If you are responsible for cybersecurity or data protection in your organization, stop what you are doing and read this report. Actually, first, go patch your servers and applications and then read this report. Much like Verizon’s Data Breach Investigations Report (DBIR), the Payment Security Report (PSR) is a must-read for security professionals. While it […]… Read More
The post Verizon’s 2019 Payment Security Report – Not Just for PCI appeared first on The State of Security.
On Nov. 23, one of the cybercrime underground’s largest bazaars for buying and selling stolen payment card data announced the immediate availability of some four million freshly-hacked debit and credit cards. KrebsOnSecurity has learned this latest batch of cards was siphoned from four different compromised restaurant chains that are most prevalent across the midwest and eastern United States.
Two financial industry sources who track payment card fraud and asked to remain anonymous for this story said the four million cards were taken in breaches recently disclosed by restaurant chains Krystal, Moe’s, McAlister’s Deli and Schlotzsky’s. Krystal announced a card breach last month. The other three restaurants are all part of the same parent company and disclosed breaches in August 2019.
KrebsOnSecurity heard the same conclusion from Gemini Advisory, a New York-based fraud intelligence company.
“Gemini found that the four breached restaurants, ranked from most to least affected, were Krystal, Moe’s, McAlister’s and Schlotzsky’s,” Gemini wrote in an analysis of the New World Order batch shared with this author. “Of the 1,750+ locations belonging to these restaurants, nearly 50% were breached and had customer payment card data exposed. These breached locations were concentrated in the central and eastern United States, with the highest exposure in Florida, Georgia, South Carolina, North Carolina, and Alabama.”
Focus Brands (which owns Moe’s, McAlister’s, and Schlotzsky’s) was breached between April and July 2019, and publicly disclosed this on August 23. Krystal claims to have been breached between July and September 2019, and disclosed this in late October.
The stolen cards went up for sale at the infamous Joker’s Stash carding bazaar. The most recent big breach marketed on Joker’s Stash was dubbed “Solar Energy,” and included more than five million cards stolen from restaurants, fuel pumps and drive-through coffee shops operated by Hy-Vee, a supermarket chain based in Iowa.
According to Gemini, Joker’s Stash likely delayed the debut of the New World Order cards to keep from flooding the market with too much stolen card data all at once, which can have the effect of lowering prices for stolen cards across the board.
“Joker’s Stash first announced their breach on November 11, 2019 and published the data on November 22,” Gemini found. “This delay between breaches occurring as early as July and data being offered in the dark web in November appears to be an effort to avoid oversaturating the dark web market with an excess of stolen payment records.”
Most card breaches at restaurants and other brick-and-mortar stores occur when cybercriminals manage to remotely install malicious software on the retailer’s card-processing systems, often by compromising third-party firms that help manage these systems. This type of point-of-sale malware is capable of copying data stored on a credit or debit card’s magnetic stripe when those cards are swiped at compromised payment terminals, and that data can then be used to create counterfeit copies of the cards.
Companies that accept, store, process and transmit credit and debit card payments are required to implement so-called Payment Card Industry (PCI) security standards, but not all entities are required to prove that they have met them. While the PCI standards are widely considered a baseline for merchants that accept payment cards, many security experts advise companies to put in place protections that go well beyond these standards.
Even so, the 2019 Payment Security Report from Verizon indicates the number of companies that maintain full compliance with PCI standards decreased for the second year in a row to just 36.7 percent worldwide.
As noted in previous stories here, the organized cyberthieves involved in stealing card data from main street merchants have gradually moved down the food chain from big box retailers like Target and Home Depot to smaller but far more plentiful and probably less secure merchants (either by choice or because the larger stores became a harder target).
It’s really not worth worrying about where your card number may have been breached, since it’s almost always impossible to say for sure and because it’s common for the same card to be breached at multiple establishments during the same time period.
Just remember that while consumers are not liable for fraudulent charges, it may still fall to you the consumer to spot and report any suspicious charges. So keep a close eye on your statements, and consider signing up for text message notifications of new charges if your card issuer offers this service. Most of these services also can be set to alert you if you’re about to miss an upcoming payment, so they can also be handy for avoiding late fees and other costly charges.
Payment security continues to decline worldwide, with almost two-thirds of organizations failing to meet and maintain compliance standards, according to a new report released by Verizon.
The 2019 Payment Security Report (PSR) measured worldwide compliance with the Payment Card Industry Data Security Standard (PCI DSS), and found a 36.7% decline. Verizon’s 2018 PSR showed 52.5% compliance. The Americas had the lowest compliance with just 20.5% meeting the global standard.
“We see an increasing number of organizations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data,” said Rodolphe Simonetti, Global Managing Director for Security Consulting at Verizon.
PCI DSS was introduced by several major credit card companies in 2004 as an industry-wide standard for securing electronic payment data directing best practices regarding data storage and data transmission. While the standards for compliance vary according to an organization’s annual volume of credit card transactions, they generally require the following:
- A secure network
- Protection of cardholder data
- A vulnerability management program
- Access control measures
- Regular network testing and monitoring
- An information security policy
The decline in PCI compliance is a matter for concern as the frequency and cost of data breaches continue to rise. According to the 2019 PSR, not a single organization that experienced a breach was found to be fully compliant with PCI DSS.
“For years, we have discussed the close correlation between the lack of PCI DSS compliance and cyber breaches… Our data shows that we have never investigated a payment card security data breach for a PCI DSS compliant organization,” said Simonetti.
The post The Worldwide Failure to Comply with Payment Security Standards appeared first on Adam Levin.