Chinese PAX payment terminal manufacturer raided by FBI in Florida

PAX Technology Warehouse in Jacksonville Florida was the subject of a search and investigation October 26, 2021 by the Federal Bureau of Investigation, the Department of Homeland Security, and several other agencies. PAX is a Chinese credit card terminal provider that significantly grew it’s global reach, including the US, during the transition to EMV chip terminals.

Brian Krebs, a cybersecurity investigative journalist, reported a major US payment processor noticed that PAX terminals were being used both as a malware “dropper” — a repository for malicious files — and as “command-and-control” locations for staging attacks and collecting information. Something didn’t add up and PAX didn’t give any good answers.

FBI Statement: “The FBI Jacksonville Division, in partnership with Homeland Security Investigations, Customs and Border Protection, Department of Commerce, and Naval Criminal Investigative Services, and with the support of the Jacksonville Sheriff’s Office, is executing a court-authorized search at this location in furtherance of a federal investigation. We are not aware of any physical threat to the surrounding community related to this search. The investigation remains active and ongoing and no additional information can be confirmed at this time.”

US vendors in the payments ecosystem were quick to respond. The sale and installation of PAX terminals has already been prohibited by some.

Fresno Woman Pleads Guilty to Committing $100,000 in Credit Card Fraud

FRESNO, Calif. — Alena Nicole George, 43, of Fresno, pleaded guilty today to access device fraud, Acting U.S. Attorney Phillip A. Talbert announced.

According to court documents, from February through April 2019, George used a credit card that was fraudulently opened in the identity of a victim with a name similar to her own name to make $100,000 in purchases at national retailers and cash advances at a national bank.

This case is the product of an investigation by the Federal Bureau of Investigation and the U.S. Postal Inspection Service. Assistant U.S. Attorneys Vincente Tennerelli and Joseph Barton are prosecuting the case.

George is scheduled to be sentenced by U.S. District Judge Dale A. Drozd on Jan. 21, 2022. George faces a maximum statutory penalty of 10 years in prison and a $250,000 fine. The actual sentence, however, will be determined at the discretion of the court after consideration of any applicable statutory factors and the Federal Sentencing Guidelines, which take into account a number of variables.

https://www.justice.gov/usao-edca/pr/fresno-woman-pleads-guilty-committing-100000-credit-card-fraud

U.S. data breaches Q3 2021

Identity Theft Resource Center to Share Latest Data Breach Analysis with U.S. Senate Commerce Committee; Number of Data Breaches in 2021 Surpasses all of 2020

The number of data breach victims dramatically increased in Q3 2021 due to a series of data exposures during the quarter 

SAN DIEGO, October 6, 2021 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime, released its U.S. data breach findings for the third quarter?(Q3)?of 2021. According to the data breach analysis,?the number of data breaches publicly-reported in the U.S. decreased nine (9) percent in Q3 2021 (446 breaches) compared to Q2 2021 (491 breaches). However, the number of data breaches through September 30, 2021 has exceeded the total number of events in Full-Year (FY) 2020 by 17 percent (1,291 breaches in 2021 compared to 1,108 breaches in 2020). The trendline continues to point to a record-breaking year for data compromises (the all-time high of 1,529 breaches was set in 2017). 

For Q3 2021, the number of data compromise victims (160 million) is higher than Q1 and Q2 2021 combined (121 million). The dramatic rise in victims is primarily due to a series of unsecured cloud databases, not data breaches. Also, the total number of cyberattack-related data compromises year-to-date (YTD) is up 27 percent compared to FY 2020. Phishing and Ransomware continue to be, far and away, the primary attack vectors. 

Download the ITRC’s 2021 Q3 Data Breach Analysis and Key Takeaways 

“While the total number of data breaches dropped slightly in Q3, we are only 238 data breaches away from tying the all-time record for data compromises in a single year,” said Eva Velasquez, President and CEO of the Identity Theft Resource Center. “It’s also interesting to note that the 1,111 data breaches from cyberattacks so far this year exceeds the total number of data compromises from all causes in 2020. Everyone needs to continue to practice good cyber-hygiene to protect themselves and their loved ones as these crimes continue to increase.” 

Other findings in the analysis include: 

  • There have been no publicly-reported data breaches to date in 2021 attributed to payment card skimming services.  
  • Some organizations and state agencies are not including specifics about data compromises or reporting them on a timely basis. One state has not posted a data breach notice since September 2020. 

Enhancing Data Security – U.S. Senate Committee Hearing – Oct. 6, 2021

The ITRC will testify before the U.S. Senate Committee on Commerce, Science & Transportation today to present the findings from our Q3 Data Breach Analysis. Watch the hearing on enhancing data security live at 10 a.m. EST/7 a.m. PST.  ITRC COO, James E. Lee, issued a written statement for the record as part of a hearing with the U.S. Senate Committee. 

For more information about recent data breaches, or?the increase in the number of?data breaches discussed in?the?latest?trend analysis, consumers and businesses should visit the ITRC’s data breach tracking tool,?notified.??? 

Anyone?can receive free support and guidance from a knowledgeable live-advisor by calling 888.400.5530 or visiting ?www.idtheftcenter.org to live-chat.?? 

