Credit Card Breach At P.F. Chang's
schwit1 tips a post by Brian Krebs saying that P.F. Chang's China Bistro, a nationwide restaurant chain, is the latest victim of a massive data breach. The company is currently investigating. Krebs writes:
On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so, an underground store best known for selling tens of millions of cards stolen in the Target breach. Several banks contacted by KrebsOnSecurity said they acquired from this new batch multiple cards that were previously issued to customers, and found that all had been used at P.F. Chang's locations between the beginning of March 2014 and May 19, 2014. ... The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).
Cash and checks (Score:2)
I use cash or checks for 99% of my purchases. That way I avoid this issue. I'm also an old guy so "Get off my lawn!"
Re:Cash and checks (Score:5, Insightful)
Re: (Score:2)
What, you don't buy anything?
Re: (Score:3)
This. Any bank that isn't a ripoff (and assuming that you don't have the worst credit in the world) offers zero liability for fraudulent purchases. Given that checks are tedious to write and process, and cash is easy to get lost or stolen, it doesn't make a whole lot of sense to pick them over a credit card.
I probably went to PF Changs in this time period, and used my credit card there no less (I'm not quite sure whether it was in April or in May that I last went) but I'm not at all concerned about it. I've
Re: (Score:3)
You fail to mention the full, tedious process for reporting fraudulent card transactions, and getting them reversed. Whenever I've had to do it (recently, almost yearly), there are records to review, paperwork to fax, etc. to confirm what charges are legit and which aren't.
It's a wash in effort between dealing with ca
Re: (Score:3)
You fail to mention the full, tedious process for reporting fraudulent card transactions, and getting them reversed. Whenever I've had to do it (recently, almost yearly), there are records to review, paperwork to fax, etc. to confirm what charges are legit and which aren't.
With my card, in most cases, I get a call where they verify a half-dozen or so purchases. There was once where they called me to say that my card was cancelled, with a new one in the mail. I've never had to fill out any paperwork from that particular bank/card, let alone had to fax anything. The policies vary company-by-company, so something that's onerous for you may be much easier for someone else.
Re: (Score:2)
Yes, anecdotal evidence means very little.
Re: (Score:2)
I have to agree that the CC company makes a difference, Capital One has always been the one to tell me when something bad has happened. Slight inconvenience to me. Somebody besides me ate the cost (probably Capital One.) So obviously their business model is profitable enough to not really worry too much.
That being said, it is about F'ing time that retailers and CC companies make the investment into chip and pin systems. Not perfect, but would basically shut down most casual card skimmers. The one-time
Re: (Score:2)
Tedious? Then you have the wrong credit card.
Every time this has happened to me with any card, they call me and ask me if I had made a few recent purchases. If I say no to any of them, they cancel the card and immediately ship me a new one. Max time 10 minutes. I need to type in the card number every time I make a purchase online anyhow. If I have to make a purchase in the couple of days it takes for the new card to arrive... I use a different card.
When your bank account is cleaned out, you are without mone
Re: (Score:1)
I use credit cards for 99% of my purchases. That way I avoid the issue of dealing with change and refilling on cash. I've never been held responsible for a fraudulent charge.
Plus using a credit card gives you 5% cashback for various categories of purchases.
Re:Cash and checks (Score:4, Insightful)
"I use credit cards for 99% of my purchases. That way I avoid the issue of dealing with change and refilling on cash. I've never been held responsible for a fraudulent charge."
- OTOH, I use CASH for 90% of my purchases. Only one retailer (a major online company) knows my card number and they are unlikely to leak it. Similarly I have no revealing 'loyalty cards' for grocery & drug store purchases.
So my wallet is much thinner than yours and I have little fear of identity theft. I carry $200-$400 at all times. If it is stolen, I will be unhappy but not as much as if my identity is stolen.
I don't think it's anyone's business if I purchase adult diapers or pron or medicines or alcohol. Should I reveal that in return for 'rewards'? You will have to decide for yourself if you want to advertise your lifestyle in exquisite detail to worldwide data marketers.
Re:Cash and checks (Score:5, Insightful)
I use cash or checks for 99% of my purchases. That way I avoid this issue. I'm also an old guy so "Get off my lawn!"
Is it a real issue or a theoretical issue? I've seen a few fraudulent charges over the years, and the bank has never given me any grief over any of them.
Your solution of carrying cash exposes you to higher risk of direct loss or theft. And you lose the card rewards program.
As for cheques -- yeah, whatever, because those aren't stupidly easy to forge; and most people won't even take them anymore.
