Ogden case may be tip of iceberg in growing wave of retail cyber crimes

Feb 12 2014 - 6:43am

OGDEN -- Doug Russell keeps close tabs on his bank accounts. 

So when the Bank of Utah notified him recently that his debit card had been compromised and they'd have to issue a new one, Russell expressed surprise because he had not noticed any inappropriate transactions taking place. 

And he also felt instant dismay.

"I told her I can't be without my card," Russell said of the phone conversation he had with a Ben Lomond branch employee. 

Russell was relieved to find out the bank could issue him a new card immediately.

Russell's dilemma dates back to purchases he made at Harbor Freight Tools on Harrisville Road between May 6 and June 30, 2013. According to www.harborfreight.com, the giant tool retailer operates more than 500 stores nationwide in addition to its web presence.

Harbor Freight issued an online statement Oct. 31 about the data breach.

"Over the summer, Harbor Freight Tools' payment processing system was illegally attacked by cyber-criminals. The attack was similar to attacks reported by other national retailers," said Harbor Freight CEO Eric Smidt. 

"In response, we immediately engaged a leading cyber-security company to investigate and notices were posted in every store and on our website. We blocked the attack and adopted enhanced security measures to make our systems more secure than ever," Smidt said.

The entire message can be read at http://www.harborfreight.com/protectingcustomers.

Experts view these rash of attacks as "likely to be the leading edge of a wave of serious cybercrime" due to hackers honing their skills in breaching the nation's outdated payment systems.

The oft-used defense of installing antivirus software and monitoring accounts for unusual activity now provides little resistance against Eastern European criminal gangs, because programmers can write malicious code or purchase inexpensive hacking kits online. Those tools allow criminals to probe for system weaknesses in wireless networks, computer servers and retail card readers.

According to an unnamed FBI official, almost two dozen companies have been hacked in cases similar to the Target breach and more are expected to fall victim in the months ahead. So far, the names of all of the compromised firms have not been revealed and it is unclear how many shoppers have had their credit card numbers and other personal data stolen.

Problems related to the Harbor Freight breach have not yet surfaced in Utah's Department of Commerce or the state Attorney General's office.

"We have not heard about it," said Jennifer Bolton, Commerce Department spokeswoman.

Bolton recommended that people who made Harbor Freight purchases between May 6 and June 30 using credit or debit cards should contact their financial institutions.

Scott Morrill, program manager for the state AG's office, said that the Harbor Freight breach is very similar to what happened to Target and Neiman Marcus -- and just as serious. If thieves have an account number, expiration date and security code, they can still make purchases at some online sites.

"We're all victims of this problem in some way or another," Morrill said.

However, he knew of no fraudulent charges so far in relation to Harbor Freight's breach. And Morrill attributes that to credit card companies watching their customers' spending habits closely to register anything unusual.

"They're pretty good at it, thank goodness," Morrill said.

However, these defenses may already be inadequate. 

The Bank of Utah, which operates 13 branches along the Wasatch Front from Logan to Orem, first received notification in July that some of its account holders might be affected due to the seven-week Harbor Freight breach.

Chief Deposit Officer Craig Roper said it affected less than 1 percent of their debit card holders or somewhere between 50 to 100 Bank of Utah customers.

"We are very fortunate," Roper said, noting they received a short list in July of compromised cards that were considered to be high risk, and then another short lower-risk list more recently.

Risk refers to how many layers of information cyber attackers managed to infiltrate. Customer names, card numbers, expiration dates and security codes are stored in separate layers, Roper said, and if the criminal manages to get all the way to the security code, "that's very serious." 

"We reissue cards when it gets to the expiration date layer," Roper said.

So far, no Bank of Utah cardholders have been hit with fraudulent charges due to the Harbor Freight hacking, Roper said.

According to Harbor Freight's Oct. 31 statement, for most transactions during that period, the attacker likely only found "track 2" data on the card's magnetic stripe, which would include account number, expiration date, and verification number. 

"For less than 1 percent of these transactions, the attacker may have found data that also included the cardholder's name," the Harbor Freight statement said.

Roper is urging Bank of Utah cardholders to check their accounts often.

"The best thing you can do is be vigilant as far as watching your own cards, accounts and money," Roper said.

With cybercrime on the rise, high-tech security advances are also needed to keep pace with increased risk, Roper added.

"One that we're looking at to roll out later this year is an app you can install on your smart phone to turn your debit card on and off," Roper said, which would give customers added control in how and when their funds get spent.

The Washington Post contributed to this story.

Contact reporter Cathy McKitrick at 801-625-4214 or cmckitrick@standard.net. Follow her on Twitter at @catmck.

From Around the Web