Fraud analysts in the banking industry tell KrebsOnSecurity that the latest hospitality firm to suffer a credit card breach is likely Landry’s Inc., a company that manages a nationwide stable of well-known restaurants — including Bubba Gump, Claim Jumper, McCormick & Schmick’s, and Morton’s. 

Update, 2:57 p.m. ET: Landry’s has acknowledged an investigation. Their press release is available here (PDF).

Original story:

Houston-based Landry’s Inc. owns and operates more than 500 properties, such as Landry’s Seafood, Chart House and Rainforest Cafe. Last week, I began hearing from banking industry sources who said fraud patterns on cards they’d issued to customers strongly suggested a breach at the restaurateur. Industry sources told this author that the problem appears to have started in May 2015 and may still be impacting some Landry’s locations.

It remains unclear how many of Landry’s 500 properties may be affected. The company says it is investigating reports of unauthorized charges on certain payment cards after the cards were used legitimately at some of its restaurants. An online FAQ about the incident posted to Landry’s site says the company does not yet know the extent of the breach.

Restaurants are a prime target for credit card thieves, mainly because they traditionally have not placed a huge emphasis on securing their payment systems. The attackers typically exploit security vulnerabilities or weaknesses in point-of-sale devices to install malicious software that steals credit and debit card data.

Thieves can encode the stolen data onto new plastic and use the counterfeit cards at big box retailers like Best Buy and Target. Indeed, multiple sources in the banking industry say they are now seeing fraudulent purchases at big box stores on cards that all were used at apparently compromised Landry’s locations.

Sources at multiple financial institutions say they are tracking a pattern of fraud indicating that thieves have somehow compromised the credit card terminals at checkout lanes within multiple Safeway stores in California and Colorado. Safeway confirmed it is investigating skimming incidents at several stores.

Banking sources say they’ve been trying to figure out why so many customers in the Denver and Englewood areas of Colorado were seeing their debit cards drained of cash at ATMs after shopping at Safeways there. The sources compared notes and found that all of the affected customers had purchased goods from one of several specific lanes in different compromised stores (the transaction data includes a “terminal ID” which can be useful in determining which checkout lanes were compromised.

Safeway spokesperson Brian Dowling said the fraud was limited to a handful of stores, and that the company has processes and procedures in place to protect customers from fraudulent activity.

“We have an excellent track record in this area,” Dowling said. “In fact, we inspect our store’s pin pads regularly and from time to time find a skimmer, but findings have been limited and small in scale. We immediately contact law enforcement and take steps to minimize customer impact.”

Dowling said the problem of checkout skimmers is hardly limited to Safeway, and he hinted that perhaps other retailers have been hit by this same group.

“This is not unique to our company, and we understand some other retailers may have been more significantly impacted,” Dowling said, declining to elaborate.

Safeway would not name the affected locations, but bank industry sources say the fraud was traced back to Colorado locations in Arvada, Conifer, Denver, Englewood and Lakewood. In California, banks there strongly suspect Safeway locations in Castro Valley and Menlo Park may also have been hit. Those sources say ATM fraud has been linked to customers using their debit cards at those locations since early September 2015.

In order to steal card data and personal identification numbers (PINs) from Safeway customers, the thieves would have had to open up the card processing terminals at each checkout lane. Once inside, the thieves can install a device that sits between the keypad and the electronics underneath to capture and store PINs, as well as a separate apparatus that siphons account data when customers swipe their cards at the register.

Either that, or the skimmer crooks would have to secretly swap out existing card terminals at checkout lanes with pre-compromised terminals of the exact same design. In any case, skimming incidents involving checkout lanes in retail locations generally involve someone on the inside at the affected retailer.

In late 2012, bookseller Barnes & Noble disclosed that it had found modified point-of-sale devices at 60 locations nationwide. The year prior, Michaels Stores said it had replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced card machines to include technology capable of siphoning customer payment card data and PINs.

Sadly, I don’t have any skimmer photos to share from this story, but I have written about the growing sophistication of these point-of-sale skimming devices. Here’s a look at one compromised card reader, and the handiwork that went into the thieves’ craft. Descriptions and images from other skimming devices can be found in my series All About Skimmers.