On the upside you have a smallish boost in privacy relating to your purchases. (locations, times, and amount spent)
Seems you've traded one set of small risks for another. Not sure that amounts to a real overall improvement though.
Re: (Score:2)
Don't neglect those rewards either. Every year I get a nice free $200 payment towards my credit card bill, and since I always pay it off before interest accrues, it's pure profit.
Stupid paypal always forces me to default to paying with a bank account, and when I try to pay with a credit card they insist that I don't do it because the credit card supposedly costs me more. Paypal just wants to make a higher profit margin.
Re: (Score:2)
The risk of forged checks is there even if you never use them yourself.
Re: (Score:2)
Is it a real issue or a theoretical issue? I've seen a few fraudulent charges over the years, and the bank has never given me any grief over any of them.
Not really, the average loss from credit card fraud is $500, it costs Australia $2 billion annually. Eventually this cost comes back to you.
Your solution of carrying cash exposes you to higher risk of direct loss or theft. And you lose the card rewards program.
LoL @ rewards program.
Seriously, carrying cash does not increase your theft profile, with the addition of contactless payments that do not require a form of authentication, plastic is now as at risk as cash. Yep, sure you can tell me "but the bank will cover me" but all you're really saying is "I'm naive like a child". The bank only covers itself.
Seriously, rew
Re: (Score:2)
Compared to the costs of using credit cards (most of them hidden like interchange fees and merchant service fees) cash is cheaper.
You still pay those when you use cash because the agreement between the credit card company and the merchant forbids the merchant from offering a lower price when goods are purchased with cash.
In fact, given the number of high profile breaches in recent days it seems carrying cash is safer. You can expect more breaches as criminals figure out ways to collect your card information from NFC without you even taking your card out of your wallet.
As others have already said, it's not the cardholder that takes the loss when fraud occurs. It's the merchant. Sucks for them, of course, but certainly not for the cardholder. So I'm not sure why you're still rambling on about the safety of cash. If a thug steals your wallet full of cash, it's gone for ever. Not so if
Re: (Score:2)
Fortunately, not legally enforceable.
Dual pricing is permitted by law in Australia precisely because it is illegal for a third party to force a hidden cost onto a business. For a moment, consider the people you are defending here, they are forcing extra costs on merchants, which results in higher prices and you're
Re: (Score:2)
Lots of businesses do a cash discount. The only way you don't know about this is because you don't do cash transactions... your loss.
Most of the businesses I've dealt with that do a cash discount have nothing at all to do with credit card fees. They are simply committing tax evasion; as a cash transaction lets them avoid putting it on the books. Which is fine, but let's not pretend it's because of big bad credit card companies.
And what does the merchant do when they take a loss? Put prices up to compensate.
Yes.
Y
Re: (Score:2)
I think the problem with your argument is that you are in a different country (Australia) than most of us (US). The laws and processes there appear to be quite different. Here:
1) There is minimal difficulty in disputing charges. Most banks have the process pretty streamlined, so on the rare occasion it happens, it's relatively simple to deal with and causes you no disruption (at least with credit cards...debit cards can be a little more dicey with the potential for bounced payments and stuff, which is why
Re: (Score:2)
Is it a real issue or a theoretical issue? I've seen a few fraudulent charges over the years, and the bank has never given me any grief over any of them.
Not really, the average loss from credit card fraud is $500, it costs Australia $2 billion annually. Eventually this cost comes back to you.
Because nobody would commit fraud if credit cards did not exist.
Re: (Score:2)
.. And you lose the card rewards program.
....
Cash reward for credit cards isn't a cash reward. You must be the type that thinks trickle down economy is good.
Here's how the cash rewards work. The CC company says "Hey, our Customers are stupid. They pay high interest rates to us for convenience. How about we tell these sheep that they can get cash back, while we up their interest rate 1% to pay that cash back.
Car analogy: You go to buy a new car. The Dealer says they give you $1000 cash back if you buy this certain model. You think, cool, I'll
Re: (Score:1)
That's how it works for some "wankers" but for me I pay them $0 in interest and they pay me thousands of dollars a year in cash back.
Re: (Score:2)
Here's how the cash rewards work. The CC company says "Hey, our Customers are stupid. They pay high interest rates to us for convenience. How about we tell these sheep that they can get cash back, while we up their interest rate 1% to pay that cash back.
As I pay my balance off virtually all the time my rewards cash back far exceeds any interest payments and fees.
I guess it's like the lottery -- a tax on people bad at math. Except unlike the lottery, I can win at this game. And do.
Re: (Score:1)
Often, the rewards are paid out of the merchant's pocket, not even the credit card company or the bank that issued it. Merchants are charged a percentage ranging from about 1% to 4% on purchases. Rewards cards often take the highest percentages.
In effect, your "cash back" is paid by the person from whom you are purchasing merchandise/services. That results in higher prices, as merchants adjust pricing to meet their net profit needs.
It's correct that you, the account holder, are paying your own reward, but i
Re: (Score:2)
It's correct that you, the account holder, are paying your own reward, but it's not so direct that it is paid out of interest+fees.
In that case, not using a rewards card means I'm paying for other people's rewards, and not getting any myself; so I'm still ahead using a rewards card vs not using one.
Re: (Score:1)
Now I have to avoid you at the grocery store for fear of being in line behind you while you write a check.
Re: (Score:2)
I almost always use cash at the grocery store. I'm the one waiting in line for the person running their card through the machine. Checks are for the big purchases.
Re: (Score:2)
Umm...no. Cash takes considerably longer to tender than credit. The customer takes time selecting the bills and coins, the cashier takes time counting it, then enters the amount in the cash register, and after the till opens, they have to count out the customer's change. This takes an average of about 16 seconds per transaction.
A credit transaction today is a swipe of a card, and can be processed and authorized in under one second.
Chip and PIN is not as fast as a magnetic stripe due to the very limited CP
Re: (Score:2)
Cash takes considerably longer to tender than credit. The customer takes time selecting the bills and coins, the cashier takes time counting it, then enters the amount in the cash register, and after the till opens, they have to count out the customer's change.
The one assumption you make here is that the credit card user is on the ball, and swipes either before the final total is rung or immediately after. I have seen many customers stand there until the cashier tells them the total, then reach into their wallet/purse and hunt the credit card, swipe it the wrong way, finally get it right, then hit "debit" on a card that is credit only.
Granted, these same people would likely take even longer to pay with cash, but I can see why some people think that cash is faste
Re: (Score:2)
Considering that cashiers can hardly do math anymore even when the POS tells them which bills to provide in change... cards are much faster.
(Not that I blame them, I can hardly do basic math either. That is what the computer is for.)
Re: (Score:2)
I use cash or checks for 99% of my purchases. That way I avoid this issue. I'm also an old guy so "Get off my lawn!"
I also tend to stay away from places with "Bistro" in the name. You can generally count on a 50% or more higher price, with no commensurate increase in quality.
"Bob's Chinese" is more likely to try harder.
Re: (Score:3)
Checks are more insecure than credit cards...
Re: (Score:2)
I usually use EMV + PIN
should be safe enough. I wonder why people keep using those magnetic stripes.
Re: (Score:2)
I use cash or checks for 99% of my purchases. That way I avoid this issue. I'm also an old guy so "Get off my lawn!"
If you use personal checks for everything, you are a complete fool. Checks are trivially easy to fake. All they need is your bank account number, helpfully printed in clear text on the front of the check. The bank's routing number is published information. There is absolutely no protection in the personal check system.
Your name does not need to be on the check they create. All they need is an ID from somebody, and that person's name on the check. There is no protection built into the system at all.
If you do hav
Someone's let the POS out of the bag! (Score:5, Interesting)
If it's stripe data, that implies the POS readers were compromised, just like Target. Interesting.
Re: (Score:3)
If it's stripe data, that implies the POS readers were compromised, just like Target. Interesting.
Yes, they have been compromised at the factory, which I stated in the Target Breaches, but no ones to believe because I will NOT name my sources.
Re: (Score:2)
It seems like all the POS compromises were inside jobs of one description or another. Pay minimum wage, chop and change employees, means your system will get compromised, it is just a matter of time. Looks like all instore purchases will require cameras at the checkout to photograph every person making a credit card purchase. All deliveries based upon online credit card purchases will require an identified and photographed individual to accept them (skype could become popular for online purchase, no video
Re:Someone's let the POS out of the bag! (Score:4, Insightful)
If it's stripe data, that implies the POS readers were compromised, just like Target. Interesting.
Yes, they have been compromised at the factory, which I stated in the Target Breaches, but no ones to believe because I will NOT name my sources.
And you are cross at people for believing your claim with no evidence? You must be religious.
Re: (Score:2)
Because PCI compliance means security! Brought to you by my PCI Compliance Consulting Firm.
Re: (Score:3)
Nothing in the article says they stored these numbers. Target had their card readers compromised. It could be the same case here.
Re: (Score:2)
Exactly, there's no law to prohibit anyone from storing CC information, just a strong suggestion not to. Best practice preaches PCI/DSS compliance, but really it's the CC schemes that are broken. The schemes represent a compromise between convenience and 'security'. Here's an interesting Twitter stream: Need A Debit Card? [twitter.com], some even post photographs of both sides of the card and then wonder why their accounts are empty.
Re: (Score:2)
PCI/DSS isn't simply about being able to claim nebulous adherence to "best practices"; it's about an organization's ability to maintain a business relationship with their customers and an upstream merchant account provider under certain agreed upon minimum standards for data security. Quoting PCI Data Storage Do’s and Don’ts [pcisecuritystandards.org]:
Do not store sensitive authentication data contained in the payment card’s storage chip or full magnetic stripe, including the printed 3-4 digit card validation code on the front or back of the payment card after authorization.
This point in particular is not flexible in nature. Storing that specific information, or failing to take specific steps to secure the access perimeter and specific systems
Re: (Score:2)
What the fuck. That twitter feed might as well be titled "the stupidest people in the world".
Re: (Score:1)
Because when deadbeat freeloaders file chargebacks they have to have the data to prove they actually swiped a card.
Bad naming choice (Score:1)
Target store is going to change its name to Kick Me.
My balance was over the limit... (Score:2)
...but half an hour later, it was empty again.
Restaurants etc. (Score:2)
Minimize the number of places you expose your CC numbers. Pay cash where feasible. Use debit cards ONLY at bank terminals. Be especially careful at restaurants and gas stations.
Re:Restaurants etc. (Score:4, Insightful)
Minimize the number of places you expose your CC numbers. Pay cash where feasible. Use debit cards ONLY at bank terminals. Be especially careful at restaurants and gas stations.
Or, if you're in good standing with your bank, don't worry about it. The banks are good about fraudulent charges in the civilized world.
Re: (Score:1)
Minimize the number of places you expose your CC numbers. Pay cash where feasible. Use debit cards ONLY at bank terminals. Be especially careful at restaurants and gas stations.
Or, if you're in good standing with your bank, don't worry about it. The banks are good about fraudulent charges in the civilized world.
This really has to be one of the most naive things I've heard in a long time.
Sadly I hear it quite often.
"The bank will look after me, the bank's got my back".
Why do you think the bank won't drop you like a hot brick if you become too much of a liability? Why do you think the bank actually works for you and not the shareholders?
I'm not a paranoid nutcase, I'm happy to use the services of a bank but I also know that they will try to screw me over as much as possible. That's their business, to make
Re: (Score:2)
Why do you think the bank actually works for you...
I have no such illusion. I am not a liability. They make money off me. I presume they take about 3% of everything I run through the card, less the 1% they send back to me... So, 2% is theirs.
If they had to choose between eating a few fraudulent charges, and losing me as a customer they'd eat the charges. So, no, I'm not being naive. I know exactly what I'm worth to them.
Re: (Score:2)
"The bank will look after me, the bank's got my back".
Because if the bank doesn't have my back, I take my money elsewhere.
Re: (Score:2)
Ugh I spend $50K a year through the credit card. Someone got our numbers somehow once and ran up few grand, we didn't have to pay a dime. The GP is spot on, the bank will go to the bat for you.
I had a $1000 draw on my account from Mexico, I reported it to the bank and they said they'd check the signature and if all was in order I wouldn't be charged for it.
I mentioned I didn't think it worked that way, come to find out my Mom traveled to Mexico as dental charges were dirt cheap.
Being a tad old she used the wrong card.
Re: (Score:1)
Why does your *mom* have a card to *your* bank account?
You're close enough to your parent to have her with a direct line into your banking, but not enough to know when she's travelling to a foreign country for medical purposes?
Sorry, just seems to be a bit odd to me.
Re: (Score:2)
Why does your *mom* have a card to *your* bank account?
Was sure that was going to come up. My Mom was my Money Manager, it worked out very well she paid all my bills with my money and gave me an allowance each week. It worked as I mentioned very well for me. For some reason he had her savings account as part of my account. She's getting a bit (well a lot forgetful) when asked where to take the money from (in Mexico) she mentioned the wrong one account, and the end of me having a money manager.
Re: (Score:2)
Why does your *mom* have a card to *your* bank account?
Was sure that was going to come up. My Mom was my Money Manager, it worked out very well she paid all my bills with my money and gave me an allowance each week.
When I took back control of my money, Bank of America asked if I wanted a Credit Card, I mentioned I don't trust myself with a credit card, I only purchase what I can afford. I got a credit card two weeks later.
Re: (Score:2)
Or, if you're in good standing with your bank, don't worry about it. The banks are good about fraudulent charges in the civilized world.
But who eats the loss? I seriously doubt it's the bank. AFAIK they bill the merchant which means there IS problem (because the merchant will project those chargebacks into the price of his goods).
