Costco, one of the world’s largest retailers, has warned customers that they may have had bank card details stolen, following reports that payment card skimming devices were discovered at Costco warehouses.
“If unauthorized parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card expiration date, and CVV,” Kevin Green, VP Midwest region operations at Costco, wrote in a letter to potentially affected customers.
The letter, dated November 5, 2021, was uploaded to Documentcloud by Bleeping Computer.
The letter offers customers who may have been affected free credit monitoring from IDX for 12 months, but provides no further details on the device itself, nor the period in which it was operational.
It was discovered “as a result of regular pin pad inspections conducted by Costco personnel.” It was therefore potentially operational for any part of the period between this and the previous inspection. Fox Business reports that a total of five skimmers were found in four different Chicago-area warehouses during pin pad inspections at the end of August.
“The data that the attacker can obtain from the magnetic strip on a card actually depends on the card itself. While things like the credit card number, full name, expiration, and country code is universal, other cards can contain additional information like billing address or rewards account numbers,” comments Randy Watkins, CTO at managed detection and response firm Critical Start.
Armen Najarian, chief identity officer at Outseer, warns that we can expect to see a growth in such attacks as we get closer to the holiday season – a threat made worse by staff shortages cause by the pandemic. “As we head into the holiday season, hackers and other bad actors will target retailers made vulnerable by short staffing and high transaction volumes,” he said.
“All of this, unfortunately, will be amplified this year as pandemic-induced labor shortages reach unprecedented levels. If retailers want to keep their customers safe and happy this holiday season, they need to prioritize payment authentication software for in-store and online transactions alike.”
Such physical attacks only affect the users of the compromised devices and should not be confused with the software skimming technique of a Magecart attack. At Black Hat Europe on November 10, 2021, external attack surface management firm Cyberpion announced the possibility of a new wave of Magecart attacks. It analyzed more than 30,000 Magecart vulnerabilities over the last two years and found that more than 10,000 are still active.
“There were also severe lapses in enterprises disclosing security vulnerabilities or exploits occurring along their digital supply chains to their customers, ultimately placing all connected organizations at severe risk of a critical breach.”
Magecart is the common name for a style of cyber attack used by multiple threat actors. Hackers compromise third party code (typically JavaScript that runs in browsers) to steal, or scrape, information such as credit card data from web-applications (for example, online checkout software) or websites that incorporate the code. Big name victims of such attacks include British Airways and Ticketmaster in 2018, Forbes magazine in 2019, plus local US government portals and messaging service Telegram 2020.
“Our conclusion from the analysis is that as of today, organizations fail to face Magecart threats and detect the vulnerabilities and exploits that hackers leverage to conduct these attacks,” said Cyberpion CEO Nethanel Gelernter. “Victims are often the last to know as it’s only later that organizations find that their data was sold or exploited, with the problem extending beyond any single vendor or client relationship. For enterprises in particular, Magecart attacks pose a significant challenge because it is problematic to set up a solution at scale.”
Related: Online Retailers Ill-Prepared for Holiday Season
Related: Hackers Favoring Shimmers Over Skimmers for ATM Attacks
Related: Hunting for Magecart With URLscan.io
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
More from Kevin Townsend
- Threat Actor Abuses SuperMailer for Large-scale Phishing Campaign
- Quantum Decryption Brought Closer by Topological Qubits
- IBM Delivers Roadmap for Transition to Quantum-safe Cryptography
- CISO Conversations: HP and Dell CISOs Discuss the Role of the Multi-National Security Chief
- Court Rules in Favor of Merck in $1.4 Billion Insurance Claim Over NotPetya Cyberattack
- Open Banking: A Perfect Storm for Security and Privacy?
- Apiiro Launches Application Attack Surface Exploration Tool
- Phylum Adds Open Policy Agent to Open Source Analysis Engine
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
