Slashdot Mirror


Staples: Breach May Have Affected 1.16 Million Customers' Cards

mpicpp writes with this excerpt from Fortune: Staples said Friday afternoon that nearly 1.16 million customer payment cards may have been affected in a data breach under investigation since October. The office-supply retailer said two months ago that it was working with law enforcement officials to look into a possible hacking of its customers' credit card data. Staples said in October that it had learned of a potential data theft at several of its U.S. stores after multiple banks noticed a pattern of payment card fraud suggesting the company computer systems had been breached. Now, Staples believes that point-of-sale systems at 115 Staples locations were infected with malware that thieves may have used to steal customers' names, payment card numbers, expiration dates and card verification codes, Staples said on Friday. At all but two of those stores, the malware would have had access to customer data for purchases made between August 10 and September 16 of this year. At the remaining two stores, the malware was active from July 20 through September 16, the company said.

56 of 97 comments

  1. Honestly by Anonymous Coward · · Score: 5, Insightful

    I'm beginning to believe no one has a fracking clue about IT security, that no one understands that security is a process, not a product, that audits are conducted weekly, monthly, yearly with documentation to show findings, changes, what works, what doesn't.

    I'm honestly thinking about taking cash from the bank and using that for all my purchases -- using the Dave Ramsey envelope technique I used to get out of debt a decade ago -- until the people that run these companies get a clue about how to run a business with a modicum of common sense. If Walmart can keep safe, anyone can. Really.

    1. Re:Honestly by Anonymous Coward · · Score: 1

      I use cash for the most part. It has lots of pleasant side-effects, like giving you a solid object that lets you feel how much you're spending, and impressing women (either the under 25 crowd, who like the look of the green stuff, or the 25-30 (now that I'm getting older) ones who look at you like you're obviously responsible husband-material because you use cash over plastic).

    2. Re:Honestly by Richy_T · · Score: 1

      Satoshi Nakamoto does.

    3. Re: Honestly by Anonymous Coward · · Score: 2, Funny

      Hope you never have a run-in with a civil forfeiture traffic stop.

    4. Re:Honestly by ruir · · Score: 1

      People are cutting corners, not willing to pay seasoned professionals and outsourcing service to clueless IT "professionals" in the 3rd world... so none of this is exactly unexpected.

    5. Re:Honestly by Cutting_Crew · · Score: 1

      > I use cash for the most part. It has lots of pleasant side-effects, like giving you a solid object that lets you feel how much you're spending, and impressing women (either the under 25 crowd, who like the look of the green stuff, or the 25-30 (now that I'm getting older) ones who look at you like you're obviously responsible husband-material because you use cash over plastic).

      You are missing out on free cash using plastic. You need to eat, you need to pay bills, you need gas (assuming you own a vehicle). You are going to pay for those things anyway. There is no reason to not pay for it on the card, reap the cash back benefits and cash in when you need to. (I usually end up with about $400 or so for the year.)

  2. Neener by Applehu+Akbar · · Score: 1, Funny

    When I shop at Staples, I use Apple Pay.

    1. Re: Neener by DigitAl56K · · Score: 2

      Or Google Wallet.

      Let's not credit Apple alone with a solution when there are at least two major players in that market both encompassing a large install base and indeed Apple bringing their solution to the table much later.

    2. Re: Neener by Applehu+Akbar · · Score: 2

      Both schemes are just part of the NFC standard, which has worldwide support. The problem with Google Wallet in favor of Apple Pay is that GW requires sharing customer data with Google. Better hope there isn't a breach. GW also requires the user open an app on his device and enter a PIN. AP just comes up when you touch an iPhone to the point-of-sale terminal, and authenticates with your thumbprint.

    3. Re: Neener by Shados · · Score: 1

      Personally at this point my favorite is LevelUp, though it's a lot more localized. It's just a barcode picture, you point whatever version you have at the machine, it turns green, you're done, save a ton of money, and can use whatever device you want (Android Wear watches work nicely with it).

      It's not as fancy shmancy as NFC, but the deal is better for both the customer (get pretty decent discounts) and the merchant (pretty much no transaction fee whatsoever and free hardware in many cases).

    4. Re: Neener by Applehu+Akbar · · Score: 2

      An app is opened, but by the Apple Pay hardware rather than by the user. This keeps the interface simple and does not require any daemon in the OS; the user just pulls out her phone, touches it to the cash register, and authenticates with a designated fingerprint until a 'Done' checkmark pops up. Other schemes require the user to turn on the phone, go into a specified app, and enter a PIN.

      The ACH transfer scheme being pushed by Walmart also requires that the user scan a QR code that is generated by the cash register as a challenge/response sequence. By this time, the other people in line at the register are starting to cough and shuffle their feet while the user wonders why he didn't just pull out his credit card to begin with. Small wonder that Walmart's scheme (which, because it also requires a central database of user information, has already been hacked) is so unpopular even in beta that chains using the system have been ordered to turn off NFC entirely to stop wholesale defection. This locks out all NFC vendors, including Google and all those European and Asian visitors who had been happy to hear that American retailers were finally about to exit the twentieth century.

  3. Quote from the hackers by ArcadeMan · · Score: 4, Funny

    That was easy.

  4. I think it's about time... by camperdave · · Score: 1

    I think it's about time we implemented some sort of single use credit card system.

    --
    When our name is on the back of your car, we're behind you all the way!
    1. Re:I think it's about time... by plover · · Score: 4, Informative

      > I think it's about time we implemented some sort of single use credit card system.

      That's how Chip and PIN works. Your account number is still fixed, but your authorization to spend from it (your PIN) is encrypted by the chip, and is valid only for a single transaction. There are still kinks with non-electronic transactions, but those can be solved.

      Look for it to be all over the US by October of next year.

      --
      John
    2. Re:I think it's about time... by camperdave · · Score: 1

      October of next year??? It's been all over Canada for, like, five years or more already.

      --
      When our name is on the back of your car, we're behind you all the way!
    3. Re:I think it's about time... by X0563511 · · Score: 1

      As someone who's worked in the industry, they've been trying to get it to work for at least a year. For some reason Not Invented Here reigns supreme, and we have to figure out how to get it to work without any help from the UK.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    4. Re:I think it's about time... by ageoffri · · Score: 1

      The only problem is most card issuers aren't going to chip and PIN in the US. They are going to chip and signature, which isn't a huge improvement over plain magstripe and signature that we have now.

      --
      -- Slashdot, making the Left look conservative since 1997.
    5. Re:I think it's about time... by lsatenstein · · Score: 1

      > I think it's about time we implemented some sort of single use credit card system.
      >
      > That's how Chip and PIN works. Your account number is still fixed, but your authorization to spend from it (your PIN) is encrypted by the chip, and is valid only for a single transaction. There are still kinks with non-electronic transactions, but those can be solved.
      >
      > Look for it to be all over the US by October of next year.

      For the past two years, my Visa provider intercepts the authorizations that are made via the internet, and electronically asks me to respond to questions to which only I know the answer (mother's name, graduation year, etc.). If I fail, the transaction authorization fails. So, just because someone knows the 3 digit code on the back of the card means zero.
      And our credit cards have had the chip version since 2011. That technology is just coming into force in the USA, after 4 years of fraud.

      --
      Leslie Satenstein Montreal Quebec Canada
    6. Re:I think it's about time... by camperdave · · Score: 1

      Hate to break it to you, Stan, but your Mother's maiden name and your year of graduation are public record.

      --
      When our name is on the back of your car, we're behind you all the way!
  5. Don't let dictators censor us! by Anonymous Coward · · Score: 1

    Now that we're through talking about Innocence of Muslims and the arrest of its producer, can we talk about what happened to Sony?

  6. Shoosh, don't mention Windows :) by lippydude · · Score: 1

    "point-of-sale systems at 115 Staples locations were infected with malware that thieves may have used to steal customers' names, payment card numbers, expiration dates and card verification codes"

  7. Re:One number to breach them all by dltaylor · · Score: 3

    "I can only think the reason it hasn't been fixed is because fraud makes the banks money"

    No, the reason is that the CTO/CFO/CIO/Cxo don't go to jail for criminal negligence.

  8. Would this solution stem these unending breaches? by bogaboga · · Score: 1

    Enlighten me Slashdotters...

    Are these companies storing Credit Card data in plain readable text? I ask because there seems to be no end to these breaches.

    Why not try this as a solution?

    Store these numbers and all pertinent information like Unix/Linux stores passwords. I am meant to understand that even if one stole the "hashed" details they would be of no use. What am I missing?

  9. Details please by networkzombie · · Score: 1

    I would love to know exactly how it happened so I may learn from their mistakes. I can only assume they had incredibly poor security measures in place or they were breached by some ninja whose skills were beyond comprehension. Some of the TJMaxx details were released which revealed they had poor wifi security at the store, holding onto data they shouldn't have, and no proper encryption of data, so the criminals basically cracked them from a laptop in the parking lot. If all the latest hacks are similar to the TJMaxx crack, I feel safe. Paranoia is your friend.

  10. Quote from people who read your joke by lucm · · Score: 1

    That was easy

    --
    lucm, indeed.
  11. Network Level by Cytotoxic · · Score: 4, Insightful

    It seems that these POS systems should be more restricted at the network level. In our communications with our banking partners we have single IP address access to the communication server - among other measures (well, dual actually in some cases.... in case of system outages). Only specific IP addresses using specific ports are allowed to traverse the network to even reach the machine. That's before you even start talking about any real security measures.

    If that were in effect for the POS systems, the malware would dump its payload down a black hole unless it also compromised the routers along the way. Maybe that's asking a little much for a bunch of retailers, but it is pretty simple to implement.

    1. Re:Network Level by Todd+Knarr · · Score: 2

      There should be more isolation, yep. When I handled POS the terminals had no local storage at all, they were network booted from images on the site server and the LAN they were on had no outside access at all. The site servers were on our own wide-area network that connected them to corporate, and there were only two network segments (Development and Support) that could connect to the site servers (sites couldn't even connect to each other). Access to the Dev and Support networks from the rest of the company was highly restricted, and any unexpected access from Dev or Support netted you a phone call and/or an in-person visit from the support manager to find out what had blown up.

      I can think of ways to get malware out to the POS system through all that, but all of them involve physically being in the basement of the corporate headquarters where the Support and Development department offices were located and any unknown face would've had to avoid 2 managers and 3 secretaries before being grabbed by the scruff of the neck by Cory and hustled back upstairs (because if Cory didn't recognize you you were not supposed to be down there).

    2. Re:Network Level by WinstonWolfIT · · Score: 1

      So Cory did it?

    3. Re:Network Level by leonbev · · Score: 1

      It doesn't help that most POS systems that I've recently used at fast food restaurants still run unpatched copies of Windows XP and often have other unpatched systems sitting on the same network switch with them.

      That's a PCI compliance violation, by the way, but they never bother to fix it until they fail an audit. The store owners are just too busy slinging fries to learn about IT security or even give a damn about their systems unless they are completely down.

      So, yeah, pay cash for your fast food unless you're at some big corporate run store.

    4. Re:Network Level by bmo · · Score: 2

      > Otherwise it's potentially just a matter of inserting a tiny reprogrammable USB stick when there are few cashiers on and the cashier who is on isn't looking for a few seconds (i.e. two people walking into a Staples store can pull this off really easily).

      Indeed, so much this.

      I've seen open USB ports on all sorts of POS terminals and it just boggles my mind, especially because I've been in industrial environments in small companies where hot-gluing USB ports shut is a matter of course.

      You can buy a USB flash drive that sits almost flush and if you take a little bit of elbow-grease and sandpaper, you can get it to sit flush easily.

      So I don't see how big companies like Staples, who have the actual budget to look at security this way, don't even bother to do the basics like this. It's time we start fining/class action lawsuit-ing firms that don't even do the least bit of security, with amounts of money that actually hurt and not take "5 minutes of profits" to pay.

      --
      BMO

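    The single-address, single-port policy Cytotoxic describes and the no-outside-access POS LAN Todd Knarr describes, modeled as an added example (not code from the thread; every address, host and flow record is constructed):

```python
"""Egress allow-list for a POS segment: added example, not code from the thread.

Models the policy described above: terminals may reach only the site server
on their own LAN and the payment gateway (a primary and a backup address) on
one port; everything else, including terminal-to-terminal traffic, is dropped.
Every address, host and flow record here is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Constructed POS LAN and its single permitted outside destination (two
# addresses for outage fail-over, as the comment describes), HTTPS only.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
SITE_SERVER = ipaddress.ip_address("10.20.0.1")      # network-boot/image server
ALLOWED_EGRESS = {
    (ipaddress.ip_address("203.0.113.10"), 443),      # primary gateway (constructed)
    (ipaddress.ip_address("203.0.113.11"), 443),      # backup gateway (constructed)
}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


@dataclass(frozen=True)
class Verdict:
    flow: Flow
    allowed: bool
    reason: str


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst dport' flow record."""
    src, dst, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def evaluate(flow: Flow) -> Verdict:
    """Apply the allow-list; the default is deny."""
    if flow.src not in POS_SEGMENT:
        return Verdict(flow, False, "source is not a POS terminal")
    if flow.dst in POS_SEGMENT:
        if flow.dst == SITE_SERVER:
            return Verdict(flow, True, "site server on the POS LAN")
        return Verdict(flow, False, "lateral traffic between terminals")
    if (flow.dst, flow.dport) in ALLOWED_EGRESS:
        return Verdict(flow, True, "payment gateway")
    return Verdict(flow, False, "destination/port not on the egress allow-list")


def audit(lines: Iterable[str]) -> list:
    """Evaluate every non-empty flow record."""
    return [evaluate(parse_flow(line)) for line in lines if line.strip()]


def dropped(records: str) -> list:
    """Flows the policy would black-hole (what exfiltrating malware would hit)."""
    return [v for v in audit(records.splitlines()) if not v.allowed]


# Constructed flow records: one legitimate authorization, one TFTP boot
# fetch, and three flows a RAM scraper or lateral move might attempt.
SAMPLE_FLOWS = """\
10.20.0.15 203.0.113.10 443
10.20.0.15 10.20.0.1 69
10.20.0.15 198.51.100.77 443
10.20.0.15 203.0.113.10 80
10.20.0.15 10.20.0.16 445
"""

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS.splitlines()):
        action = "ALLOW" if v.allowed else "DROP "
        print(f"{action} {v.flow.src} -> {v.flow.dst}:{v.flow.dport}  ({v.reason})")
```

    The same check applied to real firewall or flow logs is a cheap audit of whether a store's POS segment actually matches the policy on paper.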
  12. Re:One number to breach them all by lucm · · Score: 1

    > Why can't I load up, say, a Mastercard app on my phone, login, tell it that the next time I swipe my credit card, make it generate a one-time number only good for $50?

    Because that would be immensely tedious and annoying. Look at how the TSA has made the process of taking an airplane a fucking pain in the ass... Intrusive security is not an acceptable solution.

    The problem is not the credit card transaction. The problem is how companies store information they don't need out of convenience and laziness.

    --
    lucm, indeed.
  13. Re:Would this solution stem these unending breache by lucm · · Score: 4, Insightful

    It's not a case of a data center being hacked and data at rest being stolen. When the POS is compromised (which is how most of these incidents happen, it was the same with Target) it's more insidious. It's like having someone install a keylogger on your computer - it does not matter how your password is stored on the backend if the password can be obtained while you type it.

    The issue is how casual some organizations are about their POS security. If they were to adopt a "need to know" approach as opposed to a "whatever is convenient" approach these incidents would not have the same impact.

    --
    lucm, indeed.
  14. Let's just post all of our cards on line now by genghisjahn · · Score: 1

    Then no one can claim they hacked anything. We can all say, "Bullcrap! You downloaded that off PostYourCC.com!"
    Besides, they can't use all of them.

    --
    Sorry about the mess.
  15. No one will care about retailer hacks until by Dracos · · Score: 1

    Someone hacks a pharmacy chain. Credit card and medical info? Jackpot.

  16. store list by CrAlt · · Score: 4, Informative

    Here is the list of stores

    http://staples.newshq.business...

    --
    I have to return some videotapes...
  17. Re:Would this solution stem these unending breache by Shados · · Score: 1

    This isn't a password you can hash and compare hashes. You have to use the number, so it kind of has to be in number form somewhere... Even if it was encrypted and the key was on a different machine... it will get read and decrypted next time it's needed. Then you can steal it there.

    Now for a lot of cases you don't need to store credit card numbers at all, you can just replay a transaction, but that's not always possible.

  18. Re:Time to start accepting Bitcoin by The+Good+Reverend · · Score: 1

    Staples accepts NFC payments, so if I buy something there, I'm using ApplePay, which is a single-use token and more secure than anything else out there, as far as I can tell.

  19. Re:One number to breach them all by plover · · Score: 4, Informative

    > I can only think the reason it hasn't been fixed is because fraud makes the banks money and they love seeing stories like this.

    Well, you would be very wrong. Fraud costs both the retailers and the banks money. The real problem is that issuing new chip cards would cost the banks more than the fraud. Not only are the cards about a dollar more expensive each, and they still have to be re-issued about every three years, but the systems that inject encrypted keys into them, and store the keys on their databases, are very expensive. Banks are notoriously cheap when it comes to spending money that won't make them money.

    The other reason EMV hasn't rolled out across the U.S. is that millions of retailers have about 12 million old credit card terminals spread across the country, and most are owned by cheap store owners who don't like being told they have to spend money to replace them. Most retailers have been dragging their feet, not wanting to make an expensive change. But the new members of the breach-of-the-month club are mad about the insecure systems they've been forced to use, and are now championing the rapid switch to EMV instead of fighting it. The smaller retailers are also impacted now, and are no longer resisting.

    The irony is that EMV readers for the small retailers are far, far cheaper than the old terminals, and the rates for using new companies like Square, Intuit, and PayPal are much lower than the typical old bank rates for the old credit card readers.

    --
    John
  20. close enough is pretty simple. $200 CC or cash by raymorris · · Score: 1

    That was a useful system. There are two simple ways to get approximately the same amount of security, in exchange for the same or less amount of hassle.

    > tell it that the next time I swipe my credit card, make it generate a one-time number only good for $50?
    > I go to Target or Staples or wherever, spend $25, the number is never valid again and I have nothing to worry about.

    For $25-$50, that's called cash. No need to pay the credit card company $1 on a $25 transaction, and you are paying them, indirectly. No need to create hackable and trackable records of every little purchase you make daily, either.

    The other thing you can do is get a card with a $200 limit, or a debit card and tell them not to allow overdrafts. Set up an automatic payment to the card for $100 twice per month or whatever. That way the bad guy can't hit you for more than $200, or whatever amount you put on the debit card. You can have the bank email you if your available balance gets low and add another $100 or whatever you're comfortable with. Crapital One makes this very simple and quick, but they are evil so I'd rather use a debit card that has the same options for automating things.

  21. details yes. Average attacker breaks average secur by raymorris · · Score: 1

    I've worked in the field of IT security, so I too will be looking forward to learning details. The story of the TJX incident was quite interesting, not just the technical details, but also the conversations between the perpetrators, the fact they knew they were getting greedy and should have gotten out of Dodge, etc.

    I'm not so sure it needs to be either really crappy security or a great cracker. Generally, breaking things is easier than making things, so an average bad guy can defeat average security. I've never encountered security I couldn't bypass, either in IT or physical security. (I'm trained in locksmithing). I'm not the world's greatest cracker, but I only need ONE way in. The defender has to secure EVERY possible weakness. That's a huge advantage.

    It's like a football game where one side wins the game if they score just once.

  22. Windows and outsourced again by WindBourne · · Score: 1

    Hey, is anybody noticing a trend that Windows combined with outsourcing == cracked systems?
    When will managers learn to think?

    --
    I prefer the "u" in honour as it seems to be missing these days.
  23. Re:Staples outsourcing prime factor in PCI breache by WindBourne · · Score: 2

    The problem is, that they are no different than any of the others that have been cracked. Every last one of them is running Windows and has outsourced to India. Now, 30 years ago, when considering security clearances, payrolls were looked at. Why? Because if somebody was on clearance and had too low of a salary, they could be bought.
    Well, the Indian coders are paid less than $10K / year back in India. All it takes is somebody from China, Russia, North Korea, Venezuela, Iran, etc. to offer just ONE of them 100k (or 10 years worth of their salaries) to release a bug in the production systems. Of course, it is happening.
    This is how and why these companies are getting cracked. What is really needed is for customers and banks to SUE these companies, and NOW. And not just the company, but the CIO and CEO for putting their data at this much risk. Once CEO/CIOs are looking at being held personally responsible for their actions, well, things will change.
    Issue solved.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  24. No, they will not by WindBourne · · Score: 1

    That happened at Target. And yes, they got CCs, but they also got medical info.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  25. Why? It would not matter. by WindBourne · · Score: 2

    Look, the problem here is that ALL OF THESE COMPANIES THAT WERE CRACKED have 3 things in common:
    1) they run windows.
    2) they outsourced to India.
    3) the company is not allowed to operate in India.

    Basically, Indians are being bought off to leave backdoors on the production system.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  26. it will not matter by WindBourne · · Score: 1

    Look, everybody is ignoring the common things. Instead, they see what the crackers WANT them to see, which is other doorways than what was initially used.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  27. Re:companies need to be held accountable; Not quot by WindBourne · · Score: 1

    The company, along with the CEO and CIO need to be held accountable. Once these ppl realize that they can be held PERSONALLY responsible for their bad actions, then and only then, will we see real issues solved.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  28. Re:Staples outsourcing prime factor in PCI breache by Great+Big+Bird · · Score: 1

    Can this include some criminal liability? Jail perhaps for a CEO or CIO?

  29. Re:One number to breach them all by WindBourne · · Score: 1

    Yes, they CAN go if people would SUE.
    I make a habit to never put my CC in stores that run Windows or that outsource to India, or any nation where the coders are paid a pittance of western coders. As such, I have not had my CCs stolen.
    People need to put together mass lawsuits against companies and their CEO/CIO personally. Once that starts happening, then and only then, will things change.
    Even here, it would be nice to see a lawyer step up and state that they are willing to do a class action against these companies.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  30. Re:Staples outsourcing prime factor in PCI breache by WindBourne · · Score: 1

    Well, that is a good question. I would like to think that it can. But, I do not know.
    However, I DO know that they can be held personally liable.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  31. Internal vs POS by Anonymous Coward · · Score: 1

    I don't live in the US but I visited last year. I made a purchase at Target (not Staples, I know) and was shocked when the clerk did two things with my CC: they first ran the card through the in-house POS computer. And then put the card in the hand-held bank issued (I assume) POS device to conduct the sale. I asked her why she ran it through the in-house computer and of course was told that it was "policy" and that's how it works. Don't worry, I didn't have a pointless argument with the sales clerk.

    But this is a fact that is not being well reported. These breaches occur and no one tells us where the actual break took place. My speculation is that the in-house computer system is being hacked, not the bank-issued POS device. I assume that the retailer is swiping CCs so that they can track purchases. So the really sad thing about this is that the CC breaches (Target and Home Depot last year, now Staples, etc...) would be avoidable if the CC numbers were not being stored by the retailer. At the very very very least, they could have taken the details from the card and hashed* them to produce a "customer ID" for tracking purposes.

    I just use cash now for everything, but you must agree that it's a funny world we live in where online CC purchases feel safer than brick and mortar shopping!!

    *non-trivial I know. You want a hashing method that maps similar length strings without generating collisions and that's not so easy in practice. An "off the cuff" suggestion is to simply take the full mag read and then sign it with a private key. The resulting string can be used as the "customer ID". I guess in practice though the retailer wants your name so they can try to extend their market research somehow.

  32. Re:companies need to be held accountable by X0563511 · · Score: 1

    PCI violations are much worse than that, if they actually fine you.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  33. Re:Would this solution stem these unending breache by X0563511 · · Score: 1

    Tokenization isn't new. There's no reason to store the card number these days, other than software vendors with their heads in the sand.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
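  The tokenization X0563511 refers to here and the hash-or-sign-the-card-read customer ID from the Anonymous Coward's footnote in comment 31, worked as an added example (not code from the thread or any payment vendor; the vault, HMAC key and card numbers are constructed test values):

```python
"""Keeping the PAN out of the retailer's database: added example, not code
from the thread or any payment vendor.

Side by side: a token vault (the "tokenization" of comment 33) that leaves
only a random token on the store side, and a keyed customer ID (the footnote
in comment 31 on hashing or signing the card read) built with HMAC under a key
the store systems never hold. It also shows why a plain, unkeyed hash of a PAN
is not protection: with a known 6-digit BIN and the Luhn check digit, a
16-digit PAN leaves only 10**9 candidates to enumerate. All PANs, keys and
records are constructed test values.
"""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check digit as used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def unkeyed_search_space(pan_length: int, bin_length: int = 6) -> int:
    """Candidates to hash when inverting an unsalted hash of a PAN whose BIN is known."""
    free_digits = pan_length - bin_length - 1   # last digit is fixed by Luhn
    return 10 ** free_digits


class TokenVault:
    """Token <-> PAN map that lives on a separate, tightly restricted system.

    In-memory here; a real vault would be its own service. The store keeps
    only the token, which carries no information about the PAN.
    """
    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:            # same card, same token
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(12)   # random, unrelated to the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def customer_id(pan: str, key: bytes) -> str:
    """Keyed digest for loyalty tracking; without `key` it cannot be inverted by enumeration."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:24]


def record_sale(vault: TokenVault, key: bytes, pan: str, amount_cents: int) -> dict:
    """What the store database keeps: token, keyed ID, last four digits, never the PAN."""
    return {
        "token": vault.tokenize(pan),
        "customer_id": customer_id(pan, key),
        "last4": pan[-4:],
        "amount_cents": amount_cents,
    }


# Constructed test values: industry test PANs and a throwaway HMAC key.
TEST_PAN = "4111111111111111"
OTHER_PAN = "4242424242424242"
TEST_KEY = b"constructed-hmac-key-do-not-reuse"

if __name__ == "__main__":
    vault = TokenVault()
    print(record_sale(vault, TEST_KEY, TEST_PAN, 2599))
    print("unkeyed hash candidates for a 16-digit PAN:", unkeyed_search_space(16))
```

  lucm's point in comment 13 still applies: a compromised POS reads the card before any of this runs, so tokenization limits what stored data is worth to a thief, not what a RAM scraper sees at the terminal.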
  34. Re:Would this solution stem these unending breache by X0563511 · · Score: 1

    *COUGH* there's a solution to this already.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  35. Whitelist based operating system? by The+New+Guy+2.0 · · Score: 1

    Windows at a POS gives the employees of an empty store a lot of entertainment options, but it also causes problems when malware gets bundled with the hot new app of the moment. So, it looks like Staples should invest in a new POS system that is better locked-down. If malware is showing up on your task lists, you at least need a format and reinstall to be sure you're safe.

  36. Re:Cash is King! by The+New+Guy+2.0 · · Score: 1

    Remember you still have to use a Staples Rewards card to avoid being overcharged with cash.

  37. Re:Time to start accepting Bitcoin by Richy_T · · Score: 1

    The deal there is *your* lapse of security does not affect *my* finances. Millions are getting compromised because of a single entity here.