BrahMos Engineer Arrested on Charges of Spying for Pakistan’s Intelligence Agency ISI





Nishant Agrawal, an engineer from the BrahMos Aerospace Private Limited in Nagpur was arrested in a joint operation by the Military Intelligence and the Uttar Pradesh and Maharashtra police, following a tip.

Arrested on Monday on charges of spying for Pakistan's intelligence agency ISI and various other countries, Nishant was accused of passing on classified and secret information to the Inter-Services Intelligence of Pakistan in addition to other countries as well. Experts, in any state, clarified that he worked at the integration facility and were uncertain whether he had access to any classified information or not.

Nonetheless he will be charged under the Official Secrets Act, following which his home and office computers have already been seized. The police are still investigating whether he was "honey-trapped" by Facebook IDs in the name of women, which have been traced to Pakistan.

"Very sensitive information was found on his personal computer. We found evidence of him chatting on Facebook with Pakistan-based IDs," said Aseem Arun, the chief of the anti-terror squad of Uttar Pradesh.

Nishant has worked in the technical research section of the missile centre for four years, studied at the National Institute of Technology in Kurukshetra, and was also a gold medallist, described as a very bright engineer.

Presently there are two other scientists working in a Defence Research and Development Organisation (DRDO) lab in Kanpur who are being monitored for more suspicious activity and the situation is being monitored as this is occurrence is the first spy scandal to hit the Brahmos Aerospace, considered the world's fastest cruise missile.



42 Million Emails And Passwords Uploaded To A Free, Public Hosting Service

 

A database comprising of a collection of a total number of 42 million records was uploaded on an anonymous file hosting service kayo.moe. recently. The collection included unique email addresses and plain text passwords alongside partial credit card data.

Troy Hunt, Australian security researcher and creator of the Have I Been Pwned data breach index site, was requested to analyze and check whether it was the aftereffect of an obscure data breach. He could determine that more than 91% of the passwords in the dataset were at that point already accessible in the Have I Been Pwned collection and that the filenames in the said collection don't point to a specific source in light of the fact that there is no single example for the breaches they showed up in.

In light of the format of the data, the list are in all probability expected for credential stuffing attacks, which consolidate into a single list cracked passwords and email addresses and run them consequently against different online services to hijack the user accounts that match them.

Sample of data from lists sent to Hunt

The reason for the utilization of the credential stuffing attacks lies behind the fact that these attacks, while exploiting the users, for convenience are probably going to reuse those credentials on various other sites.

"When I pulled the email addresses out of the file, I found almost 42M unique values. I took a sample set and found about 89% of them were already in HIBP which meant there was a significant amount of data I've never seen before.” Hunter wrote on a blog post.

The database contained an overall of 755 documents totalling 1.8GB.

Users are constantly encouraged though to utilize solid as well as diverse passwords for various accounts. Continuously empower multifaceted validation.


Two financial institutions investigating hacks, customer data may have been leaked


Bank of Montreal (BMO) and CIBC-owned Simplii Financial on Monday revealed that data of thousands of customers may have been breached in recent hacks on Canada’s two of the largest financial institutions.

The banks warned that “fraudsters” may have accessed some customer accounts.

Simplii Financial, which is CIBC’s direct banking brand, revealed that data from 40,000 client accounts may have been electronically accessed by fraudsters. BMO similarly said that it received a tip on Sunday that claimed the confidential information of “a limited number of customers” had been accessed.

Simplii said that it has “implemented additional online security measures”, which include online fraud monitoring and online banking security measures.

“We’re taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” said Michael Martin, senior vice president of Simplii Financial, in a statement. “We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”

BMO said the hack appeared to have originated outside Canada. The tipsters, in BMO’s case, were reportedly the hackers themselves.

"We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off," BMO said. "We have notified and are working with relevant authorities as we continue to assess the situation. We are proactively contacting those customers that may have been impacted and we will support and stand by them."

"If a client is a victim of fraud because of this issue, we will return 100 per cent of the money lost from the affected bank account," a press release by Simplii said, adding that there is no indication that clients who bank through CIBC have been affected.

The bank also told customers to send any suspicious correspondence to fraud@simplii.com.


