Wednesday, June 20, 2007
ChoicePoint Victims May Have Compensation Coming
The Federal Trade Commission has established a special web site addressing the settlement between ChoicePoint and the FTC. This pertains to a 2005 data breach in which 163,000 U.S. consumers may have had their personal data compromised.
The FTC is seeking out those consumers who were harmed so that they may be compensated. ChoicePoint agreed to pay a $10 million fine and created a $5 million victims fund. While the FTC is mailing claim forms to consumers who may have been affected, there can be many, many more than the 2,400 they believe they know about now.
Claims must be submitted by August 18, 2007.
Do you have a customer who was a victim in this data breach? Please ensure they are aware of this.
Claims forms in English and Spanish are available with more information from the special FTC page.
The Federal Trade Commission has established a special web site addressing the settlement between ChoicePoint and the FTC. This pertains to a 2005 data breach in which 163,000 U.S. consumers may have had their personal data compromised.
The FTC is seeking out those consumers who were harmed so that they may be compensated. ChoicePoint agreed to pay a $10 million fine and created a $5 million victims fund. While the FTC is mailing claim forms to consumers who may have been affected, there can be many, many more than the 2,400 they believe they know about now.
Claims must be submitted by August 18, 2007.
Do you have a customer who was a victim in this data breach? Please ensure they are aware of this.
Claims forms in English and Spanish are available with more information from the special FTC page.
Tuesday, June 05, 2007
Swipe Your Card, Swipe Your Identity
What do California, Florida, Massachusetts, Nevada, Pennsylvania, and Rhode Island have in common? A similar fraud has happened in each state, though we don't know that they're all related. This is a new twist on skimming at a POS reader.
You've heard of skimming where a second magnetic stripe reader is installed and the PIN is gained by shoulder surfing or via a hidden camera. And you may have read about a large data breach where the POS terminals transmitted the PIN with the stripe data for magnetic storage on a server which was later accessed and used. These two security components, the mag stripe and PIN, are not supposed to be stored together because that is the lock and the key, to the bank accounts associated with the card.
A stand alone ATM would be a good target for a skimming fraud because it can be accessed by the criminal easily and generally without being questioned. In-store machines are more conspicuous and are seen continually by those in the store. They should be safer, unless a store employee is part of the fraud. But now we have a new scenario.
In Rhode Island the fraudsters went into a Stop & Shop grocery store late at night when employee staffing was minimal. One person distracted the employee by looking for assistance in getting a product on a distant aisle while the second person went to an inactive register and replaced the POS keypad. The replacement has an extra circuit board or storage device that saves the mag stripe data and the PIN of all those who use it. The device works normally for the store, properly reading and processing transactions. But it also now saves the data unbeknownst to the store or the customer. This means that the "security" often assumed because of the devices location is theoretical at best. This is also done with gas pump readers. The fraudsters return at a later time and either switch the devices back or just rip out theirs and run.
While authorities in California, Florida, Massachusetts, Pennsylvania, and Rhode Island estimate losses at $100,000 each, Las Vegas police believe millions of dollars may have been taken. The Las Vegas police have not made any arrests yet. The Rhode Island police have been more successful. When investigators discovered replaced keypads at the Shop & Shop grocery stores in Bristol, Coventry, Cranston, Providence, and Warwick, Rhode Island, and in Seekonk, Massachusetts, they waited for the fraudsters to return. The Coventry police and Rhode Island State Police worked with the Secret Service in arresting four suspects from California.
What do California, Florida, Massachusetts, Nevada, Pennsylvania, and Rhode Island have in common? A similar fraud has happened in each state, though we don't know that they're all related. This is a new twist on skimming at a POS reader.
You've heard of skimming where a second magnetic stripe reader is installed and the PIN is gained by shoulder surfing or via a hidden camera. And you may have read about a large data breach where the POS terminals transmitted the PIN with the stripe data for magnetic storage on a server which was later accessed and used. These two security components, the mag stripe and PIN, are not supposed to be stored together because that is the lock and the key, to the bank accounts associated with the card.
A stand alone ATM would be a good target for a skimming fraud because it can be accessed by the criminal easily and generally without being questioned. In-store machines are more conspicuous and are seen continually by those in the store. They should be safer, unless a store employee is part of the fraud. But now we have a new scenario.
In Rhode Island the fraudsters went into a Stop & Shop grocery store late at night when employee staffing was minimal. One person distracted the employee by looking for assistance in getting a product on a distant aisle while the second person went to an inactive register and replaced the POS keypad. The replacement has an extra circuit board or storage device that saves the mag stripe data and the PIN of all those who use it. The device works normally for the store, properly reading and processing transactions. But it also now saves the data unbeknownst to the store or the customer. This means that the "security" often assumed because of the devices location is theoretical at best. This is also done with gas pump readers. The fraudsters return at a later time and either switch the devices back or just rip out theirs and run.
While authorities in California, Florida, Massachusetts, Pennsylvania, and Rhode Island estimate losses at $100,000 each, Las Vegas police believe millions of dollars may have been taken. The Las Vegas police have not made any arrests yet. The Rhode Island police have been more successful. When investigators discovered replaced keypads at the Shop & Shop grocery stores in Bristol, Coventry, Cranston, Providence, and Warwick, Rhode Island, and in Seekonk, Massachusetts, they waited for the fraudsters to return. The Coventry police and Rhode Island State Police worked with the Secret Service in arresting four suspects from California.
