[Robin Garr]

Uh oh ... This could be a problem for some Louisville merchants ... have any of our local restaurant or other retail people been hit by this? Apparently it affected one particular point-of-sale system.

Retailers Attacked by POS Malware
Remote Software Vulnerability Exploited, Cards Compromised
By Tracy Kitten, Bank Info Security, April 10, 2013.

A point-of-sale-software vulnerability is to blame for a malware attack that exposed hundreds of debit and credit accounts in and around Louisville, Ky., says one affected card issuer.

Area card issuers have tied fraudulent transactions back to a number of merchants that have one thing in common - the same POS-system remote-access software. And although fraudulent transactions so far have only been linked to accounts in Kentucky, the malware has likely affected POS networks and systems in other states as well, says Marjorie Meadors, assistant vice president and head of card fraud prevention for Louisville-based Republic Bank & Trust.

Now the U.S. Secret Service and banking institutions are working to pinpoint the merchant points of compromise to contain the attack that could date back to February, she says.

Full story ...

http://www.bankinfosecurity.com/retaile ... are-a-5670

I have not heard about this, does anybody know which POS system was compromised or credit card processor?

[Robin Garr]

I have not heard about this, does anybody know which POS system was compromised or credit card processor?

I was told on Facebook that it is not Aloha ...

I received a call from my credit card issuer's Fraud Dept. yesterrday morning. All that they could tell me was that someone had attempted to use my credit card at an out-of-state pharmacy on Sunday. Which raised some red flags with their fraud group.

Apparently, the transaction was made using an "actual plastic" replica of my card. Note: I only have one copy of my credit card and it was still in my possession. I was staring at it as I spoke with them on the phone.

The Fraud Dept said that "one of the merchants that I have done business with appears to have been hacked" The credit card issuer (a large national credit card issuer) could not give me any info on who the merchant might be when I spoke to them yesterday afternoon.

I'll bet a dollar that I'm a victom of the malware POS thing. The good news is that it was caught instantly by my credit card company.

Has anyone else in Louisville had this happen recently?

Has anyone else in Louisville had this happen recently?

I got took for around $700, all in North Carolina, all on the 14th.

CVS
Food Lion
Walgreens
Kangaroo Express
Marathon

DH's card was used at a Rite Aid in South Carolina (I think he said) on the 15th. Credit card/bank caught it right away.

Has anyone else in Louisville had this happen recently?

I got took for around $700, all in North Carolina, all on the 14th.

CVS
Food Lion
Walgreens
Kangaroo Express
Marathon

Dang!!! I had multiple attempted charges in North Carolina - all grocery stores - all last week. Unfortunately, one of the attempts turned into an actual charge of almost $150 and currently waiting on the bank to investigate and hopefully give me the money back. Also waiting for a new debit card. Living without a debit card is a real pain!

No funky charges here luckily, but I did get a call from the bank to cancel our cards and reissue new ones.

Mine was caught immediately too. It's was a $128 charge at a CVS in Michigan.

I noticed that several of the fraudulent charges mentioned above were pharmacies (CVS, Rite-Aid, Walgreens). Do you think that pharmacies (and perhaps grocery stores with pharmacies), could be the source of the POS problem?

By the way, my charge was also attempted on the 14th.

With all the pharmacy charges, I wonder if they are trying to buy ephedrine pills to make meth?

I got taken a few years ago for about a grand. Oddly, it was the same day as a local chicken wing restaurant was hacked, but I had never eaten there. It took two weeks but I got all the money back. About 30 transactions came through my account in the space of about 5 minutes from all over the world, so it wasn't a situation where someone had made a physical copy of my card. I never found out for sure but my suspicion was that it was related to the Sony Playstation store being hacked. The person I dealt with at the bank acted like it was a fairly common occurrence.

Im a hypocrite on this, as I use credit and debit cards both, but really folks, the solution is simple: CASH.

It saves the retailers money, there arent privacy concerns, there arent identity theft concerns. Its basically untrackable, for those who have black helicopter concerns.

Yeah, you have to worry about physical theft, but honestly, that is less of a concern for me than virtual theft.

Ive considered going near cash only multiple times. I doubt I would ever go 100% as gas stations are too convenient with a card. But really, going to cash for 95% of purchases wouldnt be hard to do at all.

Rob,

For some people, cash may make a lot of sense. I am self-employed as a landlord and try to use my credit card (and only one credit card) for all transactions. It makes it easier to track my rental expenses at tax time. If I paid for my rental expenses with cash, I know myself well enough to know that I'd lose about half of the receipts.

That said, I rarely use my debit card at merchants for the very reason that this thread exists. The debit card is simply used to get money out of a pass-through account at an ATM. That account never has more than $200 at a time. And I usually remove the $200 as soon as I sweep it over, so it's rarely there more than an hour at a time.

Fraudulent credit card transactions can usually be reversed/cancelled/caught with no problem. Debit cards attached to an account with actual money could do some damage. Or, at least cause some pain while waiting for the bank to sort it all out.

MICROS Systems, Inc. is not the point-of-sale company with this malware / breach issue. Credit card security (PCI) is a major concern for MICROS, for our customers' sites and for their guest. Bomgar, the remote access software we utilize to support our sites, is PCI compliant.

As Robin noted above, it wasn't any Aloha sites that were hit, in fact it wasn't limited to any one Point of Sale Software. It appears that it was actually an insecure remote access tool that a local dealer was using/recommending that seems to have caused the issue. We aren't in the business of pointing out flaws in other systems, and are really just heart sick to see anyone go through the coming investigation on both the restaurant and/or the consumer side. We just wanted to make sure that our valued Aloha customers can rest assure that it wasn't us, and that we will continue to be vigilant in assisting them with keeping their systems secured.