
Credit cards used on cvsphoto.com may have been compromised - heavymark
http://www.cvsphoto.com/
======
akerl_
For those not looking to click through to the site:

====

We have been made aware that customer credit card information collected by the
independent vendor who manages and hosts CVSPhoto.com may have been
compromised. As a precaution, as our investigation is underway, we are
temporarily shutting down access to online and related mobile photo services.
We apologize for the inconvenience and are working diligently to resume
service as soon as possible. Your images are saved and you will have access to
them once service to CVSPhoto.com is restored. Our in-store photo centers are
not affected and remain in service. Film and disposable camera orders are
being processed and your CVS/pharmacy will contact you when they are received.

Customers who provided credit card information for transactions on
CVSPhoto.com are advised to check their credit card statements for any
fraudulent or suspicious activity and to call their bank or financial
institution to report anything of concern.

Customer registrations related to online photo processing and CVSPhoto.com are
completely separate from CVS.com, optical.cvs.com, cvs.com/MinuteClinic on
line bill pay and our pharmacies. Financial transactions on CVS.com,
optical.cvs.com, cvs.com/MinuteClinic and in-store are not affected.

Nothing is more central to us than protecting the privacy and security of our
customer information, including financial information. We are working closely
with the vendor and our financial partners and will share updates as we know
more.

For more information, call 1-800-SHOP-CVS.

====

~~~
mahouse
Thank you, this is a very valuable and useful comment.

~~~
akerl_
My sarcasm detector is admittedly permanently broken thanks to years on IRC
and forums, but just in case:

It's useful because the steps a reader would need to take before being secure
clicking through to a site identified in the submission title as "hacked" (I
notice the title has been clarified since then) are non-trivial. I figured
since I'd done them once, I might as well save additional folks the steps if
they were just looking for the page contents.

~~~
minot
I don't think grandparent was being sarcastic. In case they were, I'd like to
add that I am sincerely thankful for the copy paste.

~~~
anu_gupta
Looking at his comment history, it's very likely he was being sarcastic.

------
kejaed
Like others have said about this happening to Costco too, this is all because
CVS, Costco, Sam’s Club, Walmart Canada, and Rite Aid use PNI Media as a
backend for their photo services and PNI seems to have been hacked:

[http://krebsonsecurity.com/2015/07/cvs-probes-card-breach-at-online-photo-unit/](http://krebsonsecurity.com/2015/07/cvs-probes-card-breach-at-online-photo-unit/)

~~~
chockablock
This article should replace the current article link (to cvsphoto.com)

------
TobbenTM
My plugin made it even worse:
[http://i.imgur.com/uSnzzHC.png](http://i.imgur.com/uSnzzHC.png)

~~~
klinskyc
Hey, I'm actually the creator of the plugin. I'm amazed to see a picture of it
on HN. Thanks for using it and let me know if you have any questions. If
anyone else wants to use it, it's called Plain Text Offenders Alert and
available in the chrome web store.

~~~
carbocation
Great plugin. Link here: [https://chrome.google.com/webstore/detail/plain-text-offenders-aler/ggndaknbenjhnkddgjnjjcmomgaidhmd?hl=en-US](https://chrome.google.com/webstore/detail/plain-text-offenders-aler/ggndaknbenjhnkddgjnjjcmomgaidhmd?hl=en-US)

~~~
level09
Interesting. How does this work? Based on statistics/reports, I guess?

~~~
captn3m0
From the chrome webstore page:

>Disclaimer 1: Plain Text Offenders Alert is not associated with
plaintextoffenders.com, it uses their publicly available database.

------
jamra
My credit card was ripped off 4 times in the last year. Recently, I had a
credit card for less than a week.

Since then, I started to use Virtual numbers. It's a feature that generates a
virtual credit card number that I am opting to use per vendor. Hopefully, this
will expose the vendors that are leaking this sensitive information.

~~~
hallman76
Good idea. Which bank or credit card are you getting this service through?

~~~
arfrank
The only two live US banks with this on the consumer side are Citi and BoA.
The unfortunate thing is that the functionality is all accessed via old flash
applications.

~~~
ikeboy
Citi has a Windows program also.

~~~
arfrank
You are correct. Forgot about that one since it's just their flash app wrapped
to work on Windows with a bit of extra copy & paste functionality.

~~~
ikeboy
Would it be vulnerable to flash exploits, then?

------
noenzyme
Same thing happened to Costco a few weeks ago. Maybe the same company behind
both. From
[http://www.costcophotocenter.com/](http://www.costcophotocenter.com/)

===

As a result of recent reports suggesting that there may have been a security
compromise of the third party vendor that hosts Costcophotocenter.com, we are
temporarily suspending access to the site. We take the security of our
members’ data seriously, which is why we are taking this precautionary step.
This decision does not affect any other Costco website or our in-store
operations, including in-store photo centers.

