Everything is hacked ... eventually

a_skeleton_03 said:

So it seems to happen all the time but this time it was done to someplace dear and close to me.

Chipotle says hackers stole payment card info in data breach

If someone was to search my name in that I would be in there an embarrassing amount of times. I ate at Chipotle in Germany for Thanksgiving one year. It was the first Chipotle opened there and it was the first week of it being open. Also to be fair we spent the night before in a legit castle and they served us a breakfast for kings.

I read this article every month probably at least once and it reminds me of how really unsecure the internet is as a whole.

Everything Is Broken – The Message – Medium

Click to expand...

Awesome and compensation for customers affected... zero.

This is going to be the new response 'sorry guys but what can you do?'

Also, let's stop calling 'installing malware' hacking. I would bet three burritos and a fake copy of my credit card it was an inside person with access to some part of the PoS system that allowed access or installed it directly.

Palum said:

Awesome and compensation for customers affected... zero.

This is going to be the new response 'sorry guys but what can you do?'

Also, let's stop calling 'installing malware' hacking. I would bet three burritos and a fake copy of my credit card it was an inside person with access to some part of the PoS system that allowed access or installed it directly.

Click to expand...

Cant, because then Podesta would no longer have been HACKED BY THE RUSSIANS - and would be labeled as the truth, dumbass clicked clickbait fakeemail and entered his password.

So the MSM keeps on with everything is a HACK LEET HAXXORRR!!!!

Palum said:

Awesome and compensation for customers affected... zero.

This is going to be the new response 'sorry guys but what can you do?'

Also, let's stop calling 'installing malware' hacking. I would bet three burritos and a fake copy of my credit card it was an inside person with access to some part of the PoS system that allowed access or installed it directly.

Click to expand...

These stupid fuckers leave their unpatched Window XP Embedded POS systems accessible to the internet. There's no need for conspiracy, there's enough need for IT and lack of talent/ability/care to go around and explain these hacks.

This is exactly what hacking is. Find the vulnerability, use it.

Kiroy said:

We don't eat there often but we just barely dodged that window of time. I do love that they aren't even going to contact affected customers. With the news cycle though, putting your head in the sand is probably the best strategy. People will likely forget in a day or two when starbucks releases another Fagboy Sugar Shake or Trump opens his first concentration camp.

Click to expand...

Earlier this year I had a CC that was less than 3 weeks old and had only been used at 4 places get hit with $1000 in fraud charges from SJW type stores( skinny jean stores in Cali, candy shops and such ).
It had been used to pay the electric bill, and 3 fast food places. The items frauded were sent to IL and I live in KY.
Naturally it didn't cost me a dime other than some time to sort out but it still remains a mystery how that info was even obtained on the card. They had the security code and everything but not the right phone number or address.
I just assumed tyen did it.

On a serious note though I've noticed all my CC/bank institutions now tell you to log out and restart your browser on every visit. Makes me think some of these breeches are carrying over in cookies or browser information somehow.

chaos said:

These stupid fuckers leave their unpatched Window XP Embedded POS systems accessible to the internet. There's no need for conspiracy, there's enough need for IT and lack of talent/ability/care to go around and explain these hacks.

This is exactly what hacking is. Find the vulnerability, use it.

Click to expand...

Yea but which of the last ones have had an outside attacker do this? I can't think of a single one.

Kiroy said:

I believe that if Chipotle wasn't using chip readers they are on the hook for any fraud instead of the banks. Could honestly get interesting if that was the case.

Click to expand...

I still have a few cards which I was issued new ones of this year without chips in them. Most of them have carried over though.
Most fraud takes place online where all you need is a few details to use a card. Some don't even verify billing information or allow shipping different than billing.
Massive overhaul of how transactions work virtually need to take place.
Worse is when fraud does occur even your own institutions don't seem to care. I tried without much success to get info on the addresses and number used in my case to try and figure out how the fraud took place.
They didn't seem to care to get IP's, address the items were sent to and/or names used.
Was told likely someone with a rfid reader had scanned my wallet or that one of the people in the drive thrus had sold that information elsewhere.
2 of those 3 fast food stops I remember them having my card a lengthy amount of time, >1 minute which would have been plenty to photo the front and back.

All in all it was shitty because I wanted the person caught but the bank just issued immediate funds to cover the charges and said don't worry about it. I mean wtf, stop letting these people get away with it.

Kiroy said:

I believe that if Chipotle wasn't using chip readers they are on the hook for any fraud instead of the banks. Could honestly get interesting if that was the case.

Click to expand...

That's not what the liability shift means. It means that they are liable for charges if they accept non-chip payment, not that they are liable for losses associated with a breach. So if i I steal your card and use it at Chipotle and they accept it, they are liable for that charge. But if Chipotle gets hacked and loses all the cards, they are not liable for all of those associated charges.

