Expect plenty more bad news like today’s Dairy Queen credit card hack story. As they say, there’s plenty more where that came from. There’s something a little different about this latest spat of credit card hacks, however, and you should know about it.
Brian Krebs told the world last night that some DQ stores/franchises have been hacked; or at least banks are seeing fraud patterns typical of such a hack. DQ headquarters seems to know nothing, which isn’t uncommon — many individually-owned stores don’t have to report security incidents to the brand owner.
Here’s two things to know about this hack:
Recently, the U.S. Secret Service issued a bulletin warning U.S. retail outlets that hackers have become very efficient at stealing cards from stores that allow remote access of credit card processing computers. Using malicious software called “Backoff,” criminal gangs have compromised stores of all sizes. The impact is huge.
“The Secret Service currently estimates that over 1,000 U.S. business are affected,” the advisory says.
The memo says the Backoff software has been used to attack store computers since October 2013, but wasn’t’ detected by antivirus software until August of this year, giving criminals an incredibly long window to rampage through networks holding credit card data.
Apparently the announcement last week about hacks at UPS stores was directly related to the Secret Service advisory, which inspired the store to check for Backoff. That’s also might be true for the Supervalu/grocery store hack announced a couple of weeks ago.
By my math, that means there’s 998 of these announcements to come — 997 if DQ is confirmed as part of this problem.
As for what you really need to know, my ears perked up at this part of Krebs’ story:
“We’re just getting all kinds of fraud cases coming in from members having counterfeit copies of their cards being used at dollar stores and grocery stores,” said a fraud investigator Krebs spoke with.
Here’s why that’s important for you:
Hackers who steal bulk card data in this manner sell it online to other criminals, who sometimes use it to create “clone” cards by encoding the stolen data on new credit card plastic; then the clone cards are used at gas stations and other shops where close inspection is unlikely.
If you’ve ever had a sales clerk ask to see your card, and then manually enter the last four digits of the card into the cash register, that small check is designed to stop some versions of card cloning.
Consumers who’ve indulged in DQ desserts this summer shouldn’t over-react. As usual, they are not responsible for fraud that appears on their card, as long as they report it in a timely manner. Note, however, that criminals in this case used the stolen data at dollar stores. Consumers are much less likely to spot low-value fraud; so watch those bills carefully. If you don’t report it, you’ll pay for it.
I’ll repeat because it’s worth repeating: Scan your bills for unexpected low-value transactions, and make sure you dispute them promptly.