Malware attack on KY + South IN merchants


Christopher Cprek

Apr 23, 2013, 9:58:02 AM
to lvl1
I know more than a few friends around LVL1 have had their card numbers stolen recently.


"Merchants that were PCI [Payment Card Industry Data Security Standard] compliant only had the last four digits [of the debit and credit card numbers] in their systems, and that was all the malware could collect," he says. "But the merchants that were carrying the entire card numbers were exposed."

"The Secret Service is not releasing the names of the affected merchants, nor is it yet naming the reseller who sold the vulnerable software to those merchants."

Anyone have any idea who these merchants without PCI compliance are, so I can not give them my business?

#

Apr 23, 2013, 12:52:21 PM
to lv...@googlegroups.com
Word, lol.

Most any payment gateway I've messed with won't let you use them until you meet PCI standards. They say something like "we need to meet these things before underwriters can OK it for us," then they check and verify those things.

I have seen some where their API was messed up and could process CCs and look up mofos' info. Reported it, and like most times for me, they're like "lol, you're dumb." I'm like, "OK, I know" (snicker snicker), then I use a different gateway.

Most any website I set up, I turn the keys over to the owner and say have at it; you shouldn't need to see me unless you mess it up. Accounts, hosting, etc.

I have seen some DIY it, not knowing about PCI or anything, and collect payments and customer info in their cart, then manually process it offline, lol.

What do you say to them? "You're doing it wrong," when they think they're saving a buck by not needing a gateway? I dunno, lol.

I'd like to see the list. Bet it's a lot.

--
You received this message because you are subscribed to the Google Groups "LVL1 - Louisville's Hackerspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lvl1+uns...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

DE 'Tad' Heckaman III

Apr 23, 2013, 2:00:27 PM
to lv...@googlegroups.com
"Area card issuers tied fraudulent transactions back to a number of merchants that had one thing in common - the same POS-system remote-access software, Meadors says."
I'd like to know what that software is.

--
Tad Heckaman

Christopher Cprek

Apr 23, 2013, 2:08:56 PM
to lvl1
I called the investigator's office directly and politely asked for the information. I was very clear that this was for my personal protection as a consumer. I got an aggressive (to put it mildly) response that they would not release the names due to liability concerns. 

Essobi

Apr 23, 2013, 3:01:44 PM
to lv...@googlegroups.com, lvl1
Generally, from my experience, vendor POS systems that are not PCI compliant have your full card number on the receipt.

-essobi
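An added example, not from this thread, the article it quotes, or any of the posters: a small scanner that finds Luhn-valid card numbers in a receipt or log extract and rewrites them to the last-four form a compliant POS prints (PCI DSS allows at most the first six and last four digits to be displayed). The receipt text below is constructed for the example; the two unmasked card numbers in it are well-known Visa and MasterCard test numbers, not real accounts. The regex and the 13-19 digit length window are my assumptions about what a PAN looks like in flat text.

```python
import re
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits. Assumption: card numbers in receipts/logs look like this.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed receipt extract for the example (test card numbers, not real accounts).
SAMPLE_RECEIPT = """\
LVL1 CAFE  04/23/2013 09:58   ORDER 20130423-0958
VISA  4111 1111 1111 1111   EXP 04/15   APPROVED
MC    5555555555554444      EXP 11/14   APPROVED
AMEX  ************0005      EXP 01/16   APPROVED
TEL   502-555-0100   REF 1234567890123456
"""


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum that every payment card PAN satisfies.

    Filters out order/reference numbers that merely happen to be long digit runs.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate to the last four digits, the form a compliant receipt prints."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return full PANs (digits only) found in text that pass the Luhn check.

    A 17+ digit run containing a valid PAN plus extra digits is deliberately
    not split apart; it is reported only if the whole run is Luhn-valid.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def _sub(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    hits = find_pans(SAMPLE_RECEIPT)
    print("unmasked PANs found:", len(hits))
    for pan in hits:
        print("  ", mask_pan(pan))
    print(redact(SAMPLE_RECEIPT))
```

Run it over a directory of receipt images' OCR output, POS exports or log files and any hit is data the merchant should not be holding in that form; the Luhn filter is what keeps the order number and the reference number on the sample receipt from being flagged, while the already-masked AMEX line never matches at all.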

Joshua Wilcox

Apr 24, 2013, 10:14:36 PM
to lv...@googlegroups.com
Anything in the news about this? Updates?

Christopher Cprek

Apr 24, 2013, 10:52:47 PM
to lvl1
Nope. I left a message with the consumer protection division of the Attorney General's office on the odd chance I could suss out info from someone. But I haven't heard back and highly doubt it will go anywhere. 

Problem is, Kentucky has no security breach notification laws. So even though (according to the article) investigators know which companies keep your full credit card info... they are under no legal obligation to tell anyone... even the victim. And based on the aggressive push back I got from the agents, they feel exposed to liability to lawsuits if they name the company responsible for the breach.

Kentucky is one of four states with no security breach notification law:

I generally always check my receipts for plain view credit card info. Must have missed this one. 

My recommendation is everyone just use cash for everything.

Brad Luyster

Apr 24, 2013, 10:58:02 PM
to LVL1 - Louisville's Hackerspace
[inline image]

Daniel Tyler

Apr 25, 2013, 9:38:11 AM
to lv...@googlegroups.com
Three weeks ago someone used my credit card information to make a local purchase at Office Depot for $900. I noticed the transaction on my account 1 day after the unauthorized purchase and promptly contacted Chase Credit Services. They immediately removed the fraudulent charge from my account, canceled my credit card and shipped two new cards next day to my house. I couldn't work out how the thief obtained my information other than maybe recording my information from a credit card swipe at a restaurant where you give up your card to a stranger for a few minutes. Anyway, the cost of this transaction will probably be absorbed by the local retailer but I can't be sure. One way that I think we can minimize this type of theft is to request new cards maybe twice/year. If this had been a debit card I'm not sure if the outcome would have been the same (for me).

#

Apr 25, 2013, 10:36:37 AM
to lv...@googlegroups.com
One thing I can say: a person that steals my ID is going to be sad. I'm so broke credit card companies want money to open an account, lol.

Nah, but for internet shopping you can get prepaid credit cards at Walmart, etc., and they are only good for however much money you load onto them.

Reading back over this thread, a lot of you all have had problems recently?

Jeff Johnson

Apr 25, 2013, 11:00:02 AM
to lv...@googlegroups.com, paxti...@gmail.com
Yeah, and in New Orleans don't ever use a credit card if you can help it.  Holly and I went there last year and I only used my card 5 times.  Russians had already gotten the number before I got home, according to the fraud department voicemails we got when we landed.  They gave us new cards and didn't charge us for any of the fraud stuff.

Jeff Johnson

Apr 25, 2013, 11:04:37 AM
to lv...@googlegroups.com
I wish someone would just develop a system that scans our thumbprint and shows the cards I have registered from a central bank including my picture on their screen.  The charges could be applied to the card of my choice and the retailer never sees the number as it would go from the central bank to the cc company and pay the retailer.

Online charges would be trickier though.

Getting a new card is always a pain because my recurring services (i.e. netflix etc) go on my card.  Re doing those is always a major chore.

Greg Miller

Apr 25, 2013, 2:00:31 PM
to lv...@googlegroups.com
For credit cards, the maximum amount you can ever be held liable for is $50. Debit cards are a little different, but unless someone steals your physical card and you realize it and you don't report it, then you can't be held liable for any fraudulent activity as long as you report it within 60 days of receiving your statement. The bank has 30 days to add the money back into your account, and I can't remember how that affects overdraft fees.

More info:
http://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards

Essobi

Apr 25, 2013, 3:12:20 PM
to lvl1
So the reason they won't drop the names, is because they were not PCI compliant, which in turn would make them civilly liable.

And there's no breach law in Kentucky, so... Maybe we should change that.

--
Essobi

Ben Hibben

Apr 25, 2013, 3:20:22 PM
to lvl1
+1; how do we get a bill written and introduced?

Blenster


DE 'Tad' Heckaman III

Apr 25, 2013, 3:21:38 PM
to lv...@googlegroups.com
I thought there were So. Indiana businesses involved too... Does Indiana have the same issue releasing the names?
--
Tad Heckaman

Christopher Cprek

Apr 25, 2013, 3:21:52 PM
to lvl1
Yep. That's why I'm contacting the Attorney General's office, to try and put it on their radar. 

A little bit of media exposure would help too I imagine. Contact your state reps of course.


Tyler Martin

Apr 25, 2013, 3:21:51 PM
to lv...@googlegroups.com

Essobi

Apr 25, 2013, 3:23:18 PM
to lvl1
I'll ask my mother-in-law.  She got this passed.  http://www.lrc.state.ky.us/krs/199-00/525.PDF

199.525 Dissemination of post-adoption information about medical or genetic 
condition affecting an adopted person.

--
Essobi

Christopher Cprek

Apr 25, 2013, 3:26:37 PM
to lvl1
This is the Indiana law:


The only law enforcement agency referenced in the original article is the Kentucky Electronic Crimes Task Force. If there's an Indiana agency investigating this, I don't know who it is at the moment.

Tim Miller

Apr 25, 2013, 3:35:14 PM
to LVL1
Preemptive reminder: LVL1's 501c3 can be put at risk if politicking is performed by members of LVL1 and it can be construed by an IRS person that the actions were performed by LVL1 as an organization or by individuals on behalf of LVL1.

John Coder

Apr 25, 2013, 3:38:14 PM
to lv...@googlegroups.com
Unfortunately that Indiana law applies to state agencies.

Essobi

Apr 25, 2013, 3:44:09 PM
to lvl1
I'm not an official member.  I'll start poking around about it, and I did suggest it first. :D

--
Essobi

Tim Miller

Apr 25, 2013, 3:56:05 PM
to LVL1
Nothing saying members can't individually pursue this needed change in law, just saying the LVL1 mailing list is not the right forum. 

Christopher Cprek

Apr 25, 2013, 4:03:04 PM
to lvl1
Discussion of factual information regarding state and federal law isn't a problem. It could be problematic if there were a proposed piece of legislation or candidate and the discussion was an attempt to sway votes. But good catch on noting it before it's a problem. Thanks Tim.


Greg Miller

Apr 25, 2013, 4:07:22 PM
to lv...@googlegroups.com
That's not exactly true: 501c3s can get involved in politics; they are just limited in spending money or favoring a specific candidate. I'm involved with both the Louisville Astronomical Society and the Kentucky Waterways Alliance, both of which are 501c3s and both have had involvement in lobbying. And just being a member doesn't forfeit your right to anything; each member is still permitted to engage in political activities individually.

E.g:
http://www.asaecenter.org/Resources/whitepaperdetail.cfm?ItemNumber=12202

Essobi

Apr 25, 2013, 4:09:59 PM
to lvl1
Mary Byron Foundation has been very active in lobbying for victim rights too... *shrug* 

--
Essobi

Tim Miller

Apr 25, 2013, 4:11:43 PM
to LVL1
Thanks for the advice, I was saying do not drag LVL1 into politics that is not our business. Our business is to make awesome things and keep the hackerspace's door open.

Those other things are not what LVL1 is in business for.


Essobi

Apr 25, 2013, 4:18:32 PM
to lvl1
Touche.  I'm not a member, and I don't represent LVL1 in any capacity publicly.

--
Essobi

Pat McCarthy

Apr 25, 2013, 5:51:27 PM
to lv...@googlegroups.com

#

May 22, 2013, 9:52:57 AM
to lv...@googlegroups.com

Dangit, GF's credit card was stolen, I believe from this. She's like, "You buy something from North Carolina with my card?" About $200 worth of stuff. I'm like, "I can't afford to pay attention, let alone pay you back $200, lol. Call the police!"

Googled "louisville credit card stolen used in north carolina" and this article popped up: http://www.wave3.com/story/21911646/louisville-credit-card-processor-hacked-card-numbers-stolen

Bastards!