Fred’s Inc., a discount general merchandise and pharmacy chain that operates 650 stores in more than a dozen states, disclosed today that it is investigating a potential credit card breach.

KrebsOnSecurity contacted Fred’s earlier this week, after hearing from multiple financial institutions about a pattern of fraud on customer cards indicating that Fred’s was the latest victim of card-stealing malware secretly installed on point-of-sale systems at checkout lanes.

Sources said it was unclear how many Fred’s locations were affected, but that the pattern of fraudulent charges traced back to Fred’s stores across the company’s footprint in the midwest and south, including Alabama, Arkansas, Georgia, Indiana, Kentucky, Louisiana, Mississippi, Tennessee and Texas.

Reached for comment about the allegations, the company issued the following response today:

Fred’s Inc. recently became aware of a potential data security incident and immediately launched an internal investigation to determine the scope of the issue. We retained Mandiant, a leading independent forensics firm, to examine our data security systems.

We want to assure our customers that protecting their information is one of our top priorities and we are taking this potential incident very seriously. Until this investigation is completed, it will be difficult to determine with certainty the scope or nature of any potential incident, but we will continue to work vigilantly to address any potential issues that may affect our customers.

I am hearing about so many different retail breaches at retail and restaurant chains right now that I could do nothing but write about them full time and still fall behind.

A quick note about this blog: I’ve been on vacation for the past two weeks in Australia and New Zealand, which is why posting has been sporadic at best of late. Also, a glitch in our email server prevented many readers from receiving notifications of new updates over the last few weeks. Fixing the glitch caused subscribers to receive 10 days’ worth of email notifications all at once. Sorry for the inconvenience.

Missing Link Networks Inc., a credit card processor and point-of-sale vendor that serves a number of wineries in Northern California and elsewhere, disclosed today that a breach of its networks exposed card data for transactions it processed in the month of April 2015.

Earlier this week, I heard from a source at one of Sonoma, Calif.’s fancier wineries that their card processor had been breached. On Tuesday, I reached out to Calistoga, Calif. based Missing Link. Today, the company responded that it had begun notifying its customers about the incident, and that it was working with law enforcement and the card associations on an investigation.

“Beginning on May 27, 2015, we began notifying our winery customers that eCellar Systems, our consumer-direct sales platform, had been breached during the month of April, 2015 by an unknown intruder,” the company’s founder and CEO, Paul Thienes, said in a written statement. “To that end, each of our winery clients will be sending out notice of this event to their customers and it is likely that individual consumers may receive a similar notice from multiple wineries.”

“The intruder gained access to customer names, credit/debit card numbers, the related billing addresses, and any dates of birth in our system during the window of April 1st through 30th this year,” Thienes wrote. “The intruder did not have access to any driver license numbers, Social Security numbers, CVV verification numbers, or PIN numbers (data which we would typically not collect anyway). We have identified and secured the method that was used to breach our platform. Additionally, to prevent a future reoccurrence, we are in the process of converting to a ‘token’ system so that credit card numbers will no longer be stored by the eCellar platform.”

Tokenization as a card security solution tends to be most attractive to businesses that must keep customer card numbers on file until the transaction is finalized, such as hotels, bars and rental car services. A January 2015 report by Gartner Inc. fraud analyst Avivah Litan found that at least 50 percent of Level 1 through Level 3 U.S. merchants have already adopted or will adopt tokenization in the next year.

Merchants retain tokens because they need to hang on to a single unique identifier of the customer for things like recurring billing, loyalty programs, and chargebacks and disputes. But experts say tokenization itself does not solve the problem that has fueled most retail card breaches in recent years: Malware remotely installed on point-of-sale devices that steals customer card data before it can be tokenized.

An alternative and far more secure approach to handling card data involves point-to-point encryption — essentially installing card readers and other technology that ensures customer card data is never transmitted in plain text anywhere in the retail environment. But many businesses have chosen tokenization in favor of encryption because it is cheaper and less complicated to implement in the short run. Merchants that adopt point-to-point encryption may also find themselves locked into a single credit card processor, because the encryption technology built into the newer readers often only works with a specific processor.