Data Breach leads to leak of personal details of cryptocurrency users

Researchers at Kromtech Security have discovered a MongoDB database that contains the personal details of over 25,000 users who have invested in the John McAffee-backed bezop (BEZ) cryptocurrency.

The leak exposed confidential information of investors such as full names, home addresses, email addresses, encrypted passwords, wallet information, and even scanned passports, driver's licenses, or IDs.

The leak reportedly occurred while the firm’s dev team was dealing with a DDoS attack on January 8, according to an announcement on Bezop’s Medium account.

The information stored on the database is related to a “bounty programme” that was run earlier this year where Bezop handed out tokens (about 4,045,343 Bez) to users promoting their cryptocurrency on social media.

The database reportedly contained personal and confidential details of over 6,500 ICO investors, while the rest were from users who were given tokens as part of the bounty programme.

The server has been secured, according to Bezop.


"That database has since been closed and secured," the Bezop team said this week. "Investor identity cards were also not stored on the database rather a URL link to them. This is also offline now."

Bezop also said that the team had already notified users of the breach in January.

The data was supposedly exposed online until March 30, when Kromtech researchers found the MongoDB database on a google cloud server without any authentication system in place, allowing easy access to anyone who was able to connect to it.

150 million MyFitnessPal users affected in Under Armour data breach

Under Armour on Thursday announced that over 150 million customers using MyFitnessPal, its nutrition tracking app, were hit by a data breach in late February, earlier this year.

According to Under Armour, they discovered the breach earlier this week and said that an “unauthorised party” had acquired this data. Once they were aware of the breach, they took steps to alert the users using in-app messages as well as email.

They are currently working with data security firms and coordinating with law enforcement authorities to get to the bottom of the breach.

"The investigation indicates that the affected information included usernames, email addresses, and hashed passwords—the majority with the hashing function called bcrypt used to secure passwords," the company said in a statement.

Under Armour said that the attackers would not have been able to access information such as users' Social Security numbers and driver's license numbers, or payment information, in the breach but usernames, email addresses, and password data were taken.

The company is now urging MyFitnessPal users to change their passwords immediately, along with reviewing any suspicious activity in their account. It has also warned its users to be cautious of any emails or unsolicited messages in light of the breach, and to not give away personal data.

The app lets people track their calorie intake, diet, and exercise routines, and was acquired by Under Armour in 2015 for $475 million.

Hacker Group threatens students and schools

According to a warning issued by the Cyber Division of the FBI and the Department of Education's Office of the Inspector General on 31 January, a hacker group called “TheDarkOverlord” (TDO) has tried to sell over 100 million private records and as for January, is responsible for over 69 attacks on schools and other businesses.

TDO is also allegedly responsible for the release of over 200,000 records including the PII of over 7,000 students due to nonpayment of ransoms.

The warning describes the group as “a loosely affiliated group of highly trained hackers” who, since April 2016, have “conducted various extortion schemes with a recent focus on the public school system.”

The warning says that TDO uses remote access tools to breach school district networks and steal sensitive data, which they then use to extort money from its victims, including students.

According to the report, TDO has also threatened violence in case of failure to meet demands.

Initially, TDO communicated their demands via email with threats of publicly releasing stolen data, but the warning notes that in September 2017, “TDO escalated its tactics by threatening school shootings through text messages and emails directed at students, staff, and local law enforcement officials.”

This caused several schools to shut down for few days as a precaution.

TDO was allegedly connected to multiple threats of violence on school campuses, however, the report says that while these threats caused panic, they “provided TDO with no apparent monetary gain.”

In a recent incident, TDO threatened to publicize the sensitive behavioral reports and private health information of students.

The FBI also recommends that victims do not give in to the ransom demands, as it does not guarantee regaining access to sensitive data. Rather, they advice to contact law enforcement, retain the original emails as evidence, and maintain a timeline of the attack, if possible.

Hacker sold Comcast's customers account information online

If we had to believe news reports, one hacker had sold , Comcast Corporation, formerly registered as Comcast Holdings is an American multinational mass media company and the largest broadcasting and largest cable company in the world by revenue, customers’ account information.

A news published in Chicago Tribune confirms that the concerned company has notified its 200,000 customers to change their email passwords after discovering their account information had been sold online via one website named “the dark web”, which is a collection of websites using anonymity tools to evade surveillance.

The spokesperson of Comcast confirmed that some 590,000 customers’ email accounts, including their names and passwords were put online for selling.

"The vast majority of the information that's out there was not accurate," Comcast spokeswoman said. "We discovered that about a third of the 590,000 were accurate.”

The hacker, who sold the account information, dubbed Orion said that he obtained the credentials when he popped a Comcast mail server in December 2013.

He told Vulture South that the breach yielded 800,000 Comcast credentials of which 590,000 contained cleartext passwords.

"So in 2013 December the f****s at NullCrew came across an exploit for Zimbra which Comcast used at this domain *****.comcast.net ," Orion says. "NullCrew only got [about] 27k emails with no passwords lol while I got 800k with only 590k users with plaintext passwords."

However, the company said it had "no evidence" of the December breach in which the then Zimbra directory traversal vulnerability (CVE-2013-7091) was exploited to gain access to the credentials.

The Recent TalkTalk security breach affects 157,000

Cyber attack on TalkTalk website has affected nearly 157,000 of its customers’, revealing  their personal details, company wrote on their website.

 The company said that customers should continue to reject any phone calls, text messages and emails. More than 15,600 bank account numbers and sort codes have been accessed.

TalkTalk have lost about a third of their share value since the news of the cyber-attack.

According to the firm  4% of their customers data are at risk. TalkTalk said: “Our ongoing forensic analysis of the site confirms that the scale of the attack was much more limited than initially suspected. It was a difficult decision to notify all our customers of the risk before we could establish the real extent of any data loss. We believe we had a responsibility to warn customers ahead of having the clarity we are finally able to give today.”

TalkTalk issued an updated statement stating:

  • In The total number of customers whose personal details were accessed is 156,959;
  • Of these customers, 15,656 bank account numbers and sort codes were accessed;
  • The 28,000 obscured credit and debit card numbers that were accessed cannot be used for financial transactions, and were ‘orphaned’, meaning that customers cannot be identified by the stolen data.

The company said that they have contacted the customers whose financial details were stolen, and will contact other affected customers “within the coming days”.

The cyber attack on TalkTalk's website happened on 21 October. Initially the firm described attack as "significant and sustained",  and stolen data includes names, addresses, dates of birth, telephone numbers and email addresses.

A 16-year-old  has been released this week, who was fourth accused in this case.

Till today four people have been arrested, includes three teenagers: a boy of 15 in Northern Ireland, a 16-year-old boy from west London, a 20-year-old Staffordshire, and a 16-year-old boy in Norwich. All four have been released on bail.


Cyber Attack on America’s Thrift Stores exposes credit card numbers

A charity store chain, America’s Thrift Stores discovered on Friday (October 09), that it had been become the victim of a malware-driven security breach which originated from a third-party service provider’s software to process credit card payments in Alabama, Georgia, Louisiana, Mississippi and Tennessee.

America’s Thrift Stores is a for-profit organization which operates 18 donations-based thrift stores throughout the southeast United States that collects used clothing and household items from local communities and sells them for a profit, which it shares with Christian charities.

The Birmingham-based company’s CEO, Kenneth Sobaski declared ina statement released that no customer names, phone numbers, addresses or emails were exposed, but credit card numbers were revealed.

The hack appears to have affected transactions between September 01 and September 27.
The organization cautioned the customers who feared for their data to be compromised to contact their card issuer or bank immediately, and to report any suspicious activity was discovered.

The malware has been removed from the stores’ computers, and purchases outside of those dates should not be at risk.

Security journalist, Brian Krebs stated in his blog that there were indications that data stolen from America's Thrift Store was already being used to create new counterfeit cards with details obtained from several banking sources who confirm a pattern of fraud on cards used at America’s Thrift Stores.

The company assured that U.S. Secret Service is investigating the breach.

The store chain employs over 1,000 employees and turns donated items into revenue to its non-profit partners for their causes. The store chain is estimated to pay out over $ 4 million annually toward its partners.

