back to article Carders punch holes through Staples

US office giant Staples is investigating a possible credit and debit card breach of its Northeastern stores. Evidence for the hack, reported by cybercrime and prolific breach blower Brian Krebs, is apparently based on a dozen fraud monitor sources within different US banks. Staples has contacted police and said it was …

  1. Anonymous Coward
    Stop

    "We take the protection of customer information very seriously, and are working to resolve the situation"

    Why don't you just dial-a-stock-response and have done with it, will save a lot of time in the long run.

    1. frank ly Silver badge

      If they took it seriously, they'd have had a security audit and actual testing of their POS and other equipment as soon as high street retailers started to get hit by these attacks. That was how long ago?

    2. ecofeco Silver badge

      How dare you disparage them! They paid good money for that stock response!

  2. DrXym Silver badge

    Simple solution

    The USA should drag itself into the 21st century and use chip and pin. It's not clear to me why retailers, visa or customers tolerate a situation which allows cards to be cloned so easily or the virtually non existent security checks that happen at point of sale in the US.

    Chip and pin isn't foolproof but it would stop card skimming / cloning which must surely be the most common cause of credit card fraud by a long stretch.

    1. Tom 13

      Re: Simple solution

      The UK has now admitted Chip and Pin isn't infalible like they claimed it was. All it did was allow banks to dodge responsibility for fraud for a couple of years.

      What security checks do you think a minimum wage monkey could actually be trusted to make? Check the signature? Right. I've been to college, I know how easily fake IDs are obtained for getting into bars and bars ARE legally liable for serving minors.

      The only solution is to start holding the banks and the businesses with crap security responsible for the full extent of the economic damage they do to the users who are compromised by their failures. If that means the limited liabilities on corporations need to be modified, so be it. I'm all in for holding the officers of the corporation personally responsible for the breaches in cases like this.

      1. DrXym Silver badge

        Re: Simple solution

        "The UK has now admitted Chip and Pin isn't infalible like they claimed it was. All it did was allow banks to dodge responsibility for fraud for a couple of years."

        Who said it was? Not me. But it is FAR more difficult to clone or skim via chip and pin than a magnetic stripe.

        As for banks "dodging responsibility", there is no reason that the situation with US transactions must be the same, although there is reason to believe that if stores WERE responsible for bad transactions they'd audit their kit and their staff a lot more than they clearly do right now.

        "What security checks do you think a minimum wage monkey could actually be trusted to make? Check the signature? Right. I've been to college, I know how easily fake IDs are obtained for getting into bars and bars ARE legally liable for serving minors."

        The answer is "very few". Which is why chip and pin is important. Go shop in America some time and notice how security is virtually nonexistent. At best the store will have some broken screen you're supposed to sign but no one ever checks the card or the signature to the card.

        "The only solution is to start holding the banks and the businesses with crap security responsible for the full extent of the economic damage they do to the users who are compromised by their failures.

        The only solution eh? No it isn't. In this case, the immediate problem is that card skimmers are being installed in stores, possibly with collusion of staff / managers. Such skimmers wouldn't even be an issue if cards had a chip & pin and weren't swiped.

        1. Tom 13

          Re: wouldn't even be an issue if cards had a chip & pin

          Shoddy thinking. If the thieves have access to install a skimmer, they have access to install a device to intercept both the chip data and PIN transmission.

          I shop in US stores all the time. I for one am happy they no longer engage in the kabuki theater that use to be security for a credit card purchase. I remember the bad old days of a clerk pulling out a month old book to see if my credit card was on the list of stolen credit cards. And having my credit card declined because I made the fatal mistake of buying gas for my one car from the pump before heading inside to pay the clerk for the repair work they finished on my other car.

          It's not that I am unaware of the problems. In fact, I've just gone through the process of canceling one of my credit cards and getting a new one because dodgy charges showed up on it. Neither VISA nor I can identify where or how the card was compromised. But they caught it, no goods were exchanged, and the bad guys didn't get money. I don't expect chip and PIN would have prevented it, but their monitoring caught it.

    2. ecofeco Silver badge

      Re: Simple solution

      There's something about "progress" that screams "commie plot" to the average American and "capital expenditure with no immediate profit to me, er, the shareholders" to the average CEO.

      Too bad that wasn't sarcasm.

  3. Simon Rockman

    Bought something at Staples

    I bought a stapler from Staples at Staples corner, but they didn't have any spare staples which was odd because you would have thought it was a staple product.

    1. ecofeco Silver badge

      Re: Bought something at Staples

      Did you try Shelly's Sea Shells by the seashore? Sometime they carry shtaples.

  4. Glenn 6

    Until the government outlaws the practice of swiping credit cards into the POS system - which retailers do on purpose so they can track your purchase habits - these problems will continue.

    The only place you should be sticking your card into is a bank-supplied, independant payment pin pad terminal.

    1. Tom 13

      @Glenn 6

      Bullshit!

      Stores started swiping credit cards long before the data gathering began. They started it because transferring the numbers electronically was more accurate than running a card through a mini-mimeo machine and collecting a signature. The mini mimeo machine meant the numbers had to be transcribed later by workers at VISA. The reduction in losses was reflected in the reduced costs VISA passed along to the businesses for swiping cards instead of imprinting them. It's been about 15 years since I had to look at the numbers, but I don't expect that aspect of it has changed.

  5. Stevie Silver badge

    Bah!

    OFFS!

  6. ecofeco Silver badge

    The fun never ends!

    Alrighty! Any bets on next week's victim(s)?

    The categories are: gov, retail, financial

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019