Chip card technology also will help. Merchants in the United States are gradually shifting to installing card readers that can accommodate more secure chip cards that adhere to the Europay, MasterCard and Visa or EMV standard. These chip cards are designed to be far more expensive and difficult for thieves to counterfeit than regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied by point-of-sale malware.

Missing Link Networks offers a variety of products and services through its eCellar line, including point-of-sale technology and database solutions. The company joins a long list of other POS vendors that have disclosed breaches in recent months, including NEXTEP, HarborTouch and Signature Systems.

Adobe today released software updates to plug at least 13 security holes in its Flash Player software. Separately, Microsoft pushed out fixes for at least three dozen flaws in Windows and associated software.

The bulk of the flaws Microsoft addressed today (23 of them) reside in the Internet Explorer Web browser. Microsoft also issued fixes for serious problems in Office, the Windows OS itself and Windows Media Player, among other components. A link to an index of the individual Microsoft updates released today is here.

As it normally does on Patch Tuesday, Adobe issued fixes for its Flash and AIR software, plugging a slew of dangerous flaws in both products. Flash continues to be one of the more complex programs to manage and update on a computer, mainly because its auto-update function tends to lag the actual patches by several days at least (your mileage may vary), and it’s difficult to know which version is the latest.

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh should update to Adobe Flash Player 18.0.0.160. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer onWindows 8.x, should automatically update to version 18.0.0.160, although Chrome users on Mac systems will find 18.0.0.161 is actually the latest version, according to Adobe. To force the installation of an available update, click the triple bar icon to the right of the address bar, select “About Google” Chrome, click the apply update button and restart the browser.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). See this graphic for the full Adobe version release.

Most applications bundled with Adobe AIR should check for updates on startup. If prompted, please download and install the AIR update. If you need to update manually, grab the latest version here.

As usual, please sound off in the comments section if you experience any issues applying any of these patches.

Last week, KrebsOnSecurity ran an interview with Julie Magee, Alabama’s chief tax administrator, to examine what the states are doing in tandem with the IRS and others to make it harder for ID thieves to commit tax refund fraud — a $6 billion a year problem. Today we’ll hear from John Valentine, chair of Utah’s State Tax Commission, about the challenges his state faced this year, as well as the prospect that tax preparation firms could be forced return to the U.S. Treasury any profits they make from processing fraudulent tax refunds.

Valentine was a tax attorney before being appointed the chair of Utah’s tax commission, so he’s familiar with the challenges facing both the tax preparation industry as well as the tax agencies.

“I came out of the private sector and spent nearly 40 years suing the state tax commission and the IRS,” Valentine said. “Now I am that.”

Utah is actively engaged in an IRS task force made up of state, federal and industry tax experts trying to quash refund fraud. Like Alabama’s deputy tax commissioner Joe Garrett — who had a $7,700 fraudulent refund filed in his name — several of Utah’s senior tax administration officials also were victimized by ID thieves this year.

“We’ve had some of our senior people who had tax returns filed on their behalf,” Valentine said. “Of course, they had not filed them yet and we knew that they were more than a little suspicious.”

Among the steps the task force is considering is whether to mail all taxpayers an Identity Protection Personal Identification Number (IP PIN) that is tied to each taxpayer and must be included in each tax return. The IRS issues the IP PINs to taxpayers who have suffered tax return fraud. Additionally, consumers willing to swear they have been victims of identity theft can apply for a filing PIN, however the IRS is picky about granting those requests.

Even if the IRS were to switch to issuing IP PINs to all taxpayers, the agency would still run up against the thorny problem of how to verify consumers’ identity (no doubt, that challenge would be exacerbated by millions of taxpayers phoning the IRS after losing or misplacing their assigned PINs). A major focus of the working groups attention is finding better ways to authenticate people beyond merely requesting static identifiers (Social Security numbers, dates of birth) and other data that is frequently exposed in data breaches and is readily for sale on underground markets.

“They’re going to have to switch to a 2-factor authentication system, where they really strengthen the front-end of that authentication,” Valentine said of the tax preparation firms like TurboTax, which briefly shut down all state tax filing this year after a massive spike in phony refund requests put through its systems via hijacked and fraudulently created TurboTax accounts.

Valentine also made the decision to halt all Utah tax refunds around that same time.

