BreachExchange mailing list archives
Sears Announces Kmart Malware Attack - Says EMV 'Chip' Payment System Prevented Large Scale Fraud
From: Destry Winant <destry () riskbasedsecurity com>
Date: Thu, 1 Jun 2017 22:57:57 -0500
http://www.zerohedge.com/news/2017-06-01/sears-announces-kmart-malware-attack-says-emv-chip-payment-system-prevented-large-sc

Five days after Chipotle, Inc. announced a massive malware attack <http://ibankcoin.com/zeropointnow/2017/05/27/chipotle-hacked-in-massive-breach-customer-payment-data-stolen-from-thousands-of-restaurants-cmg/> resulted in widespread theft of customer payment data, Kmart parent company Sears ($SHLD <https://finance.yahoo.com/quote/SHLD?p=SHLD>) revealed that several Kmart locations had been similarly infested with malware.

While the beleaguered company <http://www.zerohedge.com/news/2017-03-23/sears-enters-death-spiral-vendors-halt-shipments-insurers-bail> disclosed that "certain credit card numbers" were compromised, it appears the majority of customers were unaffected <https://ibankcoin.com/zeropointnow/files/2017/06/nomonitoring.png> - which the company says is thanks to their decision to upgrade all Kmart locations to EMV "smart chip <https://ibankcoin.com/zeropointnow/files/2017/06/emv_chip.png>" credit and debit card Point-of-sale (POS) machines.

This is in stark contrast to a 2014 malware attack <https://krebsonsecurity.com/2014/10/malware-based-credit-card-breach-at-kmart/> on Kmart's older magnetic swipe Point of Sale system which resulted in the theft of customer data - allowing thieves to create counterfeit cards, according to Sears spokesman Chris Brathwaite.

Kmart has issued a FAQ <http://download.sears.com/perf/pdf/01_PRIVILEGED%20AND%20CONFIDENTIAL%20FAQ_FINAL.pdf> regarding the hack.

While Kmart looks to have dodged a bullet, Chipotle is still using magnetic POS machines

Chipotle ($CMG <https://finance.yahoo.com/quote/CMG/?p=CMG>) declined to upgrade to the newer EMV chip reading equipment in 2015 – citing inefficiencies and concerns over delays in the authentication process in a fast paced food service environment.
The breach could mean big trouble for shares of Chipotle, which have only partially recovered from an E. coli outbreak in late 2015. According to Reuters <https://www.reuters.com/article/us-chipotle-cyber-idUSKBN18M2BY>, security analysts say the company will likely face a fine based on the size of the breach and number of records compromised. Who knows, maybe the GMO-refusing <http://www.thehealthyhomeeconomist.com/monsanto-wont-take-gmo-free-chipotle-news-sitting-down/> burrito merchants carry separate cyberliability insurance? <https://www.bloomberg.com/news/articles/2014-08-28/cyberliability-insurance-for-when-your-business-gets-hacked>

In 2015 the credit card industry shifted liability to those who haven't upgraded to EMV systems

Per Gizmodo <http://gizmodo.com/the-gizmodo-guide-to-the-new-emv-chip-credit-card-payme-1734011799> ...

If stores accept EMV payments, the credit card companies still accept liability for counterfeit fraud. That's true even if the store accepts EMV payments, but also accepts magnetic stripe payments, and one of those magnetic stripe payments turns out to be fraudulent. The technical wording from Visa is, "The party that has made investment in EMV deployment is protected from financial liability for card-present counterfeit fraud losses on this date. If neither or both parties are EMV compliant, the fraud liability remains the same as it is today."

While EMV payment systems don't prevent over-the-phone credit card fraud, MasterCard said overall fraud had dropped 54% year-over-year in January of 2016 <http://www.pymnts.com/news/emv/2016/mastercard-fraud-costs-emv-impact/>. That's significant.

As the banking industry shifts towards convenient and safe digital payment systems and a cashless society <http://www.zerohedge.com/news/2016-11-16/war-cash-intensifies-citibank-stop-accepting-cash-some-branches>, enjoy the smell of paper <https://ibankcoin.com/zeropointnow/files/2017/06/abb6b6b85ee1c2d28a00b41403f86a8d.jpg> fiat currency while it's still around. Then go hang out with your gold and silver collection.