The mass-issuance of chip-based credit and debit cards by U.S. banks to consumers should eventually help minimize these types of scams, but probably not for some time yet. Most cards will continue to have all of the cardholder data stored in plain text on the magnetic strip of these chip-based cards for several years to come. As long as merchants continue to let customers swipe instead of “dip,” we’ll continue to see skimmers just about everywhere swiping is still allowed.

Remember that you are not liable for fraudulent card charges, but that it’s still your responsibility to alert their card issuer quickly to any unauthorized charges. So keep a close eye on your bank statements. Also, this attack is another reminder of why it makes more sense to shop with a credit vs. a debit card: Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

Update: According to reporting from the Denver Post, the Safeway incident affected three stores in Colorado. All of the affected lanes were self-checkout lanes, the publication reported.

The makers of MacKeeper — a much-maligned software utility many consider to be little more than scareware that targets Mac users — have acknowledged a breach that exposed the usernames, passwords and other information on more than 13 million customers and, er…users. Perhaps more interestingly, the guy who found and reported the breach doesn’t even own a Mac, and discovered the data trove merely by browsing Shodan — a specialized search engine that looks for and indexes virtually anything that gets connected to the Internet.

IT helpdesk guy by day and security researcher by night, 31-year-old Chris Vickery said he unearthed the 21 gb trove of MacKeeper user data after spending a few bored moments searching for database servers that require no authentication and are open to external connections.

Vickery told Shodan to find all known instances of database servers listening for incoming connections on port 27017. “Ports” are like doorways that govern access into and out of specific areas of a server, and each port number generally maps to one or a handful of known Web applications and services. Port 27017 happens to be associated with MongoDB, a popular database management system.

In short order, Vickery’s request turned up four different Internet addresses, all of which he later learned belonged to Kromtech, the company that makes MacKeeper.

“There are a lot of interesting, educating and intriguing things that you can find on Shodan,” Vickery said. “But there’s a lot of stuff that should definitely not be out there, and when I come across those I try to notify the owner of the affected database.”

Vickery said he reached out the company, which responded quickly by shuttering public access to its user database, and publicly thanking him for reporting it.

“Some 13 million customer records leaked from is aware of a potential vulnerability in access to our data storage system and we are grateful to the security researcher Chris Vickery who identified this issue without disclosing any technical details for public use,” the company said in a statement published to its site totday. “We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately.”

Kromtech said all customer credit card and payment information is processed by a 3rd party merchant and was never at risk.

“Billing information is not transmitted or stored on any of our servers. We do not collect any sensitive personal information of our customers,” the statement continues. “The only customer information we retain are name, products ordered, license information, public ip address and their user credentials such as product specific usernames, password hashes for the customer’s web admin account where they can manage subscriptions, support, and product licenses.”

Vickery said Kromtech told him its database had been inadvertently exposed as a result of a server misconfiguration that was introduced just last week. But Vickery said he doubts that’s the case, because some of the Shodan records he found that pointed back to Kromtech’s database were dated mid-November 2015.

“The funny thing is, I don’t even own a Mac, and I had never heard of MacKeeper until last night,” Vickery said. “I didn’t know it was some sort of scamming scareware or software that pushes itself on people. The irony here is pretty thick.”

Vickery said he was able to connect to the database that Shodan turned up for him just by cutting and pasting the information into a commercial tool built to browse Mongo databases. Asked whether he’s worried that some clueless organization or overzealous prosecutor might come after him for computer hacking, Vickery said he’s not concerned (for background, see the controversy over bone-headed cases brought against researchers under the Computer Fraud and Abuse Act).

“It’s a concern, but I’ve made peace with that and you can’t live your life in fear,” he said. “I feel pretty confident that if you configure a server for public access — without authentication — and it gets publicly accessed, that’s not a crime.”

I admire Vickery’s courage and straightforward approach, and his story is a good reminder about the importance of organizations using all of the resources available to them to find instances of public access to sensitive or proprietary data that shouldn’t be public.  Consider taking the time to learn how to use Shodan (it’s actually fairly intuitive, but some data may only be available to paying subscribers); use it to see if your organization has unnecessarily exposed databases, networking devices, security cameras and other “Internet of Things” devices.

