
Security breach : 4.2 million cards exposed

Posted Tuesday, March 18th, 2008 by Alex Ion

What is it with all the security breaches these days! Do you remember Harvard getting hacked, or the two popular card readers vulnerable to attacks that we told you about last month? These are not fake stories, and what I am about to tell you is even scarier. On Monday, the Hannaford Bros. grocery chain announced that a security breach in its systems exposed 4.2 million credit/debit cards that were used during the authorization process.


The security breach affected 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. So far the company is aware of 1,800 cases of fraud.

The funny thing is that we all heard about it (the official statement) on Monday, March 17, while the company has been aware of these problems since February 27. What's more, the investigators went a little deeper and found out that the breach started on December 7. The math is simple: it took them more than three months to find out. The U.S. Secret Service is working on it, but declined to comment on the crime.

“We have taken aggressive steps to augment our network security capabilities. Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions,” Hannaford president and CEO Ronald C. Hodge said in the official statement on Monday (as reported by AP).

If you live in the area and have purchased from these guys, or you know someone who did, go ahead and check your statements or alert others.

Credit Card Readers are Vulnerable to Attacks : two popular PEDs in UK have issues

Posted Friday, February 29th, 2008 by Alex Ion

Cambridge University’s computer security lab has discovered vulnerabilities in two popular card readers, the Ingenico i3300 and the Dione Xtreme, that make them easy prey for attackers, because they fail to protect the card details and the PIN.

[Images: Ingenico i3300 PED tap; Dione Xtreme PED tap]

This means that fraudsters with common technical skills could easily use a data-tapping circuit placed between the inserted card and the reading circuit, allowing them to record the account number or the PIN. With these details an attacker would have everything needed to clone the card and then withdraw cash from an ATM abroad.

The three researchers who worked on the case, Saar Drimer, Steven J Murdoch and Ross Anderson, are not on very good terms with the banks, mainly because they are trying to demonstrate that chip and PIN systems have security issues. The big issue is that the data transmitted between the PED and the card is not encrypted.

“The attacks that we’ve shown have demonstrated that it’s easy to get the PIN as well as the card data out of chip and PIN terminal - and this means that simply holding your hand over the terminal is no good, in other words the customer cannot defend himself or herself no matter how astute and careful they are - therefore surely the banks need to take responsibility,” said Professor Ross Anderson in an interview with NewsNight.

Though the findings are real, the Scottish PED maker Ingenico assured customers that the products the Cambridge University researchers talk about are among the most secure on the market and that they helped reduce credit-card fraud by 47% year-by-year. They also mentioned that the way Anderson and his team hacked the PEDs is not as basic as they suggested and that the “method is therefore not reproducible on a large scale, nor does it take into account the fraud monitoring used throughout the industry.”

I think Ingenico is running from responsibility and here’s the “How secure is Chip and PIN?” video from NewsNight that demonstrates what Professor Anderson and his staff found out.
