Staples: Breach May Have Affected 1.16 Million Customers' Cards
mpicpp writes with this excerpt from Fortune: Staples said Friday afternoon that nearly 1.16 million customer payment cards may have been affected in a data breach under investigation since October. The office-supply retailer said two months ago that it was working with law enforcement officials to look into a possible hacking of its customers' credit card data. Staples said in October that it had learned of a potential data theft at several of its U.S. stores after multiple banks noticed a pattern of payment card fraud suggesting the company computer systems had been breached. Now, Staples believes that point-of-sale systems at 115 Staples locations were infected with malware that thieves may have used to steal customers' names, payment card numbers, expiration dates and card verification codes, Staples said on Friday. At all but two of those stores, the malware would have had access to customer data for purchases made between August 10 and September 16 of this year. At the remaining two stores, the malware was active from July 20 through September 16, the company said.
Honestly (Score:5, Insightful)
I'm beginning to believe no one has a fracking clue about IT security, that no one understands that security is a process, not a product, that audits are conducted weekly, monthly, yearly with documentation to show findings, changes, what works, what doesn't.
I'm honestly thinking about taking cash from the bank and using that for all my purchases -- using the Dave Ramsey envelope technique I used to get out of debt a decade ago -- until the people that run these companies get a clue about how to run a business with a modicum of common sense. If Walmart can keep safe, anyone can. Really.
Re: (Score:1)
I use cash for the most part. It has lots of pleasant side-effects, like giving you a solid object that lets you feel how much you're spending, and impressing women (either the under 25 crowd, who like the look of the green stuff, or the 25-30 (now that I'm getting older) ones who look at you like you're obviously responsible husband-material because you use cash over plastic).
Re: (Score:2)
> I use cash for the most part. It has lots of pleasant side-effects, like giving you a solid object that lets you feel how much you're spending, and impressing women (either the under 25 crowd, who like the look of the green stuff, or the 25-30 (now that I'm getting older) ones who look at you like you're obviously responsible husband-material because you use cash over plastic).
You are missing out on free cash using plastic. You need to eat, you need to pay bills, you need gas (assuming you own a vehicle). You are going to pay for those things anyway. There is no reason to not pay for it on the card, reap the cash back benefits and cash in when you need to. (I usually end up with about $400 or so for the year.)
Re: Honestly (Score:2, Funny)
Hope you never have a run-in with a civil forfeiture traffic stop.
Re: (Score:2)
Satoshi Nakamoto does.
Re: (Score:2)
Neener (Score:2, Funny)
When I shop at Staples, I use Apple Pay.
Re: Neener (Score:3)
Or Google Wallet.
Let's not credit Apple alone with a solution when there are at least two major players in that market both encompassing a large install base and indeed Apple bringing their solution to the table much later.
Re: (Score:3)
Both schemes are just part of the NFC standard, which has worldwide support. The problem with Google Wallet in favor of Apple Pay is that GW requires sharing customer data with Google. Better hope there isn't a breach. GW also requires the user open an app on his device and enter a PIN. AP just comes up when you touch an iPhone to the point-of-sale terminal, and authenticates with your thumbprint.
Re: (Score:3)
An app is opened, but by the Apple Pay hardware rather than by the user. This keeps the interface simple and does not require any daemon in the OS; the user just pulls out her phone, touches it to the cash register, and authenticates with a designated fingerprint until a 'Done' checkmark pops up. Other schemes require the user to turn on the phone, go into a specified app, and enter a PIN.
The ACH transfer scheme being pushed by Walmart also requires that the user scan a QR code that is generated by the cas
Re: (Score:2)
Personally at this point my favorite is LevelUp, though it's a lot more localized. It's just a barcode picture, you point whatever version you have to the machine, it turns green, you're done, save a ton of money, and can use whatever device you want (Android Wear watches work nicely with it).
It's not as fancy-schmancy as NFC, but the deal is better for both the customer (get pretty decent discounts) and the merchant (pretty much no transaction fee whatever and free hardware in many cases).
Quote from the hackers (Score:5, Funny)
That was easy [staples.com].
Quote from people who read your joke (Score:2)
That was easy
I think it's about time... (Score:2)
Re:I think it's about time... (Score:5, Informative)
> I think it's about time we implemented some sort of single use credit card system.
That's how Chip and PIN works. Your account number is still fixed, but your authorization to spend from it (your PIN) is encrypted by the chip, and is valid only for a single transaction. There are still kinks with non-electronic transactions, but those can be solved.
Look for it to be all over the US by October of next year.
Re: (Score:2)
Re: (Score:2)
As someone who's worked in the industry, they've been trying to get it to work for at least a year. For some reason Not Invented Here reigns supreme, and we have to figure out how to get it to work without any help from the UK.
Re: (Score:2)
Re: (Score:2)
> I think it's about time we implemented some sort of single use credit card system.
> That's how Chip and PIN works. Your account number is still fixed, but your authorization to spend from it (your PIN) is encrypted by the chip, and is valid only for a single transaction. There are still kinks with non-electronic transactions, but those can be solved.
> Look for it to be all over the US by October of next year.
For the past two years, my Visa provider intercepts the authorizations that are made via the internet, and electronically asks me to respond to questions to which only I know the answer (mother's name, graduation year, etc.). If I fail, the transaction authorization fails. So, just because someone knows the 3 digit code on the back of the card means zero.
And our credit cards have had the chip version since 2011. That technology is just coming into force in the USA, after 4 years of fraud.
Re: (Score:2)
Don't let dictators censor us! (Score:1)
Now that we're through talking about Innocence of Muslims and the arrest of its producer, can we talk about what happened to Sony?
Re:One number to breach them all (Score:4)
"I can only think the reason it hasn't been fixed is because fraud makes the banks money"
No, the reason is that the CTO/CFO/CIO/Cxo don't go to jail for criminal negligence.
Re: (Score:2)
I make a habit to never put my CC in stores that run Windows or that outsource to India, or any nation where the coders are paid a pittance of what western coders get. As such, I have not had my CCs stolen.
People need to put together mass lawsuits against companies and their CEO/CIO personally. Once that starts happening, then and only then, will things change.
Even here, it would be nice to see a lawyer step up and state that they are willing to do a class action against the
Re: (Score:2)
Why can't I load up, say, a Mastercard app on my phone, login, tell it that the next time I swipe my credit card, make it generate a one-time number only good for $50?
Because that would be immensely tedious and annoying. Look at how the TSA has made the process of taking an airplane a fucking pain in the ass... Intrusive security is not an acceptable solution.
The problem is not the credit card transaction. The problem is how companies store information they don't need out of convenience and laziness.
Re:One number to breach them all (Score:5, Informative)
> I can only think the reason it hasn't been fixed is because fraud makes the banks money and they love seeing stories like this.
Well, you would be very wrong. Fraud costs both the retailers and the banks money. The real problem is that issuing new chip cards would cost the banks more than the fraud. Not only are the cards about a dollar more expensive each, and they still have to be re-issued about every three years, but the systems that inject encrypted keys into them, and store the keys on their databases, are very expensive. Banks are notoriously cheap when it comes to spending money that won't make them money.
The other reason EMV hasn't rolled out across the U.S. is that millions of retailers have about 12 million old credit card terminals spread across the country, and most are owned by cheap store owners who don't like being told they have to spend money to replace them. Most retailers have been dragging their feet, not wanting to make an expensive change. But the new members of the breach-of-the-month club are mad about the insecure systems they've been forced to use, and are now championing the rapid switch to EMV instead of fighting it. The smaller retailers are also impacted now, and are no longer resisting.
The irony is that EMV readers for the small retailers are far, far cheaper than the old terminals, and the rates for using new companies like Square, Intuit, and PayPal are much lower than the typical old bank rates for the old credit card readers.
close enough is pretty simple. $200 CC or cash (Score:2)
That was a useful system. There are two simple ways to get approximately the same amount of security, in exchange for the same or less amount of hassle.
> tell it that the next time I swipe my credit card, make it generate a one-time number only good for $50?
> I go to Target or Staples or wherever, spend $25, the number is never valid again and I have nothing to worry about.
For $25-$50, that's called cash. No need to pay the credit card company $1 on a $25 transaction, and you are paying them, indi
Shoosh, don't mention Windows :) (Score:1)
Re:companies need to be held accountable; Not quot (Score:2)
Re: (Score:2)
PCI violations are much worse than that, if they actually fine you.
Would this solution stem these unending breaches? (Score:2)
Enlighten me Slashdotters...
Are these companies storing Credit Card data in plain readable text? I ask because there seems to be no end to these breaches.
Why not try this as a solution?
Store these numbers and all pertinent information like Unix/Linux stores passwords. I am meant to understand that even if one stole the "hashed" details they would be of no use. What am I missing?
Re: (Score:2)
Tokenization isn't new. There's no reason to store the card number these days, other than software vendors with their heads in the sand.
Re:Would this solution stem these unending breache (Score:5, Insightful)
It's not a case of a data center being hacked and data at rest being stolen. When the POS is compromised (which is how most of these incidents happen, it was the same with Target) it's more insidious. It's like having someone install a keylogger on your computer - it does not matter how your password is stored on the backend if the password can be obtained while you type it.
The issue is how casual some organizations are about their POS security. If they were to adopt a "need to know" approach as opposed to a "whatever is convenient" approach these incidents would not have the same impact.
Re: (Score:2)
This isn't a password you can hash and compare hashes. You have to use the number, so it kind of has to be in number form somewhere... Even if it was encrypted and the key was on a different machine... it will get read and decrypted next time it's needed. Then you can steal it there.
Now for a lot of cases you don't need to store credit card numbers at all, you can just replay a transaction, but that's not always possible.
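The tokenization scheme this sub-thread is circling (store a token at the merchant, keep the PAN in a separate vault, re-charge by token) as an added example, not code from any commenter or provider. The vault is an in-memory stand-in for a processor's service, and the PAN is a constructed test number.

```python
"""Merchant-side tokenization: the store keeps only a token, a separate vault
keeps the PAN, and a repeat charge is made by token. Added example; the vault
is an in-memory stand-in for a provider's service, the PAN is a test number."""
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class Vault:
    """Holds token -> PAN; in practice an isolated system the store never hosts."""
    def __init__(self):
        self._by_token = {}
    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        # Random token, not derived from the PAN, so it cannot be reversed
        # without the vault. Last four digits are kept for receipts.
        token = "tok_" + secrets.token_hex(8) + pan[-4:]
        self._by_token[token] = pan
        return token
    def charge(self, token: str, cents: int) -> dict:
        """Resolve the token and 'submit' the charge; the PAN stays inside."""
        pan = self._by_token[token]          # KeyError for unknown tokens
        return {"approved": True, "cents": cents, "last4": pan[-4:]}

class MerchantDB:
    """What the retailer stores: customer -> token, never the PAN."""
    def __init__(self, vault: Vault):
        self.vault = vault
        self.cards = {}
    def save_card(self, customer: str, pan: str) -> str:
        self.cards[customer] = self.vault.tokenize(pan)
        return self.cards[customer]
    def dump(self) -> str:
        """Simulates an attacker reading the merchant table wholesale."""
        return "\n".join(f"{c},{t}" for c, t in self.cards.items())
    def charge_again(self, customer: str, cents: int) -> dict:
        # The replay the thread mentions: the store sends the token, not a PAN.
        return self.vault.charge(self.cards[customer], cents)

SAMPLE_PAN = "4111111111111111"  # constructed, Luhn-valid test number
```

This protects data at rest only; as the parent comment notes, a compromised terminal still sees the PAN at swipe time before tokenization happens.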
Re: (Score:2)
*COUGH* [wikipedia.org] there's a solution to this already.
Details please (Score:2)
details yes. Average attacker breaks average secur (Score:2)
I've worked in the field of IT security, so I too will be looking forward to learning details. The story of the TJX incident was quite interesting- not just the technical details, but also the conversations between the perpetrators, the fact they knew they were getting greedy and should have gotten out of Dodge, etc.
I'm not so sure it needs to be either really crappy security or a great cracker. Generally, breaking things is easier than making things, so an average bad guy can defeat average securit
it will not matter (Score:2)
Re: (Score:2)
The deal there is *your* lapse of security does not affect *my* finances. Millions are getting compromised because of a single entity here.
Re: (Score:2)
Staples accepts NFC payments, so if I buy something there, I'm using ApplePay, which is a single-use token and more secure than anything else out there, as far as I can tell.
Why? It would not matter. (Score:3)
1) they run windows.
2) they outsourced to India.
3) the company is not allowed to operate in India.
Basically, Indians are being bought off to leave backdoors on the production system.
Network Level (Score:5, Insightful)
It seems that these POS systems should be more restricted at the network level. In our communications with our banking partners we have single IP address access to the communication server - among other measures (well, dual actually in some cases.... in case of system outages). Only specific IP addresses using specific ports are allowed to traverse the network to even reach the machine. That's before you even start talking about any real security measures.
If that were in effect for the POS systems, the malware would dump its payload down a black hole unless it also compromised the routers along the way. Maybe that's asking a little much for a bunch of retailers, but it is pretty simple to implement.
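The egress restriction described in this comment (only specific destination addresses and ports reachable from the POS segment) as an added example, not code from the commenter or any retailer: one policy drives both a rendered nftables rule set and an audit of flow records, so a beacon to an unlisted host shows up as a violation. Addresses, ports and flow lines are all constructed.

```python
"""Egress allowlist for a POS segment: render the enforcement rules and audit
flow records against the same policy. Added example; the segment, the
destinations and the flow lines are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")  # assumed POS VLAN

@dataclass(frozen=True)
class Rule:
    dst: ipaddress.IPv4Network   # allowed destination network
    port: int                    # allowed destination port
    proto: str                   # "tcp" or "udp"

# Assumed policy: terminals may reach only the site server and the
# acquirer's gateway over TLS; everything else from the segment is dropped.
POLICY = [
    Rule(ipaddress.ip_network("10.20.0.1/32"), 8443, "tcp"),    # site server
    Rule(ipaddress.ip_network("203.0.113.10/32"), 443, "tcp"),  # acquirer gateway
]

def render_nft(policy, segment=POS_SEGMENT):
    """Render an nftables forward chain that permits only the policy flows."""
    lines = ["table inet pos_egress {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in policy:
        lines.append(f"    ip saddr {segment} ip daddr {r.dst} "
                     f"{r.proto} dport {r.port} accept")
    lines += [f'    ip saddr {segment} counter log prefix "pos-egress-drop " drop',
              "  }", "}"]
    return "\n".join(lines)

def parse_flow(line):
    """Parse 'TIMESTAMP SRC DST:PORT PROTO' into (src, dst, port, proto)."""
    _ts, src, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto

def allowed(dst, port, proto, policy=POLICY):
    return any(dst in r.dst and port == r.port and proto == r.proto for r in policy)

def audit_flows(flow_lines, policy=POLICY, segment=POS_SEGMENT):
    """Return flow lines sourced from the POS segment that the policy forbids."""
    violations = []
    for line in flow_lines:
        src, dst, port, proto = parse_flow(line)
        if src in segment and not allowed(dst, port, proto, policy):
            violations.append(line)
    return violations

# Constructed flow records: two legitimate POS flows, one beacon from a terminal
# to an outside host, and one non-POS flow the policy does not cover.
SAMPLE_FLOWS = [
    "2014-12-19T10:02:11 10.20.0.15 203.0.113.10:443 tcp",
    "2014-12-19T10:02:12 10.20.0.15 10.20.0.1:8443 tcp",
    "2014-12-19T10:03:40 10.20.0.15 198.51.100.77:80 tcp",
    "2014-12-19T10:04:00 10.30.0.9 198.51.100.77:80 tcp",
]
```

The rendered rules drop and log any other outbound flow from the segment, which is the "black hole" the comment describes, and the logged drops are the detection signal.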
Re: (Score:3)
> Otherwise it's potentially just a matter of inserting a tiny reprogrammable USB stick when there are few cashiers on and the cashier who is on isn't looking for a few seconds (i.e. two people walking into a Staples store can pull this off really easily).
Indeed, so much this.
I've seen open USB ports on all sorts of POS terminals and it just boggles my mind, especially because I've been in industrial environments in small companies where hot-gluing USB ports shut is a matter of course.
You can buy a USB flash dri
Re: (Score:3)
There should be more isolation, yep. When I handled POS the terminals had no local storage at all, they were network booted from images on the site server and the LAN they were on had no outside access at all. The site servers were on our own wide-area network that connected them to corporate, and there were only two network segments (Development and Support) that could connect to the site servers (sites couldn't even connect to each other). Access to the Dev and Support networks from the rest of the compan
Re: (Score:2)
So Cory did it?
Re: (Score:2)
It doesn't help that most POS systems that I've recently used at fast food restaurants still run unpatched copies of Windows XP and often have other unpatched systems sitting on the same network switch with them.
That's a PCI compliance violation, by the way, but they never bother to fix it until they fail an audit. The store owners are just too busy slinging fries to learn about IT security or even give a damn about their systems unless they are completely down.
So, yeah, pay cash for your fast food unless y
Let's just post all of our cards on line now (Score:2)
Besides, they can't use all of them.
No one will care about retailer hacks until (Score:2)
Someone hacks a pharmacy chain. Credit card and medical info? Jackpot.
No, they will not (Score:2)
Comment removed (Score:5, Informative)
Re: (Score:3)
Well, the Indian coders are paid less than $10K / year back in India. All it takes is somebody from China, Russia, North Korea, Venezuela, Iran, etc. to offer just ONE of them
Re: (Score:2)
Re: (Score:2)
However, I DO know that they can be held personally liable.
Windows and outsourced again (Score:2)
When will managers learn to think?
Re: (Score:2)
Remember you still have to use a Staples Rewards card to avoid being overcharged with cash.
Internal vs POS (Score:1)
I don't live in the US but I visited last year. I made a purchase at Target (not Staples, I know) and was shocked when the clerk did two things with my CC: they first ran the card through the in-house POS computer. And then put the card in the hand-held bank issued (I assume) POS device to conduct the sale. I asked her why she ran it through the in-house computer and of course was told that it was "policy" and that's how it works. Don't worry, I didn't have a pointless argument with the sales clerk.
But this
Whitelist based operating system? (Score:2)
Windows at a POS gives the employees of an empty store a lot of entertainment options, but it also causes problems when malware gets bundled with the hot new app of the moment. So, it looks like Staples should invest in a new POS system that is better locked-down. If malware is showing up on your task lists, you at least need a format and reinstall to be sure you're safe.