Tag Archives: debit card

Breach Brief – Macy’s, Adidas

Macy’s department stores has reported a data breach of customer data. The breach affects Macy’s online customers and exposed names, addresses, phone numbers, email addresses, birthdays, and credit and debit card numbers with expiration dates. Macy’s pointed out that it does not store credit verification values (CVV) or Social Security numbers in its online customer profiles. Macy’s has reported the data breach and exposed card numbers to payment processors Visa, MasterCard, American Express and Discover. Macy’s has not said how many customers are impacted.

According to Macy’s, the breach took place between April 26 and June 12. The company reported that an “unauthorized third party” had obtained usernames and passwords and was able to log into the online profiles of shoppers at Macy’s and its subsidiary Bloomingdale’s. It is not known how the hackers got the information. Macy’s reported the breach in a letter to the New Hampshire Attorney General’s Office on July 2nd.

Macy’s has frozen any customer profiles with suspicious activity until the customers change their passwords.

“We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures,” the company said in a statement. “Macy’s, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services.”

 

Adidas

Adidas, maker of sportswear and equipment, issued a warning to online shoppers in the U.S. that their personal information may have been compromised as a result of a suspected data breach. Adidas first became aware of the incident on June 26 and analysts are saying that potentially millions of customers could be affected.

A preliminary investigation revealed that the hacker may have stolen customers’ contact information, usernames and encrypted passwords. Adidas does not believe any credit card or health and fitness information was compromised.

A statement on Adidas’ website read: “According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.” The company is in the process of notifying affected customers.

Breach Brief – Chili’s

Popular restaurant chain Chili’s has issued a statement reporting a data breach of its payments system. According to the statement, Chili’s became aware of the breach on May 11th of this year and admitted that some customers’ payment information was compromised. The data breach is believed to impact patrons who ate at the chain between March and April of 2018. Chili’s is owned by Dallas-based Brinker International, Inc.

The breach is believed to have been carried out by malware inserted into payment systems that gathered payment information including credit and debit card numbers as well as cardholder names. The company has not specified which of its 1,600 locations were affected by the data breach or how many customers are impacted.

Officials of the restaurant chain have contacted both law enforcement and third-party forensic experts as part of the investigation. Chili’s reports it’s trying to provide fraud resolution and credit monitoring services for affected customers and it will share more information as it becomes available. The company will notify customers affected by the breach and plans to offer free identity theft protection services through ID Expert’s MyIDCare. The company is advising customers to be vigilant for possible fraudulent charges on their credit or debit cards and for indications of identity theft.

Brinker International also owns Italian eatery Maggiano’s which is unaffected by the breach.

Breach Brief – Panera Bread, Saks Fifth Avenue, Orbitz

Panera, a popular bakery-cafe, has admitted its website was leaking data. According to Brian Krebs of KrebsOnSecurity.com, Panera allegedly failed to fix issues with its website it knew about for nearly eight months. Panera Bread has over 2,100 outlets nationwide.

Cyber security researcher Dylan Houlihan notified the company of a data leak in early August 2017. Mike Gustavison, Panera director of information security, was informed of the flaw and said the company was “working on a resolution.” Despite this statement the flaw was not repaired.

Data records that leaked out contain the names, email and physical addresses, birth dates and the last four digits of the credit card numbers of Panera customers. 

Only after Krebs spoke directly with Panera chief information officer John Meister was the site shut down briefly and the data secured.  The number of customers whose data may have been compromised is estimated at 37 million.

A statement from Panera Bread said: “Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

The company urges its customers to be alert for any fraudulent activity in their bank or credit accounts.

Saks Fifth Avenue/Lord & Taylor

Saks Fifth Avenue and Lord & Taylor reported a data breach affecting millions of its customers.

According to the company “a well-known ring of cybercriminals” had stolen more than 5 million credit and debit card numbers from customers. According to the New York Times the cyber criminals were able to pull off this massive heist by implanting software into the cash register systems.

Although it is early in the investigation, the hack appears to have only affected card numbers and not social security or driver’s license numbers.

The majority of the affected credit cards appear to have been used at Saks and Lord & Taylor stores between May 2017 and March 2018, and only at stores in the New York-New Jersey area.

Both Saks 5th Ave. and Lord & Taylor are owned by the Canadian company Hudson’s Bay. The company issued the following statement: “We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America. We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”

Orbitz

The popular travel booking site Orbitz announced that its legacy site, Amextravel.com, was compromised due to a data breach. Data of 880,000 customers was compromised from January 1, 2016 through December 22, 2017.

According to the company credit or debit card information was stolen along with personal information that includes the customer’s full name, date of birth, phone number, email address, physical and/or billing address and gender.  

Orbitz plans to notify all customers whose information may have been compromised and is providing potential victims a free year of credit monitoring services. Customers can contact Orbitz for the free service either online or by calling 855-828-3959 toll-free.