“When we installed our [anti-fraud] analytics program, we thought we were getting a lot of false positives, so we did a bunch of back checking,” he said “While we were doing that, I made a decision to stop all refunds. For a period of two weeks Utah gave no refunds while we worked through the analytics to make sure we’d identified the nature and extent of the fraud. It turned out to be much more extensive than we’ve ever seen.”

In fact, ten times as much as any year prior, according to Valentine.

“We’ve always seen fraud where a tax practitioner will file a whole bunch of fraudulent returns, or we’ll see ID theft targeting a large employer. But this fraud wave was a little tougher, because it went across spectrum of employers, across the entire demographic of taxpayers, high low and middle income. Also, the fraud wasn’t regionalized — it was across the whole state — and [the fraudsters] didn’t seem to be selective as to who they hit. They got people of notoriety and people nobody knew. In the end, it appeared that the common factor among all of them was how you filed in 2013,” because the phony 2014 returns all included nearly identical information as the victim’s 2013 returns.

“What we saw in Utah was a population of the same information in the 2013 return into the 2014 return, with the exception of bank routing and bank account number,” Valentine said. “That’s a different fraud that we’d just never seen before.”

TurboTax’s lax security around authentication for new and existing accounts played a well-documented role in the type of fraud described by Valentine this year. But ID thieves also got help directly from the IRS this year. Late last month, the agency suspended the “get transcript” function that previously allowed taxpayers to order a copy of their previous year’s W2 information, among other data; turns out, crooks had used the service to pull tax data on more than 100,000 citizens, stealing tens of millions from the U.S. Treasury in the process.

PREPAID MADNESS

In March, Valentine testified on Capitol Hill on the tax fraud issue, and he urged lawmakers to change the way prepaid cards are numbered so that banks and tax administrators can more easily block or filter refunds destined for prepaid debit cards — the money laundering vehicle of choice for virtually all fraudulent refund requests.

Prepaids are notoriously easy for crooks to use for tax fraud because the process for opening a new prepaid and using it to receive funds can be done anonymously, unlike opening a new checking account at a local bank branch. When the refunds get deposited to prepaids, crooks can then very easily and anonymously use them as cash or to withdraw money at ATMs.

“The process for opening a prepaid debit card appears to be very easy,” Valentine said. “The normal ‘know your customer’ rules [that banks typically are required to follow] appear to be glossed over with this industry.”

Specifically, Valentine proposed modifying the routing number on prepaid cards so that the cards would be more easily distinguishable from debit cards attached to actual checking and savings accounts. Valentine said his suggestion was followed by many head nods by lawmakers in the committee hearing, but so far there doesn’t appear to have been any movement to change the status quo.

And that inertia seems to suit the prepaid card industry just fine. Brad Fauss, interim executive director and general counsel of the Network Branded Prepaid Card Association, said
the NBPCA believes that the key to solving identity theft tax refund fraud is to attack the problem at its source – where the identification credentials are compromised – rather than focusing on the method of disbursement after the fraud has occurred.

“Separately tracking routing and transit numbers, or RTNs, for prepaid accounts is impractical because financial institutions often use the same RTN’s for multiple banking products, such as checking accounts and prepaid cards, and fundamentally falls short since it will not stop fraud but will only prompt fraudsters to utilize alternative disbursement vehicles,” Fauss said.

Nevertheless, tax return fraud could become a dicey legal and financial quagmire for banks, tax preparation firms and prepaid card providers, each of which charge hefty fees for processing such transactions (see this story for a breakdown of how these companies are profiting from refund fraud).

Asked whether he was aware of anyone urging or requiring financial and tax providers to disgorge profits from tax refunds they process that turn out to be fraudulent, the formerly litigious tax attorney said these firms should be very concerned about that risk.

“I’m not aware of anyone calling for that, no, but under general principles of law, that’s one that would be a normal recourse,” he said. “Coming from the private sector, that would be the type of thing you would normally expect to see someone asserting. If I were general counsel for these third-party vendors, I would be saying, ‘Man, we run exposure here for disgorgement of fees that were from fraudulent returns, so we’ve got to clean this up right away.’”

If you’ve been paying attention in recent years, you might have noticed that just about everyone is losing your personal data. Even if you haven’t noticed (or maybe you just haven’t actually received a breach notice), I’m here to tell you that if you’re an American, your basic personal data is already for sale. What follows is a primer on what you can do to avoid becoming a victim of identity theft as a result of all this data (s)pillage.

