Payment card users at three Canadian stores of high-end retailer Saks Fifth Avenue may have been victimized in a huge data breach because of the way they used – or had to use – their cards in point-of-sale devices, says a security vendor who broke the news of the theft.
Dmitry Chorine, co-founder of New York City-based Gemini Advisory, which specializes in retrieving compromised data and brand monitoring, said he believes the Toronto-area outlets were among the Saks stores across North America that hadn’t yet updated their POS systems to accept credit and debit cards with EMV chips that encrypt owner data.
As a result, instead of inserting cards at the bottom of POS readers, where the chips can be read, customers in those stores swiped their cards, which exposes the unprotected data stored on the black magnetic stripes on the back of the cards.
That would explain why, among a sample of 125,000 records put on a dark web stolen card marketplace last week, the number of Canadian cards “is fairly small compared to the U.S. cards,” Chorine said in an interview Monday.
His company revealed – and Saks Canadian owner Hudson’s Bay Co. confirmed – the breach at Saks and partner retailer Lord & Taylor. Gemini said that on March 28 the JokerStash hacking syndicate (called by some researchers Fin7) announced it had 5 million stolen credit and debit cards for sale on its market. The 125,000 records, apparently published to show the bona fides of the thieves, came from that haul.
Gemini said that by working with unnamed financial organizations it “confirmed with a high degree of confidence” the compromised records came from the two retailers, mainly stores in New York and New Jersey. However, Chorine said that by analyzing the metadata in the posted records his firm believes three suburban Toronto-area Saks Canadian stores – in Mississauga, Pickering and Brampton – were also victimized. The card data suggests the theft started around May 2017.
Hudson’s Bay Co. said in a news release that it is aware of a “data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America.” There is no indication so far, it added, customer data was taken from its iconic Hudson’s Bay and Home Outfitters stores or online portals in Canada, or HBC Europe.
The retailer said there is no indication Social Security or Social Insurance numbers, driver’s license numbers, or PINs had been stolen.
Chorine said that from the records JokerStash posted it can’t be determined how the thieves got the data, only that it was likely through POS malware and probably from mag stripes. So far there is no malware that can read EMV chips, he said, so it’s “very unlikely” the gang was able to steal the information from a Hudson’s Bay database.
If the gang did, he added, “we are observing the first ever compromised data from EMV chips, and if that’s the case then it’s probably going to be the biggest hack of the century because so much invested in the technology and hope has been put into EMV chip I don’t think any financial or retail company is prepared to deal with it.”
Chorine said JokerStash runs one of the largest marketplaces for stolen credit cards. After watching the gang for over two years, Chorine said, his firm has learned it is operated by Russian-speaking persons, who could be from Russia or from states like Ukraine and Belarus where many speak that language. The gang also offers English-speaking support staff for international buyers on its marketplace.
The syndicate is believed to have been behind hacks at Whole Foods, Chipotle, Omni Hotels & Resorts and Trump Hotels.
The haul from Saks/Lord & Taylor was so big the gang announced it with the branding “Bigbadaboom-2.”
When criminals post stolen payment card data for sale they include metadata taken from the cards showing where they came from. Buyers want to know this so they can best monetize what they’re buying: if a card is from Toronto and is suddenly used by a criminal in Los Angeles, the card issuer will recognize the transaction as fraudulent and cancel the card. If a criminal uses the card locally, the odds of getting away with it are higher. That’s how Gemini determined the stolen card data in this haul included records from Canadian stores, Chorine said.
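The issuer-side check the paragraph refers to is usually implemented as a pair of geographic rules: a transaction far from the card’s home region, and an “impossible travel” jump between two consecutive transactions. The following is an added example (not code from the article or from any card issuer) that applies both rules to a constructed set of transactions; the city coordinates, the `HOMES` mapping, the 300 km home radius and the 900 km/h travel ceiling are assumptions chosen for illustration, and `score_transactions` is an assumed name.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass
class Tx:
    card_id: str
    when: datetime
    city: str
    lat: float
    lon: float
    amount: float


# Approximate city centres (constructed lookup for the example).
CITY = {
    "Toronto": (43.65, -79.38),
    "Mississauga": (43.59, -79.64),
    "Los Angeles": (34.05, -118.24),
}


def haversine_km(a, b) -> float:
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_transactions(txs, homes, max_kmh=900.0, home_radius_km=300.0) -> list:
    """Flag transactions that are far from the card's home region or that imply
    travel faster than max_kmh since the card's previous transaction."""
    alerts = []
    last = {}  # card_id -> most recent Tx seen so far
    for tx in sorted(txs, key=lambda t: t.when):
        reasons = []
        home = homes.get(tx.card_id)
        if home is not None:
            km_home = haversine_km(home, (tx.lat, tx.lon))
            if km_home > home_radius_km:
                reasons.append(f"{km_home:.0f} km from home region")
        prev = last.get(tx.card_id)
        if prev is not None:
            km = haversine_km((prev.lat, prev.lon), (tx.lat, tx.lon))
            # floor the gap at one minute so back-to-back swipes don't divide by zero
            hours = max((tx.when - prev.when).total_seconds() / 3600.0, 1 / 60)
            if km / hours > max_kmh:
                reasons.append(f"{km:.0f} km in {hours:.1f} h exceeds {max_kmh:.0f} km/h")
        if reasons:
            alerts.append({"card_id": tx.card_id, "city": tx.city,
                           "when": tx.when, "reasons": reasons})
        last[tx.card_id] = tx
    return alerts


# Constructed sample: card A is used around Toronto, then one hour later in LA.
HOMES = {"A": CITY["Toronto"], "B": CITY["Toronto"]}
SAMPLE_TXS = [
    Tx("A", datetime(2018, 3, 30, 10, 0), "Mississauga", *CITY["Mississauga"], 84.20),
    Tx("A", datetime(2018, 3, 30, 12, 0), "Toronto", *CITY["Toronto"], 12.75),
    Tx("A", datetime(2018, 3, 30, 13, 0), "Los Angeles", *CITY["Los Angeles"], 640.00),
    Tx("B", datetime(2018, 3, 30, 11, 0), "Toronto", *CITY["Toronto"], 31.10),
    Tx("B", datetime(2018, 3, 30, 15, 30), "Toronto", *CITY["Toronto"], 9.99),
]

if __name__ == "__main__":
    for alert in score_transactions(SAMPLE_TXS, HOMES):
        print(alert)
```

The Los Angeles transaction trips both rules, which is exactly why a buyer who uses a Toronto card in Toronto avoids them; it also shows why stores in the cardholder’s own area are the more valuable target for the criminal and why the home-region rule alone is not sufficient.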
As for what CISOs here should do to stop POS data thefts, Chorine said they have to make sure their systems accept EMV cards. Because chip-and-PIN cards were distributed here years before the U.S., the odds are that’s already done.
Second, security awareness training on two levels is vital. Sales staff have to be told to refuse to allow customers to swipe cards on POS readers. Sometimes, however, stores are to blame for data thefts, Chorine said. Because EMV transactions take longer to process, he’s seen high-volume businesses like restaurants tape over the bottom slot of a POS reader to force customers to swipe their cards.
In addition, because POS malware is often spread initially through malicious links or documents in email, staff have to be trained to watch for signs of compromised messages.
Another strategy would be to encourage customers to pay with smartphones equipped with Apple Pay or Google Pay apps, he added, rather than use a payment card.
James Lerud, head of the behavioral research team at security vendor Verodin, echoed the recommendation on refusing to allow customers to swipe payment cards. The financial industry does a great job detecting fraud, he said, but it is a last line of defence for consumers.
In a statement, Hudson’s Bay said it is setting up a call centre to handle customer queries. “The Company deeply regrets any inconvenience or concern this may cause,” the statement said. Once it has determined who might have been impacted, customers will be notified and offered free identity protection services, including credit and web monitoring. Meanwhile, Saks and Lord & Taylor customers should review their account statements and contact their card issuers immediately if they identify activity or transactions they don’t recognize.