 

Breach Brief – Chipotle Hit By Nationwide Data Breach

Chipotle restaurants have been hit by a major nationwide data breach of its payment systems. The restaurant chain was infected with malware that stole customer payment data from March 24th to April 18th. According to the company, hackers have stolen customer payment data from nearly all of its 2,250 restaurants. The stolen data includes account numbers and internal verification codes that could be used to drain customers’ debit card accounts or clone their credit cards. Chipotle didn’t reveal the details of the attack or affected locations until Friday, May 26th.

The restaurant locations attacked include many in major U.S. cities. Chipotle spokesman Chris Arnold said that “most, but not all restaurants may have been involved.”

Chipotle’s blog reported, “During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures.”

Chipotle, working with an unnamed cyber security firm, reported it had completed its investigation. Law enforcement and payment card networks were also involved in the investigation. Although the company did not give exact numbers, it did say that “many” customers’ payment information was compromised.

According to Chipotle’s security alert the point-of-sale (POS) malware attack went on for three weeks. “The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected.”

For customers of Chipotle the company has set up a tool to search if their local restaurant was hit by the malware. Check the Chipotle security alert.

Customers of Chipotle are warned to closely monitor their credit card and debit accounts for unusual activity.

 

Breach Brief – Verifone

Verifone, the largest maker of payment terminals, reported it is investigating a data breach of its systems. The company provides terminals and services to merchants that allow consumers to swipe credit and debit cards. The terminals can be found at a variety of businesses, including retailers, taxis, and gas stations. Verifone claims the hack was contained to its corporate networks.

An urgent email was sent to all company employees and contractors on January 23rd. The email warned them to change their company passwords within 24 hours. Employees were also notified that installing software of any kind on company computers and laptops was no longer permitted. Verifone has not said what or how much data was possibly compromised or when the breach occurred.

Verifone was notified by credit card providers Visa and Mastercard a few days prior to Verifone’s employee alert. 

According to Verifone, about two dozen point-of-sale payment systems at gas stations were targeted. However, the situation could be more serious. Experts say that such small intrusions into payment systems are a precursor to larger attacks. Cyber criminals may have learned enough about Verifone to attack the payment systems at a later date, sometimes months or years later. This leaves many consumers open to being victimized.

The company operates in 150 countries and employs 5,000 people. 

Breach Brief – U.S. Navy, Madison Square Garden

The United States Navy announced on Wednesday that hackers have gained access to sensitive personal information of more than 130,000 current and former sailors. The information lost includes names and social security numbers.

According to Navy officials, the information was contained on a laptop computer belonging to Hewlett Packard Enterprise Services, a Navy contractor. The firm first notified the Navy on October 27.

Chief of Naval Personnel Vice Admiral Robert Burke issued a statement saying: “The Navy takes this incident extremely seriously. This is a matter of trust for our sailors.” He then went on to add that the investigation is still in its “early stages.”

The Navy is reacting by following all required procedures to notify and protect sailors affected by the breach. Officials stated that additional information on the breach would be provided to affected sailors as it becomes available. Sailors will also receive credit monitoring service options in the future. The Navy insisted: “There is no evidence to suggest misuse of the information that was compromised.”

This is the second major loss of Navy data involving Hewlett-Packard. According to the Navy Times HP reported to the Navy in 2013 that Iranian hackers compromised the unclassified Navy and Marine Corps Intranet.  Navy Times reported the personal data came from the Career Waypoints database, known as C-WAY, which sailors use to submit re-enlistment and Navy Occupational Specialty requests.

The iconic Madison Square Garden Company reported malware in its payments systems has been capturing payment-card data for more than a year.

On Tuesday MSG warned customers the breach had exposed customer data found on the magnetic stripes of credit cards. Data collected included card numbers, cardholder names, expiration dates, and internal verification codes.

Madison Square Garden properties affected include the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater, and Chicago Theater. MSG has not announced how many cards are compromised but millions of people visit the properties annually.

Online Holiday Shopping 2016 – Security Basics

Twice a year scammers crawl from underneath rocks and other nasty places to celebrate special holidays. First, tax season, then the holiday season. African-Americans using the Internet for holiday shopping need to be on guard against cyber crime. Being aware of the scams and hazards can make a big difference in your holiday celebrations.

The African-American Cyber Report is offering black people another season of valuable safety information to protect your holiday season, so let’s get started.

 

Card Skimming

Card skimmer courtesy of BBB.org

Card skimming is actually pretty simple. Your credit or debit card information is copied when you swipe your card at a retailer or ATM. Cyber thieves install almost invisible devices or special software on retail card readers. This allows them to duplicate your card and steal your PIN. It’s as simple as that. So how do you protect yourself?

First of all, if something does not look or feel right, stay away. For example, is the face of the card reader loose or does it look kind of sloppy? Exposed glue or loose fitting parts? Do the buttons require more effort than normal to press? Does your card have to be swiped several times to work properly? Here’s a trick: pull or tug at the face of the reader. It may come off in your hand. Do the same at ATMs. Check those buttons. Try to move them or lift the key pad. Check the card insert. Pull on that. Check to see if there is something in the slot or protruding from it. You have got to be alert! If you find any of these things, notify the retailer, and your bank if you have used it.

