasn'r got my ccard info...

UPS hacked

I got a new UPS the other day, but I figur if I just use it to power my system, and not plug in the network cable or USB cable,my PC won't be compromised.
.

What brands are affected anyway? The new one I got was Xfinity, it was pretty cheap $80 for 1400VA

Is this for real?

[Rixel]

HA! I will point out your problem. You went mainstream. Years ago, I realized that all the hacking tools go that route too. So, all my passwords are only 2 characters......and only binary numbers. Hack That!

Did anybody notice?

"May have" been exposed to Malware intrusion?

New Normal

[CimmerianX]

I've now come to realize that it is the norm to cancel and request new credit cards/debit cards every 3 quarter just in case my card number has been compromised by one of these hacks.

Maybe if the whole country did the same, banks would finally switch to a more secure card.

Hope their IT got better

[50000BTU_barbecue]

I worked for them about 20 years ago in customer service. My workstation was a PC running a terminal connected to an AS/400. I had to press ESC to do certain things. If I pressed ESC twice I went to the AS/400's menu where I could send broadcast messages and reset terminals.

They had to send someone from UPS in New Jersey as they refused to believe someone could access their holy system from a simple customer service terminal.

The rest of the stupidity I saw at that company fit with that experience.

Well I am Glad

[Syberghost]

If they told everybody "your info was hacked" while they hadn't cleaned it up yet, a bunch of folks would have logged on and changed their passwords, immediately exposing the NEW ones. You clean up first, then you engage the PR folks.

Wait

why the heck are we still storing credit card information anyway? We've found a way to handle logins and passwords without the need to store my credentials, can't we implement a similar system (e.g. oauth2) for credit cards - where even if you're hacked, all they get is an authorization token that only works for that site and can be instantly cancelled by both the site or the user?

What can BROWN do for you?

[gelfling]

Fuck you in the ass mostly, it seems.

When we we ever learn?

No doubt all your dat has been stolen many times and still no security, standards, measures. Just proves my thesis that we are all doomed.

Big Data

[zlives]

well I for one, am glad for big data, the cloud and internet of things. can't wait for whats next... perhaps a bigger cloudier internet

Re:Big Data

[Tablizer]

BigNodeCloudNoSqlSocialJS

Re:Big Data

Is BigNodeCloudNoSQLSocialJS web scale?

I want the scaling.

To expand a bit..

[_hAZE_]

.. For those who didn't click-thru and read:

"An assessment by The UPS Store and the IT security firm revealed the presence of this malware on computer systems at 51 locations in 24 states (about 1%) of 4,470 franchised center locations throughout the United States." .. so it's not super wide-spread. Only 1% of their locations? I think it would be interesting to pick ANY national retail operation and see if malware could be found on LESS than 1% of their systems.

It also only impacts particular The UPS Store locations:

"Does this impact UPS corporate or other The UPS Store center locations?
No. Each The UPS Store location is individually-owned and runs an independent private network. The malware was isolated to those locations."

Not cool? Definitely.

The super wide-spread impact of the Target breach? No.

Disclaimer: I am a local customer of The UPS Store, but the location I frequent was not impacted.

FTA...

[Archfeld]

each store is a independent computer node and not all are interconnected. That indicates to me that it almost has to be an insider/employee/contractor travelling from store to store implementing the malware ? It seems unlikely that a hacker group could/would have the organization to get around to that many states/stores.

Re:FTA...

[EmperorArthur]

Nah, an infected USB key would do it. So would a phishing attempt that most people ignored. UPS stores are franchise operations, so it's not too hard to imagine something like this slipping through the cracks for a tiny percentage of the stores.

EMV will...oh no it won't

[LessThanObvious]

The sad thing is EMV chipped cards won't even fix this or the target breach. Malware can still get the card info even if you authenticate the card. Someday in a few years when most in person transactions are EMV enabled, the card-present fraud ( fake card used in person ) will drop significantly, but unless the credit card companies allow you to deny all card-not-present and non-EMV transactions it won't fully work. I want one card that I use for EMV only that has no other capability and another that I use only online that I can monitor. On a side note does anyone know why they say that if we actually used Chip & PIN instead of Chip & Signature the CC companies would consider that a cash advance? I find it seriously annoying that we get chips with no PIN and I just don't get it? Why should the authentication mechanism change the transaction type?

Insightful! Govt. & US Post Office might also

[Paul+Fernhout]

Sharing such rarely changing authentication data is at the heart of the issue as you point out. It seems like a trade-off of convenience and security with some background fraud cost. However, the issue is always convenience for who and fraud for who? In this case, banks have succeeded in mostly privatizing gains from transactions costs from credit card transaction fees while socializing the cost of identity theft to the general public (who have to change their accounts, deal with years of worries, try to straighten out fraudulent charges at riskof not being able to get a job or buy a house, etc.). This is an example of capitalism at its finest from one point of view -- privatizing gains while socializing costs and risks. That is when we need government (as the will of the People) to step in and force banks to internalize the cost of identity theft rather than pass it on indirectly. Ultimately, that might have to be done by big fines for breaches or taxes on unsecured transactions. And if banks had to do that, they would probably rapidly deploy something better because it would be cheaper than raising costs to customers and losing business to other banks that did implement better systems.

Perhaps the only worse thing is when businesses in the USA are allowed to use essentially unchangeable info about a person like date of birth or social security number to authenticate them. Other countries seem to handle this better by having an additional private PIN as part of a SSN. Some also include using the post office as part of the authentication process (like to present your ID at the post-office to approve some transaction or initiate some communications link). I'm surprised the US post office (which handles US passports now) does not get involved with authentication in general, as it seems like a surefire money-maker in the digital age, and the US post office already has procedures in place from passports to verify identity.

Re:Insightful! Govt. & US Post Office might al

[Rich0]

It seems like authentication is important to modern society. I think the only real solution is a government-issued ID, capable of challenge-response. Even a PIN for the ID is useless if every company expects you to hand it over to them.