About the Identity Theft Resource Center

Founded in 1999, the Identity Theft Resource Center® (ITRC)?is a?national?nonprofit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime.?Through public and private support, the ITRC provides no-cost victim assistance and consumer education through?its website?live-chat?idtheftcenter.org?and?toll-free phone number 888.400.5530.?The ITRC also?equips?consumers and businesses?with?information about recent data breaches through its data breach tracking tool,?notified.?The ITRC offers help to specific?populations, including?the?deaf/hard of?hearing and?blind/low?vision?communities.? 

What is carding and how can merchants mitigate risk?

Ecommerce merchants have been hit by credit card carding attacks by fraudsters for years. There’s tons of cardholder data on the dark web and even DIY instructions on how to commit fraud. With EMV implemented in retail, and the fast growth of ecommerce due to Coronavirus, carding is a serious risk for merchants for both attempted and successful transactions.

What is carding?

Carding, also known as credit card stuffing or card verification, is a web security threat where unauthorized people (carders or attackers) use multiple software tools, primarily bots, to attempt to verify if a debit or credit card is good. A typical bot attack will incur thousands of attempted authorizations. Bots do not typically seek a particular site, just opportunities to exploit a weakness.

What are the costly repercussions of carding attacks?

The merchant is dealt with several financial blows:

  • Attempted transactions will incur a payment gateway fee.
  • Attempted transactions may incur a merchant account authorization fee if the gateway didn’t kill before getting to the acquirer. This can happen if the gateway supports a rules based decision making.
  • Completed transaction fraud whereby the product was shipped to the fraudster because the card was approved.
  • Chargeback fees can be initiated by the issuer or the cardholder. If the merchant is not using 3-D Secure, they will surely be out of luck.

How can merchants mitigate risk of bot attacks?

A key first line of defense is preventing the bot initiating an exchange with payment gateway. For example, reCAPTCHA is a free developer tool from Google to protect your web site from abuse. reCAPTCHA v3 returns a score for each request without user friction, which means if it passes, the user can check out. Have you ever had to go through multiple screen challenges to identify the sidewalks or traffic lights? reCAPTCHA v3 is different from older versions. The score is based on interactions with your site and enables you to take an appropriate action for your site automatically. For more information click here for Google reCAPTCHA.

Note, PCI DSS V 3.2.1 Requirement 6: Develop and maintain secure systems and applications. this section includes web sites. Visa cites using Velocity tools specifically in their ecommerce guidance for merchants. For example, a fraud mitigation velocity tool might automatically manage attempted transactions based upon number of attempts from same IP address or other duplicate data within a specific timeframe. Note, fraudsters have gotten smarter and bot attacks are not as simplistic to detect as just a few years ago. For this reason, the use of AI and other tools is growing, especially for larger merchants.

Call Christine Speedy, for simple solutions to card not present payment transaction problems, 954-942-0483, 9-5 ET. Christine is Founder of 3D Merchant Services, PCI Council Qualfied Integrator Reseller (QIR), and is a credit card processing expert with specialized expertise in card not present and B2B payment processing technology. Less than 1% of all merchant services sales representatives are QIR certified. Christine is an authorized independent sales agent for a variety of merchant services and payment technology solutions.

Massive Travel Industry Data Leak

Prestige Software’s main product Cloud Hospitality, the channel management software to the travel industries biggest consumer buying web sites, including Expedia, Hotels.com, and booking.com left data exposed for over 10 million log files, dating all the way back to 2013. At the November 6, 2020 breaking news, it was not yet known whether the data left open on a server was stolen or not. However, we know that criminals run scripts looking for data all the time so it won’t be a surprise if there was a breach.

A channel manager is used to manage bookings across multiple webs sites, including hotels and restaurants. For example with vacancy management, if there is one room left and someone buys it on booking.com, it will show unavailable on hotels.com. With millions of records exposed around the globe, there is sure to be fall out.

Because both personal and credit card data was exposed, I recommend consumers change their travel web site passwords, email passwords, and keep an on on credit card usage or set up alerts.

The data contained full card data and the security code. It’s a PCI Compliance and card network violation to store sensitive cardholder data, therefore, they could lose the ability to store, transmit, and handle all credit card data. While the booking platforms did not expose the data, there is certainly a weakness. For more information from the team that broke the news, see https://www.websiteplanet.com/blog/prestige-soft-breach-report/.

This incident demonstrates your security is only as good as your weakest link. What actions have you taken to remediate deletion of old records both paper and digital? What about your partners? I know of multiple solutions providers that enable merchants to create their own digital credit card authorization forms. This form is then reviewed or downloaded by an employee, with card data key entered then into some other system by the employee. There are so many things wrong with this, including the signature is not even a valid form of defense for card not present. 3-D Secure is the way to go.

  1. If your company uses a 3rd party for billing and or collections, ask questions.
  2. If you’re not using updated tools to keep card numbers out of employee hands, hardware and software, you’re at risk.
  3. Remember, if cardholder data can be decrypted and viewed, you’re at risk.
  4. If you can see the full card number and security code after authorization, that is not compliant.

Contact me for a FREE checkup for common problems IT and security professionals might miss.

If your company has card data that can be retrieved and viewed, you’re at risk too. I fix that.

Christine Speedy, Founder 3D Merchant Services, QIR certified, is a credit card processing expert with specialized expertise in card not present and B2B payment processing technology. Less than 1% of all merchant services sales representatives are QIR certified by the PCI Council. Christine is an authorized independent sales agent for a variety of merchant services and payment technology solutions.