[BreachExchange] Sears Announces Kmart Malware Attack - Says EMV 'Chip' Payment System Prevented Large Scale Fraud

Destry Winant destry at riskbasedsecurity.com
Thu Jun 1 23:57:57 EDT 2017


http://www.zerohedge.com/news/2017-06-01/sears-announces-kmart-malware-attack-says-emv-chip-payment-system-prevented-large-sc

Five days after Chipotle, Inc. announced a massive malware attack
<http://ibankcoin.com/zeropointnow/2017/05/27/chipotle-hacked-in-massive-breach-customer-payment-data-stolen-from-thousands-of-restaurants-cmg/>
resulted
in widespread theft of customer payment data, Kmart parent company Sears ($
SHLD <https://finance.yahoo.com/quote/SHLD?p=SHLD>) revealed that several
Kmart locations had been similarly infested with malware. While the beleagured
company
<http://www.zerohedge.com/news/2017-03-23/sears-enters-death-spiral-vendors-halt-shipments-insurers-bail>
disclosed that
"certain credit card numbers" were compromised, it appears the majority of
customers were unaffected
<https://ibankcoin.com/zeropointnow/files/2017/06/nomonitoring.png> -
 which the company says is thanks to their decision upgrade all Kmart
locations to EMV "smart chip
<https://ibankcoin.com/zeropointnow/files/2017/06/emv_chip.png>" credit and
debit card Point-of-sale (POS) machines.

This is in stark contrast to a 2014 malware attack
<https://krebsonsecurity.com/2014/10/malware-based-credit-card-breach-at-kmart/>
on
Kmart's older magnetic swipe Point of Sale system which resulted in the
theft of customer data - allowing thieves to create counterfeit cards,
according to Sears spokesman Chris Brathwaite.

Kmart has issued a FAQ
<http://download.sears.com/perf/pdf/01_PRIVILEGED%20AND%20CONFIDENTIAL%20FAQ_FINAL.pdf>
regarding
the hack.

While Kmart looks to have dodged a bullet, Chipotle is still using magnetic
POS machines

Chipotle ($CMG <https://finance.yahoo.com/quote/CMG/?p=CMG>) declined
to upgrade to the newer EMV chip reading equipment in 2015 – citing
inefficiencies and concerns over delays in the authentication process in a
fast paced food service environment.

The breach could mean big trouble for shares of Chipotle, which have only
partially recovered from an E.coli outbreak in late 2015. According to
Reuters <https://www.reuters.com/article/us-chipotle-cyber-idUSKBN18M2BY>,
security analysts say the company will likely face a fine based on the size
of the breach and number of records compromised.

Who knows, maybe the GMO-refusing
<http://www.thehealthyhomeeconomist.com/monsanto-wont-take-gmo-free-chipotle-news-sitting-down/>
burrito
merchants carry separate cyberliability insurance?
<https://www.bloomberg.com/news/articles/2014-08-28/cyberliability-insurance-for-when-your-business-gets-hacked>

In 2015 the credit card industry shifted liability to those who haven't
upgraded to EMV systems

Per Gizmodo
<http://gizmodo.com/the-gizmodo-guide-to-the-new-emv-chip-credit-card-payme-1734011799>
...

If stores accept EVM payments, the credit card companies still accept
liability for counterfeit fraud. That’s true even if the store accepts EMV
payments, but also accepts magnetic stripe payments, and one of those
magnetic stripe payments turns out to be fraudulent. The technical wording
from Visa is, “The party that has made investment in EMV deployment is
protected from financial liability for card-present counterfeit fraud
losses on this date. If neither or both parties are EMV compliant, the
fraud liability remains the same as it is today."

While EMV payment systems don't prevent over-the-phone credit card fraud,
MasterCard said overall fraud had dropped 54% year-over-year in January of
2016
<http://www.pymnts.com/news/emv/2016/mastercard-fraud-costs-emv-impact/>.
That's significant.

 As the banking industry shifts towards convenient and safe digital payment
systems and a cashless society
<http://www.zerohedge.com/news/2016-11-16/war-cash-intensifies-citibank-stop-accepting-cash-some-branches>,
enjoy
the smell of paper
<https://ibankcoin.com/zeropointnow/files/2017/06/abb6b6b85ee1c2d28a00b41403f86a8d.jpg>
fiat
currency while it's still around. Then go hang out with your gold and
silver collection.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170601/d5129b14/attachment.html>


More information about the BreachExchange mailing list