Common payment processing protocols found to be full of flaws

Credit card users could have their PINs stolen, and merchants could have their bank accounts pillaged, in a set of attacks demonstrated by researchers Karsten Nohl and Fabian Bräunlein at the Chaos Computing Club security conference.

Much research has been done into the chips found on credit cards and the readers and number pads used with these cards, but Nohl decided to take a different approach, looking instead at the communications protocols used by those card readers. Two are significant: the first, ZVT, is used between point-of-sale systems and the card readers; the second, Poseidon, is used between the card reader and the merchant's bank. Nohl found that both had important flaws.

The ZVT protocol was originally designed for serial port connections, but nowadays is used over Ethernet, both wired and wireless. The protocol has no authentication, meaning that if an attacker can put themselves on the same network, they can act as a man-in-the-middle between the point-of-sale system and the card reader. The attacker can then read the magnetic stripe data from the card, and can also request a PIN.


Judge rules that banks can sue Target for 2013 credit card hack

On Tuesday, a District Court judge in Minnesota ruled that a group of banks can proceed to sue Target for negligence in the December 2013 breach that resulted in the theft of 40 million consumer credit card numbers as well as personal information on 70 million customers. The banks alleged that Target had “failed to heed warning signs” that would have stymied the banks' losses.

The breach occurred between mid-November and mid-December in 2013, after hackers placed malware on Target POS systems that made it possible for them to steal credit card numbers as consumers swiped. The vast number of people affected by the breach made Target's hack the most notorious, but subsequent reports revealed that Target was only one of many big-name retail stores that had credit card data stolen—Neiman Marcus, Michaels, and later Home Depot customers were also revealed to be targets.

After the breach, multiple banks and consumers sued Target in Minnesota, where the company is headquartered. The lawsuits from both banks and consumers were grouped together into two consolidated class action complaints. Target filed a motion to dismiss the claims made by the financial institutions, but District Court Judge Paul A. Magnuson ruled that the plaintiffs' claims were valid.


Sony seeks to make a movie about the Target hack reporter

Sony Pictures has purchased the movie rights to the story of the reporter who brought the Target credit card hack to light. The Hollywood Reporter writes that the company bought the rights to the New York Times story "Reporting From the Web’s Underbelly," a profile of security reporter Brian Krebs.

Krebs broke the news of the hack back in December, when approximately 40 million credit card numbers were stolen, reportedly as a result of a malware-carrying phishing e-mail. The Times wrote about Krebs' coverage of the hack in February.

As the Times article says, Krebs is deeply embedded in the cyber security community, with friends including Russian cybercriminals who "leak him documents about their rivals" and enemies who have swatted his house and "sent fecal matter… to his doorstep."


Beware of credit-card hack affecting Chicago taxis, bank tells customers

An Illinois-based bank is urging customers to stop using credit and debit cards to pay for cab rides in Chicago until more details can be learned about a possible breach suspected of compromising the payment processor that local taxi companies use.

The warning, made Friday by First American Bank, comes amid the high-profile hack on the corporate network of Target that led to the compromise of credit card data for 40 million customers. Since then, several other large retailers have reported similar breaches or come under suspicion of being hacked. The reports are creating an environment of mistrust among payment card issuers, retailers, and consumers. In Friday's advisory, First American Bank officials put it this way:

As you’re hearing more and more in the news about the theft of debit and credit card data, we at First American Bank wanted to let you know that we are doing everything we can to ensure our customers are protected and will go to great lengths to do so.

We are advising you not to use your First American Bank debit cards (or any other cards) in local taxis. We have become aware of a data breach that occurs when a card is used in Chicago taxis, including American United, Checker, Yellow, and Blue Diamond and others that utilize Taxi Affiliation Services and Dispatch Taxi to process card transactions.

We have reported the breach to MasterCard® and have kept them apprised of details as they’ve developed. We have also made repeated attempts to deal directly with Bank of America Merchant Services and Bank of America, the payment processors for the taxis, to discontinue payment processing for the companies suffering this compromise until its source is discovered and remediated. These companies have not shared information about their actions and appear to not have stopped the breach.

Since identifying the scheme, we have continuously monitored activity on our customers’ cards. Until the situation is rectified, we will continue to close and reissue cards that have been exposed. This interruption of card services has inconvenienced our customers while they wait for a new card. This can be particularly problematic for customers who are traveling. We believe strongly that the sanctity of our customers’ ability to access their funds without such risk of interruption is a bedrock principle in customer service, and we do so only in cases of extreme risk.

We have submitted a complaint to the City of Chicago Department of Business Affairs and Consumer Protection to get its help to stop the fraud, and have shared the information we have with the appropriate authorities. We ask that you not use your card in taxis until we can advise you that this criminal activity has been stopped.

As always, please monitor your account for any suspicious activity and report it right away to (847) 952-3700. Make sure we have your most current e-mail and phone numbers on file so that we can contact you immediately in the event of another breach. Thank you for choosing First American Bank. We appreciate your business.

According to an article published Monday by KrebsOnSecurity, bank officials issued the statement 18 days after learning of a pattern of fraud on cards previously used in Chicago taxis.