If possible use your credit card and not your debit card. It is extremely hard to get your money back from a bank debit card. But a credit card transaction can be cancelled and you will normally not be charged. Skimmers can be found anywhere even at Walmart.

RFID Card Protection

This is less likely but does happen. Your credit and debit card are sometimes equipped with a feature allowing you to charge things with a quick tap of the card on the pay terminal. You may have one of the cards with brands like PayPass, ExpressPay, or PayWave.

These cards have RFID (radio frequency identification) chips. With the right equipment criminals can scan your card and steal your card’s data. Protect your card by using a RFID blocking sleeve, or an RFID wallet available online at retailers like Amazon.

But as we said before this is not likely. An RFID reader has poor range so the scammer would have to be standing awfully close to read your card. Keep that in mind when you are fighting that crowd on Black Friday. 

 

EMV or Chip Cards Safety

You should by now have the credit card with the EMV chip embedded in it. If not, contact your bank or card provider and ask for it. That chip is used to encrypt the transaction data when you charge something.

The objective of the chip card was to reduce card fraud. This technology is not perfect. Some retailers have failed to switch to EMV even though the deadline passed in 2015. Why? Retailers and customers complain that the process is too slow. Chip cards have reduced point-of-sale fraud. But the crooks have worked around it. The latest hazard is fraudulent “card-not-present” transactions online. Criminals can obtain the credit card number, security code, and expiration date from criminal websites that sell this information. Personal information like your dog’s name or your mother’s birthday can be found on Facebook. They use this information to hijack your online accounts. That’s what happens when you put too much of your business online.

 

Tech Support Scams


New tablets, laptops, smartphones and big screen televisions are big sellers on Black Friday. Tech support scams are common all year round but the efforts by scammers increase during the holidays.

These scammers are intent on getting you to pay for support or software that you don’t need or that simply doesn’t exist. This includes extended warranties. They email you with a sales pitch or issue warnings from what appears to be a Microsoft representative. Be aware! Anti-virus companies do not call you to let you know you have a computer virus. Don’t ever agree to let anyone access your computer from a remote location. Don’t download any software online that you are not sure of. If you don’t have the expertise to know, then consult a professional.

Computers often come with a ton of useless software or games. This is known as bloatware or crapware. Be careful! These programs can cost you money. They often entice children and adults to buy things without them even realizing it.

 

Phony Bank Calls

During the holiday season you are using your bank and debit cards more often. Beware if someone claiming to be your bank or credit card company calls you. Remember when it comes to your money you should be asking the questions.

Scammers will call victims claiming to be investigating card fraud or suspicious activity. They will ask questions that reveal your personal information like your credit card number or PIN. Don’t answer these questions. Hang up and call your bank from a number you know. Or stop by in person. These scammers are professionals at alarming you and getting you to reveal information used to rip you off.  When it comes to your money only deal with people you know and trust. Never, ever reveal any personal information to a voice over the phone.

 

Email and Phishing Scams

Image courtesy of David Castillo Dominici, freedigitalphotos.net

Be careful where you click! Be extremely cautious about clicking on or downloading coupons in your email. It may be ransomware. This is a malicious software program that locks up your computer until you pay to get it released. It happens a lot and is one of the hottest computer scams going on right now.

Clicking on the wrong email may release malware onto your computer that steals information, monitors your activity and changes your settings. It may even secretly take control of your computer and email itself to all your contacts. Understand that scammers can duplicate an email from Macy’s, Walmart and any other major retailer. Check the return email address to make sure you know who it’s from. Check the retailer’s website for information regarding sales, coupons and possible scams.

Be careful about holiday contests. When you fill out a contest form you may be giving out personal information. Same for holiday coupons that ask for your name, email address and other personal information.

This holiday season; Be Alert! Be Aware!

 

 

 

Breach Brief – Wendy’s

It seems that the Wendy’s data breach was worse than thought. The AACR first reported the data breach in January. Now we are seeing the real damage. Wendy’s has admitted that the data breach was first suspected of affecting only a few hundred of its restaurants. Now the truth comes out and the number is over 1,000.

Wendy’s has released a searchable list of all the restaurants affected by the breach.

Originally Wendy’s believed that only 300 of its 5,700 franchises were breached. Wendy’s notified its customers and the public in February of the breach when it discovered evidence of malware in its POS systems.

Wendy’s has issued the following statement regarding the expanding breach.

“Based on the facts known to Wendy’s at this time, the additional malware targeted the following payment card data: cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code. Please note that the cardholder verification value that may have been put at risk is not the three or four-digit value that is printed on the back or front of cards, which is sometimes used in online transactions.”

After detecting the presence of the malware Wendy’s claimed to have disabled it. Wendy’s believes that the malware attack first took place in the fall of 2015. Wendy’s also believes that it detected evidence of at least two separate malware attacks on its systems.

Customers of the fast food chain affected by the breach will receive a year’s worth of “identity consultation” from Kroll Identity Theft Restoration if necessary. According to Wendy’s, “an experienced licensed investigator will work on your behalf to resolve related issues.”