This store chain is not the only charity organization whose systems have been targeted by cyber criminals.

Last year, Goodwill Industries International’s system was breached which processed payments for twenty Goodwill members, representing roughly 10 percent of all stores.

Its investigation revealed that the attackers had access to the third party vendor’s systems for a year and a half, and leveraged point-of-sale (PoS) malware to steal data which they used for fraudulent purchases.

In these breaches, the problem does not arrive with the Operating system but the biggest problems have to do with various levels of access being given to third party businesses. The organizations fail miserably in protecting their level of access that makes these breaches possible and damaging.

The breach of America’s Thrift stores may be the repetition of Target breach that took place recently. Using easy passwords across the gamut of critical systems lead to such hacks. The Target’s security breach should have been a huge wake-up call for businesses everywhere to adapt and evolve their IT security practices.

Huge card breach at Hilton Hotel properties


Hilton Worldwide Holdings, Inc., an American global hospitality company formerly known as Hilton Worldwide and Hilton Hotels Corporation, has started its investigation after a security researcher Brian Krebs claimed that some hackers had compromised credit card data in gift shops and restaurants at a “large number” of Hilton Hotel and franchise properties across the United States.
   
The researcher said that the hackers broke into point-of-sale machines.

However, it is not clear that how many Hilton properties might get affected by the incident, that might have happened date back to November 2014, and may still be ongoing.

“In August, Visa sent confidential alerts to numerous financial institutions warning of a breach at a brick-and-mortar entity that is known to have extended from April 21, 2015 to July 27, 2015. The alerts to each bank included card numbers that were suspected of being compromised, but per Visa policy those notifications did not name the breached entity,” the researcher added.

He said that other five different banks had said that the common point-of-purchase for cards included in that alert had only one commonality. They were all were used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts.

“Hilton Worldwide is strongly committed to protecting our customers’ credit card information,” the company said in a statement. “We have many systems in place and work with some of the top experts in the field to address data security.  Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace.  We take any potential issue very seriously, and we are looking into this matter.”

Hover reset its users’ password due to a possible Security Breach

Hover, Canada-based Internet services and telecommunications company Tucows, one of the world’s largest ICANN-accredited domain registrars, has reset its user passwords after discovering that one of its systems might have been breached.

Once it reset passwords, the company started sending emails to the customers on Tuesday.

“We are writing to let you know that we reset your password today. If you are unable to log into your Hover account, you will need to use the “I forgot my password” option on the sign in page to change your password,” the email read.

“We did this as a precautionary measure because there appears to have been a brief period of time when unauthorized access to one of our systems could have occurred. We have no evidence at all that any Hover accounts have been accessed, but even the possibility that this could have happened moved us to err on the side of extreme caution,” the company explained to its customers.

According to a post in SecurityWeek, unfortunately, as it often happens, the emails sent out by Hover have been mistaken for phishing attempts due to the URLs they contain.

However, the company confirmed it in twitter that the password reset emails are legitimate and clarified that the links have likely been changed by MailChimp, the email marketing product that was used to send out the notifications.

“That email was indeed from us. The links were changed when sending out through MailChimp. Sorry for the confusion,” Hover replied one of its followers in Twitter.


The company told SecurityWeek on Monday that it had not been able to determine the exact attack vector used by the hackers. However, it suspected that they may have leveraged a zero-day exploit since the breached server was fully patched.

Database breach occurs at Hanesbrands Inc.

Hanesbrands Inc. has reported that a database of their's containing 900 thousand contact details about their carious customers has been breached.

The hacker gained access to the database by posing as a guest on the brands website while checking out something.

The hacker got access to addresses, phone numbers and last four digits of a credit or debit card of customers according to Hanesbrands Inc.

The breach happened in the last month of June according to Hanesbrands spokesman Matt Hall and does not affect the retail stores of the brand.

The brand had themselves been contacted by the hacker to inform them of the breach.

PagerDuty hacked, update your password by Monday

After almost a month, PagerDuty, which provides alerting, on-call scheduling, escalation policies and incident tracking to increase uptime of your apps, servers, websites and databases, has confirmed that it detected an unauthorized intrusion on July 9 by an attacker who gained access to some information about their customers.

