Fraud in seven states starts with a local restaurant

Technorati Tag:

Date Reported:
10/14/08

Organization:
Horizon Restaurants Inc

Contractor/Consultant/Branch:
Lansky's (Bellevue)

Location:
Bellevue, Nebraska

Victims:
Customers

Number Affected:
Unknown*

*"about 40 victims and there could be more"

Types of Data:
Credit card magnetic strip information

Breach Description:
"Bellevue Police hope a surveillance photo will crack a major credit card scheme. Channel 6 News was first to report credit card numbers had been stolen from a Bellevue Lansky's in August."

Reference URL:
WOWT Channel 6 News
KETV Channel 7 News
Omaha World-Herald

Report Credit:
Mike McKnight, Omaha World-Herald

Response:
From the online sources cited above:

Bellevue police are investigating an extensive ID theft that has reached across seven states.
[Evan] Not ID theft so much as credit card fraud.

other charges have occurred in Arizona, Illinois, Tennessee, Michigan, Georgia, California and Iowa, and involve seven banks

Surveillance video from a Council Bluff's Wal-Mart is officers' only lead.


Source: Omaha World-Herald

Police want to question the man shown in the video because they believe he used one of the accounts.
[Evan] If you think you recognize the man pictured above, call Detective Roy Howell at .

All the cards involved in the ID theft were used at Lansky's Restaurant in Bellevue between June 8 and June 27.

Lansky's, at 3909 Twin Creek Drive, notified Bellevue police in August that it was receiving reports that credit cards were being used for unauthorized purchases

One card was charged more than $20,000.

So far, police have identified about 40 victims and there could be more.

Bellevue police detective Ray Howell said some diners' cards may not have been used yet.

Investigators said the accounts were breached electronically
[Evan] We can only speculate as to the exploit.

"The (credit card) information might have been obtained over the Web," Howell said
[Evan] Do you suppose the information was sent from Lansky's to the processor in clear-text (unencrypted)?  Are there still processors that operate this way?

They said the card numbers were cloned onto other cards and then used
[Evan] If you have the magnetic strip data, this is a piece of cake.  The bad guys can use any card with a magnetic strip to write to.  Gift cards, phone cards or bulk blank cards (~$30/100) are common.  A few hundred bucks for a card encoder and that's all she wrote.

"Banks have indicated that this happens all the time," said Bellevue police Lt. David Stukenholtz. He said a large amount of cards are compromised a couple of times each week.
[Evan] Sad but true.  The system is broken, but we could write a book about that.  Not now.

During the investigation, Bellevue police worked with the Secret Service for technical advice and enlisted the Douglas County Crime Lab to enhance the surveillance photos.

Meanwhile, the owners of Lansky's have switched to a dial-up credit transaction system and are working to make their credit transactions more secure.

No Lansky employees are suspected of the theft and there was no physical breach of the restaurant, police said.

Commentary:
Few retailers are immune to breaches involving the payment information they collect.  We read about small retailers and we read about large retailers (See: ).  The Payment Card Industry - Data Security Standards (PCI DSS) are meant to a address credit/debit card security, but it's important to note that compliance DOES NOT mean security.  I wonder what percentage of small retailers are PCI compliant anyway.

Past Breaches:
Unknown


 
Trackbacks
  • No trackbacks exist for this post.
Comments
Page: 1 of 1
Page: 1 of 1
    Leave a comment