BreachExchange mailing list archives
Reports of credit-card fraud from Schnucks customers continue to grow
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Thu, 28 Mar 2013 10:42:24 -0400
http://www.stltoday.com/business/local/reports-of-credit-card-fraud-from-schnucks-customers-continue-to/article_9e342beb-f0be-5202-88b0-41762e7a07a6.html

Reports of credit card fraud linked to Schnucks stores are piling up on investigators’ desks, while increasingly frustrated customers blame the Maryland Heights-based company for failing to get the word out about the security breach.

Schnuck Markets Inc. said last week that it had hired an outside forensics company to look into the matter, but until that investigation is complete, police say, they won’t be able to say how or when the breach occurred. Meanwhile, they advise area shoppers to keep an eye on their accounts.

“I believe it’s safe to shop at Schnucks,” said Detective Sean Fanning, of the Maryland Heights Police Department fraud unit. “But I would recommend that people pay with cash or check until I hear from Schnucks that, yes, there was a problem, and yes, it’s been fixed.”

Fanning said the department has had at least 30 reports from residents of unauthorized credit card charges. The reports came mostly, though not exclusively, from people who had recently shopped at Schnucks.

Transactions range from small amounts to the hundreds and thousands of dollars. Many of the charges are from out-of-state and from department and big box stores, such as Wal-Mart Stores Inc.

St. Louis County police said Wednesday that the department had received only one fraud report but was aware of cases in Bridgeton, Creve Coeur and St. Peters. St. Louis County’s Wildwood precinct said on its Facebook page that it has taken “numerous reports” from people who believe they were defrauded.

The Missouri attorney general’s office has also received several complaints. “We have been in contact with officials from Schnuck Markets and are working with them to determine what steps, if any, should be taken on behalf of consumers,” said Nanci Gonder, a spokeswoman for Attorney General Chris Koster.
In response to questions Wednesday, Schnucks issued only a written statement. “Schnucks became aware on March 15 that some customers had noticed unauthorized charges on their card statements for credit cards they used at Schnucks,” the statement said. “Schnucks immediately began to investigate those reports and has engaged outside experts.”

The practice of hiring outside help is typical in these cases, authorities said Wednesday.

“You have to be able to reconstruct the attack and know exactly how they get in, because there are so many ways to do that,” said Domingo Rivera, vice president of computer forensics and information security for AVM Technology, a Virginia-based firm that performs forensic investigations for breached companies.

Rivera said that breaches occur in various places — from the point of sale to outside vendors — but often when a hacker is able to get into a database where information about transactions is stored.

“Sometimes you have an insider or an employee who may know where the database is stored, or someone may just stumble onto it online,” he said. “There are so many vectors, but insiders are very common.”

He said investigations need to happen quickly so that customers are informed as soon as possible about any possible identity theft. “It should take weeks, not months,” he said, although the process is complicated, often requiring that systems be cloned so investigations can happen without disrupting business.

“On the one hand, you’re trying to get back to profit-making,” Rivera said. “On the other, you have to figure out what happened so the attackers don’t get back in right away.”

Most of the fraud victims say they were contacted by their banks or credit card companies after the firms saw strange activity on their accounts.

Terry Praechter of Barnhart said that she and her husband shop at Schnucks often, and had used a credit card earlier this month at the supermarket.
“The following Wednesday, my husband tried to use the card again, and it wouldn’t go through,” she said. The fraud department told her the card had been shut down after questionable transactions including charges in big amounts in Maryland and in states all over the country.

“It was $700 here, $500 there … my balance was $10,006,” she said. About $1,500 was their own. “They ran it up that much in two days.”

Gail Gray, of Maryland Heights, said she got a call on March 20, the day after she shopped at a Schnucks near her house. The charges — for about $25 and $4.20 — were never deducted from her account. “They said, ‘We’ll block your debit card,’ so I went down to the credit union, and luckily they had new cards right there,” she said.

Eric Willen, of Florissant, said he learned about fraudulent activity on his card from his bank last week. A person at the bank told him they were "having all kinds of problems with this."

"Somebody in Connecticut was trying to use my debit card to purchase a gift card in Connecticut," Willen said. "You work hard for a living, and then you go in to pick up a prescription at Schnucks … and then some scumball is buying a gift card on your card in Connecticut."

Willen said he had shopped at a Bridgeton store. His cousin, who shopped at a Schnucks in St. Charles, had a similar incident. In her case, someone used her card to buy a gift card in Florida.

"I certainly hope they get it stopped," said Willen, who is waiting to receive a new card in the mail.

Chris McLaughlin, executive vice president of First Bank, said that about two weeks ago the bank began to receive calls from customers reporting fraudulent claims. “There seemed to be a common merchant,” McLaughlin said. The common denominator was customers who had shopped at Schnucks in January and February, he said.

“This caused us to tighten up authorization parameters for anyone who had shopped at Schnucks,” he said.
“This does not mean conclusively that Schnucks was in any way compromised. But the more suspicious a transaction looks, the more we will put up hurdles for authorization to protect our customers and the bank.

“The message for everyone is to pay attention to transactions on your account,” McLaughlin said. “Communicate with your bank or credit card issuer, and everything should be fine.”

Some Schnucks customers said they were frustrated about the company’s lack of communication and were confused about whether it was safe to use cards.

“They’ve made no apologies; they haven’t come forward to say they don’t know what’s going on,” said one customer, who said she was wary of having her name in print, having just been the victim of identity theft. “I called them today to ask if I can use my card, and they said they couldn’t answer that.”

The woman said her card was charged $99.99 for a transaction at a Walmart store in Texas. “I’ve had to have the three credit bureaus put alerts on my cards, had to call all my accounts and have them flagged. It’s a pain,” she continued, “and Schnucks hasn’t said anything about it.”

Credit card breaches are fairly common. Last year, hackers stole credit card information from customers who shopped at 63 Barnes & Noble stores. The hackers had broken into the keypads in front of registers where customers swipe their credit cards and enter their PINs. As it investigated how the attack occurred, the bookstore chain turned off all 7,000 keypads at its several hundred stores and had customers swipe their cards on the readers connected to the registers instead.

The year before, Michaels arts and crafts stores reported a major security breach with its card-reading equipment being tampered with in 20 states. It said the thieves had collected customers’ debit card information and PINs and then made duplicate cards to withdraw cash from victims’ accounts using the stolen PINs.
After that attack, Michaels said it would replace those PIN pads with more tamper-proof equipment.

Kavita Kumar and Margaret Gillerman of the Post-Dispatch contributed to this report.