Scam of the day – January 3, 2015 – Chick-fil-A is latest company to suffer a data breach

The pattern which most data breaches of major companies follow and which I described in a column in USA Today in September http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/ has apparently happened again, this time involving Chick-fil-A, the popular fast food franchise.  As usual the pattern is that banks that constantly monitor fraudulent use of credit cards and debit cards discovered the breach, which still has not been confirmed yet by Chick-fil-A although you can expect them to do so soon.  The apparent data breach appears to have occurred in franchise locations in Georgia, Maryland, Pennsylvania, Texas and Virginia.  Chick-fil-A released the following, statement, which also follows the pattern I described in my USA Today column: “Chick-fil-A recently received reports of potential unusual activity involving payment cards used at a few of our restaurants.  We take our obligation to protect customer information seriously and we are working with leading IT security firms, law enforcement and our payment industry contacts to determine all facts.”  The data breach appears to have occurred between December 2, 2013 and September 30, 2014.

TIPS

We can expect still more of these type of data breaches to occur up until October of 2015 when stores will be required by new regulations to fully implement the use of safer (but not totally safe) smart chip credit cards.  Since October of 2013, a particular type of malware called Backoff has been used against more than 1,000 companies.  Despite FBI warnings about this type of malware which infects point-of-sale card processing devices, many companies still have not protected themselves as best they could.  It should be noted, that some retailers, such as WallMart, have already switched to the card processors for smart cards, although that will only protect you if you have one of the new smart chip cards.  You may wish to ask your credit card issuer to send you a new card with the smart chip to be ahead of the curve.

If you were a customer of Chick-fil-A during the time period described above you should carefully review your credit and debit card charges for that period (which we should all be doing regularly, in any event).  This is also a good time to remind you to put that debit card away and only use your credit card for retail purchases due to the stronger laws protecting you in the event of fraudulent use of your credit card than those that apply to fraudulent use of your debit card.  Limit your debit card use to use as an ATM card only.

Scam of the day – October 12, 2014 – Dairy Queen latest data breach victim

Dairy Queen announced a few days ago that it had become the latest company to become a victim of a major data breach at 395 of its stores by way of the infamous “Backoff” malware downloaded on to the computer systems of the affected stores by first hacking into a third-party vendor of Dairy Queen that had access to the Dairy Queen computers.  Although the data breach was only recently discovered, the actual breach occurred in August and September.  The information stolen as a result of this data breach included the names of customers, their credit card and debit card numbers as well as the expiration dates of their cards.  This is the same malware and same method of implanting the malware that was first used on a large scale in the Target data breach and repeated in numerous other data breaches since then.  In fact, I wrote a column for USA Today on September 27th entitled “Coming soon:  Another major retailer hacked” in which I provided a fill-in-the-blank format for the stories of future data breaches in which I predicted exactly how they would occur in the future which is precisely what happened at Dairy Queen.  Here is a link to that column: http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/

TIPS

As I so often say, you are only as safe as the places you do business with who have the weakest security.  Despite government warnings last July to retailers about the dangers of the “Backoff” malware, thousands of retailers have still not taken the necessary steps to protect their computer systems.  All that we can do is to refrain from using debit cards for retail purchases and only use credit cards.  The laws protecting you from fraudulent use of debit cards are not as strong as those that pertain to fraudulent use of credit cards.  Also, since there is always a time lag from the time that the data breach actually occurs and when the company realizes that it has been hacked, it is important to regularly monitor your credit card statements for fraudulent purchases.

Scam of the day – August 29, 2014 – J.P. Morgan and other banks hacked

The FBI is investigating an apparent hacking of banking giant J.P. Morgan and as many as four other banks by what initially appears to be sophisticated hackers from Eastern Europe.  Some are theorizing that the hacking was sponsored by the Russian government in retaliation for sanctions brought against Russia in the wake of its actions in relation to Ukraine.  Much sensitive data was compromised and stolen as a result of the hacking.  The initial investigation appears to be focusing on the exploitation of computer programs used by a J.P. Morgan employee to work from a remote location.  This type of exploitation of remote desktop software such as Microsoft’s Remote Desktop, Apple’s Remote Desktop, Chrome’s Remote Desktop, Splashtop, Pulseway and LogMein that enable the convenience of logging into a company’s computers from an off site location has proven to be a major security flaw that has been continually exploited in company after company for quite a while going back to Target’s hacking last year to the recent UPS hacking.  I have warned people about this flaw for sometime and the FBI has warned American businesses to watch for this.