Finally, if you’re a MacKeeper customer and you re-used your MacKeeper user password at other sites, it’s now time change that password at the other sites — and not just to your new MacKeeper password! For more password do’s and don’ts, check out this primer.

With little more than a month to go before the start of the 2016 tax filing season, the IRS and the states are hunkering down for an expected slugfest with identity thieves who make a living requesting fraudulent tax refunds on behalf of victims. Here’s what you need to know going into January to protect you and your family.

The good news is that the states and Uncle Sam have got a whole new bag of technological tricks up their sleeves this coming tax season. The bad news is ID thieves are already testing those defenses, and will be working against a financially strapped federal agency that’s been forced to cede much of its ability to investigate and prosecute such crimes.

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

By all accounts, the IRS has improved at blocking phony refund requests. The agency estimates it prevented $24.2 billion in fraudulent identity theft refunds in 2013. Trouble is, it paid out some $5.8 billion in fraudulent refunds that year that it later determined were bogus, and experts say that is only the fraud the agency knows about, and the true number is likely much higher annually.

Perhaps in response to the IRS’s increasing ability to separate phony returns from legitimate ones, crooks last year massively focused on filing bogus refund requests with the 50 U.S states. To head off a recurrence of that trend in the 2016 filing season, the states and the IRS have hammered out an agreement to examine more than 20 new data elements collected by online providers like TurboTax and H&R Block.

Those new data elements include checking for the repetitive use of the same Internet address to rapidly file multiple returns, and reviewing computer device information (browser user agent string, cookies e.g.) tied to the return’s origin. Another check involves measuring the time it takes to file a return; fraudsters involved in tax refund fraud tend to breeze through returns in just a few minutes because they are generally copying and pasting information into the tax forms, or relying on an automated program to do it for them.

The hope is that the these new checks will let investigators more accurately flag suspicious refund requests processed by tax preparation firms, which also have agreed to beef up lax security around customer accounts. Under the agreement, online providers will enforce:

• new password standards to include a minimum of eight characters, with upper, lowercase, alphanumerical and special characters;
• a lock-out feature that blocks users with too many unsuccessful login attempts;
• the addition of three security questions;
• some sort of out-of-band verification for email addresses — sending an email or text to the customer with a personal identification number (PIN).

Julie Magee, Alabama’s chief tax administrator, said the state/IRS task force opted not to disclose all 20 of the data elements they will be collecting from tax prep firms.

“The thieves are going to figure these out on their own, and they’re already testing our defenses,” Magee told KrebsOnSecurity. “We don’t want to do anything to make that easier for them.”

ANALYSIS

Whether or not we see an increase in tax refund fraud next year, one thing seems certain: the IRS will prosecute far fewer of the crooks involved. Congress has persistently underfunded the IRS, and budget cuts have pushed prosecutions of identity thieves to a new low. According to the IRS’s 2015 Annual Report, IRS identity theft criminal investigations are down almost 50 percent since 2013.

Tax fraudsters were so aggressive last year that they figured out how to steal consumer identities directly from the agency itself. In August 2015, the IRS disclosed that crooks abused the “Get Transcript” feature on its Web site to steal Social Security numbers and information from previous years’ tax filings on more than 334,000 Americans.

The IRS has responded to the problem of tax ID theft partly by offering Identity Protection PINs (IP PINs) to affected taxpayers that must be supplied on the following year’s tax application before the IRS will accept the return. However, consumers still have to request an IP PIN by applying for one at the agency’s site, or by mailing in form 14039 (PDF).

Incredibly, the process that thieves abused to steal tax transcripts from 334,000 taxpayers this year from the IRS’s site also works to fraudulently obtain a consumer’s IP PIN. In fact, the following redacted screen shot from a notorious cybercrime forum shows a seasoned tax fraudster teaching would-be scammers how to use the IRS’s site to obtain a victim’s IP PIN.

Both the Get Transcript and the process to retrieve an IP PIN from the IRS’s site are vulnerable because they rely on the applicant supplying static information that is trivial for thieves to obtain, including the taxpayer’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four so-called “knowledge-based authentication” (KBA) questions.

These KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing, but much of the data is readily available via free online social networking and consumer tracking services like Spokeo.

If any readers here doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators.

My guess is that a huge chunk of 334,000 victimized via the IRS’s site this year probably will not request the IP PIN and will in fact have fraudulent tax returns filed with their info — whether they request the IP PIN and it is stolen or not. The IRS should just issue the IP PINs to affected taxpayers, instead of asking victims to do it themselves.

Incidentally, the IRS’s Twitter account is still promoting the online Get Transcript capability, even though it no longer offers the service online. For now, the only way to obtain a transcript is via snail mail.

DON’T BE THE NEXT VICTIM

In notifying 334,000 taxpayers affected by its Get Transcript debacle, the IRS predictably offered victims free credit monitoring services from Equifax. The IRS makes no mention of a more effective way to block ID thieves: Placing a “security freeze” on one’s credit files with the major credit bureaus. See this tutorial about why freezes are more effective than credit monitoring in blocking ID thieves from assuming your identity to open up new lines of credit.

While it’s true that having a security freeze on your credit file won’t stop thieves from committing tax refund fraud in your name, it would stop them from fraudulently obtaining your IP PIN. Also, anyone who has a freeze in place will need to temporarily lift that freeze to take advantage of any credit monitoring services (in this case, the consumer would need to briefly thaw a freeze at Equifax).

-File before the fraudsters do it for you – Your primary defense against becoming the next victim is to file your taxes at the state and federal level as quickly as possible after the 2016 Tax Filing Season begins — which is usually the second or third week in January. Remember, it doesn’t matter whether or not the IRS owes you money: Thieves can still try to impersonate you and claim that they do, leaving you to sort out the mess with the IRS later.

-Get on a schedule to request a free copy of your credit report. By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: Part of their service is to help you sort this out with the credit bureaus, so if you’re signed up for credit monitoring make them do the hard work for you.

–Monitor, then freeze. Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. Instructions for doing that are here.

-File form 14039 and request an IP PIN from the government. This form requires consumers to state they believe they’re likely to be victims of identity fraud. Even if thieves haven’t tried to file your taxes for you yet, virtually all Americans have been touched by incidents that could lead to ID theft — even if we just look at breaches announced in the past year alone.

FIGHT BACK

Thieves involved in tax return fraud may be laughing all the way to the bank, but that doesn’t mean we have to suck it up and take it: Exercise your rights to obtain a copy of the phony return, and you may just help put crooks in jail.

If you become of the victim of tax fraud and are motivated to learn who helped to defraud you and Uncle Sam, you can file form 4506 (plus a $50 fee) to get a copy of the return. That information can be shared with your local police, who may be able to use to track down people who help launder the proceeds from tax refund fraud.

Earlier this year, I wrote about Isha Sesay, a Pennsylvania woman who was arrested for receiving phony IRS refunds on behalf of at least two tax fraud victims. Among Sesay’s victims was resident Mike Kasper, whose request for the filing led to Sesay’s arrest. Kasper’s hard work helped expose the IRS’s pervasive authentication weaknesses and later testified to Congress about his ordeal. Sesay is currently scheduled to plead guilty (PDF) to the charges on Dec. 18.

Turns out, Kasper’s sleuthing was key to Sesay’s prosecution. When he found out he’d been victimized, Kasper requested the copy of returns that fraudsters filed in his name, but he did so before filing form 14039 to request an IP PIN.  Had he done it in the opposite order, the IRS would have redacted all of Ms. Sesay personal and financial information.

In testimony before the Senate this year, IRS Commissioner John Koskinen explained the reasoning behind that decision: A fraudulent return could include the personal information of other people. The end result is that it is better to file form 4506 and pay $50 to request a photocopy of the fraudulent return before you file form 14039 to formally report the fraud.

On any given day, there are thousands of gift cards from top retailers for sale online that can be had for a fraction of their face value. Some of these are exactly what they appear to be: legitimate gift cards sold through third-party sites that specialize in reselling used or unwanted cards. But many of the more steeply discounted gift cards for sale online are in fact the product of merchandise return fraud, meaning consumers who purchase them unwittingly help thieves rob the stores that issued the cards.

