Saturday, August 23, 2008

Cost Plus Customers Compromised in Data Security Incident

Cost Plus World Market is another retailer, where customers were unknowingly giving criminals access to their bank accounts when they made a purchase.

On July 22nd, the company announced that after a thorough investigation they learned the Electronic Funds Transfer devices (PIN pads) might have been been compromised at eight Southern California stores by unauthorized third parties.

Since then three additional stores have been identified as being compromised.

The first hint of trouble was in June when two employees reported unauthorized transactions on their debit cards. By early July, the banks were reporting a unusual amount of fraud accounts that had one thing in common, they had been used at Cost Plus.

I picked up this story in an article on published yesterday (08/22/08). The only other mention of it, I could find was in a report by FOX News on 7/22/08.

Both the article and the official press release state that only debit and not credit cards have been reported compromised. Given that the hardware compromised accepts both credit and debit cards for payment, my humble guess is that credit card information might have been compromised, also. The reality is that you need both a card number and a PIN to get cash. The other reality is that card numbers can often be used without a PIN. My guess is that (at least so far) the crooks behind this were after fast cash.

Cost Plus is working with their payment card processors and the banks to identify customers, who might have been compromised. They have also brought in a external data security vendor (Verizon Business/Cybertrust) to analyze their systems. PIN pads are being replaced in all their stores, nationwide.

Compromises involving PIN pads have become more frequent in recent years. Cases are now being seen despite the fact that the retailer was compliant with payment card industry security standards. Speculation is that this is done when the information is being transmitted internally before it is transmitted to a payment card processor. Once the internal system is compromised, the hackers use sniffer programs to gather all the information and a data compromise is born.

In the early reports of PIN pad compromises, the actual PIN pads were being replaced. The crooks would later come back and in and retrieve the PIN pad to gather the payment card information or pick up via a wireless connection.

Since then my speculation is that the hacking methods being used have become more sophisticated and PCI data protection standards -- designed to protect merchants from data compromises -- might no longer be 100 percent effective.

Data compromises cost the victim affected, the retailer and the financial institutions issuing the payment cards.

I tend to write on behalf of the victim and I wanted to point to an excellent article by Tom Fragala, where he analyzes the protections offered when using credit and debit cards. General consensus is that it is a lot safer to use a credit card from a consumer point-of-view. Note I'm saying this from a security point-of-view because too much credit card debt isn't always a good thing, but that's a whole other subject.

Tom is a fellow blogger, and the CEO of a privacy friendly identity theft protection service (Truston) that just won another in what is becoming a long string of awards. They also offer a 45 day (completely) free trial to use their services.

As long as there is a lot of money to be stolen from payment cards, criminals are going to be motivated to defeat security fixes.

The recent news that one of these retail hacking rings were caught and put behind bars probably will go a lot farther in preventing data compromises than security fixes, which seem to be counter-fixed, fairly frequently.

The eleven Cost Plus Stores known to have been compromised were San Diego (372 Fourth Avenue, San Diego, CA 92101); Oceanside (2140 Vista Way, Oceanside, CA 92054); La Jolla (8657 Villa La Jolla Drive Suite 117, La Jolla, CA 92037); Mission Viejo (28341 Marquerite Parkway, Mission Viejo, CA 92692); San Dimas (638 West Arrow Highway, San Dimas, CA 91773); Valencia (25676 North The Old Road, Valencia, CA 91381); Palm Desert (44-439 Town Center Way, Palm Desert, CA 92260); Oxnard (221 Esplanade Drive, Oxnard, CA 93030); Westlake Village (Thousand Oaks) (160 Promenade Way, Westlake Village, CA 91362); Tucson East (5975 E. Broadway, Tucson, AZ 85711); and Tucson (4821 North Stone Avenue Tucson, AZ 85704).

Cost Plus also has a FAQ page for people, who think they may have been compromised.

No comments: