Experts Analysis Of Wawa Breach Potentially Compromised 30 Million+ Payment Cards

By ISBuzz Team
Writer, Information Security Buzz | Jan 30, 2020 06:26 am PST

In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground’s most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach.

Now, on the evening of Monday, Jan. 27, a popular fraud bazaar known as Joker’s Stash began selling card data from “a new huge nationwide breach” that purportedly includes more than 30 million card accounts issued by thousands of financial institutions across 40+ U.S. states. Two sources that work closely with financial institutions nationwide tell KrebsOnSecurity the new batch of cards that went on sale Monday evening — dubbed “BIGBADABOOM-III” by Joker’s Stash — map squarely back to cardholder purchases at Wawa.

5 Expert Comments
Mark Bell, Managing Director
InfoSec Expert
January 30, 2020 2:45 pm

This is why it is so important that merchants and card issuers need to fully adopt EMV chip and contactless technology to prevent card-present fraud on a scale such as this. Although the magnetic stripe likely will not go away for years to come, card readers should not allow the use of the magnetic stripe if a card is EMV chip-enabled. It’s hard to understand how a breach of this magnitude is still occurring in today’s card-present security environment. If the point-of-sale terminals in use were in fact not EMV capable, the liability for the fraud will fall entirely on Wawa.

Robert Capps
InfoSec Expert
January 30, 2020 2:41 pm

Many retailers are suffering from PoS attacks as hackers deploy malware within the merchant payment ecosystem, in an effort to steal credit card information as consumers provide it. Once stolen, this card data, including card number, expiration date, CVV, and some consumer information, is sold on the dark web to hackers who are amassing this stolen information for counterfeit cards and card-not-present fraud. Unfortunately, these types of attacks are not going away. Millions of user records flood the dark web, available for cybercriminals to use to create synthetic identities or to steal whole identities: to open up new lines of credit, new credit cards, or use passwords to take over online accounts. The best approach that many online companies are already taking is to protect consumers with behavioral biometrics, combined with other security layers, to limit fraud and identify customers by their online behavior instead of relying on stolen credit card information or credentials. This method allows companies to more easily identify potentially fraudulent transactions that use credit cards that have been stolen before the transaction is completed. At the same time, consumers should check their credit card statements frequently and contact their bank regarding any suspicious transactions they might see.

Stuart Sharp, VP of Solution Engineering
InfoSec Expert
January 30, 2020 2:39 pm

The recent focus by cybercrime groups on fuel dispenser merchants in the US highlights the fact that cybercriminals will target the weakest link. Defending against any type of computer-related crime must be based on a strategy of reducing risk. Companies can greatly reduce the likelihood that they will be a target of cybercriminals by taking some simple first steps. In Wawa’s case, this could have been to install chip-based card readers. Whether or not these readers would have prevented the attack, they would have reduced the number of cards stolen and likely led the attackers to find a more high-yield target.

Sam Curry, Chief Security Officer
InfoSec Expert
January 30, 2020 2:37 pm

It’s become almost a reflex now: another letter in the mailbox, “we regret to inform you that due to a breach, your personal data may have been….” The number of identity compromises by this point is over 10 times the population of the United States, and yet life continues. The unthinkable has become the mundane and the routine. This still doesn’t excuse the breaches.

Fool me once, shame on you. Fool me twice, shame on me. Fool me ten times, enough is enough! It’s time to really up the ante: minimize the extent of possible breaches and compromises, minimize exposure when breaches like this occur. Having customer data is a privilege, not a right. The time to beef up security is long past. Simply automating the apology process smacks of insincerity. This still needs a light shone on it. Explanations for breaches of this sort in the payment card and financial services demand a little more than a form letter and business as usual. Transparency is essential and then a demonstration of lessons learned. For those who haven’t been breached, show us you’ve learned from the lessons learned by others. If someone finds a new way to compromise data, the numbers shouldn’t be in the 10s of millions, and the stories of how it’s done should be getting more sophisticated. If not, it’s like hanging a sign outside saying “jobs wanted” by the fraudsters and that’s not acceptable in 2020.

James McQuiggan, Security Awareness Advocate
InfoSec Expert
January 30, 2020 2:36 pm

It’s been a month since the Wawa breach was discovered that the card information is showing up as available for criminal hackers. At this point, it is unlikely that a lot of these card numbers will be sold because the Card Verification Value (CVV) information wasn’t part of the data breach and thus makes them difficult to use in the wild. The intent of having the card information could be used for spear phishing attacks against the consumers, as they pretend to be the credit card organisation.

The email would be carefully crafted to be from the credit card company, informing them the card was stolen and certain actions need to be taken to prevent any future fraud. They word the email to get the person to click on a link to reset a password or request a new card. This type of trick is common and the consumer may take action without verifying the email first, which could expose their information to a greater risk.

The payments systems in the U.S. do not fully utilise the same secure features that other countries use to reduce the risk of counterfeit payments from criminals. With the gathering of all the card information, the criminals can sell this information to other criminal groups for profit, however, in the past, not a lot of them have been purchased or used by the criminals. Granted, it’s a huge overhaul of all the POS systems at gas stations to get them upgraded to the new secure readers, but they have until October 2020 to complete the changes or the gas stations become fully responsible for all of the costs without any support from federal funding.

