Scam of the day – October 2, 2017 – Whole Foods suffers data breach

Add upscale grocery store Whole Foods to the list of companies suffering a data breach, however, the data breach only affects the company’s separate taprooms and full-service restaurants which use a different card reading system than the grocery stores so that if you shopped at the grocery store section of Whole Foods, you would not be affected by the data breach.  Most Whole Foods stores do not have taprooms or restaurants, but anyone who has shopped at a Whole Foods store recently should monitor their credit and debit card charges for indications of fraudulent use.

While the statement from Whole Foods disclosing the data breach made no mention of the type of credit card processing equipment used, it could be assumed that the taprooms and restaurants did not use the more secure EMV chip cards, but rather the extremely vulnerable magnetic strip cards.

TIPS

This is another opportunity to remind everyone to restrict your use of your debit card to use at ATMs and not to use it for retail purchases because the laws that protect you from fraudulent use of your debit card are not as strong as those that protect you in the event of the fraudulent use of your credit card.  Also, because data breaches in which credit cards and debit card information is stolen are so common, everyone should regularly monitor their credit card statements and bank accounts to which their debit cards are tied on a regular basis to look for evidence of fraudulent charges.

Scam of the day – April 28, 2017 – Chipotle suffers data breach

Chipotle Mexican Grill whose sales have only recently improved following food safety issues in 2016 just took another hit with its announcement that it had suffered a data breach affecting the credit card processing systems at its restaurants.  The data breach was just discovered and according to Chipotle occurred between March 24th and April 18th 2017. Here is a link to Chiptole’s public statement on the matter.

https://chipotle.com/security

TIPS

Because Chipotle has not yet determined the extent of the data breach or the identity of all affected restaurants, if you were a Chipotle customer during the period of the data breach, you should carefully check your credit card statements.  As more information about this data breach becomes available, I will inform you of it.

The primary reason for the continuing problem of  credit card data breaches at restaurants, hotels and retail establishments is that many of these companies  are still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards.  Regulations effective October 1, 2015  mandated credit card issuers and retailers switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have been slow to switch to the new card processing equipment.  If smart EMV chip cards had been used at Chipotle, the card information that was stolen would have been worthless, but since they still used the old fashioned magnetic strip cards, Chipotle and its customers face financial problems from this data breach.

TIPS

Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted  more than a year ago, continue to occur again and again.  As for us, as consumers, the best thing we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  You also should regularly monitor your credit card statements for indications of fraudulent use.

Scam of the day – August 31, 2016 – Massive ATM heist

ATM robbery is increasing dramatically.  According to FICO Card Alert Service, a company that monitors ATM activity for banks, ATM skimming attacks increased by 546% from 2014 to 2015 and this trend shows no indication of slowing down in 2016.  Skimmers are small devices that can be attached to ATMs either on the outside or inside of the machine that capture the data from your card when you insert it into the ATM.  This problem is exacerbated by the fact that ATMs still are using the old-fashioned magnetic strip cards rather than being updated to take the newer EMV chip cards that create a new code for every transaction that would render the skimmer useless.   The trade regulations requiring the switch over to chip cards for ATMs  go into effect for ATM transactions using MasterCard debit cards  October 1, 2016, but Visa’s deadline is not until October 1, 2017.  The regulations themselves are not laws, but rather rules of the banks and credit card processors that shift liability for fraudulent card use to companies not switching over to the EMV card readers before the deadlines.  It has been estimated by the National ATM Council that less than half of ATMs will be EMV card ready by October 2016.

However, things aren’t as bad as you think.  They are far worse.

Enterprising criminals recently managed to hack 21 ATMs of the Government Savings Bank in Thailand stealing approximately $350,000.  What was significant about this particular hacking was that in this case, skimmers weren’t used in the attack on the ATMs and money was not stolen from individual account holders as in the recent 13 million dollar heist from Japanese ATMs located at convenience stores over a three hour period.  In this case, the hackers inserted a malware infected card into the ATMs that reprogrammed the ATMs to allow them to withdraw money from the ATMs directly without being allocated to any particular account.  Inserting malware through portable USB external hard drives into ATMs and reprogramming them to release cash to hackers is exposing vulnerabilities in the security of many ATMs.

TIPS

The banking industry has got to keep pace with the attacks by sophisticated criminals upon ATMs.  Switching to EMV chip cards will help significantly from the less sophisticated hackers using skimmers, but it won’t help against the more sophisticated hackers attacking ATMs by changing the machine’s programming.  Better security needs to be implemented to combat this threat immediately.

Meanwhile as for us as customers, the best you can do is to generally refrain from using private ATMs and ATMs  that are not embedded in walls.  The stand-alone ATMs are more vulnerable to a number of different types of hacking.  You should also feel around to see if anything is loose where you insert your card and for any evidence of tampering and use another machine if you find any indication that the ATM has been altered in anyway.  Also cover the keypad when you insert your PIN.  Finally, monitor the bank account to which your ATM card is attached regularly to recognize any fraudulent use as soon as possible to avoid personal liability if you delay in reporting fraudulent use of your card.

