Bulk Reef Supply Security Breach
- Thread starter Jone
- Start date
soulpatch
New member
You can be compliant and still storing credit card data. It has to be stored in another DB with no query logic allowed to be run against it. When one does want to do inquiry then there is a paperwork trail to pull data. No CVV2 data is stored as it is not needed. Unless cleared all data is encrypted so you couldnt tell the card number anyway. Even when cleared the card numbers are given a unique masked value so while I can use the key and track the same credit card I am not actually using that card number.
As to guarding the consumer the US has some significant changes coming. If you are in Europe or using a few of the upper cards in the US you are familiar with the signature chip cards. Soon they will also require signature pin cards.
Basically this year the banks will be reissuing cards with a chip in them. The card is inserted at the register instead of being swiped so that it can read the chip and confirm it is in fact your card. It is more secure then current mag strips. The pin adds an additional layer and that should be coming online the end of this year.
The key part of the legislation though is that it changes liability from the bank to the retailer. If the retailer does not update their systems then they are liable for the fraud which should put more emphasis on stores checking IDs and other security measures to cover themselves. It might mean a few more seconds in line for us all but the added security will save a ton of headaches in this day and age of hackers.
Better yet is the rise of items like apple pay that simply submit a random token to the store instead of your actual card. Samsung has their own system coming out this year too as they just acquired a company to aid in their development.
Sad to say but we are in an age of digital crime and it will get worse for a while with these breaches.
MidwesternTexan
Average Joe
As I sit here at work, I wonder why everyone can't just do honest work anymore?
Why so many have to 'cheat,game' the system?
What's funnier, is that it happens so often, that usually unless it's at least a 5K loss,
they don';t even investigate it. Is that funny or what?
Why so many have to 'cheat,game' the system?
What's funnier, is that it happens so often, that usually unless it's at least a 5K loss,
they don';t even investigate it. Is that funny or what?
soulpatch
New member
With the rate of the online hacks you better be ready to do a lot less shopping places.
No more Home Depot, Target, BRS, Boscovs, Niemen Marcus, and many more should be off your list...
firemountain
New member
I had 3 purchases during the timeframe indicated. Luckily all were done through PayPal express. Gonna keep on checking my account regardless, and just changed my password to be safe.
ravenzme
New member
In Information Security here. I do Due Diligence on companies around the country, and people would be shocked at how poorly data is protected. Companies that do PCI self attestations are a joke. At rest encryption isn't even a standard with many online retailers, and when I ask why these people think they are protected from hacks like Target, etc, I often get the response "we have a firewall in place and use SSL". I have no idea if any of this is the case with BRS, not familiar with their security. Just saying from my experience, people just don't know how to protect the data they collect, and don't understand how to take care of the customer's financial or personal information. As long as companies make it easy, breaches will continue. Again, I am not accusing BRS of being lax, as I just don't know anything about them. But never assume a company has their security act together just because they are accepting credit card numbers over a website. Yes, it frustrates me too.
MondoBongo
Obligate Feeder Obsessed
i'm glad to hear they're finally bringing over enhanced security measures. i've heard tid bits about how cards in europe are more secure, glad to see it will be spreading.
it's also nice to hear that they're actually putting together some laws for this. when i was working with it a few years back, it was all civil penalties and governed by nothing more than industry guidelines.
i saw the talk about samsung bringing out their own pay system, but i don't know that i'm convinced those will be any better. i didn't care for apple pay when it was called google wallet.
i get that using the tokens almost like a claims auth has certain value for protection, but that card information is still stored somewhere. so it seems to just shift the target to larger clearinghouses of the data. where as today a subset of people had their information stolen from BRS, it would potentially be much more if samsung or apple were hacked. time will tell i suppose.
i assume i will getting my letter from BRS shortly. sadly my girlfriend bought me a vortech for christmas, and her card was apparently compromised. she already had to have it replaced about three weeks ago, and just get her letter from BRS last night when i had got home from work.
MondoBongo
Obligate Feeder Obsessed
the only reason i am even vaguely antiquated with a lot of this stuff is because a place i worked at had some serious violations i accidentally discovered.
they were keeping full customer data (credit card number, cvv2, social security number, address, telephone, birthdate, etc...) in a completely unencrypted database table, in a database that was directly publicly accessible via their classic ASP website, and to put the cherry on top, they had already been compromised by at least one severe SQL injection attack.
when i stumbled across it, i freaked. it took me months of beating the drum loudly to get them to clear me even two weeks to do the best i could to encrypt and secure the data. management just didn't think it was important, but finally gave me that small amount of time to at least shut me up.
i was able to get everything at least encrypted, and put some better authentication in place, but it was still far from perfect when i left.
really, really, scary.
marinelife
Active member
I got a letter in the mail from them offering me free membership to Experian's ProtectMyID Alert.