TIPS

Banks are a frequent target of cyberattacks and American banks have generally done a good job in recent years in protecting data, however, as this latest hacking shows, more needs to be done, particularly in regard to the particular type of malware used in this attack which may be or be similar to the “Backoff” malware I have been warning about.  As for we as consumers, there is little we can do other than to carefully monitor all of our accounts, only use credit cards rather than debit cards for retail purchases and limit the amount of personal information you provide to any company or governmental agency with which you do business.  This will not be the last major hacking exploiting this flaw to occur.

Scam of the day – August 25, 2014 – “Backoff” malware stealing millions of credit card and debit card data

In my Scam of the Day for August 1, 2014 I first warned you about the danger of the malware referred to as “Backoff” as described in a warning issued by the Department of Homeland Security on July 31st.  Backoff is the name of a type of malware that is being used by identity thieves and hackers to infect the point of sale card processors and cash registers of retailers to steal credit card and debit card information which the hackers then sell on black market websites to other identity thieves.  This is the same malware that was used in the infamous Target data breach and more recently in the data breaches at Supervalu stores and UPS.  The malware is very hard to detect and has resulted in the the theft of millions of credit and debit cards over the last year from, according to the Secret Service, more than 1,000 companies, most of which, still do not even know that their security has been breached which is why this story keeps being repeated as new stores finally become aware of their data breaches.   The situation has gotten so dire that the Department of Homeland Security issued a new warning to retailers about Backoff and what companies should be doing.  Here is a link to the Department of Homeland Security’s most recent security alert. https://www.us-cert.gov/ncas/current-activity/2014/08/22/Backoff-Point-Sale-Malware-Campaign

TIPS

There is much that corporate America should be doing to help protect the security of its data which includes credit and debit card information on all of us.  However, there is little we, as individuals, can do to advance this process other than to put pressure on companies to provide better security including two-factor authentication and better passwords.  However, what we all should be doing is refraining from using our debit cards for retail transactions because of the limited consumer protection laws that apply when fraudulent debit card purchases are made as well as the serious inconvenience of remedying the problem if your debit card information is stolen.  We also should be carefully monitoring our credit card usage for fraudulent use in order to identify as early as possible any data breaches affecting the security of our credit cards.  The earlier you recognize that your credit card has been compromised, the easier it is to fix the problem.

Scam of the day – August 1, 2014 – Homeland Security warning about retail hackings

Everyone is aware of the epidemic of hackings of major companies, such as Target, P.F. Chang’s, Neiman Marcus, Michaels, Sally’s Beauty Supply and Goodwill Industries and, as I have repeatedly warned you, these hackings will only increase in frequency in the upcoming months.  Yesterday, the Department of Homeland Security issued  a report that details how these hackings occurred and what needs to be done to reduce them.  A major part of the problem is that more and more companies permit both their employees as well as third party contractors to access the company’s computers over the Internet.  There are many legitimate reasons for doing this, but it tremendously increases the chances of major data breaches as employees and third party contractors who may not be following proper security practices are being hacked and, in essence, providing identity thieves and hackers with access to the computers of the targeted companies.  In addition there are some inherent security flaws in the Microsoft and Apple software used by these employees and third party contractors.   Thus the hackers exploit the weakest links, which they are doing quite effectively.

The Department of Homeland Security identified a malicious software which they have called “Backoff” that, when it makes its way on to the Point of Sale credit and debit card processors, is able to steal credit and debit card information, account numbers, expiration dates of credit card and debit cards and PINs.  Backoff is a very evolved type of malware that, to date, has avoided detection by the anti-malware and anti-virus software used by companies today to protect their computers from data breaches and hackings.

TIPS

Corporate America has a lot of things it should be doing, but it is unlikely that these steps will be done in a sufficiently timely manner to stop data breaches in the upcoming months.  A switch to smartcard technology with computer chips in the credit card would render this type of credit card data unusable to identity thieves, but retailers have been extremely slow to adopt this technology.  Requiring employees and third party vendors to use stronger passwords and to change those passwords regularly would help as would the requirement of two-step verification rather than merely using passwords to provide access.  Another important step for companies to do is to limit access to the credit card and debit card processing systems by people having access to other computer systems within the company.   Credit and debit card processing systems should be isolated.

But what can we do?

The most important thing to do is to recognize that data breaches will be occurring.  Everyone should regularly monitor their credit card usage carefully to recognize security breaches as soon as possible and then to report the breach to your credit card company.  In addition, limit your use of your debit card to use as an ATM card.  Do not use it for retail purchases.  The consumer protection laws available to you if your debit card is hacked are not as strong as the laws that protect fraudulent use of your credit card.  In addition, even if you do become aware and report a breach of your debit card security right away, your access to your account will be delayed while your bank investigates the matter.