This situation is affecting multiple online photo sites. We are diligently
working to determine when we can re-enable the site, but in all likelihood
that will not occur until the middle of August. We will update this statement
when we have more information.

~~~
vermontdevil
Hate when they say "We take security of our members' data seriously".

How do I know the hack was due to their incompetence? PR people need to come
up with a better approach.

~~~
friendzis
Hate on "We take security of your data" is a new hype, but grandparent and OP
actually contained a blame shift:

> security compromise of the third party vendor

> collected by the independent vendor <...> may have been compromised

This is the case of "sorry for my friends, I'm doing the best I can", which is
an _entirely_ different situation than "I accidentally slept with your best
friend, but I value our relationship" kind of PR.

~~~
ryandrake
If they "took security seriously" they would work with vendors who take
security seriously. Wonder if they'll drop these guys as vendors now that they
are proven to not take security seriously...

------
leni536
Credit card security is a joke. I shouldn't have to worry every time I give my
credit card information to a website that they may leak it due to whatever
reason. The information that I give out should be considered public
information. They should require to always authenticate myself with the
physical card (which is a smart card by the way). What's the point of the card
otherwise?

It's not like I want to cover up for cvsphoto.com. I just find it ridiculous
that if I give my credit card info to N websites then the risk that my credit
card info gets stolen and abused is O(N) instead of O(1).

~~~
eli
You shouldn't be worried now. You don't pay for any fraudulent charges.

~~~
zippergz
It's still a major hassle when our cards get compromised and subsequently
canceled by the bank.

I've had it happen when I'm traveling, and my primary card suddenly stops
working. I always carry backups for this reason, but it's still disruptive and
potentially embarrassing.

Also if I have a card on file for recurring payments or repeat orders, I have
to go find all of those places and update it every time the card gets
replaced. When it happens once, it's not so bad. When it happens two or three
times a year, it's a headache. I finally took to having a single card that is
used for ONLY recurring payments, with the hopes that it wouldn't get
compromised and when the others do I wouldn't have to go through this whole
exercise again. So far so good.

The bottom line is yeah, it doesn't cost me money, but it does cost me stress
and time. I have better things to do with my time and energy than cleaning up
after yet another compromise that happened through no fault of my own.

~~~
simoncion
> I finally took to having a single card that is used for ONLY recurring
> payments...

This is a sound plan. Kudos!

For non-recurring payments, I've taken this a step further: I use a debit card
for online purchases backed by an account with just a few dollars in it. When
I wish to make a purchase, I move the funds for that purchase into that
account.

I would rather have a fraudulent purchase be declined than to deal with the
hassle, however small, of disputing a charge.

~~~
jrockway
Are you sure it works that way? By default, the bank is more than happy to let
the transaction go through, then charge you $20 for loaning you the money,
plus much more interest than you'd pay with a credit card.

~~~
simoncion
I'm 100% certain. I checked it intentionally once, and accidentally another
time. As I understand it the trick was to decline the "Overdraft Protection"
shit that every bank was pushing many, many years ago.

------
hubbins
I saw this page two weeks ago, so it's not a new event. Don't know how long
this page was up before that.

~~~
tonybaroneee
Since July 16th. Hilarious that their site is still down...

------
switch007
Weird. Carphone Warehouse (UK) has some news too: "Personal details of up to
2.4 million Carphone Warehouse customers may have been accessed in a
cyber-attack, the mobile phone retailer says."

------
asdrty
I'm ok, because since the last time I used it there, I probably had to change
my CC# 4-5 times because of other hacks or other issues detected by BoA.

------
Havoc
This is why I use a 2nd account for online use (and paypal / virtual card for
the extra sketchy looking sites).

~~~
yc1010
If only there was some secure & magical internet money thingie which works on
a push not pull basis /sarcasm

~~~
Havoc
Not sure I'm following? Bitcoin reference?

~~~
asdrty
Seems like it, but a Bitcoin insurance would be nice.

------
chockablock
Was access to stored photos also compromised? The linked message from CVS
doesn't say one way or the other.

~~~
dexterdog
From the page: "We apologize for the inconvenience and are working diligently
to resume service as soon as possible. Your images are saved and you will have
access to them once service to CVSPhoto.com is restored."

That being said, my understanding as somebody with 15 years of working history
in the online photo space is that PNI is the host and all of their major
customers shut off so I can't imagine that PNI is very healthy right now. If I
am mistaken and the individual sites (Rite Aid, Costco, Sam's Club, Tesco, CVS
and Walmart Canada) actually store and manage the photos then the data is
likely to be fine.

That also being said, never trust your photo storage to an online service even
if you are paying for it. Photos generally don't take up that much space. You
should have at least two copies on devices that you own if you don't want to
lose them.

~~~
pavel_lishin
Having two hard drives with my photos on them doesn't protect me against a
house fire.

~~~
sbarre
If your house burns down and your lost digital photos are your primary
concern, you're probably doing ok.

I think he meant _in addition to online storage_.

------
coldcode
Another day another hack. At least they were smart and isolated photos from
their other properties. Or lucky.

------
chris_va
Hm, why aren't credit cards stored after a per-merchant one-way hash?

