SoylentNews is people

posted by n1 on Thursday August 21 2014, @05:22PM
from the data-breaches,-faster-than-the-speed-of-business dept.

Ars Technica reports:

Dozens of UPS stores across 24 states, including California, Georgia, New York, and Nebraska, have been hit by malware designed to suck up credit card details. The UPS Store, Inc., is a subsidiary of UPS, but each store is independently owned and operated as a licensed franchisee.

In an announcement posted Wednesday to its website, UPS said that 51 locations, or around one percent of its 4,470 franchised stores across the country, were found to have been penetrated by a “broad-based malware intrusion.” The company recorded approximately 105,000 transactions at those locations, but does not know the precise number of cardholders affected.

UPS did not say precisely how such data was taken, but given the recent breaches at hundreds of supermarkets nationwide, point-of-sale hacks at Target, and other major retailers, such systems would be a likely attack vector. Earlier this month, a Wisconsin-based security firm also reported that 1.2 billion usernames and passwords had been captured by a Russian criminal group.

This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1, Informative) by Anonymous Coward on Thursday August 21 2014, @05:29PM

    by Anonymous Coward on Thursday August 21 2014, @05:29PM (#84018)

    FYI UPS bought Mailboxes Etc and eventually renamed them to be UPS stores. They are franchised.

    I use one for a private mailbox. I'd prefer to use another company because I use a private mailbox to stay under the radar, but being in their computer means I'm in UPS's computers and who knows what they do with that info. But in my town there aren't any other private mailbox providers. I pay cash, but because of postal regulations they have my driver's license on file and I think they typed the info into their computer...

    • (Score: 2) by MrGuy on Thursday August 21 2014, @06:32PM

      by MrGuy (1007) on Thursday August 21 2014, @06:32PM (#84031)

      Cool story, bragh.

      • (Score: 0) by Anonymous Coward on Thursday August 21 2014, @07:06PM

        by Anonymous Coward on Thursday August 21 2014, @07:06PM (#84050)

        It is spelled "brah" - it is Hawaiian, not Irish.

    • (Score: 0) by Anonymous Coward on Thursday August 21 2014, @07:19PM

      by Anonymous Coward on Thursday August 21 2014, @07:19PM (#84057)

      Receiving a lot of stuff from Silk Road, eh?

    • (Score: 0) by Anonymous Coward on Thursday August 21 2014, @07:23PM

      by Anonymous Coward on Thursday August 21 2014, @07:23PM (#84059)

      That's what J.J. Luna suggests using for ID in his "How To Be Invisible" books but after 2001-09-11, stuff might have changed around and a passport can't be used that way anymore. If that is the case, you'll have to mail stuff 13 ounces or less anonymously through the USPS or else get someone you trust to 'proxymail' it for you and you can do the same in return for them to return the favor.

      Seriously, as long as the IRS can track the money flows accurately for income tax purposes why track who mails letters/packages over 13 ounces?

      Once some crazy person somewhere in the world perfects a true exploding 'letter bomb' of 1 ounce or less (they just might be working on this right now! o_O; ) then what? This surveillance system will be effectively DDoS'ed as EVERYONE in the USA is required to identify themselves when they mail stuff to someone else!!! o_O; This would render the USPS ABSOLUTELY WORTHLESS! :P

      • (Score: 0) by Anonymous Coward on Thursday August 21 2014, @07:49PM

        by Anonymous Coward on Thursday August 21 2014, @07:49PM (#84063)

        Nowadays everybody demands 2 forms of ID, but the second one can be weak, as in no photograph like a vehicle registration.

  • (Score: 3, Interesting) by bzipitidoo on Thursday August 21 2014, @05:53PM

    by bzipitidoo (4388) on Thursday August 21 2014, @05:53PM (#84026) Journal

    I think this UPS store problem would never have happened if the US used the newer credit cards with chips and PINs. Banks in the US have been real slow about making the switch.

    Could it really be cheaper to continue to suffer losses that a chip and PIN credit card system can prevent? Maybe the US is better at catching fraud? The US does have one of the highest prison populations in the world. Maybe some of those prisoners are the sorts of petty thieves who in other countries would be let back on the streets.

    • (Score: 2) by HiThere on Thursday August 21 2014, @06:34PM

      by HiThere (866) Subscriber Badge on Thursday August 21 2014, @06:34PM (#84032) Journal

      If I understand the problem correctly, your proposed approach wouldn't have solved anything. The problem wasn't forged cards being used, it was that malware got into their system, and they aren't encrypting all transactions at the router (does anyone?). This allows the malware to read the card information either as the cards are presented or from stored records and to transmit it to an external recipient. Your proposed approach doesn't even address this area of weakness. It's also not clear whether this is a new problem or one that has been just recently detected. Also why only 51 stores? Those stores must have something in common. Possibly the same technician made the same configuration mistake in all of them.

      Without more information the only reasonable decision about what happened is to avoid using a credit card at UPS for a while. And to read your statements very carefully for the next few months.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 2) by emg on Thursday August 21 2014, @06:55PM

        by emg (3464) on Thursday August 21 2014, @06:55PM (#84043)

        As I understand it, the card number is much harder to abuse in a PIN-based system, because the chip on the card authenticates the transaction. Sure, you can take that card number and try to make online purchases, but then it asks you for the CVV, which you don't have.

        In all the cases I remember of people stealing card numbers and PINs, they used that info to create fake cards and used them for cash withdrawals in countries where they still read the magnetic stripe so the chip wasn't being used for authentication.

        • (Score: 2) by HiThere on Thursday August 21 2014, @07:12PM

          by HiThere (866) Subscriber Badge on Thursday August 21 2014, @07:12PM (#84052) Journal

          Well, if all they store is the credit card number, that would make sense. But they also need to read the pin#, don't they? What's to keep them from storing that, also?

          The only way I see around this is if the card contained a computer that would verify that it was valid for that card#, and didn't reveal the hash that it used to determine this. That, however, would be more difficult to make. And you'd still need the centralized connection to verify that the card hadn't been canceled or overdrawn or some such. So it's my expectation (without knowing the system) that the chip is just a computer readable pin that is matched against the card# with some sort of standard algorithm.

          --
          Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
          • (Score: 2) by emg on Thursday August 21 2014, @07:56PM

            by emg (3464) on Thursday August 21 2014, @07:56PM (#84066)

            "The only way I see around this is if the card contained a computer that would verify that it was valid for that card#, and didn't reveal the hash that it used to determine this"

            As I understand it, when you enter the PIN, the chip verifies that it's correct, and produces some kind of authentication code to tell the bank that it verified the PIN. So knowing the PIN doesn't help, if you don't also have the card.

            • (Score: 2) by HiThere on Friday August 22 2014, @06:59PM

              by HiThere (866) Subscriber Badge on Friday August 22 2014, @06:59PM (#84441) Journal

              Could be. How does the verification get transmitted to the central site? Or does it? Is this mainly a way to allow off-line verification of credit card purchases?

              I've never used the system so I don't understand it. I was under the impression that the card responded to the reader with the card's PIN code, and a computer attached to the reader verified it as valid, possibly after interrogating a central site. If this is, instead, more like the PIN used with debit cards then there is a different set of problems.

              --
              Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
          • (Score: 4, Informative) by tibman on Thursday August 21 2014, @08:15PM

            by tibman (134) Subscriber Badge on Thursday August 21 2014, @08:15PM (#84076)

            Typical chipped cards have a small processor of sorts. The authenticator sends a challenge to the card. The on-board processor creates a response and returns it to the validator. The transaction is authorized because the card proved that it is the original. Never did the secret code leave the card. A replay attack can't be used because the credit-card authority is the one generating challenges for each transaction.

            You are right though that this does not solve the original problem. The card details were still copied. It would only prevent those details from being used in a fraudulent transaction.

            --
            SN won't survive on lurkers alone. Write comments.
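
The challenge-response flow described in the comment above, as an added example that is not part of the original post. HMAC-SHA256 over a shared key stands in for the card's real cryptogram algorithm, and the `Card`/`Issuer` classes and the card number are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, challenge: bytes, pan: str, amount_cents: int) -> bytes:
    msg = challenge + pan.encode() + amount_cents.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Chip holding a secret key that is used to sign but never exported."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key

    def respond(self, challenge: bytes, amount_cents: int) -> bytes:
        return _mac(self._key, challenge, self.pan, amount_cents)


class Issuer:
    """Card authority: knows each card's key and issues one-time challenges."""

    def __init__(self):
        self._keys = {}     # pan -> key
        self._pending = {}  # challenge -> pan, removed on first use

    def enroll(self, pan: str) -> Card:
        self._keys[pan] = secrets.token_bytes(32)
        return Card(pan, self._keys[pan])

    def new_challenge(self, pan: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[challenge] = pan
        return challenge

    def authorize(self, pan, challenge, amount_cents, response) -> bool:
        # pop() makes every challenge single-use; this is what defeats replay.
        if self._pending.pop(challenge, None) != pan or pan not in self._keys:
            return False
        expected = _mac(self._keys[pan], challenge, pan, amount_cents)
        return hmac.compare_digest(expected, response)


def demo():
    issuer = Issuer()
    card = issuer.enroll("4000000000000002")  # constructed test number
    c1 = issuer.new_challenge(card.pan)
    r1 = card.respond(c1, 1999)
    genuine = issuer.authorize(card.pan, c1, 1999, r1)
    # Malware on the terminal recorded (pan, c1, r1) and submits it again.
    replay_same = issuer.authorize(card.pan, c1, 1999, r1)
    replay_new = issuer.authorize(card.pan, issuer.new_challenge(card.pan), 1999, r1)
    # A copied card number without the chip's key cannot answer a challenge.
    clone = Card(card.pan, secrets.token_bytes(32))
    c3 = issuer.new_challenge(card.pan)
    cloned = issuer.authorize(card.pan, c3, 1999, clone.respond(c3, 1999))
    return genuine, replay_same, replay_new, cloned
```
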
      • (Score: 2) by strattitarius on Thursday August 21 2014, @06:59PM

        by strattitarius (3191) on Thursday August 21 2014, @06:59PM (#84045) Journal
        "Also why only 51 stores? Those stores must have something in common. Possibly the same technician made the same configuration mistake in all of them."

        Could be configuration settings, but there is also a good possibility that 51 locations had an employee open DistrictSalaryReport.xls.exe.
        --
        Slashdot Beta Sucks. Soylent Alpha Rules. News at 11.
      • (Score: 2) by edIII on Thursday August 21 2014, @07:58PM

        by edIII (791) on Thursday August 21 2014, @07:58PM (#84067)

        > and they aren't encrypting all transactions at the router (does anyone?)

        They didn't need to do so in order to achieve a high level of security, and that's worse IMO. All that is required is that the card readers are isolated on their own VLAN. That is more or less easily achievable for just about any IT guy out there. Managed switches capable of VLANs (preferable to a card reader managing it) are cheap compared to giving all affected customers complimentary ID theft protection services.

        Once it's on its own network you only need some firewall rules...

        VLAN_CREADER >> WAN - IP whitelist filter
        VLAN_CREADER >> LAN - Blocked
        VLAN_CREADER >> LAN - Exception for integration with inventory and POS systems

        That's not impossible at all. In fact, it's fairly banal as far as network administration goes. While not foolproof, all outbound traffic is heavily restricted with all outbound traffic being directed towards credit card/corporate servers. Attackers would be forced to compromise those servers (DNS/CDN hijacking) to redirect traffic to drop servers.

        This is what I came up with in 5 minutes. It addresses physical access by eliminating communications with drop servers. They need to come back to retrieve the data. Isolating the systems on their own VLAN and so heavily restricting outbound traffic makes attackers compromising the card readers from the outside fairly hard as well.

        You also get the added benefit (since Internet is up and running) to centralize all traffic to corporate servers and let them handle all the billing. So many possibilities and use cases beyond security.

        So it's not that we don't know how to really step up the level of security, it's that the people making the decision to fund it tend to not be sophisticated enough to understand it. It's an expense that doesn't really provide any ROI and hard to justify to the higher ups.

        The McDonald's class action lawsuit possibility opened up by new case precedence with franchise law looks promising. Hold UPS responsible to the data breaches at the mom-and-pop owned franchises. Let's say any corporation with over 10 million per year in profits is required to meet certain data security standards like DSS-PCI. That law *ALONE* would be pretty earth shaking. A lot of bitching, but the increased costs are negligible for large corporations.

        I think that's the other end of the equation, and that's how to isolate and lock down equipment in the field. Technically, it's not impossible to implement what I said at a small scale. Just a little more expensive, which UPS corporate should be subsidizing.

        Also, I think it's interesting to note that these breaches happen *where* they happen. It's all on "old guard" type equipment without a real network engineer to be seen, let alone somebody approaching it with a security mindset.

        I'm betting the mom-and-pop store that had chosen some goofy setup with their iPad and a swipe reader feels pretty good right now about their decision against the multi-thousand dollar per station corporate setups...

        The future of franchising like this is to roll up security, payment systems, CRM, inventory, etc. as just another benefit of being a franchise member. It's clear you can't rely on underfunded and unsophisticated stores for security.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
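
The card-reader VLAN policy sketched in the comment above, written out as an added example that is not part of the original post. It assumes a first-match firewall, which is why the POS/inventory exception is listed before the LAN block; every address and port is a constructed value from documentation and private ranges.

```python
import ipaddress

# Ordered, first-match rules for traffic leaving the card-reader VLAN.
# Fields: action, destination network, destination port (None = any), reason.
RULES = [
    ("allow", "192.168.10.20/32", 8443, "LAN exception: POS/inventory host"),
    ("deny",  "192.168.0.0/16",   None, "LAN blocked"),
    ("allow", "203.0.113.10/32",  443,  "WAN whitelist: payment processor"),
    ("allow", "198.51.100.5/32",  443,  "WAN whitelist: corporate server"),
    ("deny",  "0.0.0.0/0",        None, "default deny"),
]

# Constructed outbound flows seen from the card-reader VLAN.
SAMPLE_FLOWS = [
    ("203.0.113.10", 443),    # card authorization
    ("192.168.10.20", 8443),  # inventory/POS integration
    ("192.168.10.20", 22),    # same host, port outside the exception
    ("192.168.1.50", 445),    # file share on the office LAN
    ("192.0.2.77", 443),      # unknown internet host, not on the whitelist
]


def decide(dst_ip: str, dst_port: int):
    """Return (action, reason) for one outbound flow from VLAN_CREADER."""
    dst = ipaddress.ip_address(dst_ip)
    for action, net, port, reason in RULES:
        if dst in ipaddress.ip_network(net) and port in (None, dst_port):
            return action, reason
    return "deny", "no rule matched"


def audit(flows):
    """Return the flows the policy drops; these are the ones worth alerting on."""
    return [(ip, port) for ip, port in flows if decide(ip, port)[0] == "deny"]


if __name__ == "__main__":
    for ip, port in SAMPLE_FLOWS:
        print(f"{ip}:{port} ->", *decide(ip, port))
```
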
    • (Score: 0) by Anonymous Coward on Thursday August 21 2014, @07:04PM

      by Anonymous Coward on Thursday August 21 2014, @07:04PM (#84048)

      > I think this UPS store problem would never have happened if the US used the newer credit cards with chips and PINs.

      Chip and Pin will stop this kind of fraud, but the crimes will just shift. Instead of stealing a CC# they will steal all the other information in the transaction and use that - for example, if they know what you bought at Target they can call you up and impersonate the bank by telling you what you bought; after all, who else would know the list of your purchases other than the bank? It won't work 100% of the time, but CC# theft doesn't work 100% of the time either. I'm sure there are plenty of other ways to exploit that information too; given enough of them and enough persistence, criminals are clever.

      • (Score: 2) by emg on Thursday August 21 2014, @07:59PM

        by emg (3464) on Thursday August 21 2014, @07:59PM (#84069)

        But then what? What does impersonating the bank gain them?

        About the only thing I could see is if they could then convince you to give them the CVV so they could make fraudulent online purchases.

        • (Score: 0) by Anonymous Coward on Thursday August 21 2014, @08:16PM

          by Anonymous Coward on Thursday August 21 2014, @08:16PM (#84077)

          Lots of things, just off the top of my head:

          (1) Man in the middle for opening new credit accounts and/or changing the address on your current credit card so they can trick the bank into shipping them a replacement card.

          (2) Access to other accounts at the same bank so as to drain your savings account.

          • (Score: 2) by emg on Thursday August 21 2014, @11:16PM

            by emg (3464) on Thursday August 21 2014, @11:16PM (#84142)

            Only if people are retarded enough to tell them their online password, which the bank has no reason to request.

            It's true, that does happen: a politician in my parents' town famously gave their PIN to the crooks who stole their bank card and then called them to ask for that PIN. But you do have to be politician-level stupid to do so.

            • (Score: 0) by Anonymous Coward on Friday August 22 2014, @12:04AM

              by Anonymous Coward on Friday August 22 2014, @12:04AM (#84152)

              > Only if people are retarded enough to tell them their online password,

              Don't be that guy.

              Even the people suspicious enough not to hand out passwords won't necessarily balk at things like answers to "secret questions" that will let the hackers into their email accounts and thus able to request a password reset.

              Personal information can be exploited in all kinds of ways; your lack of imagination doesn't stop the people looking to get rich.

  • (Score: 2) by kaszz on Friday August 22 2014, @12:13AM

    by kaszz (4211) on Friday August 22 2014, @12:13AM (#84155) Journal

    Is the common factor that Point-of-sales terminals are running Microsoft software which is by definition very easily infected? If so perhaps it's time to change that..

    And then it's this reliance on unencrypted and unauthenticated CC numbers instead of pin & chip. Completely crazy.

    Finally, as others have said: make it isolated with VLAN. Otoh, the real problem is usually the management! The fish rots from the head down..

    • (Score: 0) by Anonymous Coward on Saturday August 23 2014, @02:53PM

      by Anonymous Coward on Saturday August 23 2014, @02:53PM (#84671)

      This man speaketh the truth!