Diners at local chain of pubs had their credit-card info stolen

Turns out those conventioneers who had their credit-card info had one thing in common: They all ate or drank at pubs run by the Briar Group, whose outlets include the Harp, Solas, Ned Devine's, the Green Briar and Anthem. And that means some locals probably had their data nabbed as well.

In a statement tonight, the chain says:

Based on the initial results of our investigation, we believe the unauthorized access to card data at our restaurants may have occurred from sometime in October 2013 to early November 2013. We are still working to determine the exact dates and will update this website when we learn more.

Even if you visited one of Briar Group’s restaurants during this period, your credit card data may not have been stolen or used.

However, we urge all of our customers during this period to monitor your credit card statements carefully for fraudulent charges. You should not be responsible for any unauthorized charges on your card; you can contact your card issuer for more information.

Riggs responds on Twitter:

Huh. I used to go to @solasboston. Now I know why @bankofamerica shut down my card a few weeks ago.



Free tagging: 


I have to give credit to Bank

I have to give credit to Bank of America for superior service on 12/13. I've experienced some of their security measures in the past and while malcontents may quibble at the time it takes to receive a new "permanent" debit/credit card, they are on top of the account security side.

I got a text, phone call, and email all within 30 minutes informing me of a potential data breach and telling me of their preventative measure to freeze my debit card. I went through everything with them by phone, got cash from my local branch, and had a temp card the next day.

Haven't heard from Briar Group.


PS, to Adam

Adam, you went through their press release (that was written by someone with a busted shift key or a child?) to turn the visually-rambling incoherence into sentences with capital letters?!

Love it!!


Again no surprise...

As I said in my post here...


This not uncommon at all. I find it funny that the news is now picking up on stories like this. Do you know how many times a day credit card numbers are stolen? More than you know. There's big money in theft and selling of illegally obtained numbers, and its not going to stop.

As I said in my previous post, the issue is with the current technology. If we moved to SmartCards like Europe has done years ago, we wouldn't be having this issue. But once again we are held back due to money. Money that the credit card processors say its needed to upgrade their magnetic card systems, the same money the processors want to force the costs onto the merchants. The merchants would have it the other way around, where the processors pay. Back and forth, back and forth about this topic for years. Maybe this will be a wake up call and card processors and merchants would have to work together to ditch the 1970s technology for smart cards. (but some how I little faith in that ever happening anytime soon)

*shrug* the card companies did it to themselves.. they need to upgrade, but refuse too. I'd love to find out if sucking up all the fraud vs upgrading a archaic system because remember in the end your card ends some one pays for fraud, and its you (as in high interest rates & fees) and the card processor and paying out fraud complaints. I just wonder what the ROI would be.. one might think it would be LESS to just upgrade rather than having larger and larger breaches to pay out on...

Worst than Credit Card Fraud

And I'm sure someone will ask (or not).. since I'm so vocal about all this stuff, if I still use Credit Cards.

Well as far as a 'credit card', I no longer have any 'real' credit cards. Well at least im the traditional fashion, meaning a credit card of its own, and not one that is just my bank card acting as a Visa card. Don't care too, I personally believe the whole banking/credit card/credit report crap is nothing but one big scam to milk people out of money they do not have, but that's beside the point.

I personally think.. and I like to inform people about this because.... there's a bigger security flaw that allows even easier to your bank accounts. Anyone wanna guess what that is. I'll give you a hint, they give you a book of these when you open your checking account.

That's right, CHECKS are the worst offenders while trying to prevent fraud. Why? Because of eChecks.. And for the sheer fact that on that peice of paper you give a fraudster every peice of information they need to commit fraud. Right in front of their eyes. Name, Address, Phone, account and routing number. You even give them a check number to start from.

eChecks don't require any sort of verification except what so ever. Unlike your debit card which requires a pin for you to setup, checks do not. They usually only require a zip code and account number. When an eCheck is processed, you just need to fill it out. And unlike debit or credit cards where verify and capture a sales balance when a charge comes thru, a eCheck only verifies that you have a positive balance (it could be 1 penny above zero and it would still approve). So in theory, someone could write several checks on one day, and since it takes 2-3 days for a bank to process a check (either a paper one or an electronic one), the perp would be long gone with your funds before you and your bank realized that those checks that cleared were not written by you.

Its scary. I refuse to write checks for this very reason. I need to write a check to someone I am not sure about? I go to the bank and get a money order.

