By Lucy Komisar
March 6, 2014
Last October, my mother was notified by her credit card company that there was a suspicious charge for $800 on her card. Her card was replaced and she lost nothing. She thought one of the clerks at Sally Beauty Supply was responsible. That was the last purchase she had made on that card. After that she used cash at the store. (Sally is a national chain and Mom likes to shop there.)
Today’s NY Times mentions Sally in a story about credit card theft.
What it does not mention is that this (apparently) was going on for many months without a fix or public notice. The theft of Mom’s card information happened nearly five months ago. It is clear that the card issuer (Citibank) did not follow up (adequately or at all) when put on notice about this problem.
Gigantic sums of money may be being stolen from banks in this manner. The federal law that limits individual losses to $50 per card protects the banks, but hides the real losses that the banks pass on without scaring customers out of using their cards.
This is the way it works:
1. The bank removes the fraudulent charge from the card holder’s account. (No cost to cardholder)
2. The bank charges back the vendor (retail store, etc..) that accepted the fraudulent charge (No cost to bank)
3. The vendor’s costs are increased by the charge and profit is reduced.
Federal Law limits to $50 the amount of loss to a card holder from credit card fraud. Credit card companies choose not to charge cardholders that $50. This system supports heavy use of credit cards, because the users don’t have to be concerned with fraud if they inform the credit card issuer in a timely manner.
* Someone steals your credit card info and buy $1000 worth of merchandise.
* You call the credit card company and inform them of the fraudulent transaction as soon as you are aware of it.
* They cancel the card number and issue you another one.
* The bank charges back the $1000 to the vendor who accepted the charge and who keeps the loss.
The banks collect very profitable fees from credit card transactions. Fraud doesn’t diminish their business, because cardholders don’t care about it, since they don’t appear to pay for it.
The vendor eats the cost and increases the prices of products to cover the loss as much as it can. Some of the vendor’s products may be discontinued, because added cost makes them unprofitable.
But all costs of products and services are eventually borne by the consumer (and the economy as a whole) when the costs of goods and services increase to cover the fraud. In essence, this is a transfer payment from our economy to the thieves. And when the banks don’t follow up reported fraud with proper action — as appears to have happened with Sally — fraud and institutional inefficiency reduce business activity and employment.
The NY Times story:
In what may be the latest cyberattack on an American retailer, Sally Beauty Holdings said Wednesday that it had been investigating a security breach that others say may have resulted in hundreds of thousands of stolen customer credit cards.
Sally Beauty Holdings, which had $3.6 billion in revenue last year, sells beauty products to consumers as well as to professionals at places like salons. Sally Beauty Supply, one of its main business units, has 3,300 stores in several countries and operates 2,600 retail stores in the United States.
Karen Fugate, a spokeswoman for the company, based in Denton, Tex., said that on Feb. 25, its intrusion detection technology, called TripWire, had identified an intrusion into its systems. In response, Ms. Fugate said, Sally Beauty shut down all incoming communications to the retailer‘s systems and hired a forensics team from Verizon, which has been investigating recent breaches at Target and other companies.
Verizon is now investigating the breach, but Ms. Fugate said company officials and forensics efforts have yet to tie fraudulent activity on customers‘ credit cards to the breach.
“We have yet to find any evidence that customers‘ credit card data has been compromised,” Ms. Fugate said Wednesday.
The Secret Service, which has been conducting an inquiry into recent breaches at Target, Neiman Marcus and others, said it was not investigating a breach at Sally Beauty.
The intrusion at Sally Beauty was first reported Wednesday by Brian Krebs, the independent security blogger. Mr. Krebs noted this week that a fresh batch of 282,000 stolen credit and debit cards had gone on sale in an underground crime store.
Mr. Krebs said that representatives from affected banks had purchased several stolen credit cards from popular sites where they are sold and discovered that 15 of them were used recently at Sally Beauty.
If the breach is confirmed, Sally Beauty will be the fourth major retailer ” after Target, Neiman Marcus and Michaels ” to confirm that its systems were compromised recently.
A report last week from Bloomberg identified Sears as another company that had been breached, but the company and law enforcement officials have denied reports.
The tally of customers affected by recent breaches at Neiman Marcus, Target, Michaels and others now exceeds one-third of the American population. In those cases, criminals installed so-called malware on retailers‘ systems, which fed customers‘ payment details back to their computer servers.
The breaches are believed to have been perpetrated by the same group of criminals in Eastern Europe, and to be part of a broader cyberattack directed at as many as six other retailers, according to two people investigating the breaches who were not authorized to speak publicly.
The entry point for each breach differed, according to one law enforcement official. At Target, the entry point is believed to be a Pennsylvania company that provided heating, air conditioning and refrigeration services to Target. Criminals were able to use the company‘s login credentials to gain access to Target‘s systems, and eventually to its point-of-sale systems.
According to two people briefed on the company‘s internal investigation, criminals were able to do so because Target‘s network was “flat” ” or was not designed in such a way that certain systems required higher levels of authentication.
On Wednesday, as Sally Beauty confirmed its compromise and looked into reports of the breach, Target said its chief information officer, Beth Jacob, had resigned.
(end of NYT story)
Could this be related to the destruction of strong encryption effected by backdoors required by the NSA. Is the NSA an accessory to international crime?