An Open Letter to the Next Four Retailers to Suffer Breaches of their POS Systems

A Russian coder who goes by “ree[4]”, identified at the time (in an attribution the researchers later revised) as a 17-year-old named Sergey Taraspov, writes software he calls BlackPOS or “Kaptoxa” that scrapes payment card data from the memory of point of sale (POS) systems at the moment of the swipe: the brief window in which the track data read from the magnetic stripe sits unencrypted in the terminal’s RAM before it is encrypted for transmission to the processor and discarded.  He sells it “off the shelf” to Eastern European crime rings for roughly $2,000 or a share of the proceeds from the stolen data.   Once it is inside a retailer’s network (e.g., through a targeted phish), it does not stop at card numbers and other PII; the same foothold can send back a great deal more.
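The scraper works because the swipe leaves a recognizable shape in memory: Track 2 data is a start sentinel, the PAN, a separator, expiry, service code and an end sentinel.  The same shape is what a responder looks for in a memory dump or a captured exfiltration file.  The following is an added example (not code from the post or from BlackPOS) that scans a constructed buffer for Track 2 records and keeps only Luhn-valid PANs; the 4111… and 5555… numbers are the public test card numbers, not real cards, and the dump bytes are made up for the example.

```python
import re

# Track 2 as the magstripe reader emits it and as it sits in POS RAM:
#   ;PAN=YYMMSSS<discretionary>?
# start sentinel, 13-19 digit PAN, '=' separator, expiry YYMM,
# 3-digit service code, optional discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check every real PAN passes; random digit runs mostly fail it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> list:
    """Return masked hits for every Luhn-valid Track 2 record in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue            # pattern match alone is not enough: cut false positives
        hits.append({
            "offset": m.start(),
            # never log a full PAN: BIN (first 6) and last 4 are enough to triage
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": "20%s-%s" % (m.group(2).decode(), m.group(3).decode()),
            "service_code": m.group(4).decode(),
        })
    return hits


# Constructed memory-dump fragment (not a real capture); 4111... and 5555...
# are the standard test card numbers and pass Luhn, 1234... does not.
SAMPLE_DUMP = (
    b"\x00\x00POSAPP.EXE\x00heap\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00\x00log: sale ok\x00"
    b";1234567890123456=2512101000?"
    b"\x00;5555555555554444=2701201?\x00"
)

if __name__ == "__main__":
    for h in find_track2(SAMPLE_DUMP):
        print(h)
```

Run as a script it prints two hits and silently drops the decoy; the same function, pointed at a network capture of the malware’s outbound traffic or at the dump file a scraper writes before exfiltration, is a cheap first check on how many cards are actually in play.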

Seven retailers are targeted and invaded by Kaptoxa.  Three of them (HouseofStraw, HouseofSticks and HouseofSand) are outed by security blogger Brian Krebs before they tell their customers.  HouseofStraw and HouseofSticks wait until their lawyers, “crisis managers” and law enforcement say it is OK to disclose, then do so, dutifully offering useless (because payment card numbers can simply be reissued) and expensive credit monitoring, in messages that are badly crafted from both a customer-relations standpoint (because they are written by “crisis managers”) and a technical one (because they look like phishing emails).  HouseofSticks later offers even less useful credit monitoring to victims of a massive, related breach of email addresses.  Both are facing numerous customer class actions and state and federal investigations, and HouseofSticks a shareholder derivative suit as well.  HouseofSand is outed earlier in the forensics process and acknowledges the issue, but has little to report and no strong action plan for its customers.  Three of the remaining retailers don’t know yet.

You represent HouseofBricks, which has just discovered (through its merchant processor) the first evidence that card numbers are being exfiltrated. What should HouseofBricks (HoB) do?

  • Immediately, as soon as it sees the slightest sign of trouble and before any investigation, HoB should contact as many customers as could conceivably be involved and tell them something like: “We just discovered there may be an issue with some credit card numbers.  We’re investigating fully and will keep you fully apprised, but want to warn you to check your bank/credit card statements immediately, and if you see any strange charges, call your bank/issuer and get it to reissue your card, also immediately.  Then please call to tell us right afterwards.”  HouseofSticks should likewise immediately warn customers of the email breach and give them tips on spotting phishing attacks.  Why?
    • The banks have 13 months within which to decide whether to reissue cards, and during those 13 months the fraud costs pile up; since those costs will ultimately be shifted to HoB, the banks can afford to let them accumulate.
    • The major harm to be avoided from an email breach is phishing, and the only practical way to prevent it is to warn consumers what to watch for before the phishing emails arrive.
    • For once, consumers know that new and sophisticated malware is invading retailers, so they will not blame HoB for disclosing the issue, particularly if it does so in a way that is faster and more effective than the previous three.
    • The holiday shopping season is over.
  • If HoB communicates with its customers by email, it should not send emails containing links to click for more information, attachments, or requests to confirm account details, or otherwise include features that are likely to make reasonably paranoid consumers assume they are looking at a phishing email.  Tell customers to type HoB’s address into their browser or call the number on the back of their card instead.
  • HoB should not offer credit monitoring.   It is not the best way to prevent harm in a card breach; card reissue is.  And in an email breach, credit monitoring is irrelevant to the primary phishing risk.  Credit monitoring is both expensive and absurdly time-limited (particularly in a market so rich in stolen card numbers that the black market has no trouble simply waiting a year until the monitoring expires), and there are far better ways to spend that money building trust with HoB’s customers.   If a customer does not want to cancel the card because it would mean unravelling too many online or automatic payment relationships, there are better ways to get long-term protection.  (Credit monitoring makes more sense for breaches of the kinds of information retailers generally hold only on their employees, such as social security or driver’s license numbers.)
  • HoB should communicate early and often with the appropriate state AGs, regulators and law enforcement, and take advantage of federal law enforcement’s knowledge of Kaptoxa.  If law enforcement objects to the open customer outreach strategy, HoB may want to point out politely that the criminals are well aware they have been detected and are nonetheless going happily about the trade in stolen card data on open internet forums.
  • Once HoB investigates and determines containment and remediation costs, it may want to weigh the cost of outsourcing its point of sale (POS) system entirely, or solely the capture of cardholder data, either permanently or until more secure (chip) cards are introduced.  Payment processors that specialize in security have developed “alias” (tokenization) systems that let HoB build customer profiles without ever holding cardholder data.  And the huge, integrated national or global POS system that HoB built in part to improve security may have succeeded mainly in turning HoB into a really big target.
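The alias approach in the last point is easiest to see in code.  What follows is an added example, not the post’s own or any processor’s actual product: a toy token vault on the processor side and a merchant that only ever stores the alias.  The merchant id, token format and sample purchases are invented for the illustration; the 4111… number is the public test card number.

```python
import secrets


class TokenVault:
    """Runs at the payment processor: the only place a PAN is ever stored."""

    def __init__(self):
        self._pan_to_token = {}   # (merchant_id, pan) -> token
        self._token_to_pan = {}   # token -> pan

    def tokenize(self, pan: str, merchant_id: str) -> dict:
        key = (merchant_id, pan)
        tok = self._pan_to_token.get(key)
        if tok is None:
            # Random, not derived from the PAN: a stolen alias table cannot be
            # reversed, and a token issued for one merchant is useless at another.
            tok = "tok_" + secrets.token_hex(12)
            self._pan_to_token[key] = tok
            self._token_to_pan[tok] = pan
        # BIN and last 4 are enough for the merchant's profile and receipts.
        return {"token": tok, "bin": pan[:6], "last4": pan[-4:]}

    def charge(self, token: str, merchant_id: str, cents: int) -> bool:
        """Authorize a repeat charge by alias; only this merchant's tokens work."""
        pan = self._token_to_pan.get(token)
        return pan is not None and self._pan_to_token.get((merchant_id, pan)) == token


class Merchant:
    """HoB's side: the PAN is seen only transiently at the swipe (in the fully
    outsourced variant the processor's device handles even that) and nothing
    but the alias is written to HoB's systems."""

    def __init__(self, merchant_id: str, vault: TokenVault):
        self.merchant_id = merchant_id
        self.vault = vault
        self.profiles = {}        # token -> {"last4": ..., "purchases": [...]}

    def swipe(self, pan: str, cents: int) -> str:
        alias = self.vault.tokenize(pan, self.merchant_id)
        del pan                   # nothing after this line has the card number
        prof = self.profiles.setdefault(
            alias["token"], {"last4": alias["last4"], "purchases": []})
        prof["purchases"].append(cents)
        return alias["token"]

    def stored_data(self) -> str:
        """Everything HoB persists, as one string, so a scan can confirm no PAN."""
        return repr(self.profiles)


if __name__ == "__main__":
    vault = TokenVault()
    hob = Merchant("hob-store-0042", vault)          # invented merchant id
    t = hob.swipe("4111111111111111", 1999)          # test card number
    hob.swipe("4111111111111111", 500)               # same customer, recognized
    print(hob.stored_data())
    print("repeat charge ok:", vault.charge(t, "hob-store-0042", 100))
```

The point the example makes: a repeat customer is recognizable (same PAN, same token) so loyalty and fraud analytics still work, yet a Kaptoxa-style dump of HoB’s databases yields no card numbers, and a token lifted from HoB cannot be charged through anyone else’s merchant account.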