Scam of the day – September 30, 2017 – Sonic suffers potentially massive data breach

Fast food chain Sonic, which has more than 3,500 locations in 44 states has acknowledged that it had a data breach in its credit card processing systems at an undisclosed number of its restaurants potentially affecting what appears to be at least 5 million credit and debit cards.  As is often the case in massive data breaches, such as this, the hackers are now selling the stolen credit card and debit card numbers along with the zip codes of the card holders on the Dark Web, which is that part of the Internet where criminals buy and sell things.  The website Joker’s Stash is selling five million credit and debit cards for prices of between $25 and $50 per card, depending on various factors including the level of the credit card and whether it is a debit or credit card.  The fact that zip codes are including in the information being sold makes the card more valuable to a criminal who may use the card for fraudulent purposes in the geographical area where the victim lives in order to avoid having the purchase look suspicious, such as in the situation where the card holder lives in New York City and a credit card purchase occurs in Singapore.

Like many credit card and debit card data breaches, this one was made possible due to the fact that Sonic stores affected do not yet use the more secure EMV chip credit card and instead still use the old style magnetic strip credit card.

TIPS

If you have used a credit or debit card at a Sonic restaurant during the last six months, you should carefully review all of your credit and debit card purchases for indications of fraudulent use and if you find such use, report it to your credit card company or, in the case of a debit card, to your bank.

Until businesses that take credit cards switch to the newer EMV chip cards, this story will continue to occur again and again. There is no law requiring companies to switch to the EMV chip cards.  The mandate of retailers to do so is only a trade group regulation.   As for us, as consumers, the best thing we can do is to refrain from using our debit cards for anything other than as an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  Frankly, even if you were not a Sonic customer you should regularly monitor your credit card statements for indications of fraudulent use.

Scam of the day – May 28, 2017 – Chipotle data breach update

Today’s scam of the day is an update of the Scam of the day from April 28th when I first wrote about the data breach at Chipotle Mexican Grill. After  a series of food safety problems in 2015, the Chipotle Mexican Grill restaurant chain had recently regained sales, but that could change with the announcement by the company that it had suffered a data breach affecting most of its 2,550 restaurants between March 24th and April 18th. Following an all too predictable pattern, the data breach came about as a result of malware that stole credit card and debit card information from Chipotle’s card processors.  This in great part is due to the fact that Chipotle has still not updated its credit card processing equipment to handle the more secure chip credit cards as required by industry regulations.

Here is a link to Chipotle’s  updated official announcement about the data breach which, if you ate at a Chipotle’s restaurant during the relevant period, also provides a link to inform you if the particular restaurant you went to is affected by the data breach.  https://www.chipotle.com/security

TIPS

As consumers the best thing you can do is to use your EMV chip card whenever possible.  Unfortunately, Chipotle is just one of many retail establishments that still have not updated their credit card and debit card processing equipment to use EMV chip cards.  For further personal protection, don’t use your debit card for retail purchases because the protection from liability that you get regarding fraudulent use of a debit card is not as strong as the liability protection you get when using a credit card. In addition, even if you report fraudulent use of your debit card immediately to your bank, your bank account to which the card is tied will be frozen and inaccessible to you while the bank investigates the matter.

If you were a customer of Chipotle’s during the affected period, it is a good idea to carefully monitor the charges on your credit card for indications of fraudulent use.

Scam of the day – October 18, 2016 – Update on Home Depot data breach settlement

As I reported to you last year, in March of 2015 a settlement was reached between Home Depot and the plaintiffs in a class action on behalf of the 56 million victims of Home Depot’s massive data breach which occurred between April and September of 2014.  The settlement provides for a 13 million dollar fund to reimburse victims for out of pocket losses incurred  with an additional 6.5 million dollars being set aside for legal fees and other related expenses.  You are eligible to receive payments through the settlement if you used your credit or debit card at a self checkout lane at Home Depot between April 10, 2014 and September 23, 2014 and your card information was stolen.  You also are eligible for a payment if you received notification that your email address was compromised or if you specifically received a settlement notice informing you that you are a member of the class action.  Payments of as much as $10,000 will be made to claimants who suffered out of pocket losses and unreimbursed charges as a result of the data breach.  In addition, affected shoppers can receive payments of $15 per hour for time spent remedying the problems they encountered as a result of the data breach.

Similar to the major data breach at Target which occurred a year earlier, Home Depot’s computers and credit card processing equipment were hacked when a third party party vendor’s computers were hacked thereby enabling the hackers to steal the passwords necessary for the third party vendor’s to access Home Depot’s computers.  As an additional part of the settlement Home Depot committed to make greater efforts at data security.

TIPS

If you were affected by this data breach, you must file a claim and the deadline for filing a claim is October 29th which is rapidly approaching.  Here is the link to go to in order to file a claim.

https://gilardigateway.com/HomeDepotBreachSettlement/Claimant/UnKnownClaimForm

However, even if you were not a victim of this particular data breach, it is important to remember that we are only as safe as the places with which we do business that have the weakest security. Greater use of EMV smart chip credit cards will reduce the effects of data breaches aimed at gaining credit card and debit card information, but many stores still have not shifted over to the new equipment required to process EMV smart chip credit cards.  However, whenever you can, you should use your EMV chip card.

Also, do not use your debit card for retail purchases.  Limit its use to ATMs.  There are strong laws to protect you from fraudulent use of your credit card, but the laws protecting you from liability in the event of fraudulent use of your debit card are not as strong and you potentially risk losing your entire bank account to which the card is attached.  In addition, even if you report the fraudulent use of your debit card immediately, your bank will freeze your account while it investigates the breach which can be very inconvenient if you need immediate cash or have bills automatically paid from your account.

