Payment Breaches Reveal Preventative Security Controls 'Are Not Enough'

Officials expect much of the stolen information to be used in phishing scams in the future.

Recent data breaches have potentially exposed tens of millions of payment cardholders’ personal information. Security experts have seen the early signs that this information is already being sold in the digital criminal underground.

Alfred Ng of CNET reported that LiveRamp, a major Facebook data partner, suffered a cybersecurity incident in October 2019, in which hackers commandeered the personal account of a LiveRamp employee and used it to access the company’s business manager account – allowing fraudsters to run ads using other people’s money.

CNET pointed out that when hackers take over a single account belonging to one of Facebook’s biggest data partners, the result can be a widespread campaign that could lead to thousands of dollars lost and a huge number of credit card numbers stolen.

Hackers target the core of Facebook’s territory, its advertisers, knowing the same tools marketers use on the social network could effectively scam people as well. In December, for example, Facebook filed a lawsuit against a Chinese ad company in which Facebook’s lawyers alleged the hackers took over other people’s ad accounts through malware on browser extensions. They then spent at least $4 million with those accounts’ credit cards for fraudulent products between 2016 and 2019.

Jason Kent, hacker-in-residence at the Sunnyvale, Calif.-based Cequence Security, said, “The criminal organization is getting premium ad services for free and using them to advertise fake websites that in turn, just collect credit card data. That is the end goal of this type of fraud, more credit card numbers.” Kent added, “Hacking into an ad network or partner that spends huge money on ads allows the criminals to target demographics, regions and specific people with ads that would normally be very expensive.”

In another incident, Zack Whittaker of TechCrunch reported that Cornerstone Payment Systems, an independent sales organization in the merchant processing industry, had left a database containing 6.7 million customer payment transaction records unprotected since 2013.

Security researcher Anurag Sen found the database. A review of a portion of it showed that each record contained names, email addresses and, in many cases, postal addresses. Each record also had the name of the merchant paid, the card type, the last four digits of the card number and its expiration date.

“This is an example of the importance of auditing permissions on databases and all internet accessible services,” Erich Kron, security awareness advocate at the Tampa, Fla.-based KnowBe4, said. “While the data included in this database was limited to fairly low value information, enterprising cybercriminals can still use it against their victims.”

Kron suggested that almost any type of information is usable in social engineering or phishing attacks, where it lends legitimacy to a message by citing details the victim would not expect bad actors to know. “For example, data from this breach could be used in a phishing attack. The email could read, ‘Thank you for your contribution of $500 last fall, we wanted to say thank you with this gift.’ and send them a link to an infected website.”

Meanwhile, Brian Krebs, in his KrebsOnSecurity blog, reported a major aftershock from fuel and convenience store chain Wawa’s revelation in late December 2019 that a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide.

“Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground’s most popular crime shops,” Krebs said. On the evening of Monday, Jan. 27, a popular fraud marketplace known as Joker’s Stash began selling card data from “a new huge nationwide breach” that purportedly included more than 30 million card accounts issued by thousands of financial institutions across 40-plus U.S. states and more than one million global customers.

Wawa said in a statement that the company’s card payment processor will be on heightened alert for fraudulent activity, and acknowledged the data’s appearance on Joker’s Stash. It also encouraged affected customers to review their financial charges and report unauthorized transactions to their financial institution immediately.

On Dec. 19, 2019, the Pennsylvania-based Wawa sent an announcement to patrons saying that on Dec. 10 the company discovered card-stealing malware that had been installed around March 4 on in-store payment processing systems and fuel dispensers at potentially all Wawa locations. The exposed information included debit and credit card numbers, expiration dates and cardholder names. Wawa said the breach did not expose PINs or CVV records.

Wawa customers filed a federal lawsuit against Wawa, claiming the company was negligent and should have taken more aggressive steps to protect card information. CU Times reported in mid-January that First Choice Federal Credit Union filed a class-action lawsuit against Wawa and is seeking damages related to the data security breach.

Kevin Watson, CEO at the St. Louis-based Netsurion, said, “This data breach goes to show the tried-and-true POS intrusion for the sake of selling stolen credit card data has not gone out of style for hackers. The thing is that all businesses, especially multi-unit POS environments like Wawa, need to invest not only in preventative security controls, but more so in detection and response security controls.” Watson maintained there is no debate that perfect prevention is not practical. “So, while basic preventative controls like anti-virus and managed firewalls are foundational, they are not enough.”