This type of scam mainly impacts brick-and-mortar retailers that issue gift cards when consumers return merchandise at a store without presenting a receipt. Last week I heard from KrebsOnSecurity reader Lisa who recently went online to purchase a bunch of steeply discounted gift cards issued by pet supply chain Petco.

Lisa owns two Rottweilers that both eat a good chunk of their weight each month in dog food, so Lisa said she felt like she’d really hit on a bargain when she found a $165 Petco gift card for sale at a popular online gift card retailer for $120 (a nearly 30 percent discount on the value).

“When I went to Petco to get my monthly supply of dog food and snacks for my Rotties, I used my merchandise card and the manager shared with me that folks are stealing merchandise from one Petco store and returning the items to another without a receipt and then selling the cards to places like raise.com and cardpool.com at a discounted price,” Lisa recounted.

Petco’s official policy is that for returns more than 60 days after the purchase — or if the receipt is unavailable — the value of the goods returned will be refunded to a merchandise card. Lisa said she bought the Petco card from raise.com, but she said the company never disclosed that the card was a merchandise return card — a fact that was printed on the front of the card she received.

“I feel really bad now because my purchase of these cards may have contributed to unlawful activities,” Lisa said. “Even though I saved $40+, Petco actually lost money as a result.”

Neither Raise nor Petco responded to requests for comment. But a look at the available Petco cards for sale via one gift card tracking site — giftcardgranny.com — shows Petco cards routinely sell for at least 25 percent off their value.

In any case, this fraud scheme is hardly specific to Petco. Cards from Petsmart, a competitor that also offers merchandise return cards, generally sell at 20 percent off their value. Clothier H&M’s cards average about 30 percent off.

Contrast these discounts with those for gift cards from restaurants, fuel stations and other businesses that generally don’t have to deal with customer returns and you’ll notice two interesting patterns: For starters, the face value of the cards from merchants that don’t take customer returns are far more likely to be even amounts, such as $50, $25 and $40. The percentage off the face value also tends to be much lower — between 3 and 15 percent. For example, see the discount percentage and value of cards from Starbucks and Chevron.

“Twenty-five percent off is really high, and there aren’t many that offer that high of a discount,” said Damon McCoy, an assistant professor of computer science at New York University and an expert on fraud involving stored value cards. “Normally, it is around 5 percent to 15 percent.”

According to a study conducted jointly by KingRogers International and The Retail Equation, approximately nine percent of all returns in the United States are fraudulent. The National Retail Foundation estimates that the problem will cost U.S. retailers nearly $11 billion this year.

Investigators say the crimes very often are tied to identity theft rings and drug addicts. Last month, authorities in Michigan convicted a 46-year-old father of four for running a large-scale fencing operation that used teams of prostitutes, heroin users, parolees and panhandlers to steal high-priced items from local Home Depot stores and then return the goods to a different Home Depot location in exchange for store debit cards.

Of course, another huge source card of gift card fraud are cards purchased with stolen credit cards. Thieves will buy “dumps” — card data stolen from brick-and-mortar businesses — and encode that data onto anything with a magnetic strip and try to buy high-dollar gift cards from a range of retailers. The carded gift cards very often wind up for sale online at steep 20-30 percent discounts.

Earlier this year I saw part of this process in action at a Giant grocery store in Maryland. The man in front of me in line looked and smelled homeless. The only items he was trying to buy were several $200 gift cards that Giant had on sale for various retailers. When the first card he swiped was declined, the man fished two more cards out of his wallet. Each was similarly declined, but the man just shrugged and walked out of the store. I asked the cashier if this sort of thing happened often, and he just shook his head and said, “Man, you have no idea.”

Lisa admits she remains conflicted over whether she would buy another steeply discounted card to help feed her dogs. But she said retailers could help stem this type of fraud by tying merchandise return cards to the identity of the person who returned the merchandise in the first place. Most stores that issue merchandise return cards now require the person returning the goods to show a valid state driver’s license, but the cards are not tied to that customer, nor do stores check ID when consumers use merchandise return cards at the store to purchase goods.