The PagerDuty has asked its users to set new strong passwords at this time. The users that do not reset their password by Monday, August 3rd at 12:00pm Pacific Time will be automatically logged out of the website and will receive an email prompting them to reset their password. At no time will alert delivery be affected by this process.

It posted on July 30 that within a few hours of the intrusion, its team stopped the attack. A leading cyber security forensics firm has been hired to investigate the attack.

“We immediately took steps to mitigate the issue, including enhancing our monitoring and detection capabilities, and further hardening our environment,” the blog read.

According to the company concerned, it has not found any evidence that corporate, technical, financial, or sensitive end user information, including phone numbers, was exposed by this incident.

“We do not collect customers’ social security numbers and we do not store or have access to customer credit card numbers. This incident also had no impact on our ability to provide services to our customers. We also notified law enforcement and are cooperating fully with their investigation into this matter,” the company added.

The company said that as per its investigation, the attacker bypassed multiple layers of authentication and gained unauthorized access to an administrative panel provided by one of our infrastructure providers. With this access, they were able to log into a replica of one of PagerDuty’s databases. The evidence indicates that the attacker gained access to users’ names, email addresses, hashed passwords and public calendar feed URLs.

The company has recommend that its customers to reset calendar feed URLs and revoke and re-add access to any mobile devices linked to their PagerDuty account.

“PagerDuty will never ask for your password or other sensitive information via email,” the company said.

Moonpig hacked, Emial IDs, passwords compromised


The online personalized card company, Moonpig, has blocked an unspecified number of accounts of customers after users’ details were published online.

According to the company’s website, customers’ email addresses, passwords and account balance had been made public. However, they stress that the source of passwords was not their site, but from other online sites where users use similar passwords.

“As a precautionary measure, we promptly closed our Moonpig site and apps to help us investigate and contain this issue. Following these investigations, we now have strong evidence that the customer email addresses and passwords we identified were taken previously from other third party websites, and not directly from Moonpig.com."

"This data was then used to access the account balances of some of our Moonpig.com customers. As a reminder, we do not store full credit card information ourselves so this data was not accessible in any event.”

Moonpig  has contacted affected customers, and advised  them to  reset their passwords and ensure that they are not reusing the same passwords anywhere else on the net

Do Organizations Fail to Care about your Medical data? UCLA Hacked



Hospital network of the University of California, Los Angeles was broke out by a team of hackers resulting in access of sensitive records of 4.5 million people.

According to the university, the data stolen includes names, Medical information, Medicare numbers, health plan IDs, Social Security numbers, birthdays and physical addresses.

This breach could have affected  people’s who has visited, or worked at the university's medical network, UCLA Health, that includes its four hospitals and 150 offices across Southern California.

The first attempt to hack the network was done in September 2014.  UCLA Health  announced on Friday - two months after it discovered the data breach. The university network alarm "detected suspicious activity," and UCLA Health called in the FBI for help.

"At that time, it did not appear that the attackers had gained access to the parts of the network that contain personal and medical information," UCLA Health said in a statement.

The hospital group is now notifying staff and patients, and offering them one year of identity theft recovery services.

Dr. James Atkinson, UCLA Hospital System's president, apologized to the public in a statement. And noted that hospital group is under constant attack from all over the world.

Organizations handling such kind of sensitive information should not only have physical security but also have a proper Cyber security protection. Organizations should understand importance of Cyber security before they fall victim to cyber attacks.

Credit card data breach at Online Photo service, customers of CVS, Walmart Canada and others affected


Consumer Value Stores (CVS), which is the second largest pharmacy chain after Walgreens in the United States with more than 7,600 stores, has temporarily taken down its online photo center CVSphoto.com after a hacking attack.


 “We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised,” the company posted in its website’s homepage content.


Brain Krbes pointed out in his blog that other companies already reporting similar data breach and took down their webpages related to the online photo service.

Those online photo services have been maintained by a company called PNI Digital Media.

Companies including Costco, Walmart Canada, Rite Aid displayed a message in their photo site informing about the security breach.

