Reports of credit-card fraud from Schnucks customers continue to grow

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.stltoday.com/business/local/reports-of-credit-card-fraud-from-schnucks-customers-continue-to/article_9e342beb-f0be-5202-88b0-41762e7a07a6.html

Reports of credit card fraud linked to Schnucks stores are piling up
on investigators’ desks, while increasingly frustrated customers blame
the Maryland Heights-based company for failing to get the word out
about the security breach.

Schnuck Markets Inc. said last week that it had hired an outside
forensics company to look into the matter, but until that
investigation is complete, police say, they won’t be able to say how
or when the breach occurred. Meanwhile, they advise area shoppers to
keep an eye on their accounts.

“I believe it’s safe to shop at Schnucks,” said Detective Sean
Fanning, of the Maryland Heights Police Department fraud unit. “But I
would recommend that people pay with cash or check until I hear from
Schnucks that, yes, there was a problem, and yes, it’s been fixed.”

Fanning said the department has had at least 30 reports from residents
of unauthorized credit card charges. The reports came mostly, though
not exclusively, from people who had recently shopped at Schnucks.
Transactions range from small amounts to the hundreds and thousands of
dollars. Many of the charges are from out-of-state and from department
and big box stores, such as Wal-Mart Stores Inc.

St. Louis County police said Wednesday that the department had
received only one fraud report but was aware of cases in Bridgeton,
Creve Coeur and St. Peters. St. Louis County’s Wildwood precinct said
on its Facebook page that it has taken “numerous reports” from people
who believe they were defrauded.

The Missouri attorney general’s office has also received several complaints.

“We have been in contact with officials from Schnuck Markets and are
working with them to determine what steps, if any, should be taken on
behalf of consumers,” said Nanci Gonder, a spokeswoman for Attorney
General Chris Koster.

In response to questions Wednesday, Schnucks issued only a written statement.

“Schnucks became aware on March 15 that some customers had noticed
unauthorized charges on their card statements for credit cards they
used at Schnucks,” the statement said. “Schnucks immediately began to
investigate those reports and has engaged outside experts.”

The practice of hiring outside help is typical in these cases,
authorities said Wednesday.

“You have to be able to reconstruct the attack and know exactly how
they get in, because there are so many ways to do that,” said Domingo
Rivera, vice president of computer forensics and information security
for AVM Technology, a Virginia-based firm that performs forensic
investigations for breached companies.

Rivera said that breaches occur in various places — from the point of
sale to outside vendors — but often when a hacker is able to get into
a database where information about transactions is stored. “Sometimes
you have an insider or an employee who may know where the database is
stored, or someone may just stumble onto it online,” he said. “There
are so many vectors, but insiders are very common.”

He said investigations need to happen quickly so that customers are
informed as soon as possible about any possible identify theft. “It
should take weeks, not months,” he said, although the process is
complicated, often requiring that systems be cloned so investigations
can happen without disrupting business.

“On the one hand, you’re trying to get back to profit-making,” Rivera
said. “On the other, you have to figure out what happened so the
attackers don’t get back in right away.”

Most of the fraud victims say they were contacted by their banks or
credit card companies after the firms saw strange activity on their
accounts.

Terry Praechter of Barnhart said that she and her husband shop at
Schnucks often, and had used a credit card earlier this month at the
supermarket.

“The following Wednesday, my husband tried to use the card again, and
it wouldn’t go through,” she said. The fraud department told her the
card had been shut down after questionable transactions including
charges in big amounts in Maryland and in states all over the country.

“It was $700 here, $500 there … my balance was $10,006,” she said.
About $1,500 was their own. “They ran it up that much in two days. “

Gail Gray, of Maryland Heights, said she got a call on March 20, the
day after she shopped at a Schnucks near her house. The charges — for
about $25 and $4.20 — were never deducted from her account.

“They said, ‘We’ll block your debit card,’ so I went down to the
credit union, and luckily they had new cards right there,” she said.

Eric Willen, of Florissant, said he learned about fraudulent activity
on his card from his bank last week. A person at the bank told him
they were "having all kinds of problems with this."

"Somebody in Connecticut was trying to use my debit card to purchase a
gift card in Connecticut," Willen said. "You work hard for a living,
and then you go in to pick up a prescription at Schnucks ….and then
some scumball is buying a gift card on your card in Connecticut. "

Willen said he had shopped at a Bridgeton store. His cousin, who
shopped at a Schnucks in St. Charles, had a similar incident. In her
case, someone used her card to buy a gift card in Florida.

"I certainly hope they get it stopped," said Willen, who is waiting to
receive a new card in the mail.

Chris McLaughlin, executive vice president of First Bank, said that
about two weeks ago the bank began to receive calls from customers
reporting fraudulent claims.

“There seemed to be a common merchant,” McLaughlin said. The common
denominator was customers who had shopped at Schnucks in January and
February, he said.

“This caused us to tighten up authorization parameters for anyone who
had shopped at Schnucks,’’ he said. “This does not mean conclusively
that Schnucks was in any way compromised. But the more suspicious a
transaction looks, the more we will put up hurdles for authorization
to protect out customers and the bank.

“The message for everyone is to pay attention to transactions on your
account,” McLaughlin said. “Communicate with your bank or credit card
issuer, and everything should be fine.”

Some Schnucks customers said they were frustrated about the company’s
lack of communication and were confused about whether it was safe to
use cards.

“They’ve made no apologies; they haven’t come forward to say they
don’t know what’s going on,” said one customer, who said she was wary
of having her name in print, having just been the victim of identify
theft. “I called them today to ask if I can use my card, and they said
they couldn’t answer that.”

The woman said her card was charged $99.99 for a transaction at a
Walmart store in Texas.

“I’ve had to have the three credit bureaus put alerts on my cards, had
to call all my accounts and have them flagged. It’s a pain,” she
continued, “and Schnucks hasn’t said anything about it.”

Credit card breaches are fairly common.

Last year, hackers stole credit card information from customers who
shopped at 63 Barnes & Noble stores. The hackers had broken into the
keypads in front of registers where customers swipe their credit cards
and enter their PINs. As it investigated how the attack occurred, the
bookstore chain turned off all 7,000 keypads at its several hundred
stores and had customers swipe their cards on the readers connected to
the registers instead.

The year before, Michaels arts and crafts stores reported a major
security breach with its card-reading equipment being tampered with in
20 states. It said the thieves had collected customers’ debit card
information and PINs and then made duplicate cards to withdraw cash
from victims’ accounts using the stolen PINs. After that attack,
Michaels said it would replace those PIN pads with more tamper-proof
equipment.

Kavita Kumar and Margaret Gillerman of the Post-Dispatch contributed
to this report.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.