Scam of the day – July 22, 2016 – Home Depot class action update

As I reported to you in March a tentative settlement was reached between Home Depot and the plaintiffs in a class action on behalf of the 56 million victims of Home Depot’s massive data breach which occurred between April and September of 2014.  The tentative settlement provides for a 13 million dollar fund to reimburse victims for out of pocket losses incurred  with an additional 6.5 million dollars being set aside for legal fees and other related expenses.  Home Depot announced also agreed to provide eighteen months of free credit monitoring through security company All Clear ID to affected shoppers.  You can receive payments through the settlement if you used your credit or debit card at a self checkout lane at Home Depot between April 10, 2014 and September 23, 2014 and your card information was stolen.  You also are eligible for a payment if you received notification that your email address was compromised or if you specifically received a settlement notice informing you that you are a member of the class action.  Payments of as much as $10,000 will be made to claimants who suffered out of pocket losses and unreimbursed charges as a result of the data breach.  In addition, affected shoppers can receive payments of $15 per hour for time spent remedying the problems they encountered as a result of the data breach.

Similar to the major data breach at Target which occurred a year earlier, Home Depot’s computers and credit card processing equipment were hacked when a third party party vendor’s computers were hacked thereby enabling the hackers to steal the passwords necessary for the third party vendor’s to access Home Depot’s computers.  As an additional part of the settlement Home Depot committed to make greater efforts at data security.

TIPS

If you believe you are entitled to payment as a part of the class action, click on this link for more information and to get the claim form which must be filed by October 29th.   http://www.homedepotbreachsettlement.com/frequently-asked-questions.aspx

A hearing on final approval of the settlement will occur on August 12th in the Federal District Court for Northern Georgia.

As for all of us, even if we were not a victim of this particular data breach, it is important to remember that we are only as safe as the places with which we do business that have the weakest security.  Greater use of EMV smart chip credit cards will reduce the effects of data breaches aimed at gaining credit card and debit card information, but many stores still have not shifted over to the new equipment required to process EMV smart chip credit cards.  However, whenever you can, you should use your EMV chip card.

Also, do not use your debit card for retail purchases.  Limit its use to ATMs.  There are strong laws to protect you from fraudulent use of your credit card, but the laws protecting you from liability in the event of fraudulent use of your debit card are not as strong and you potentially risk losing your entire bank account to which the card is attached.  In addition, even if you report the fraudulent use of your debit card immediately, your bank will freeze your account while it investigates the breach which can be very inconvenient if you need immediate cash or have bills automatically paid from your account.

Scam of the day – July 15, 2016 – Omni Hotels data breach

Omni Hotels and Resorts just became the latest hotel chain to suffered a massive data breach joining Hyatt, Hotels, Starwood Hotels, Hilton Hotels and Trump Hotels who all suffered similar data breaches in the last year in which credit card and debit card information of their customers was stolen by unknown hackers.  Although the data breach at Omni was just recently discovered, it goes back to December 23, 2015 and was stealing credit card and debit card data from Omni Hotels up until June 14, 2016.  The Omni data breach affected forty-eight of Omni’s sixty hotels in North America.  As often is the case, hackers who steal the credit and debit card data sell it in large batches to other cybercriminals on a part of the Internet called the Dark Web.    The first batches of stolen credit cards and debit card information started turning up on the Dark Web in February of 2016.  The hotel industry continues to be an easy target for hackers as it is an industry that services large numbers of people and often the hotels are individually operated franchises rather than operating under a central data security system.  It should be noted, however, that Omni does not operate franchises.

The primary reasons for the continuing problem of data breaches at hotel chains are the weak cybersecurity of many hotel chains coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards.  Regulations effective October 1, 2015  mandated credit card issuers and retailers switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have been slow to switch to the new card processing equipment.  If smart EMV chip cards had been used at Omni hotels, the card information that was stolen would have been worthless, but since they still used the old fashioned magnetic strip cards, Omni and its customers face financial problems from this data breach.

TIPS

Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted  more than a year ago, continue to occur again and again.  As for us, as consumers, the best we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  You also should regularly monitor your credit card statements for indications of fraudulent use.

