Cyber attacks on the rise as credit, debit card numbers become commodities

by Claudia Buck, Sacramento Bee

It’s a sad fact of modern American consumer life. Every time we swipe a piece of plastic at a gas station, grocery store or anywhere else, we’re vulnerable to cyber pickpockets.

That reality hit Sacramento earlier this month when the Raley’s grocery chain said it had been the victim of a cyber attack targeting customers’ credit and debit card numbers. The attack, which was reported to the FBI, is just one bite of a growing problem: Increasingly, credit and debit card numbers have become commodities sold by cyber thieves who harvest them from banks, businesses, restaurants and retailers.

“The sophistication of these attacks is unprecedented,” said G. Mark Hardy, president of National Security Corp., a Tampa-based cyber security consulting firm.

Last year, targeted attacks on businesses jumped 42 percent, according to Symantec, the Mountain View-based security software firm. Attacks spiked 31 percent among companies with fewer than 250 employees.

In recent years, restaurants like Paul Martin’s American Bistro and even the city of Sacramento have had their computer systems hacked or compromised.

It’s part of a shift from mass attacks by computer viruses, worms and other cyberthreats to more pinpointed, targeted infiltrations, say online security experts. The attackers, often located overseas, “find this method more effective because it allows them to fly under the radar and avoid drawing widespread attention to their malware,” said Brian Burch, vice president of consumer and small business marketing at Symantec, in an email.

Small businesses are frequently targeted because they often lack adequate security practices, said Burch. Additionally, because small firms often partner with bigger organizations, cybercriminals “sometimes use them to gain access to a larger company.”

Raley’s spokesman John Segale said forensic computer experts arrived “within hours” of the company being alerted to a possible security breach on May 30, and continue to investigate. The West Sacramento-based grocery chain also said it reported the incident to the FBI.

In an email, FBI spokeswoman Gina Swankie said the Sacramento office was aware of the Raley’s incident but could neither confirm nor deny that a formal investigation is under way.

For some Raley’s shoppers, the cyber attack was unnerving.

Longtime customer Pat Hoschler got a call June 3 from her financial institution, Schools Federal Credit Union, telling her that a suspicious $95 charge was made on her card in Atlanta. A second charge, for $125, was stopped by the credit union before it went through, she said.

The experience has made the Granite Bay resident nervous about swiping her debit card again.

“It gives me the creeps to think someone might be using my name and (debit) card information. I worry about it. I may not use my debit card anymore,” said Hoschler, who said she uses her debit card for Raley’s purchases several times a week.

Typically, the thieves who steal the data from retailers and other targets aren’t the ones who use it to rack up fraudulent charges. “There’s an underground ecosystem for the sale, transfer, purchase and exchange of stolen credit card and debit card information,” said security expert Hardy.

Total protection elusive

Investigations, arrests and convictions of cybercriminals are continual. Last week, federal prosecutors in New Jersey announced charges against eight members of an alleged international cyberring that hacked into the computers of major financial institutions and the U.S. military payroll service, attempting to steal at least $15 million from customer accounts.

In April, a Russian cybercrook was sentenced in Washington, D.C., to more than seven years in federal prison for trafficking in stolen credit and debit cards. When arrested, he was in possession of more than 2.5 million stolen credit and debit card numbers, according to the FBI.

Retailers like Raley’s that process credit card transactions must follow the industry’s safe-practices rules, known officially as the Payment Card Industry Data Security Standard. The so-called PCI guidelines require retailers who accept credit and debit cards to maintain a network firewall, replace vendor-supplied default passwords with strong ones, protect any cardholder data they store and take other precautions.

Retailers who don’t comply face fines of up to $100,000 per month and can be held financially responsible for fraud investigations and compensation to victims.

Raley’s said it recently passed its PCI audit.

Unfortunately, said Hardy, retailers can do all the right things but still get attacked.

“It’s like wearing your seat belt, putting your kid in a car seat and having air bags in your car,” said Hardy. “You can still be hit by someone driving through a red light.”

Under PCI standards, retailers may not retain a card’s PIN, the three- or four-digit security code printed on the card, or the full contents of the magnetic stripe once a transaction has been authorized. The point-of-sale software must discard that data rather than write it to a database or a log file, even in encrypted form.

Companies can, however, keep a cardholder’s name, account number and expiration date, such as when they ask your permission to retain the card for automatic payments, subscriptions and the like. A stored account number must be rendered unreadable (encrypted, truncated, tokenized or strongly hashed), and no more than the first six and last four digits may be displayed.
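The two rules above are easiest to see in code. The following is an added example written for this article, not Raley’s software or anything published by the PCI Security Standards Council: a small point-of-sale routine that builds the only record allowed to persist from a card swipe, plus a log scanner that checks whether forbidden data slipped through anyway. The track layout follows ISO/IEC 7813; the card (the Visa test number 4111 1111 1111 1111), the key and the log lines are all constructed for the example.

```python
"""Added example (not Raley's code, nor from the PCI Council): keep only what
PCI DSS allows from a card swipe, and scan logs for what should not be there.
Card data, key and log lines are constructed for the example."""
import hashlib
import hmac
import re

# Track 1 layout per ISO/IEC 7813:
#   %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# The discretionary data carries CVV1/PVV material, which is sensitive
# authentication data and may never be stored after authorization.
TRACK1_BODY = (r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^"
               r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")
TRACK1_RE = re.compile("^" + TRACK1_BODY + "$")
TRACK1_SCAN_RE = re.compile(TRACK1_BODY)
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit; filters random digit runs out of PAN hunting."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits showing at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash so the stored reference is unreadable (PCI DSS req. 3.4).
    An unkeyed SHA-256 of a PAN is not enough: with the issuer prefix known,
    the remaining digits are brute-forceable, so the key belongs in an HSM/KMS."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def record_for_storage(track1: str, key: bytes) -> dict:
    """Build the only record that may persist. Service code, discretionary
    data and the raw track are dropped here, so they never reach a database,
    a log file or a crash dump."""
    m = TRACK1_RE.match(track1)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("not a valid track 1 record")
    return {
        "name": m["name"],
        "pan_masked": mask_pan(m["pan"]),
        "pan_token": pan_token(m["pan"], key),
        "expiry": m["exp"],
    }


def find_card_data(text: str) -> list:
    """Flag full track data or Luhn-valid PANs in a string (log line, DB dump).
    Findings are masked so the alert itself does not become a leak."""
    findings = [("track1", mask_pan(m["pan"])) for m in TRACK1_SCAN_RE.finditer(text)]
    findings += [("pan", mask_pan(m.group(0)))
                 for m in PAN_CANDIDATE_RE.finditer(text) if luhn_ok(m.group(0))]
    return findings


def scan_log(lines) -> list:
    """(line number, kind, masked value) for every violation found in a log."""
    return [(n, kind, val) for n, line in enumerate(lines, 1)
            for kind, val in find_card_data(line)]


# Constructed sample input: synthetic test card, throwaway key, made-up log lines.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^15121011234567890123?"
SAMPLE_KEY = b"replace-with-key-from-HSM"
SAMPLE_LOG = [
    "2013-06-03 12:01:05 POS07 sale amount=95.00 pan=411111******1111 auth=OK",
    "2013-06-03 12:01:05 POS07 debug track1=" + SAMPLE_TRACK1,
    "2013-06-03 12:02:11 POS07 sale amount=125.00 pan=4111111111111111 auth=DECLINED",
    "2013-06-03 12:03:00 POS07 order id=1234567890123456 status=ok",
]

if __name__ == "__main__":
    print(record_for_storage(SAMPLE_TRACK1, SAMPLE_KEY))
    for hit in scan_log(SAMPLE_LOG):
        print("violation:", hit)
```

Run against the constructed log, the scanner flags the debug line that echoed the whole magnetic stripe and the declined sale that logged a full account number, while the masked number on the first line and the 16-digit order id on the last (which fails the Luhn check) pass. A debug statement like the one on line 2 is exactly how sensitive stripe data ends up on disk in a system that otherwise "automatically deletes" it, which is why auditors grep logs and memory dumps for track patterns rather than taking the application's word for it.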

Source of attack unknown

While the PCI standards are considered a good starting point, there are additional layers of software and computer security precautions available, say computer security experts. Among them: Change the default passwords on point-of-sale terminals, network equipment and remote-access tools, since attackers try the vendor’s defaults first; keep the PCs that process card transactions off email and the open Web, so that an employee browsing at the register can’t unwittingly infect the payment system; and train cashiers to look for skimmers, the overlay devices thieves attach to card readers to copy the magnetic stripe.

Consultants like Hardy will conduct “penetration testing,” in which, with the business’s authorization, they attempt to break into its computer network the way an attacker would, to pinpoint weaknesses before a real intruder finds them.

Small businesses “need to come to grips with the fact that they could lose a lot more than just data,” said Robert Siciliano, online security expert for McAfee, in an email. “Their reputations are at stake, and their customers will lose confidence in their abilities to provide a safe haven for their data.”

In Raley’s case, the grocery chain announced June 6 that it was notified by a major credit card company that there was “questionable activity” connected to its computer network. Following that announcement, a number of Raley’s shoppers reported that their bank or credit union had alerted them to fraudulent charges on their credit cards.

The Raley’s investigation is ongoing and has yet to determine how or when the alleged attempt occurred, or how many customers may be affected. Segale said it does not appear that customers’ PINs or data used to create their “Something Extra” rewards card were accessed. He also noted that Raley’s doesn’t collect Social Security or driver’s license numbers, so identity theft is unlikely.

Without being specific, Segale said Raley’s has taken “a series of immediate steps to address this situation so our customers can have confidence in using their payment cards in any of our stores.”

He said the investigation is currently “a top priority” and the company is “sparing no expense” to uncover what happened.

Cybertheft can take many forms, from card readers physically attached to ATMs or gas pumps to “skim” account numbers, to more sophisticated thievery that breaks into a retailer’s network and copies card data in bulk as it passes through the payment system.

In 2012, computer security experts identified a new type of widespread targeting, known as a “watering-hole” attack. Rather than sending the victim a malicious email, the attacker notes which websites the people in a targeted group or organization visit regularly, compromises one of those sites and plants code there that silently installs malware on visitors’ computers, typically by exploiting a flaw in the browser or a plug-in. Anyone in the group who visits the site can be infected.

According to Symantec, one watering-hole attack last year infected 500 organizations in a single day.

For consumers, the best precaution is simple: Routinely check your monthly credit card and bank statements for suspicious charges.

“All that consumers can do is to pay close attention to their statements weekly and refute unauthorized charges ASAP, within 60 days as federal law (requires),” said McAfee’s Siciliano. Federal law limits what a consumer owes for fraudulent charges, but the rules differ by card: the Fair Credit Billing Act caps credit card liability at $50, while for debit cards the Electronic Fund Transfer Act ties the cap to how quickly the fraud is reported, and a consumer who waits more than 60 days after the statement can be liable for later unauthorized withdrawals. With a debit card the money has also already left the account, which is why promptly reporting a charge like Hoschler’s matters more for debit than for credit.

Ultimately, there’s one surefire defense: Cancel your card, and ask your bank to re-issue a new one. “In this situation,” said Hardy, “that’s probably the easiest, cheapest action an individual consumer can take.”