Think about that before you write a check at Stop & Shop for groceries and hand it over to the cashier.

More and More, I am starting to realize that cash really is king, especially when it comes to preventing fraud.



Naive question

Isn't just a cost benefit thing? Wouldn't the banks or credit card companies say: "Gee costs X because of fraud and Y*X to change the payment system so it is cheaper to use what we have"? As someone else said at least some of the companies are pretty good at catching fraudulent charges. Of course "Y" in the above equation could be less then 1 and then you can say they are pretty stupid.

I heard on the news (and have not done an independent verification) that it would cost over a billion dollars to replace all the cards compromised by the Target fraud. And it has to cost Target at least as much. And this will happen again. Wouldn't that be a basic motivation to switch over?

Of course you ask the question in a different fashion.

I am guessing part of the problem is the sheer number of POS terminals. Upgrading large users such as Target is a no brainer, but there has to be at least 10 million mom and pop places (sorry no citation) that process credit cards. That is where the ROI would be negative.

One thing

I forgot to mention about the Merchants, which makes their case for the card processors to pay for new terminals in the end is that most Merchants already pay fees to..

1. Have the ability to process cards (a monthy charge just to have the account)
2. Pay a percentage of each sale to the card processor (i.e 100 dollar charge = 1 dollar goes to the card processor)
3. Rental Fees. Some Merchants PAY rental feels for their equipment.

So the merchants are already paying, and you want them to pay more?!?

I just remember a day a long time ago where ALL credit cards were not accept at every merchant. Remember when Discover cards could only be used at Sears? Or where some places accepted VISA but not MasterCard? It was a privileged to accept a certain credit card brand.. not just 'a given' as it is now.

We could go back to that. If some wise bank who owned some long-since forgotten Credit Card brand... for my example I'll say Diner's Club (which still exists), decides to go all smart chip and make their marketing play "Your Security is our high priority", and pushes it that way. Now merchants who want to sign on were given a new machine just to process Diner's club (as it used to be like years ago). Now slowly but surely, one by one card holders dump their 1970s MC/Visa/Amex cards, and now everyone uses Diner's Club. Where does this leave MC/Visa/Amex ? Still bickering about who's going to pay for PoS machines?

Just saying.. it could happen. A good analogy to this the CD-based Music Industry who fought digital media tooth and nail and made CDs sale drop to an all time low. It took low sales for them to embrace the technology, and now they do. Same will happen to credit card companies.

edit: changed "card processor" to "merchant" (inaccuracy)

No, not cost-effective to fix

The losses to fraud are less than converting to smart credit cards, for processors, banks, and merchants.

That is because they don't care what it costs individuals getting ripped off or having their life turned upside down with identity fraud. Nor is it worth their while to help out people who now have ruined credit ratings - no profit in that, only costs.

Rushing to EMV

I have two main objections to rushing headlong to adopt EMV.

First, from a technical standpoint, there are a lot of design and implementation problems that remain unresolved. PIN harvesting attacks, common around the world to get PINs from ATM users, break all the security EMV allegedly buys us right at the front door, and there's no good way around them. There are stupid shortcuts that were taken with padding the 'unguessable numbers' that reduce the keyspace by 48 bits that I know of (there could be other problems that reduce it further that I've forgotten). There's an attack out lately involving thieves going into posh restaurants at the beginning of lunch service, swapping the wireless handheld EMV readers there with their own, then sending an accomplice back at the end of dinner service to switch back the restaurant's own readers. EMV would have addressed the Target breach, but it's not clear (yet) if it would have prevented this flat-pack pub crack, and it obviously hasn't slowed the pace of innovation amongst the bad guys.

Second, and more worryingly to me personally, I'm concerned about the legal side of the equation. Consider that, when Chip and PIN was implemented in the UK, a ruling was put up by the Financial Services Authority which put the onus for proving fraudulent use of one's card on the cardholder. It was only after several high profile incidents (one, IIRC, involving a Labour front-bencher) that the FSA reversed course and put the onus on the banks to prove that their systems were secure in cases of suspected identity theft or card misuse. I can easily imagine our social betters in Washington and on Wall Street pushing very hard to make the US in 2015 look like the UK banks in 2006. If I have little faith in our ability to get the tech right the first (dozen) times, I have no faith in our legislators' abilities to get this right, liability-wise.