Scam of the day – November 24, 2015 – Woman pleads guilty to data breach at Michaels

Some of you may remember the 2011 data breach at Michaels, a national chain of craft stores in which 94,000 debit and credit card numbers were stolen along with the PINs for the debit cards.  Recently, Crystal Banuelos, the apparent mastermind of the scam, pleaded guilty to charges of conspiracy to commit bank fraud and aggravated identity theft.  Sentencing is scheduled for February 23, 2016 in the Federal District Court for New Jersey.  Unlike the notorious data breaches at Target and Home Depot, in this case, Banuelos and her co-conspirators physically went into 80 Michaels’ stores around the country posing as service technicians and swapped out legitimate card processing equipment for machines controlled by them that would capture the credit card and debit card information along with the PINs used with the debit cards and transmit that information electronically to Banuelos, who then used that information to create counterfeit debit cards which they used with the stolen PINs to steal $420,000 from their victims’ accounts through ATMs.

TIPS

While PINs are encrypted in a fashion that makes it all but impossible for hackers of legitimate card processing equipment to capture PINs, the use of their own equipment enabled Banuelos and her cohorts to harvest PINs as well as credit and debit card information.  However, the new EMV chip card processing devices will not be as easily manipulated to steal this information in the future.  Again the lesson for consumers is that you are only as safe as the places with which you do business that have the weakest security so it is important to regularly check your bank account and credit card accounts for evidence of any fraudulent use and report that use as soon as possible.  It is also important to refrain from using your debit card for retail purchases because if your information is compromised, your rights under consumer protection laws are not as strong as if your credit card information is compromised

Scam of the day – October 2, 2015 – Update on data breach at Trump hotels

It has just been disclosed by the Trump Hotel Collection, which includes hotels in Chicago, Honolulu, Las Vegas, Los Angeles, Miami and New York that its hotels had been hit with a Target-like credit card and debit card data breach that appears to have occurred between May 19, 2014 and June 2, 2015.  Although the Trump Hotel Collection is just announcing this now and much of the media is reporting this as a new story, here at Scamicide, we reported to you about this data breach in our Scam of the day on July 5, 2015.  As with so many data breaches, it was discovered not by the company hacked, but by credit and debit card processing banks that noticed a pattern of fraudulent use and traced the cards back to the Trump hotels.    The malware used to perform this data breach was installed on computers at Trump hotels front desk terminals as well as as payment card terminals in the hotels’ restaurants and gift shops.  This type of hacking and data breach could have been prevented had the Trump Hotel Collection switched to the modern EMV smart chip credit cards now being required to be used according to credit card regulations that just went to effect yesterday.  Instead the Trump Hotel Collection, as many companies still do, used the old fashioned credit and debit cards with magnetic strips which are so susceptible to hacking.

TIPS

If you used your credit and debit card at one of the affected Trump hotels between May 19, 2014 and June 2, 2015, you should obtain your credit report from each of the three major credit reporting agencies and look for indications of identity theft.  You should also carefully monitor your credit card account and bank accounts for unusual activity.  You should also consider putting a credit freeze on your credit reports, which is always a good idea.  The Trump Hotel Collection is offering free credit monitoring for people who used their cards at their hotels during the time period indicated above.  For more information about this offer, call them at 877-803-8586.  Here also is a link to the statement of the Trump Hotel Collection about this data breach. https://www.trumphotelcollection.com/cc-security-faq

As for the rest of us, there is little that we as credit and debit card users can do to protect ourselves from the security vulnerabilities of the companies with which we do business.  One important thing to do is to refrain from using your debit card except at ATMs.  Using your debit card at retail establishments puts you at a much greater risk of expensive identity theft in the event of a data breach at the company with which you are doing business because of weaker consumer protection laws regarding liability for fraudulent use of your debit card.  Also, if you have not yet received a new EMV smart chip credit card from your credit card company, you should ask your credit card company for a replacement credit card with a computer chip now.

Scam of the day – February 13, 2014 – PayPal President’s credit card hacked – what it means to you

Earlier this week PayPal President David Marcus disclosed that his credit card was hacked and used for fraudulent purchases.  Although it has not yet been precisely determined where his card was hacked, it is known that the security breach did not occur as a result of one of the many major hackings in the news, such as at Target or Neiman Marcus.  Instead, it is thought that the security breach occurred at the hotel at which he was staying or at stores he shopped at during a recent trip to the United Kingdom by way of a skimmer, which is a small electronic device that is used by many identity thieves who surreptitiously install the device on retail card processors or ATM machines.  When the credit card is processed through the legitimate card processing machine, the skimmer captures and sends the card information to the identity thief.  What makes this particularly interesting is that Marcus’ card was one of the advanced EMV chip cards, which generates a new number every time it is used and, which we were told, would have eliminated the problem experienced at Target because it generates a new number for every transaction electronically processed.  So how could his number have been stolen?  Easy.  When cards are used by identity thieves for online purchases, the chip does not produce a new transaction number so although the thieves could not have used the number for in-store purchases, the EMV chip card does not protect against online use.

TIPS

Whether you have a new EMV chip card or, as most of us do, the old style magnetic strip card, you have to be vigilant about monitoring your credit card statement for fraudulent use.  Don’t wait until the end of the month when you receive your monthly statement to check for fraudulent purchases.  Go online at least a couple of times a month to look for unauthorized use. In addition, whenever you swipe your card through an ATM machine or credit card processing device, examine the device carefully for evidence of tampering through the installation of a skimmer.  Often with a little care you can identify the problem before it occurs.