Stories
Slash Boxes
Comments

SoylentNews is people

UPS Says 51 Stores Infected with Credit Card Stealing Malware

posted by n1 on Thursday August 21 2014, @05:22PM   Printer-friendly
from the data-breaches,-faster-than-the-speed-of-business dept.

AnonTechie writes:

Ars Technica reports:

Dozens of UPS stores across 24 states, including California, Georgia, New York, and Nebraska, have been hit by malware designed to suck up credit card details. The UPS Store, Inc., is a subsidiary of UPS, but each store is independently owned and operated as a licensed franchisee.

In an announcement posted Wednesday to its website, UPS said that 51 locations, or around one percent of its 4,470 franchised stores across the country, were found to have been penetrated by a “broad-based malware intrusion.” The company recorded approximately 105,000 transactions at those locations, but does not know the precise number of cardholders affected.

UPS did not say precisely how such data was taken, but given the recent breaches at hundreds of supermarkets nationwide, point-of-sale hacks at Target, and other major retailers, such systems would be a likely attack vector. Earlier this month, a Wisconsin-based security firm also reported that 1.2 billion usernames and passwords had been captured by a Russian criminal group.

 
This discussion has been archived. No new comments can be posted.
UPS Says 51 Stores Infected with Credit Card Stealing Malware | Log In/Create an Account | Top | 22 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by emg on Thursday August 21 2014, @07:56PM

    by emg (3464) on Thursday August 21 2014, @07:56PM (#84066)

    "The only way I see around this is if the card contained a computer that would verify that it was valid for that card#, and didn't reveal the hash that it used to determine this"

    As I understand it, when you enter the PIN, the chip verifies that it's correct, and produces some kind of authentication code to tell the bank that it verified the PIN. So knowing the PIN doesn't help, if you don't also have the card.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by HiThere on Friday August 22 2014, @06:59PM

    by HiThere (866) on Friday August 22 2014, @06:59PM (#84441) Journal

    Could be. How does the verification get transmitted to the central site? Or does it? Is this mainly a way to allow off-line verification of credit card purchases?

    I've never used the system so I don't understand it. I was under the impression that the card responded to the reader with the card's PIN code, and a computer attached to the reader verified it as valid, possibly after interrogating a central site. If this is, instead, more like the PIN used with debit cards then there is a different set of problems.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.