The right solution is payment system where you don't give your secret keys when you make a payment. For example bitcoin or other cryptocurrencies.
Re: (Score:2)
Costco might not take other CREDIT cards, but they POS debit just fine.
Aside, any AMEX will work as a Costco card to activate their gas pumps, for membership gas prices without membership. Any Discover does the same at Sam's gas pumps. [At least until later this year when they phase out Discover.]
Re: (Score:2)
Carry hundreds of dollars worth of cash around with you at all times = security.
Use Bitcoin already! (Score:1)
And yes, I am serious. I am now going to get my flame suit on though.
Re: (Score:1)
I would, except I had them all deposited at Mt. Gox.
Touché
I was meaning the public/private key technology though and not a crooked company involved with it.
When all said and done, you can "hack" a credit card with a pen and paper, even a photocopier will work. The system as archaic and in need of a replacement.
Re: (Score:1)
The system as archaic and in need of a replacement.
Gonna troll myself here... you meant is not as you fat fingered dumbass.
If you're eating at P.F. Chang's... (Score:2)
Got a call from my CC fraud dept today (Score:2)
Re: (Score:2)
"Gee, this card can't handle a $20 charge for lunch, so I'll try to buy something MORE expensive with it...."
CC Fraud vs Bitcoin (Score:1)
The thing I like about bitcoin is it allows the user to determine how secure or insecure they wish to be while with credit cards they are dependent upon multiple third parties security measures and the weakest link in the chain can expose you to fraud. I never had an issue with fraud in Bitcoin and have had multiple issues with fraud with debit/cc's where I needed to get replacement cards and was liable for the deductible.
When I pay a retailer with Bitcoin I don't have to worry about identity theft or my a
Re: (Score:1)
I cannot agree more, I even just blogged about it:
http://mineforeman.com/2014/06... [mineforeman.com]
Bitcoin's public/private key system avoids the issue altogether.
With a credit card when you hand over your plastic you have effectively just handed over your private key for someone to copy with a magnetic strip reader, a photocopier or even something as old school as a pen and paper.
Almost, but not quite (Score:1)
Bitcoin does solve the issue of being able to electronically pay people you may not trust, but so does PayPal. Bitcoin transactions are slow to confirm, you have no protection as a buyer to perform a chargeback (for example, you buy tickets for a concert that turn out to be counterfeit) and the price of Bitcoin is extremely unstable. Bitcoin also is not really free of transaction fees, either. You will pay a fee to an exchange when buying Bitcoin with fiat.
Bitcoin's deflationary design also makes it lous
Re: (Score:1)
I am going to stay ontopic rather than discuss all of your statements.
Bitcoin does solve the issue of being able to electronically pay people you may not trust, but so does PayPal.
Isn't the chargeback potential a risk under PayPal not found for bitcoin? When someone gets paid the charge can be reversed at any time per PayPal's discretion. Thieves will buy bitcoins all the time on eBay with stolen PayPal accounts and then the seller will be out all the money when PayPal reverses the transaction. Additionally, aren't PayPal's security policies also a risk for the user unlike with bitcoin where you can trust the mathemat
Re: (Score:1)
Isn't the chargeback potential a risk under PayPal not found for bitcoin? When someone gets paid the charge can be reversed at any time per PayPal's discretion. Thieves will buy bitcoins all the time on eBay with stolen PayPal accounts and then the seller will be out all the money when PayPal reverses the transaction. Additionally, aren't PayPal's security policies also a risk for the user unlike with bitcoin where you can trust the mathematics and network which is immune from many traditional attack vectors?
Yes, chargebacks are a potential fraud risk for business owners. As a customer, though, being able to perform a chargeback is an important safeguard against a seller that doesn't make good on their part of a transaction.
While having your bank/credit card information on file at PayPal is also a potential security risk, it's still significantly less of a risk than trusting every business you allow to directly process your credit card.
Credit card Security is a none term (Score:2)
The only way almost all credit card thefts have been realized is their sale on different web sites. These Security personnel check the sites at regular intervals (or are informed of them) then point and say AH! HA!
Re: (Score:2)
none = non
Massive Breach? (Score:2)
China is 3rd most visited country. (Score:2)
Given that China is the 3rd most visited country in the world, this is probably not only a nationwide problem, but also one for tourists who have been there and have paid with a credit card at this China bistro chain.
It's good that such a problem hasn't happened in one of the European countries, or in the USA, because the problem would have likely been much bigger due to the larger base of people using credit cards.
(here's hopelessly hoping that editors do a better job writing "articles" outside their US-only minds)