Olebass said:

Earlier this year I had a CC that was less than 3 weeks old and had only been used at 4 places get hit with $1000 in fraud charges from SJW type stores( skinny jean stores in Cali, candy shops and such ).
It had been used to pay the electric bill, and 3 fast food places. The items frauded were sent to IL and I live in KY.
Naturally it didn't cost me a dime other than some time to sort out but it still remains a mystery how that info was even obtained on the card. They had the security code and everything but not the right phone number or address.
I just assumed tyen did it.

On a serious note though I've noticed all my CC/bank institutions now tell you to log out and restart your browser on every visit. Makes me think some of these breeches are carrying over in cookies or browser information somehow.

Click to expand...

I had a card that got stolen about two months ago. Not the card, but the number. All the charges were rejected and it wasn't really a hassle (besides having to call the bank and ask wtf was going on... which, not really a hassle). But it was weird. The charges were all over the place and obviously, stupidly fradulent. These guys were trying $2.00 credit charges to places in China. LOTS of them.

I guess policies vary and they were just trying to suss out the tolerances of automated fraud detection. But that had to have told them exactly nothing. First off -- China. Second off.. dozens of two dollar charges all within about an hour of each other.

It's a good thing that most criminals seem to be idiots.

Palum said:

Yea but which of the last ones have had an outside attacker do this? I can't think of a single one.

Click to expand...

The major ones I can think of off the top of my head (TJ Max, Home Depot, Target, Wendy's, Ashley Madison, T-Mobile, etc) were all outside attackers.

Kiroy said:

So the banks are still liable overall for fraud stemming from this fuck up? I don't see that precedence lasting long moving into the future where this type of thing is more frequent.

As a retailer our POS system is completely separate from our actual card swiper. Our swiper just flat out goes strait through to our merchant services (we give our customers two receipts because of this). I can't imagine having the card swipe actually go through a system that's attached to a PC. I didn't even think that was possible.

Click to expand...

From what I understand, liability shift isn't even a law, it's just part of the EMV shit that (could be wrong, not my particular rodeo) is enforced as part of the agreement between the merchant and the card companies, but separate from PCI I think.

Yeah, XP embedded is still huge in merchants. Fucking unreal. Shit, MS still supports it.

We need a law, but our government is so dysfunctional that even if they did it they'd probably fuck it up. We're probably better off.

chaos said:

The major ones I can think of off the top of my head (TJ Max, Home Depot, Target, Wendy's, Ashley Madison, T-Mobile, etc) were all outside attackers.

Click to expand...

Target = attackers 'stole' credentials from a vendor.
Home Depot = attackers 'stole' credentials from a vendor.

I'm not saying there was no hacking involved in any of these but you can't ever make anything secure when you are letting randos have access to payment processing systems.

Palum said:

Target = attackers 'stole' credentials from a vendor.
Home Depot = attackers 'stole' credentials from a vendor.

I'm not saying there was no hacking involved in any of these but you can't ever make anything secure when you are letting randos have access to payment processing systems.

Click to expand...

Right, but they didn't steal creds from a vendor for the payment system. They stole creds from a vendor for a different subsystem, moved laterally through the network, popped the payment systems. Stitched it all up with some scripts communicating with external C2 systems (the malware) and stole to their hearts content. The Target thing was like eggs 101 for lateral movement & persistence. This is what hacking is.

iannis said:

I had a card that got stolen about two months ago. Not the card, but the number. All the charges were rejected and it wasn't really a hassle (besides having to call the bank and ask wtf was going on... which, not really a hassle). But it was weird. The charges were all over the place and obviously, stupidly fradulent. These guys were trying $2.00 credit charges to places in China. LOTS of them.

I guess policies vary and they were just trying to suss out the tolerances of automated fraud detection. But that had to have told them exactly nothing. First off -- China. Second off.. dozens of two dollar charges all within about an hour of each other.

It's a good thing that most criminals seem to be idiots.

Click to expand...

The only other time it happened to me was a paypal mastercard and I woke up one morning about 2 years ago with a call asking if I was buying coffee in London. I was like no I am in Kentucky. Someone overseas was using my card number to try and purchase a $8 eqiv drink. Crazy shit. That one I am 99% sure was due to home depot though and that massive card fraud. About the only place I used it back then.

I'm alright with leaving it up to contracts as long as the consumer is protected.

I've got a feeling that something like this could significantly impact a bank. There's probably no one event that could shutter a bank, but a year worth of hacks and pushing debt onto their customers? This is one area where the bank actually does have a vested interest in consumer protection.

So we need THAT law. But we have that law. When my card got stolen the bank was on top of that shit. I didn't know it had been until I checked the messages three days later and there was one "weird ass shit on your CC -- call us, bro". Because it was going to be coming out of THEIR pocket.

chipotle is dope