Certainly if you have been an Omni customer since December 23, 2015 you should carefully review your credit and debit card statements for indications of identity theft and fraudulent charges.  If you were affected by this particular data breach, Omni  is offering free credit monitoring services for a year through AllClear ID.  You can sign up for these services by clicking on this link  https://omnihotels.allclearid.com/

Scam of the day – June 1, 2016 – Skimmers found at Walmart self checkout lanes

Scamicide readers are familiar with skimmers which are devices that can be attached to any device into which your credit or debit card is placed for processing, such as an ATM, gas pump or pay terminal at a retail store.  Once attached, these skimmers are able to capture credit card information from the magnetic strip found on the card and use that information to make fraudulent charges using the victim’s credit card.  Fortunately, these skimmers do not work against the new EMV chip cards, but with only 60% of the credit cards in the United States being updated to the new EMV chip cards and even worse, only about 20% of the card terminals in the country having been updated to process EMV chip cards according to the Mercator Advisory Group.   Walmart was one of the first companies to switch over to credit card processing equipment that will process EMV chip cards, however, because many people still don’t have an EMV chip card, all credit card and debit card processing equipment will accommodate either magnetic strip cards or EMV chip cards.  Ironically, Walmarts in Virginia and Kentucky were hit with credit card data breaches through skimmers that were installed at the self-checkout lanes where criminals were able to install the skimmers over the existing Walmart credit card processor so that when customers used their old style magnetic strip credit cards, the information from their cards was stolen by the criminals and used to make them victims of identity theft.

TIPS

One of the first lessons from this story is that if you have an EMV chip credit card, use it as a chip card rather than swiping the magnetic strip that still appears on your card.  When your card is processed as a chip card, you are much safer and skimmers cannot capture the information from the card’s magnetic strip when it is used as a chip credit card.  If you don’t have an EMV chip credit card, ask your credit card company to issue one to you and if the stores where you shop don’t yet take the EMV chip card, find out why not and consider shopping at stores like Walmart and Target that have updated their equipment.

Scam of the day – March 11, 2016 – Possible Home Depot data breach settlement

A tentative settlement has been reached between Home Depot and the 56 million victims of its massive data breach which occurred between April and September of 2014.  The proposed settlement provides for a 13 million dollar fund to reimburse victims for out of pocket losses incurred  with an additional 6.5 million dollars being set aside for legal fees and other related expenses.  Shortly after the data breach, Home Depot announced that it would provide a year’s free credit monitoring through security company All Clear ID.  The offer was made to Home Depot customers who used their credit or debit cards at Home Depot between April 1, 2014 and September 9, 2014.  The proposed settlement of the class action brought by victims of the data breach must be approved by the judge overseeing the case.

Similar to the major data breach at Target which occurred a year earlier, Home Depot’s computers and credit card processing equipment was hacked when a third party party vendor’s computers were hacked thereby enabling the hackers to steal the passwords necessary for the third party vendor’s to access Home Depot’s computers.  As an additional part of the settlement Home Depot committed to make greater efforts at data security.

TIPS

As further developments in this settlement occur, I will inform you of those developments so if you were a victim of the Home Depot data breach, I will let you know what to do.  As for all of us, even if we were not a victim of this particular data breach, it is important to remember that we are only as safe as the places with which we do business that have the weakest security.  Greater implementation of EMV smart chip credit cards will reduce the effects of data breaches aimed at gaining credit card and debit card information, but many stores still have not shifted over to the new equipment required to process EMV smart chip credit cards.

Also, do not use your debit card for retail purchases.  Limit its use to ATMs.  There are strong laws to protect you from fraudulent use of your credit card, but the laws protecting you from liability in the event of fraudulent use of your debit card are not strong and you potentially risk losing your entire bank account to which the card is attached.  In addition, even if you report the fraudulent use of your debit card immediately, your bank will freeze your account while it investigates the breach which can be very inconvenient if you need immediate cash or have bills automatically paid from your account.

Scam of the day – January 29, 2016 – Wendy’s suffers apparent data breach

Fast food hamburger chain Wendy’s announced that it had discovered “reports of unusual activity involving payment cards” at some of its restaurants and is presently investigating the matter in order to determine the full extent of the apparent data breach and where it occurred.    This story was first reported by Krebs on Security.  Wendy’s operates 5,600 company owned and franchised restaurants around the world although initial reports do not tend to indicate that the apparent data breach affected all stores.  As is so often the case, the apparent data breach was first discovered not by Wendy’s itself, but by credit card processing banks noticing a pattern of fraudulent use of credit and debit cards that could be traced back to Wendy’s restaurants.  In fact, at this time, the incident appears to follow the pattern that I described in a column I wrote for USA Today in September of 2014.  http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/

Wendy’s still uses the old fashioned magnetic strip credit cards which are much easier targets for hackers than the EMV chip cards which have been required to be used by companies since October of 2015.  The rules requiring companies to switch to the new smart cards carry no specific penalty, but in the event of a data breach can result in the company not using the EMV chip cards to be responsible for the costs of fraudulent use of stolen card information.  It should also be noted that although October 1, 2015 was the deadline for retailers to switch to EMV smart card processing for credit cards and debit cards to avoid liability in the event of a data breach, the deadline for ATMs and gas station pumps to switch to the EMV smart cards is not until October 1, 2017.

