posted by Fnord666 on Monday February 03 2020, @05:38PM
from the who's-in-your-wallet? dept.

Skimming heist that hit convenience chain may have compromised 30 million cards:

The Wawa chain of convenience stores said in December that it had discovered card-skimming malware on point-of-sale machines at just about all of its 850 stores. The infection began rolling out to the store's payment-processing system on March 4 and wasn't discovered until December 10. It took two more days for the malware to be fully contained. The malware collected payment-card numbers, expiration dates, and cardholder names.

On Monday night, dark Web site Joker's Stash began uploading stolen data for what it claimed were 30 million payment cards, researchers from fraud intelligence service Gemini Advisory reported in a blog post. Joker's Stash is one of the biggest dark Web marketplaces for buying stolen payment-card data. The anonymous site has named the latest haul "BIGBADABOOM-III." While the site didn't identify the Wawa hack as the source of the data, Gemini researchers said they were able to determine that was the case.

If the Joker's Stash claims are true, the Wawa hack would be among the biggest payment-card breaches in history, behind the 2014 breach of Home Depot, which lost personal data for 50 million customers, and the 2013 breach of Target stores, which lost 40 million sets of data. Because the Wawa infection affected point-of-sale machines for as many as 850 locations and wasn't detected for nine months, the malware had plenty of opportunity to collect massive amounts of sensitive data.

[...] Anyone who has used a payment card at a Wawa location from March to December of last year should check billing statements extra closely. Wawa is offering affected customers one year of credit monitoring, but the effectiveness of these services is questionable. A more effective measure is to place a security freeze on credit files. Freezes prevent creditors from accessing credit files at the three national credit reporting bureaus unless the consumer explicitly consents.

Previously:
PoS Malware Skimmed Convenience Stores' Customers' Card Data for 8 Months

  • (Score: 2) by FatPhil on Monday February 03 2020, @09:51PM (11 children)

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday February 03 2020, @09:51PM (#953309) Homepage
    One thing I was promised, in the early days of chip & pin (in Europe), was that the terminals would be physically tamperproof and only run validated software (secure boot, signed images, etc.). A shitty app running on a commodity iPad is quite a leap from there. Where did things change?

    I'd say the blame lies squarely at the feet of the shitty vendor. And by blame, I mean crippling lawsuits and $$$ - simply not fit for the purpose (provably secure handling of transactions).
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2) by FatPhil on Monday February 03 2020, @09:59PM (10 children)

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday February 03 2020, @09:59PM (#953314) Homepage
    Yikes - I'm afraid to Google any more to find out what the "something you have" + "something you know" side of the transaction authentication actually is (C&P? NFC?) as I just encountered this page title as the 2nd Google hit for my search:
        "Shell, Revel Partner on Cloud-Based POS Platform"
    The mind boggles.
    • (Score: 2) by FatPhil on Monday February 03 2020, @10:23PM (9 children)

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday February 03 2020, @10:23PM (#953321) Homepage
      """
      Safe and Secure Servers – Revel’s hardware, software, and network are PCI-DSS compliant. Sensitive credit card information is encrypted and never stored. Revel’s Data centers are PCI compliant and SAS 70 Type II certified. All data is encrypted and backed up on a regular basis, and single location businesses operate on their own database.
      """

      PCI-DSS, eh? So who audited/certified them? May as well get 2 boobs out of the market with one stone.
      • (Score: 1) by khallow on Tuesday February 04 2020, @05:20PM (8 children)

        by khallow (3766) Subscriber Badge on Tuesday February 04 2020, @05:20PM (#953655) Journal

        PCI-DSS, eh? So who audited/certified them?

        Credit card companies need no certification. Big dog eats first.

        • (Score: 2) by FatPhil on Tuesday February 04 2020, @07:54PM (7 children)

          by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Tuesday February 04 2020, @07:54PM (#953734) Homepage
          Revel aren't a credit card company, as far as I can tell (their web presence is between obfuscated and obliterated).
          • (Score: 1) by khallow on Tuesday February 04 2020, @08:15PM (6 children)

            by khallow (3766) Subscriber Badge on Tuesday February 04 2020, @08:15PM (#953753) Journal
            PCI-DSS [wikipedia.org] is a credit card industry project.
            • (Score: 2) by FatPhil on Tuesday February 04 2020, @08:35PM (5 children)

              by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Tuesday February 04 2020, @08:35PM (#953771) Homepage
              No, it's a standard. Revel are claiming compliance - so must have been awarded that by some entity.
              • (Score: 1) by khallow on Tuesday February 04 2020, @08:46PM (4 children)

                by khallow (3766) Subscriber Badge on Tuesday February 04 2020, @08:46PM (#953779) Journal
                Try looking here [wikipedia.org]:

                The Payment Card Industry Security Standards Council was originally formed by American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. on 7 September 2006,

                • (Score: 2) by FatPhil on Tuesday February 04 2020, @09:43PM (3 children)

                  by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Tuesday February 04 2020, @09:43PM (#953809) Homepage
                  Many many standards and standards bodies are formed from consortia of interested companies. You've added no new bits to the conversation.
                  • (Score: 0, Redundant) by khallow on Wednesday February 05 2020, @04:25PM (2 children)

                    by khallow (3766) Subscriber Badge on Wednesday February 05 2020, @04:25PM (#954263) Journal
                    Point is that you asked who certified PCI-DSS. It was by the credit card companies themselves. One consequence is that such messes as what happened with Wawa will generate liability for Wawa and Revel, not for the credit card companies even though they indirectly approved the scheme.
                    • (Score: 2) by FatPhil on Wednesday February 05 2020, @08:38PM (1 child)

                      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday February 05 2020, @08:38PM (#954398) Homepage
                      > Point is that you asked who certified PCI-DSS.

                      No I did not. Go upthread and reread for comprehension.
                      • (Score: 1) by khallow on Thursday February 06 2020, @06:32AM

                        by khallow (3766) Subscriber Badge on Thursday February 06 2020, @06:32AM (#954658) Journal
                        Hmmm, looking back at the original quote:

                        PCI-DSS, eh? So who audited/certified them?

                        I thought you meant who certifies the certifiers? Sorry for misreading that.