In a noticed displayed on the Rite Ad's photo site, it is said that information including name, address, phone number, email IDs, photo account password and Credit Card data affected

However, Rite Ad said "PNI does not process credit card information on Rite Aid’s behalf and PNI has limited access to this information."

The Consumer Value Stores said Financial transactions done on their main website CVS.com and in-store are not affected.

Hershey to provide card monitoring service, after a data breach


Hershey, which operates The Hotel Hershey, Hersheypark Entertainment complex and other facilities, is providing a year of card monitoring service to those guests whose financial information may have exposed to its Pennsylvania hotels, amusement park and other venues.  

According to a news report published on Action News, the company is working with a security firm to resolve the issue.

The company said that those cards used at its properties within Feb. 14 to June 2 may have been compromised. It did not find evidence that information was removed from its system.

However, some of its guests have reported unauthorized charges on cards used at its properties.

The company said that a malicious program was installed in its payment system that extracted payment card data, including a cardholder's name, card number and expiration date.

Detroit Zoo victim of a data breach


Service Systems Associates,  third-party operator of the  Detroit Zoo was recently the victim of a data security breach.

The credit and debit card information’s were used for purchases at the zoo’s gift shops over a three-month period.

Patricia Janeway, zoo spokeswoman said that “In addition to credit and debit card numbers, the cyber hackers reportedly gained access to card holders’ names, card expiration dates and three-digit CVV security codes.”

After SSA learned of the data breach, they  installed a separate credit card processing system at its retail outlets.

In preliminary forensic  investigation it was revealed that there was a malicious software,  in SSA’s software.

“We are obviously concerned that the vendor’s system was compromised,” said Gerry VanAcker, chief operating officer of the zoo. “Transactions made since June 26 are not affected by the previous break and it is safe to use a credit or debit card at SSA’s retail locations.”

“The zoo’s IT systems -- including those used for ticket and membership sales -- were not affected by the data breach and are secure,” Janeway said.

Up-to-date information has been provided by the vendor at www.detroitzoo.org/Plan/shopping-in-the-zoo.

For additional information visit www.kmssa.com/creditcardbreach/

Harvard network systems breached last month

Network systems at Harvard's Faculty of Arts and Sciences and Central Administration were breached last month, according to a security report on the Harvard website.

Harvard is working with an external security investigator to figure out who breached their network, and why?

In the meantime, they have said that as of now, no data is at risk, but still recommend that users take a few precautions.

Harvard has asked members of Faculty of Arts and Sciences, Harvard Divinity School, Radcliffe Institute for Advanced Study and Central Administration t change the password of their Harvard accounts.

They have also asked members of Graduate School of Design, Harvard Graduate School of Education, Harvard John A. Paulson School of Engineering and Applied Sciences, or Harvard T.H. Chan School of Public Health to change their email passwords.

Donald Trump’s Hotels face credit card breach: Report

The Trump Hotel Collection, a chain of luxury hotel properties tied to business magnate and now Republican presidential candidate Donald Trump, may have been the latest victim of a credit card breach, according to KrebsonSecurity.

According to a report posted on Wednesday, as per the data shared by several U.S.-based bank, the hotel collected appears to the latest victim of credit card breach.

At first when they had contacted the company regarding reports from sources at several banks who traced a pattern of fraudulent debit and credit card charges to accounts that had all been used at Trump hotels, it refused to comment.

However, the company later issued a brief statement from Eric Trump, executive vice president of development and acquisitions.

“Like virtually every other company these days, we have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation to determine whether it involves any of our properties,” the statement reads. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”

However, it is confirmed from various sources in the financial industry, the company has little doubt that Trump properties in several U.S. locations including Chicago, Honolulu, Las Vegas, Los Angeles, Miami, and New York are dealing with a card breach that appears to extend back to at least February 2015.

According to the report, the incident would be the latest in a long string of credit card breaches involving hotel brands, restaurants and retail establishments.

“Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash,” the report reads.

It is said that merchants that have not yet installed card readers In October 2015 and accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards.


While experts believe it may be years after that deadline before most merchants have switched entirely to chip-based card readers.