Hackers stole credit card data from Buckle stores

Xavier Trudeau
June 19, 2017

It's unclear exactly how many cardholders may have been affected, but credit cards used at the store between October 28, 2016 and April 14 of this year could have been hacked.

On Friday morning, KrebsOnSecurity contacted The Buckle after receiving multiple tips from sources in the financial industry about a pattern of fraud on customer credit and debit cards which suggested a breach of point-of-sale systems at Buckle stores across the country.

"All Buckle stores had EMV (chip card) technology enabled during the time that the incident occurred", Buckle revealed on Friday.

Virtually every other country that has made the jump to chip-based cards saw fraud trends shifting from card-present to card-not-present (online, phone) fraud as it became harder for thieves to counterfeit physical credit cards.

The malware copied account data stored on the magnetic stripe on payment cards such as cardholder names, card numbers and expiration dates.

"Armed with that information, thieves can clone the cards and use them to buy high-priced merchandise from electronics stores and big box retailers", security blog KrebsOnSecurity, which first reported the breach, wrote. The company disclosed the breach less than 24 hours later.

"The trouble is that not all banks have issued chip-enabled cards, which are far more expensive and hard for thieves to counterfeit", KrebsOnSecurity explains. As part of Buckle's response, connections between Buckle's network and potentially malicious external IP addresses were blocked, potentially compromised systems were isolated, and malware-related files residing on Buckle's systems were eradicated.

Buckle advised customers to monitor their payment card statements for any suspicious, unauthorised activity and report any such cases to their bank or credit card company. Visa has said it typically took about three years after the liability shifts in other countries before 90% of payment card transactions were "chip-on-chip", or generated by a chip card used at a chip-based terminal. "We are cooperating fully with card brands and forensic investigation services".