TIPS

As consumers the best thing we can do is to use your EMV chip card whenever possible.  Stores such as WallMart and Target have switched to the new cards.  If you have not yet received a new EMV chip card from your credit card company, contact them and get one as soon as possible.  It still is a good idea to not use your debit card for retail purchases because the protection from liability that you get regarding fraudulent use of a debit card is not as strong as the liability protection you get when using a credit card. Further, even if you report fraudulent use of your debit card immediately to your bank, your bank account to which the card is tied will be frozen and inaccessible to you while the bank investigates the matter.

If you were a customer of Wendy’s during the last year, it is a good idea to carefully monitor the charges on your credit card for indications of fraudulent use.

 

Scam of the day – November 27, 2015 – Hilton hotels become latest to suffer a data breach

In a data breach similar to the recently disclosed data breaches at Starwood hotels, Sheraton hotels, Westin hotels and the Trump Hotel Collection, Hilton Worldwide hotels has just announced that it suffered a data breach due to hacking of its point-of sale credit and debit card processors between November 18, 2014 and December 5, 2014 as well as between April 21, 2015 and July 27, 2015.  Hilton did not indicate which of its 4,500 hotels were affected by the data breach in which the hackers managed to steal cardholder names, credit and debit card numbers, security codes and expiration dates.  The theft of this information puts Hilton customers who stayed at a Hilton hotel during those time periods in extreme danger of identity theft and abuse of their credit and debit cards.  Hilton also owns and operates the Conrad, Double Tree and Hampton Inn hotel chains so travelers who stayed at those hotels during the time of the data breaches are also at risk.

As is so often the case in these types of data breaches, HIlton is offering a year of free credit monitoring to those affected by the data breach although it is certainly late to be counting on this to provide significant assistance.  Here is a link to information as to how to apply for the free credit monitoring. http://news.hiltonworldwide.com/index.cfm/misc/guestupdate/hilton-worldwide-guest-update

The problem continues to be one of weak cybersecurity of many companies coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards.  Regulations effective October 1, 2015  mandate credit card issuers and retailers switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have been slow to switch to the new card processing equipment.  If smart EMV chip cards had been used at the Hilton hotels, the information stolen in such a hacking would have been worthless, but since they still used the old fashioned magnetic strip cards, Hilton and its customers face financial problems from this data breach.  Target, which learned its lesson the hard way has already switched to the new EMV chip cards as has WalMart.

TIPS

Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted a year ago, continue to occur again and again.  As for we, as consumers, the best we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  They are easy to use and they will provide you with much greater security.  If you used a credit card or debit card at any of the above-mentioned Hilton properties since November of 2014 you should carefully monitor your credit card account and bank account for any indication of a problem.

Scam of the day – September 29, 2015 – Hilton Hotels data breach

Hilton Hotels appear to be the latest in a long line of companies that have suffered a significant data breach involving credit cards and debit cards.  The hacking appears to have occurred between April 21, 2015 and July 27, 2015 although it may go back as far as November of 2014.  As is most often the case, the hacking was not discovered by Hilton, but rather by a number of credit card issuing banks that picked up a pattern of fraudulent charges that they were able to trace back to gift shops and restaurants at a number of Hilton properties which include not only Hilton Hotels, but Embassy Suites, Doubletree, Hampton Inn and Suites as well as the Waldorf Astoria Hotels and Resorts.  This type of data breach is something about which I wrote for USA Today in a column a year ago in which I explained the pattern for these data breaches and why they occur.  Here is a link to that column, entitled “Coming Soon:  Another Major Retailer Hacked.”  http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/

For its part, Hilton released a statement saying, “Hilton Worldwide is strongly committed to protecting our customers’ credit card information.  We have many systems in place and work with some of the top experts in the field to address data security.  Unfortunately, the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace.  We take any potential issue very seriously and we are looking into this matter.”

The problem continues to be one of weak cybersecurity of many companies coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards about which I wrote in detail in September 23rd’s Scam of the day.  New regulations mandate credit card issuers and retailers to switch over to the new smart EMV chip cards by October 1st or risk increased legal liability, but unfortunately, many companies have not switched over and are not expected to do so by October 1st.  If smart EMV chip cards had been used at Hilton, the information stolen in such a hacking would have been worthless, but since they still used the old fashioned magnetic strip cards, Hilton and its customers face financial problems from this data breach.  Target, which learned its lesson the hard way has already switched to the new EMV chip cards as has WalMart.

TIPS

Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted a year ago, continue to occur again and again.  As for we, as consumers, the best we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  They are easy to use and they will provide you with much greater security.  If you used a credit card or debit card at any of the above-mentioned Hilton properties during the dates indicted above, you should carefully monitor your credit card account and bank account for any indication of a problem.