I do know my bank has already changed my card.
I do know my bank has already changed my card.
I had 4 accounts breached in early January all of which were used to purchase in excess of $5000 from BRS in the prior 2 months. I figured they had to be connected but could not prove it. The last month has been hell having basically all my accounts frozen, fighting charges, and waiting for replacement cards.
Very unhappy and disappointed it was them!
Very unhappy and disappointed it was them!
That is just it. it's not just a BRS problem. My insurance company Anthem just got hacked. Unfortunately you can't get around it unless you drop off the grid completely. What saved me was that I had phone alerts set on all my accounts that I can. It doesn't stop it from happening but it gives you more time to react and minimize the damage.
soulpatch
New member
You can blame your local stores for the wait on this. Retail did not want to spend the money on improved card readers and lobbied against this all. It took legislation that changed liability onto the shoulders of the retailer should they not comply that changed their tune. The recent hacks have also sped up some adoption of new tech.
The laws are more in pushing the liability away from the banks. Some might see this as a red flag but I dont. (disclosure I work for a bank now). I see it as good since stores have become WAY too lax in just swiping a card and not doing anything else. Think about the last time you were asked for id. Yet go and try to buy a pack of cigarettes and see how quickly you get carded. The threat of liability on the store will lead to significant changes.
Totally seperate systems and honestly they are the future as they are more secure since they do not send your actual card number to the retailer but an encrypted number. Think of it like they send a gift card upc to the store for the exact amount needed.
the card info is still stored same place it is now. There is no difference to operation though your phone could be stolen and it woudl have your cards on them. Depending on your security features would dictate what they had access to.
How it works is no different then you swiping your card. You hold your phone over the reader and the reader sends the total to your phone which then pings the processor. The processor pings visa/mc to ensure it is an actual card (the card you are trying to pay with) and it pings the bank that you have balance available instantly. Everything comes back ok in a split second and the phone transmits a scrambled card number to the register and you go on your way.
Apple/Samsung are just the transmitters for the data and do not store it. It was a huge concern about the storage of data with apple pay for the banking industry for the reasons your brought up. They do not which is why you see so many banks as partners. Should see the same thing when samsung's system comes out as well.
Hopefully she used a credit card from a reputable bank as many of the big banks are understanding of these things ESPECIALLY if you can trace it to a breach announcement like this.
soulpatch
New member
Exactly. Though in this day and age people should almost avoid using their debit cards unless their bank has sufficient fraud protections. Sadly many smaller banks do not cover their individuals enough and even the larger banks can be sluggish in making the corrections.
Credit cards on the other hand are held to a higher standard and are a bit easier/faster to deal with. And please do not confuse using your debit card as a credit card as the same thing.
Ramble On Rose
New member
A couple of those did a lot more than apologize and offer a year of fraud protection. I know I won't shop at BRS unless they do more than issue a statement and say they are sorry. They're not Home Depot, Target, etc... I can just as easily click on Premium Aquatics or other sites.
SecretiveFish
Member
I freaking thought so! We ended up with fraud on multiple cards, and the converging store was Bulk Reef Supply. It was a PAIN to get this cleared up, multiple calls to credit card companies with general ineptitude on the employees part (is this intentional so that the customer just gives up?!?).
Someone in Australia was buying airline tickets and someone else tried to buy stuff at victoria's secret and someone else bought something off hotwire (which I had never heard of) and another online store I also had never heard of.
My favorite issue to clear up was a charge to T-Mobile (we have never used T-Mobile) and my credit card company told me that it was a valid charge for additional services on a pre-paid cell phone. Great! Except we never made that purchase!!!!
Someone in Australia was buying airline tickets and someone else tried to buy stuff at victoria's secret and someone else bought something off hotwire (which I had never heard of) and another online store I also had never heard of.
My favorite issue to clear up was a charge to T-Mobile (we have never used T-Mobile) and my credit card company told me that it was a valid charge for additional services on a pre-paid cell phone. Great! Except we never made that purchase!!!!
Similar threads
