Yet another major retailer — this time, office supply chain Staples — has fallen victim to a data breach, KrebsonSecurity reported.
More than half a dozen banks operating on the East Coast have seen fraudulent charges made at non-Staples businesses, such as supermarkets and other big-box retailers, by people using Staples cards, according to the report.
Those cards apparently were used previously at three Staples stores in New York City, seven in Pennsylvania, and one in New Jersey.
The pattern is consistent with point-of-sale malware at some Staples locations: software on the infected registers or payment terminals that captures each card's magnetic-stripe data as it is swiped, which is all the thieves need to encode working counterfeit copies of cards used by legitimate customers.
“Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement,” said Mark Cautela, the chain’s senior public relations manager. “We take the protection of customer information very seriously.”
Customers who report fraudulent charges on their credit cards in a timely manner will not be liable for those charges, he said.
The Beat Goes On
Dairy Queen and Kmart both reported data breaches earlier this month.
Dairy Queen said its attackers used the Backoff malware, a point-of-sale memory scraper. Last year's Target breach, by contrast, is attributed to a different POS malware family, BlackPOS, not to Backoff.
The Staples breach likely is small potatoes compared to the Target breach, which is estimated to have affected 110 million customers. It also pales in comparison to the breach JP Morgan Chase reported earlier this month, which affected 76 million households and 7 million small businesses.
Tightening Up Security
The only way merchants can prevent malware from stealing mag stripe data on cards would be to prevent card data from arriving at the POS, said Mark Bower, vice president of product management for Voltage Security.
For mag cards, and even the EMV cards that are now being introduced, this entails “encrypting upstream of the POS using contemporary one-way encryption in a logically and physically secured card reader all the way to the payment processing host, beyond the retail store network,” Bower explained.
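The two passages above describe the same threat from both sides: a memory scraper on the register that harvests swiped track data, and a reader that encrypts that data before it ever reaches the register so the scraper has nothing to find. The Go program below is an added illustration written for this page, not code from Staples, Voltage Security or any named vendor. It assumes a simple shared AES-GCM key between reader and processor (real P2PE deployments derive per-swipe keys with DUKPT inside a certified reader, and key management is out of scope here); the track-2 sample, the scraper's regular expression and the simulated till memory are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed track-2 sample (ISO/IEC 7813): sentinel, PAN, '=', expiry YYMM,
// service code, discretionary data, sentinel. The PAN is a standard test number.
const sampleTrack2 = ";4111111111111111=25121011000012345678?"

// The kind of regex a POS RAM scraper runs over memory: 13-19 digit PAN, '=', YYMM.
var track2Pattern = regexp.MustCompile(`[0-9]{13,19}=[0-9]{4}`)

// ScrapeMemory stands in for the malware: every track-2 hit in a memory buffer.
func ScrapeMemory(buf []byte) []string {
	return track2Pattern.FindAllString(string(buf), -1)
}

// LegacyPOSMemory: the till's memory when the reader hands over plaintext track data.
func LegacyPOSMemory(track2 string) []byte {
	return []byte("AMOUNT=23.99 TRACK2=" + track2 + " TERM=0007")
}

// EncryptedSwipe is all a P2PE reader gives the POS: ciphertext plus receipt fields.
type EncryptedSwipe struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, tag appended
	Last4      string // bound to the ciphertext as additional authenticated data
}

// P2PEPOSMemory: the same till's memory with an encrypting reader in front.
func P2PEPOSMemory(sw EncryptedSwipe) []byte {
	buf := []byte("AMOUNT=23.99 LAST4=" + sw.Last4 + " TERM=0007 BLOB=")
	buf = append(buf, sw.Nonce...)
	return append(buf, sw.Ciphertext...)
}

// SecureReader models the tamper-resistant reader, Processor the payment host.
// NewPair injects one shared key into both ends; the POS and store network never
// hold it. (Assumed key handling: real P2PE derives per-swipe keys with DUKPT.)
type SecureReader struct{ aead cipher.AEAD }
type Processor struct{ aead cipher.AEAD }

func NewPair(key []byte) (*SecureReader, *Processor, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	return &SecureReader{aead}, &Processor{aead}, nil
}

// Swipe encrypts inside the reader, before any byte reaches the POS.
func (r *SecureReader) Swipe(track2 string) (EncryptedSwipe, error) {
	s := strings.TrimPrefix(track2, ";")
	i := strings.IndexByte(s, '=')
	if i < 13 || i > 19 {
		return EncryptedSwipe{}, errors.New("malformed track 2 data")
	}
	last4 := s[i-4 : i]
	nonce := make([]byte, r.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedSwipe{}, err
	}
	ct := r.aead.Seal(nil, nonce, []byte(track2), []byte(last4))
	return EncryptedSwipe{Nonce: nonce, Ciphertext: ct, Last4: last4}, nil
}

// Decrypt runs at the processor; a changed Last4 or ciphertext fails the tag check.
func (p *Processor) Decrypt(sw EncryptedSwipe) (string, error) {
	pt, err := p.aead.Open(nil, sw.Nonce, sw.Ciphertext, []byte(sw.Last4))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	reader, proc, _ := NewPair(key)
	fmt.Println("legacy POS, scraper finds:", ScrapeMemory(LegacyPOSMemory(sampleTrack2)))
	sw, _ := reader.Swipe(sampleTrack2)
	fmt.Println("P2PE POS, scraper finds:", ScrapeMemory(P2PEPOSMemory(sw)))
	track, err := proc.Decrypt(sw)
	fmt.Println("processor recovers:", track, err)
}
```

Running it shows the contrast the quotes are making: against the legacy till the scraper pulls out the PAN and expiry, against the encrypting reader it finds nothing, and only the processor, which holds the key, recovers the track. Binding the receipt's last four digits into the authenticated data means a compromised POS cannot quietly alter the fields it is allowed to see without the processor rejecting the transaction.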
“All companies, not just retailers, need to put security at the center of their business practices,” said Pierluigi Stella, chief technology officer at Network Box USA.
That includes educating users to exercise caution when clicking on email links, segmenting networks to prevent attacks spreading throughout the company, and implementing true real-time monitoring, “because if 76 million records can escape a Chase network, someone’s definitely not looking,” he told TechNewsWorld.
Might Apple Pay Help?
Apple Pay, which launched Monday, is being touted as a secure way to make payments.
“Apple has explained in detail tokenization, Touch ID and Secure Element, but no details were made available around card validation when adding your card to Apple Pay,” said Damien Hugoo, product manager at Easy Solutions.
The layered security around payments offered by Touch ID, tokenization and Secure Element is good, but account security validation is lacking, he told TechNewsWorld.
“Can you add your grandmother’s card or a stolen card?” Hugoo asked.
Still, banks will assume fraud liability when Apple Pay is used, so consumers likely will be safe, he acknowledged, which means “it might be up to the bank to validate the account being added to Apple Pay.”
To Shop or Not to Shop?
Forty-five percent of 865 American adults polled earlier this month said they definitely would not return to a retailer that had been hacked, and another 29 percent said they probably would not shop at such stores, Creditcards.com found.
However, “as a security executive, I believe that [hacked] stores will probably be safer this holiday season,” said Stealthbits CTO Kyle Kennedy.
The breached stores “have implemented significantly tighter controls,” he told TechNewsWorld, “as they are actively being monitored more closely than before by … consumers, the market, the industry and their own organization.”