Cost Plus Customers Compromised in Data Security Incident

Cost Plus World Market is another retailer where customers were unknowingly giving criminals access to their bank accounts when they made a purchase.

On July 22nd, the company announced that after a thorough investigation they learned the Electronic Funds Transfer devices (PIN pads) might have been compromised at eight Southern California stores by unauthorized third parties.

Since then three additional stores have been identified as being compromised.

The first hint of trouble was in June when two employees reported unauthorized transactions on their debit cards. By early July, the banks were reporting an unusual number of fraud accounts that had one thing in common—they had been used at Cost Plus.

I picked up this story in an article on SignonSanDiego.com published yesterday (08/22/08). The only other mention of it I could find was in a report by FOX News on 7/22/08.

Both the SignonSanDiego.com article and the official press release state that only debit and not credit cards have been reported compromised. Given that the hardware compromised accepts both credit and debit cards for payment, my humble guess is that credit card information might have been compromised, also. The reality is that you need both a card number and a PIN to get cash. The other reality is that card numbers can often be used without a PIN. My guess is that (at least so far) the crooks behind this were after fast cash.

Cost Plus is working with their payment card processors and the banks to identify customers who might have been compromised. They have also brought in an external data security vendor (Verizon Business/Cybertrust) to analyze their systems. PIN pads are being replaced in all their stores, nationwide.

Compromises involving PIN pads have become more frequent in recent years. Cases are now being seen even where the retailer was compliant with payment card industry security standards. Speculation is that the data is captured while it is being transmitted internally, before it is transmitted to a payment card processor. Once the internal system is compromised, the hackers use sniffer programs to gather all the information and a data compromise is born.

In the early reports of PIN pad compromises, the actual PIN pads were being replaced. The crooks would later come back in and retrieve the PIN pad to gather the payment card information, or pick it up via a wireless connection.


Article Author: Ed Dickson

Having worked around financial crimes for a number of years, I noticed they seemed to be on the rise. One reason for this is technology, which grows more rapidly than laws designed to protect us from it. …