A seemingly never-ending stream of breaches at banks, healthcare providers, insurance companies and data brokers has created a robust market for thieves who sell identity data. Even without the help of mega breaches like the 80 million identities leaked in the Anthem compromise or last week’s news about 4 million records from the U.S. Office of Personnel Management gone missing, crooks already have access to the information needed to open new lines of credit or file phony tax refund requests in your name.

If your response to this breachapalooza is to do what each of the breached organizations suggest — to take them up on one or two years’ worth of free credit monitoring services — you might sleep better at night but you will probably not be any more protected against crooks stealing your identity. As I discussed at length in this primer, credit monitoring services aren’t really built to prevent ID theft. The most you can hope for from a credit monitoring service is that they give you a heads up when ID theft does happen, and then help you through the often labyrinthine process of getting the credit bureaus and/or creditors to remove the fraudulent activity and to fix your credit score.

In short, if you have already been victimized by identity theft (fraud involving existing credit or debit cards is not identity theft), it might be worth paying for these credit monitoring and repair services (although more than likely, you are already eligible for free coverage thanks to a recent breach at any one of dozens of companies that have lost your information over the past year). Otherwise, I’d strongly advise you to consider freezing your credit file at the major credit bureaus. 

There is shockingly little public knowledge or education about the benefits of a security freeze, also known as a “credit freeze.” I routinely do public speaking engagements in front of bankers and other experts in the financial industry, and I’m amazed at how often I hear from people in this community who are puzzled to learn that there is even such a thing as a security freeze (to be fair, most of these people are in the business of opening new lines of credit, not blocking such activity).

Also, there is a great deal of misinformation and/or bad information about security freezes available online. As such, I thought it best to approach this subject in the form of a Q&A, which is the most direct method I know how to impart knowledge about a subject in way that is easy for readers to digest.

Q: What is a security freeze?

A: A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it. 

Q: What’s involved in freezing my credit file?

A: Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. There are four consumer credit bureaus, including Equifax, Experian, Innovis and Trans Union. 

Q: How much is the fee, and how can I know whether I have to pay it?

A: The fee ranges from $0 to $15 per bureau, meaning that it can cost upwards of $60 to place a freeze at all four credit bureaus (recommended). However, in most states, consumers can freeze their credit file for free at each of the major credit bureaus if they also supply a copy of a police report and in some cases an affidavit stating that the filer believes he/she is or is likely to be the victim of identity theft. In many states, that police report can be filed and obtained online. The fee covers a freeze as long as the consumer keeps it in place. Equifax has a decent breakdown of the state laws and freeze fees/requirements.

Q: What’s involved in unfreezing my file?

A: The easiest way to unfreeze your file for the purposes of gaining new credit is to spend a few minutes on the phone with the company from which you hope to gain the line of credit (or perhaps research the matter online) to see which credit bureau they rely upon for credit checks. It will most likely be one of the major bureaus. Once you know which bureau the creditor uses, contact that bureau either via phone or online and supply the PIN they gave you when you froze your credit file with them. The thawing process should not take more than 24 hours.

Q: I’ve heard about something called a fraud alert. What’s the difference between a security freeze and a fraud alert on my credit file?

A: With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert. To place a fraud alert, merely contact one of the credit bureaus via phone or online, fill out a short form, and answer a handful of multiple-choice, out-of-wallet questions about your credit history. Assuming the application goes through, the bureau you filed the alert with must by law share that alert with the other bureaus.

Consumers also can get an extended fraud alert, which remains on your credit report for seven years. Like the free freeze, an extended fraud alert requires a police report or other official record showing that you’ve been the victim of identity theft.

An active duty alert is another alert available if you are on active military duty. The active duty alert is similar to an initial fraud alert except that it lasts 12 months and your name is removed from pre-approved firm offers of credit or insurance (prescreening) for 2 years.

Q: Why would I pay for a security freeze when a fraud alert is free?

A: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they’re not legally required to do this.

Q: Hang on: If I thaw my credit file after freezing it so that I can apply for new lines of credit, won’t I have to pay to refreeze my file at the credit bureau where I thawed it?

