Staples: Breach May Have Affected 1.16 Million Customers' Cards
mpicpp writes with this excerpt from Fortune: Staples said Friday afternoon that nearly 1.16 million customer payment cards may have been affected in a data breach under investigation since October. The office-supply retailer said two months ago that it was working with law enforcement officials to look into a possible hacking of its customers' credit card data. Staples said in October that it had learned of a potential data theft at several of its U.S. stores after multiple banks noticed a pattern of payment card fraud suggesting the company computer systems had been breached. Now, Staples believes that point-of-sale systems at 115 Staples locations were infected with malware that thieves may have used to steal customers' names, payment card numbers, expiration dates and card verification codes, Staples said on Friday. At all but two of those stores, the malware would have had access to customer data for purchases made between August 10 and September 16 of this year. At the remaining two stores, the malware was active from July 20 through September 16, the company said.
I'm beginning to believe no one has a fracking clue about IT security, that no one understands that security is a process, not a product, that audits are conducted weekly, monthly, yearly with documentation to show findings, changes, what works, what doesn't.
I'm honestly thinking about taking cash from the bank and using that for all my purchases -- using the Dave Ramsey envelope technique I used to get out of debt a decade ago -- until the people that run these companies get a clue about how to run a business with a modicum of common sense. If Walmart can keep safe, anyone can. Really.
When I shop at Staples, I use Apple Pay.
That was easy.
Maybe try paper mache?
I think it's about time we implemented some sort of single use credit card system.
When our name is on the back of your car, we're behind you all the way!
Now that we're through talking about Innocence of Muslims and the arrest of its producer, can we talk about what happened to Sony?
hooray for title typos
customers' names, payment card numbers, expiration dates and card verification codes
Why are we still operating this way, where your credit card has one number, and you have to give that number to anyone you want to buy from, and if any one of those places "loses" your number it's game over? This is the worst fucking system possible.
I used to have a card from American Express where if I wanted to make an online purchase, I could go in and generate a new number with a few options: one-time use only; multiple-use with a set maximum amount; monthly recurring at a set price. So I could sign up for Netflix and give them a credit card number that's only ever allowed to be charged $8.99 a month. Or if I wanted to buy a bunch of Christmas gifts from Amazon, I could generate a new number with a hardcoded limit of my total purchase amount. Then I don't have to worry about Netflix or Amazon getting hacked and some dingus in Outer Elbonia racking up $3000 worth of charges.
That was like 5 years ago. I don't have that card anymore (annual fee was annoying) but the technology exists to do this for online purchases. Why can't we do this for in-person purchases? The UK has chip-and-PIN technology and I hear that's going to be mandatory in the US soon but it still isn't enough. Why can't I load up, say, a Mastercard app on my phone, login, tell it that the next time I swipe my credit card, make it generate a one-time number only good for $50? I go to Target or Staples or wherever, spend $25, the number is never valid again and I have nothing to worry about.
The technology exists to make all of this a non-problem. I can only think the reason it hasn't been fixed is because fraud makes the banks money and they love seeing stories like this.
"point-of-sale systems at 115 Staples locations were infected with malware that thieves may have used to steal customers' names, payment card numbers, expiration dates and card verification codes"
I think a fine in the neighborhood of $20,000 USD per victim sounds reasonable.
those who have been hacked, and those who don't know it yet.
It's a process. It's easy to do, if you spend the time and money doing it.
But if you consider security a cost, and an optional one at that, it's an easy call for these guys. They're externalizing their expenditures for security training, monitoring and passing the savings on to the shareholders. Hoping that they don't get hit. If they do, the people who got bonuses for cutting costs won't be the one skewered, it'll be the poor sysadmin that had no say in the matter.
Enlighten me Slashdotters...
Are these companies storing Credit Card data in plain readable text? I ask because there seems to be no end to these breaches.
Why not try this as a solution?
Store these numbers and all pertinent information like Unix/Linux stores passwords. I am meant to understand that even if one stole the "hashed" details they would be of no use. What am I missing?
I would love to know exactly how it happened so I may learn from their mistakes. I can only assume they had incredibly poor security measures in place or they were breached by some ninja whose skills were beyond comprehension. Some of the TJMaxx details were released which revealed they had poor wifi security at the store, holding onto data they shouldn't have, and no proper encryption of data, so the criminals basically cracked them from a laptop in the parking lot. If all the latest hacks are similar to the TJMaxx crack, I feel safe. Paranoia is your friend.
That is called tokenization and is fully supported by Visa... but since to managers, security has no ROI, it isn't done.
Were Staples and other stores to allow bitcoin to be used as a form of payment, this kind of theft would be virtually a thing of the past. At least for those paying with BTC. No more credit card numbers or other personal details stored or needed at the servers that eventually get hacked.
It's everywhere you wanna be hacked.
That was easy
lucm, indeed.
It seems that these POS systems should be more restricted at the network level. In our communications with our banking partners we have single IP address access to the communication server - among other measures (well, dual actually in some cases.... in case of system outages). Only specific IP addresses using specific ports are allowed to traverse the network to even reach the machine. That's before you even start talking about any real security measures.
If that were in effect for the POS systems, the malware would dump its payload down a black hole unless it also compromised the routers along the way. Maybe that's asking a little much for a bunch of retailers, but it is pretty simple to implement.
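The egress allow-list described in the two paragraphs above, turned into a check you can run over flow logs. This is an added example, not code from the page or from any retailer; the POS subnet, the payment-switch addresses and the log lines are all constructed for the demonstration.

```python
import ipaddress
from collections import Counter

# Constructed policy: the POS VLAN may only reach the payment switch (and its
# failover) on one port. These addresses are illustrative, not real ones.
POS_NET = ipaddress.ip_network("10.50.0.0/24")
ALLOWED = {
    (ipaddress.ip_address("203.0.113.10"), 443),   # primary payment switch
    (ipaddress.ip_address("203.0.113.11"), 443),   # failover switch
}


def parse_flow(line):
    """Parse one constructed flow-log line of the form 'src dst dport bytes'."""
    src, dst, dport, nbytes = line.split()
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
            int(dport), int(nbytes))


def egress_allowed(src, dst, dport):
    """Policy check: flows from the POS VLAN must hit an allowed (dst, port).
    Hosts outside the POS VLAN are out of scope for this rule."""
    if src not in POS_NET:
        return True
    return (dst, dport) in ALLOWED


def audit(lines):
    """Return the flows a deny-by-default firewall would have dropped, plus the
    byte volume per unexpected destination (large totals hint at exfiltration)."""
    violations, bytes_by_dst = [], Counter()
    for line in lines:
        src, dst, dport, nbytes = parse_flow(line)
        if not egress_allowed(src, dst, dport):
            violations.append((str(src), str(dst), dport, nbytes))
            bytes_by_dst[str(dst)] += nbytes
    return violations, bytes_by_dst


# Constructed sample: two normal authorisations, one bulk upload from a register
# to an outside FTP host, one wrong port, and one flow from a non-POS subnet.
SAMPLE_FLOWS = """\
10.50.0.21 203.0.113.10 443 1800
10.50.0.22 203.0.113.11 443 1750
10.50.0.21 198.51.100.7 21 524288
10.50.0.23 203.0.113.10 8443 900
10.60.0.5 198.51.100.7 21 4096
""".splitlines()

if __name__ == "__main__":
    bad, volume = audit(SAMPLE_FLOWS)
    for flow in bad:
        print("blocked/flagged:", flow)
    print("bytes to unexpected destinations:", dict(volume))
```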
CC data is stored by merchants to implement some kind of membership functionality, whereby returning users don't have to re-enter their CC data out of convenience. I can't imagine why a retail POS would store CC data. Hashing would render the data unusable for the merchant as well so that wouldn't serve a purpose.
I think it's more likely the data was intercepted in-transit before encryption.
It's not a case of a data center being hacked and data at rest being stolen. When the POS is compromised (which is how most of these incidents happen, it was the same with Target) it's more insidious. It's like having someone install a keylogger on your computer - it does not matter how your password is stored on the backend if the password can be obtained while you type it.
The issue is how casual some organizations are about their POS security. If they were to adopt a "need to know" approach as opposed to a "whatever is convenient" approach these incidents would not have the same impact.
Then no one can claim they hacked anything. We can all say, "Bullcrap! You downloaded that off PostYourCC.com!"
Besides, they can't use all of them.
Sorry about the mess.
Someone hacks a pharmacy chain. Credit card and medical info? Jackpot.
Here is the list of stores
http://staples.newshq.business...
I have to return some videotapes...
this isn't a password you can hash and compare hashes. You have to use the number, so it kind of has to be in number form somewhere... Even if it was encrypted and the key was on a different machine... it will get read and decrypted next time it's needed. Then you can steal it there.
Now for a lot of cases you don't need to store credit card numbers at all, you can just replay a transaction, but that's not always possible.
I spent a great deal of time working at Staples HQ here in Framingham, Massachusetts these past two years.
I was shocked by how many Indian employees they have. At lunchtime in the cafeteria, it is like living in a foreign country. I have no idea how they are legally able to bring over so many H1B employees.
I worked for Sapient, which has their HQ in Boston, although they are basically an Indian company now. I was the only American on the team.
Staples basically employs H1B visa holders from India to do _everything_ in the company, technology-wise.
Staples Advantage, their B-to-B arm, is the #2 internet retailer behind Amazon, not too many people realize that. I worked on an important project that had visibility to the executive team and the CTO, who is a former Sapient employee, also originally from India.
There are about four major Indian outsourcing firms firmly ensconced at Staples HQ, HCL, Infosys, Tata, Sapient, and the other one of the "Big 4" Indian outsource companies.
The code that is produced at this company by all of these journeyman Indian programmers is exceptionally poor and I am not surprised they had a security breach.
As bad as the programming is, the lack of specifications and documentation of any kind, functional or technical was really shocking to me.
Sapient robs Staples blind, flying in L1 Visa "Managers" from India, paying them Indian wages and charging Staples for U.S.-based workers. Not only are these guys misclassified as L-1 "Managers" in a very fraudulent way (they don't manage their own schedule, let alone others), they are also, many of them, able to communicate in American standard English on a level equivalent to a bright American middle-schooler or high school student.
There is no understanding of encryption technology or PCI standards; Files are passed around with business and consumer PCI information and data in plaintext and outside the corporate firewall and network on Box and other file sharing services. Staples IT struck me as a bunch of riverboat gamblers; I am particularly not impressed positively with the CTO; She is very "Hands off", and I never considered her to be a good pick for an eCommerce CTO. I expect more PCI breaches in the future; The Staples POS group is obviously in over their heads and needs to stop outsourcing their core competencies in in-store technology to Indian IT outsourcing companies.
Staples is not going to be able to execute on their "Vision" to compete with Amazon as a general purveyor of myriad consumer goods; They have one datacenter out in Western Massachusetts, which, although impressive to tour, is not even close to where they would need to be in terms of IT infrastructure to compete with Amazon.
Staples deserves the bad press; They earned it.
That was a useful system. There are two simple ways to get approximately the same amount of security, in exchange for the same or less amount of hassle.
> tell it that the next time I swipe my credit card, make it generate a one-time number only good for $50?
> I go to Target or Staples or wherever, spend $25, the number is never valid again and I have nothing to worry about.
For $25-$50, that's called cash. No need to pay the credit card company $1 on a $25 transaction, and you are paying them, indirectly. No need to create hackable and trackable records of every little purchase you make daily, either.
The other thing you can do is get a card with a $200 limit, or a debit card and tell them not to allow overdrafts. Set up an automatic payment to the card for $100 twice per month or whatever. That way the bad guy can't hit you for more than $200, or whatever amount you put on the debit card. You can have the bank email you if your available balance gets low and add another $100 or whatever you're comfortable with. Crapital One makes this very simple and quick, but they are evil so I'd rather use a debit card that has the same options for automating things.
I've worked in the field of IT security, so I too will be looking forward to learning details. The story of the TJX incident was quite interesting- not just the technical details, but also the conversations between the perpetrators, the fact they knew they were getting greedy and should have gotten out of Dodge, etc.
I'm not so sure it needs to be either really crappy security or a great cracker. Generally, breaking things is easier than making things, so an average bad guy can defeat average security. I've never encountered security I couldn't bypass, either in IT or physical security. (I'm trained in locksmithing). I'm not the world's greatest cracker, but I only need ONE way in. The defender has to secure EVERY possible weakness. That's a huge advantage.
It's like a football game where one side wins the game if they score just once.
Hey, is anybody noticing a trend that Windows combined with outsourcing == cracked systems.
When will managers learn to think?
I prefer the "u" in honour as it seems to be missing these days.
The problem is that they are no different than any of the others that have been cracked. Every last one of them is running Windows and has outsourced to India. Now, 30 years ago, when considering security clearances, payrolls were looked at. Why? Because if somebody was on clearance and had too low of a salary, they could be bought.
Well, the Indian coders are paid less than $10K / year back in India. All it takes is somebody from China, Russia, North Korea, Venezuela, Iran, etc. to offer just ONE of them 100k (or 10 years worth of their salaries) to release a bug in the production systems. Of course, it is happening.
This is how and why these companies are getting cracked. What is really needed is for customers and banks to SUE these companies, and NOW. And not just the company, but the CIO and CEO for putting their data at this much risk. Once CEOs/CIOs are looking at being held personally responsible for their actions, well, things will change.
Issue solved.
That happened at Target. And yes, they got CCs, but they also got medical info.
Look, the problem here is that ALL OF THESE COMPANIES THAT WERE CRACKED have 3 things in common:
1) they run Windows.
2) they outsourced to India.
3) the company is not allowed to operate in India.
Basically, Indians are being bought off to leave backdoors on the production system.
Look, everybody is ignoring the common things. Instead, they see what the crackers WANT them to see, which is other doorways than what was initially used.
The company, along with the CEO and CIO, need to be held accountable. Once these people realize that they can be held PERSONALLY responsible for their bad actions, then and only then, will we see real issues solved.
Can this include some criminal liability? Jail perhaps for a CEO or CIO?
Well, that is a good question. I would like to think that it can. But, I do not know.
However, I DO know that they can be held personally liable.
That's not a breach. This is a breach
http://homedepot.com/
If you are going to steal my money you will have to do it the old fashioned way. Stores and the government are also unable to data mine my purchasing habits. The banks won't get their 1-3% of the purchase amount, which is really just a stealth tax that causes us to pay higher prices for goods and services.
> Staples said in October that it had learned of a potential data theft
It's not 'theft'. "Theft" deprives the original owner of its property. Staples still has full use of its data.
Am I doin' it rite? Can I sit at teh kewl kids table yet?
I don't live in the US but I visited last year. I made a purchase at Target (not Staples, I know) and was shocked when the clerk did two things with my CC: they first ran the card through the in-house POS computer. And then put the card in the hand-held bank issued (I assume) POS device to conduct the sale. I asked her why she ran it through the in-house computer and of course was told that it was "policy" and that's how it works. Don't worry, I didn't have a pointless argument with the sales clerk.
But this is a fact that is not being well reported. These breaches occur and no one tells us where the actual break took place. My speculation is that the in-house computer system is being hacked, not the bank-issued POS device. I assume that the retailer is swiping CCs so that they can track purchases. So the really sad thing about this is that the CC breaches (Target and Home Depot last year, now Staples, etc...) would be avoidable if the CC numbers were not being stored by the retailer. At the very very very least, they could have taken the details from the card and hashed* them to produce a "customer ID" for tracking purposes.
I just use cash now for everything, but you must agree that it's a funny world we live in where online CC purchases feel safer than brick and mortar shopping!!
*non-trivial I know. You want a hashing method that maps similar length strings without generating collisions and that's not so easy in practice. An "off the cuff" suggestion is to simply take the full mag read and then sign it with a private key. The resulting string can be used as the "customer ID". I guess in practice though the retailer wants your name so they can try to extend their market research somehow.
See, this is why when I'm at the checkout and they ask if I want to be a part of this or that points system, or whether I want my name entered for a draw if I fill out a survey, or whatever other silly marketing-related / statistics-collection operation they are running, I say NO.
They can't be trusted with information. None of these companies. So my security approach is to give them as little as possible. That can still be a disappointingly dangerous amount of information (e.g., a credit-card transaction), but if there is anything else they ask for, no, they're not getting it. I don't care how many incentives they try, because these companies have proven time and again that they're incompetent and untrustworthy.
Tokenization isn't new. There's no reason to store the card number these days, other than software vendors with their heads in the sand.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
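The thread keeps circling back to the same pair of ideas: the question further up about storing cards "like Unix stores passwords" (and the reply that the number has to stay usable), and the "customer ID" proposal above, answered by the tokenization comment. The example below is added here and is not code from the page, from Staples or from any card network; it models a token vault in which the PAN exists only inside the vault, the store keeps a random token plus last4, and a keyed HMAC (key assumed to live in the vault, not with the data) lets a returning card map to the same token. The last function states the caveat a practitioner would raise against an unkeyed hash: once BIN and last4 are known (both are routinely printed), only one hundred thousand candidate PANs remain, so a plain SHA-256 of the number is not a secret.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check digit (ISO/IEC 7812): rejects mistyped numbers before storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only place a PAN is stored. Downstream systems see random tokens."""

    def __init__(self, lookup_key: bytes):
        self._key = lookup_key         # assumed: HMAC key held in the vault only
        self._pan_by_token = {}
        self._token_by_ref = {}

    def _ref(self, pan: str) -> str:
        # Keyed reference for "same card seen before?"; without the key it is
        # not searchable the way an unkeyed hash of the PAN would be.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        ref = self._ref(pan)
        if ref in self._token_by_ref:  # returning card: reuse its token
            return self._token_by_ref[ref]
        token = secrets.token_hex(16)  # random; carries no information about the PAN
        self._pan_by_token[token] = pan
        self._token_by_ref[ref] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. when re-submitting to the acquirer) does this."""
        return self._pan_by_token[token]


def store_record(token: str, pan: str) -> dict:
    """What the retailer's own systems keep: token and last4, never the PAN."""
    return {"token": token, "last4": pan[-4:]}


def unkeyed_hash_candidates(pan_len=16, known_prefix=6, known_suffix=4) -> int:
    """Candidate PANs an attacker would hash to reverse an unkeyed digest when
    BIN and last4 are known: remaining digits, minus the Luhn check digit."""
    return 10 ** (pan_len - known_prefix - known_suffix - 1)


if __name__ == "__main__":
    vault = TokenVault(b"demo-lookup-key")      # constructed key
    t = vault.tokenize("4111111111111111")      # constructed test PAN
    print(store_record(t, "4111111111111111"))
    print("candidates for an unkeyed hash:", unkeyed_hash_candidates())
```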
*COUGH* there's a solution to this already.
Very curious to learn if their clojure stack was involved, esp. as it relates to the "no frameworks" philosophy, which in practice means "bring your own security".
All it takes is somebody from China, Russia, North Korea, Venezuela, Iran, etc. to offer just ONE of them 100k (or 10 years worth of their salaries) to release a bug in the production systems. Of course, it is happening.
Citation needed.
Not that I think that Indians have an especial immunity to bribery (stop snickering, Venkit!).
But because American citizens in positions of trust have been known to betray their nation for considerably less than that.
Remember the government's Obamacare website fiasco that actually bankrupted MILLIONS of people and destroyed their health insurance? This little problem doesn't even come close.
Windows at a POS gives the employees of an empty store a lot of entertainment options, but it also causes problems when malware gets bundled with the hot new app of the moment. So, it looks like Staples should invest in a new POS system that is better locked-down. If malware is showing up on your task lists, you at least need a format and reinstall to be sure you're safe.
Your last sentence proves the whole problem.
The larger the difference in price, combined with the high level of incompetence in coders over in India as well as the fact that none of these companies are allowed to operate in India, leads to situations where they can be bribed easily.