A: Yes (unless you’ve previously qualified for a free freeze). However, even if you have to do this once or twice a year, the cost of doing so is almost certainly less than paying for a year’s worth of credit monitoring services.

Q: Is there anything I should do in addition to placing a freeze that would help me get the upper hand on ID thieves?

A: Yes: Periodically order a free copy of your credit report. By law, each of the three major credit reporting bureaus must provide a free copy of your credit report each year — via a government-mandated site: annualcreditreport.com. The best way to take advantage of this right is to make a notation in your calendar to request a copy of your report every 120 days, to review the report and to report any inaccuracies or questionable entries when and if you spot them.

Q: I’ve heard that tax refund fraud is a big deal now. Would having a fraud alert or security freeze prevent thieves from filing phony tax refund requests in my name with the states and with the Internal Revenue Service?

A: Neither would stop thieves from fraudulently requesting a refund in your name. However, a freeze on your credit file would have prevented thieves from using the IRS’s own Web site to request a copy of your previous year’s tax transcript — a problem the IRS said led to tax fraud on 100,000 Americans this year and that prompted the agency to suspend online access to the information. For more information on what you can do to minimize your exposure to tax refund fraud, see this primer.

Q: Okay, I’ve got a security freeze on my file, what else should I do?

A: It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers that are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. For more information on doing that with ChexSystems, see this link. 

Q: If I freeze my file, won’t I have trouble getting new credit going forward? 

A: If you’re in the habit of applying for a new credit card each time you see a 10 percent discount for shopping in a department store, a security freeze may cure you of that impulse. Other than that, as long as you already have existing lines of credit (credit cards, loans, etc) the credit bureaus should be able to continue to monitor and evaluate your creditworthiness should you decide at some point to take out a new loan or apply for a new line of credit.

Q: Anything else?

A: ID thieves like to intercept offers of new credit and insurance sent via postal mail, so it’s a good idea to opt out of pre-approved credit offers. If you decide that you don’t want to receive prescreened offers of credit and insurance, you have two choices: You can opt out of receiving them for five years or opt out of receiving them permanently.

To opt out for five years: Call toll-free 1-888-5-OPT-OUT (1-888-567-8688) or visit www.optoutprescreen.com. The phone number and website are operated by the major consumer reporting companies.

To opt out permanently: You can begin the permanent Opt-Out process online at www.optoutprescreen.com. To complete your request, you must return the signed Permanent Opt-Out Election form, which will be provided after you initiate your online request. 

PERSONAL EXPERIENCE

A couple of years back, I was signed up for a credit monitoring service and had several unauthorized applications for credit filed in my name in rapid succession. Over a period of weeks, I fielded numerous calls from the credit monitoring firm, and spent many grueling hours on the phone with the firm’s technicians and with the banks that had been tricked into granting the credit — all in a bid to convince the latter that I had not in fact asked them for a new credit line.

The banks in question insisted that I verify my identity by giving them all of my personal information that they didn’t already have, and I was indignant that they should have been that careful before opening the new fraudulent accounts. Needless to say, the experience was extremely frustrating and massively time-consuming.

We eventually got that straightened out, but it took weeks. Not long after that episode, I decided to freeze my credit and that of my wife’s at all of the major bureaus. Turns out, I did that none too soon: A few weeks later, I broke a story about a credit card breach at nationwide beauty chain Sally Beauty, detailing how the cards stolen from Sally Beauty customers had wound up for sale on Rescator[dot]cc, the same fraud shop that had been principally responsible for selling cards stolen in the wake of the massive data breaches at Home Depot and Target.

In response to my reporting about him and his site, Rescator changed his site’s home page to a photoshopped picture of my driver’s license, and linked his customers (mostly identity thieves and credit card hustlers) to a full copy of my credit report along with links to dozens of sites where one can apply for instant credit. Rescator also encouraged his friends and customers to apply for new credit in my name.

Over the next few weeks, I received multiple rejection letters from various financial firms, stating that although they had hoped to be able to grant my application for new credit, they were unable to do so because they could not view my credit file. The freeze had done its job.

In summary, credit monitoring services are helpful in digging you out of an identity theft ditch. But if you want true piece of mind, freeze your credit file.