Slashdot Mirror


Target Has Major Credit Card Breach

JoeyRox writes "Target experienced a system-wide breach of credit card numbers over the Black Friday holiday shopping season. What's unique about this massive breach is that it didn't involve compromising a centralized data center or website but instead represented a distributed attack at individual Target stores across the country. Investigators believe customer account numbers were lifted via software installed on card readers at checkout." Also at Slash BI.

191 comments

  1. Well, with a name like that... by Anonymous Coward · · Score: 5, Funny

    Well with a name like that, I've been avoiding them for years. Can't hurt to play safe.

    1. Re:Well, with a name like that... by DougReed · · Score: 1

      ... and the security guards have a Target logo right over their heart... how inviting.

  2. don't connect everything to the internet! by Nyder · · Score: 5, Insightful

    You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

    Will they ever learn?

    --
    Be seeing you...
    1. Re:don't connect everything to the internet! by Nyder · · Score: 4, Interesting

      You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

      Will they ever learn?

      Guess maybe I'm not thinking. They do need to verify that cards are correct, so they do need some internet access, though they could do it over the phone.

      Well, I guess they will still need to rethink the security of this.

      Seems to me the readers only need to communicate with a computer in the store, then that computer could do the verifying. Might be a little slower, but would probably be a lot more secure.

      --
      Be seeing you...
    2. Re:don't connect everything to the internet! by E-Rock · · Score: 4, Insightful

      It's a shame that we probably won't get good details about what happened. If they're PCI compliant, those devices need to be on their own network away from the rest of the company machines. If they were actually doing that, I'd think that they could have caught this with some sort of egress filtering that would either block or alert when it saw CC information going out, or outbound connections from the CC system to unauthorized systems.

      Of course, my bet is an inside job. With the right people involved, you can bypass almost anything.
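The egress filtering E-Rock describes, as an added example that is not from this thread or from Target: a toy Python egress monitor that scans outbound records from a constructed cardholder-data segment for Luhn-valid PANs and ISO 7813 track-2 data, and flags connections to peers outside a hypothetical allow-list. The addresses, payloads and allow-list are all constructed; the card numbers are well-known test numbers.

```python
import re

# Constructed outbound records (src, dst, payload) as an egress sensor on the
# card-data segment might see them. 4111111111111111 is a standard test PAN;
# 1234567890123456 looks like a PAN but fails the Luhn check.
SAMPLE_EGRESS = [
    ("10.20.5.17", "203.0.113.9", "POST /upload HTTP/1.1 card=4111111111111111&exp=1215"),
    ("10.20.5.17", "203.0.113.9", ";4111111111111111=15121011000012345678?"),
    ("10.20.5.18", "10.20.1.2", "inventory sync: sku=1234567890123456 qty=12"),
    ("10.20.5.19", "198.51.100.4", "GET /update.bin HTTP/1.1"),
    ("10.20.5.19", "10.20.1.2", "heartbeat ok 2013-12-19T10:00:00Z"),
]

# Hypothetical allow-list: the only peer the card-data segment is meant to reach
# (e.g. the in-store authorization host on its private circuit).
ALLOWED_DESTINATIONS = {"10.20.1.2"}

# A run of 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 2 (ISO 7813): ';' PAN '=' YYMM expiry, 3-digit service code,
# discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """PCI-style display: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_payload(payload):
    """Return (kind, masked_pan) findings; track data is reported once, not also as a bare PAN."""
    findings, seen = [], set()
    for m in TRACK2_RE.finditer(payload):
        pan = m.group(1)
        if luhn_ok(pan):
            findings.append(("track2", mask(pan)))
            seen.add(pan)
    for m in PAN_RE.finditer(payload):
        pan = m.group(1)
        if pan not in seen and luhn_ok(pan):
            findings.append(("pan", mask(pan)))
            seen.add(pan)
    return findings


def classify(src, dst, payload):
    """Decide what the egress filter does with one outbound record."""
    findings = scan_payload(payload)
    if findings:
        return "block", findings        # cardholder data leaving the segment
    if dst not in ALLOWED_DESTINATIONS:
        return "alert", []              # unexpected peer for a card-data host
    return "allow", []


def run(records=SAMPLE_EGRESS):
    """Classify every record; returns (src, dst, verdict, findings) tuples."""
    return [(src, dst, *classify(src, dst, payload)) for src, dst, payload in records]


if __name__ == "__main__":
    for row in run():
        print(row)
```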

    3. Re:don't connect everything to the internet! by DigiShaman · · Score: 2

      I thought PCI Compliance was supposed to take care of that per defining the standards in network security for POS (Point of Sales) systems?

      http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

      --
      Life is not for the lazy.
    4. Re:don't connect everything to the internet! by JWSmythe · · Score: 4, Insightful

      They don't need direct access. Actually, your CC data is supposed to be kept away from the Internet. That's what private circuits are for. In the case of a major retailer like Target, they should be doing all financial transfers over private circuits, with no Internet access.

      Someone may have decided it would be cheaper to share the circuit with Internet access. That was *very* dumb of them.

      --
      Serious? Seriousness is well above my pay grade.
    5. Re:don't connect everything to the internet! by mysidia · · Score: 2

      Someone may have decided it would be cheaper to share the circuit with Internet access. That was *very* dumb of them.

      There are perfectly safe ways of doing this -- it's called a VPN, and an isolated network behind the firewall whose only WAN is the VPN connection, to access approved systems; and be monitored by approved systems.

    6. Re:don't connect everything to the internet! by AK+Marc · · Score: 2

      They do direct-authorization. The two common ways of doing that are having an analogue line per terminal and every terminal dial in. You remember hearing the dial in sounds for cards, right? That takes 20 seconds per card, and more if it has trouble (and is prone to trouble). Or, you have it connect to the same database, but over a VPN or private network. VPNs are cheaper, so more common. sub-5 second authorization. More reliable. The Internet wins. But that doesn't excuse lax physical security of the "trusted" authorization machines.

    7. Re:don't connect everything to the internet! by blincoln · · Score: 4, Informative

      Who said anything about these devices being compromised by an attack from the internet? There are all sorts of ways to attack them indirectly:

      - Compromise the system that manages them, then use that management system to push out compromised firmware or OS updates (depending on the device type - the newer payment terminals are often little Linux machines).
      - Compromise the POS registers and capture the data there instead of directly on the terminals.
      - Compromise the centralized back-end systems that Target uses for payment authorization. PCI-compliant retailers aren't supposed to capture full track data from the cards, but it might be possible to enable some sort of legacy mode that does just that.
      - Compromise the network devices (routers, etc.) that the data is transmitted over. PCI only requires network-level encryption for transmission over untrusted networks, not internal corporate networks.

      Etc. etc. Magnetic-stripe cards are a security nightmare, and everything that retailers do related to them is just a band-aid. We (the US) need to move to systems that use one-time codes - like chip-and-PIN - like the entire rest of the world is either in the process of doing or has done already.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    8. Re:don't connect everything to the internet! by sabri · · Score: 1

      There are perfectly safe ways of doing this -- it's called a VPN,

      Not necessarily true. Not all VPNs are the same.

      For example, a simple MPLS-based Layer 3 VPN will separate traffic between network A and network B, but it will not be encrypted. The only relatively safe way of doing it is via a strongly encrypted tunnel.

      --
      I'm not a complete idiot... Some parts are missing.
    9. Re:don't connect everything to the internet! by girlintraining · · Score: 5, Informative

      I thought PCI Compliance was supposed to take care of that per defining the standards in network security for POS (Point of Sales) systems?

      It did. The article's scenario is a lie. Let me ask you how likely it is that, during the busiest day of the year for this retailer, with thousands of people jammed into long lines, in the one place where there are at least two high resolution cameras pointed at each terminal, a single person or group of persons, could plant multiple devices at multiple stores, within a short period of time, and then remove them after, without leaving any photographic or forensic evidence.

      Because guys, that's the story that law enforcement, in collusion with the company, has released to the general public. So yes, this is bona fide conspiracy theory. But it's credible because 1. It only takes a small number of people to keep the secret: Target's senior management and information security, and select law enforcement offices. 2. They all have motivations for doing so -- law enforcement is doubtless aware that releasing true details of the crime would (a) expose a weakness in a Fortune 100 company that, besides processing credit card payments, also maintains personal health data at these locations (Pharmacy). The damage to the company, and indeed the country's economy, would be far in excess of the damage to individual creditors accounts. It makes sense to lie about it. And this story doesn't have to hold forever -- in a few months, when everyone has forgotten about it, the truth will emerge in a court filing when they bring the people responsible up on charges.

      Now, all that said -- here's the more likely scenario, which is based on my short employment with this corporation: They hacked their wifi. Unfortunately, Target has repeatedly opted to silence, or even fire, people who object to their security policy, so I do not feel bad about making this public. Target is run by morons -- big surprise, it's a large corporation. Anyone who's worked in IT will have similar experiences -- it's hardly just Target. In this case, they allow full access to any server within their corporate network at each retail location, isolated only by primitive subnet routing to delineate what is and isn't allowed through the choke router. And that's it. Once you're logged into the network anywhere, it's a flat network topology and you can easily make contact with any other node on the network. Every store has multiple wifi routers, and while they do change the keys on a regular basis, it's not all the keys, and not on all the routers -- specifically, they use an inventory-management system within the stores (those bulky "guns" you see the red shirts carrying) which depends on wifi.

      There have been breaches to the network in the past through its wireless access points. These are not generally known to the public, but they have happened, and it has resulted in a number of security problems. Besides the customer's credit card data being stored on POS systems which are booted off DHCP to embedded Windows, there's also the IP-based cameras. There are an average of 20 or so at each store, and they use an embedded webserver in each of them, which stream to a central source. The password for the approximately 42,000 devices is the same on each, and is not changed often, if ever, because the firmware lacks the ability to change the password programmatically; there's no admin console. Besides the fact that many of these cameras have zoom and rotate features, and some have been known to be installed in positions where rotating the view can show the customers in the changing rooms... they're of sufficiently high quality that you can see the PINs people enter at the POS systems. The cash room, where the money is counted down at the end of every shift, is secured, but also has a camera in it. It's not hard to imagine someone with access to the cameras spying on the managers to acquire their passwords. And that's not even the creepy part: Target has installed ANPR-capable cameras i

      --
      #fuckbeta #iamslashdot #dicemustdie
    10. Re:don't connect everything to the internet! by Cramer · · Score: 2

      It almost always takes more than 20sec. And it requires a real (circuit-switched) phone line. For small retailers, this works. For a big chain store, with dozens of lanes, individually processing each CC transaction would be complete murder; no one is going to wait even 30s for a CC authorization these days. How long did your last CC purchase take? Under 5s? Now imagine standing there for 45s.

    11. Re:don't connect everything to the internet! by DarkOx · · Score: 1

      IPSec would not require a tunnel and should be perfectly safe as well. That has the advantage of not requiring any separate routing, vlans, etc.

      Honestly, if you are building an IP-based CC scanning device, why you'd support anything other than IPSec I don't know.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    12. Re:don't connect everything to the internet! by ruir · · Score: 1

      IPsec is the tunnel creating mechanism and it is very unwise not to isolate sensitive equipment in their own vlans.

    13. Re:don't connect everything to the internet! by ruir · · Score: 2

      You are spot on sir. And this is why at my bank, I always have refused their multiple suggestions to do Internet banking. I tell them flatly I work in the field, and know how weak the process is.

    14. Re: don't connect everything to the internet! by Anonymous Coward · · Score: 0

      *ma'm/miss

    15. Re: don't connect everything to the internet! by Anonymous Coward · · Score: 0

      What's truly unfortunate from my experience is that large companies like this often won't go for good security firms for testing. They go with big shops that basically shit out new security consultants monthly who lack real passion for the field. Even when a large company does receive a good test, they lack in-house personnel who can actually remediate. The best part? They're often so large with so many policies and governance that even high-risk vulnerabilities (which are usually rampant and widespread) can take the better part of a year to fix. Frustrating.

    16. Re:don't connect everything to the internet! by stealth_finger · · Score: 1

      You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

      Will they ever learn?

      Well then how do the credit cards verify that there's enough credit available and tell the bank or whatever to transfer the credit to the shop?

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    17. Re:don't connect everything to the internet! by DarkOx · · Score: 1

      IPSec *can* tunnel but does not require a tunnel, I don't disagree isolation would be better but most of the time that isolation ends at the next hop router anyway. It isn't as if a retail box store is going to have a layer2 network back to HQ.

      If you have some port security in place like 802.1x, so you can have at least some low level of assurance that the only things on the network are supposed to be there, there isn't nearly as much value in isolation in this type of situation.

      Frankly, tunneled IPSec is weaker than what I am proposing: it only would authenticate the tunnel endpoints to each other, whereas transport mode would allow the server and the swipe machines to mutually authenticate every session. If you just put them on a vlan and route the address range into an IPSec tunnel or other VPN, then anyone who can get access to the network on either side can talk to the swipe machines or the server end and start banging away at the application layer for vulns. If the IP stack, on the other hand, is configured to just drop any packet without a valid AH header, that is going to be much, much harder.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    18. Re:don't connect everything to the internet! by Anonymous Coward · · Score: 0

      It's cute how you think your decision not to use an online account at your bank has any impact on the security procedures in place for your account.

    19. Re:don't connect everything to the internet! by ruir · · Score: 2

      Actually it has. No activated account until I request so, not using it in any terminal at all also (in the case it was activated by default), and plausible deniability. If in any case at all, anything is ever lifted via the Internet banking mechanism, I never had access to it, nor any password. From what I have seen in projects I have been indirectly involved in, I would not want these guys to design my home network, much less a bank network. And then I don't trust their choice of Internet-facing operating systems either.

    20. Re: don't connect everything to the internet! by rickb928 · · Score: 1

      No, they can use dedicated links to their processors. Even MPLS is better than SSL.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    21. Re:don't connect everything to the internet! by rmdingler · · Score: 5, Insightful

      "Of course, my bet is an inside job. With the right people involved, you can bypass almost anything."

      Temp holiday hiring season combined with the traditionally busiest time of the year... the perfect storm for a well organized attack.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    22. Re:don't connect everything to the internet! by wiredog · · Score: 1

      Apparently you don't realize that not every network is part of the public internet.

    23. Re:don't connect everything to the internet! by Charliemopps · · Score: 3, Interesting

      About 10 years ago I used to work for ATT in their "VPN" section. Basically they had a private VPN on their network that was specifically designed for this sort of situation. The data lines were extremely small, like 8k (they could be bigger if desired), and were used almost exclusively by cash registers. These would connect via the VPN to their primary network. Not only was an attack on the VPN difficult, with an 8k transfer rate it would be pretty difficult to send much up to them anyway. I assumed this was how all stores operated, but apparently not Target.

    24. Re:don't connect everything to the internet! by NJRoadfan · · Score: 1

      EMV Chip cards are being issued in the US now. The major processors are pushing to move liability of charges to the retailer starting in 2015 for mag stripe transactions. The only problem is that US based processors aren't going for the full "chip and PIN", but "chip and signature". The EMV terminals will have a PIN pad, so hopefully card issuers will give the option of PIN security to those that want it.

    25. Re:don't connect everything to the internet! by smpoole7 · · Score: 1

      @girlintraining:

      Very, very interesting. My only observation would be that the police would be likely to accept what Target told them; I wouldn't think there is active collusion between them.

      But if we accept the premise that this is a coverup, I have a rather pertinent question.

      I don't shop at Target stores. I don't like them. But sometimes, my wife and I *do* use their online site. During the dates in question, we may have sent a Target gift card (via said Website) to a family member.

      If this is a coverup, it'd be nice to know the actual details. I'd like to know if *we* are at risk. We have a couple of those "credit protection" plans on all of our accounts, but it'd still be nice to know. :)

      --
      Cogito, igitur comedam pizza.
    26. Re:don't connect everything to the internet! by sunderland56 · · Score: 1

      here's the more likely scenario: They hacked their wifi

      Let's say they did hack or otherwise gain access to the wifi. Shouldn't a credit card transaction be encrypted over SSL/TLS?

    27. Re:don't connect everything to the internet! by omnichad · · Score: 1

      That's why you attach a cellular device to the internal network or pull out the microSD card from the skimmer before it's found.

    28. Re:don't connect everything to the internet! by Albanach · · Score: 1

      NBC report that, according to Target, the data includes CVV information. Is this even stored on the magnetic strip? I thought it was kept separate for this very reason.

    29. Re:don't connect everything to the internet! by justthinkit · · Score: 1

      It's a shame that we probably won't get good details about what happened.

      Right. And considering Target has a rather unique "red card" of their own, I would at least like to know if THIS was also compromised during the most recent hack. Seems more secure, mainly because it is less portable to other stores.

      --
      I come here for the love
    30. Re:don't connect everything to the internet! by omnichad · · Score: 1

      The attack on the POS system would change that or cause a second transmission of data.

    31. Re:don't connect everything to the internet! by Jawnn · · Score: 1

      You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

      Will they ever learn?

      Guess maybe I'm not thinking. They do need to verify that cards are correct, so they do need some internet access, though they could do it over the phone.

      Well, I guess they will still need to rethink the security of this.

      Seems to me the readers only need to communicate with a computer in the store, then that computer could do the verifying. Might be a little slower, but would probably be a lot more secure.

      First of all, to GP, what makes you think that the PoS terminals are attached to the Internet? Nothing in TFA even hints at such a thing. To parent, GP is right. The Internet is not required for the things we're talking about. Private networks, including VPNs (running through the Internet), are a much better choice. That said, if properly secured, credit card transactions can be safely processed across the Internet. An entire industry has been built around just that.

      No. I think we're going to find that this skimming operation was operated from within Target's private network.

    32. Re:don't connect everything to the internet! by Anonymous Coward · · Score: 5, Informative

      CVV is on the magnetic strip.

      CVV2 is only printed on the card.

      Do not confuse them. One of them is used to validate a swiped transaction, one is used to validate a keyed transaction. Any transaction that has both is invalid. A transaction that has neither is ripe for an audit.

    33. Re:don't connect everything to the internet! by Baloroth · · Score: 1

      Because guys, that's the story that law enforcement, in collusion with the company, has released to the general public.

      Where, exactly, was this story released to the public? I've read two articles on the subject, neither of them say that anyone has made any such claims whatsoever. Target's press release certainly makes no such claims. All they've said is that they've fixed the immediate problem and they're hiring a forensics company to figure out how it happened.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    34. Re:don't connect everything to the internet! by operagost · · Score: 1

      Why are you assuming their plastic card system is attached to the internet?

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
    35. Re:don't connect everything to the internet! by operagost · · Score: 3, Interesting

      PCI compliance says you can't have an open network port available in public areas. That is, if you have a network jack on the floor where people can use it without having their specific MAC authorized, then you're non-compliant.

      If Target is PCI compliant, then this is an internal breach.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
    36. Re:don't connect everything to the internet! by omnichad · · Score: 1

      Of course - but it wouldn't have to have happened out in the open near all the cameras.

      But I doubt they're fully compliant.

    37. Re:don't connect everything to the internet! by tibit · · Score: 1

      MAC authorization is not even remotely sufficient in my view. 802.1x is the minimum you need.

      --
      A successful API design takes a mixture of software design and pedagogy.
    38. Re:don't connect everything to the internet! by GTRacer · · Score: 2

      According to Target's press release on their site, REDcard was hit too. My REDcard goes to my debit account, but then again, I used my debit card there in the breach span too. Prolly also my credit card. Considering having all card providers issue new cards which should sort this nicely.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    39. Re:don't connect everything to the internet! by azadrozny · · Score: 1

      It doesn't have to be an inside job. I have been to countless stores where they have a networked cash register with exposed ports within easy reach of the customer. Someone could connect a small USB device that could be used to capture data, or give that person inside access. I do not understand why these devices are not in locked enclosures. Once your physical security is compromised, there are almost no limits to what an attacker can do.

    40. Re:don't connect everything to the internet! by Albanach · · Score: 1

      Thank you for that reminder. It's been a while since I worked with this stuff, and your answer makes the statement from Target clearer.

    41. Re:don't connect everything to the internet! by justthinkit · · Score: 1

      My red card goes to nowhere (i.e. It is their credit card version). So unless the thieves shop at my store and fake my signature, I imagine I'm ok.

      I just tried to call Target and got some amusing results. Predictable busy signal on first three tries. Then, for variety, the phone rang two or three times, then dropped into a busy signal. This would not have even been possible in the old analog phone system -- we have progressed indeed. Able to reproduce the ring-becomes-busy on my next few tries.

      Oh well, back to The Best of Bill Hicks.

      --
      I come here for the love
    42. Re: don't connect everything to the internet! by AvitarX · · Score: 1

      I think the pin is a red herring. I essentially never use it if given the option.

      The claim here is compromised machines, the pins would be taken too.

      All the pin does is push the liability onto me. By leaving the liability on the processors/issuers, I essentially have insurance (I pay my small part of the total cost of fraud in fees); if it were to switch to an I'm-on-the-hook type situation, I could easily be on the hook for a large, unexpected fee.

      I would think merchant liability holds a similar risk too, at least for small merchants, but also, the incentive to not have fraud for them should reduce the overall cost of fraud. As long as no merchants pull out of using credit cards at all, it's a win for pretty much everyone.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    43. Re:don't connect everything to the internet! by torkus · · Score: 1

      Sure but even that's not 100% secure by any means.

      I wrote a whole long rant about all the holes I've personally seen and then thought better of posting it. Many of them are possible with limited technical knowledge and minimal understanding of the target (ahem).

      Anyone who thinks this was a 100% outsider attack is sadly mistaken. It doesn't even need to be someone in a position of power or great access...just some basic knowledge and perhaps a few others to do some unwitting testing (mind you retail hires troves of temp workers ahead of black friday) is more than enough to allow an experienced person to pull this off.

      Usually it goes one of two ways ... the culprit is obvious/stupid and caught quickly, which is touted as a great investigative success ... or the news moves on, the company licks its wounds, the FBI gives up, and life goes on. It's not like the movies.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    44. Re:don't connect everything to the internet! by torkus · · Score: 1

      MAC ACLs are like the TSA groping grandma. Looks good to those up top but only annoys the people who aren't doing anything wrong...while doing little to stop anyone with ill intent.

      802.1x is a big improvement but still leaves a lot to be desired in most implementations.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    45. Re:don't connect everything to the internet! by Nethead · · Score: 1

      I can verify that GIT is correct. I've done POS refreshes, Pharm terminal installs and general field tech work at Targets. Their helpdesk is Compucare and trouble tickets come through Telaid.

      --
      -- I have a private email server in my basement.
    46. Re:don't connect everything to the internet! by Havokmon · · Score: 1

      You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

      Will they ever learn?

      So you think they were able to access card readers, and NOT plant a 3g device on the same network?

      --
      "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
    47. Re:don't connect everything to the internet! by Havokmon · · Score: 1

      Those protocols are there to protect the vendors, not you.

      Of course they are, they're meant to protect the Card Issuers. Having implemented PCI at a credit card processor, I'm not even sure it applies to debit transactions - and it surely doesn't apply to private label cards.

      If you want to be protected as a card holder, use CREDIT not DEBIT. Credit card transactions are protected by Visa/MC regulations - you as the user are not liable for ANY loss. If you use debit, you are subject to your bank's regulations, which aren't in the best interests of the cardholder. Mine would limit the bank's liability to $500; anything higher I would be on the hook for.

      Just as an aside - I also worked InfoSec at Kohls - we had multiple subnets in all the stores. Kohls is not built like Target.

      --
      "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
    48. Re:don't connect everything to the internet! by torkus · · Score: 1

      FBI will do the actual investigating here. The po-po are just the unwitting hacks who get face time.

      Protip: your information is always at risk. Social engineering, datamining, and a myriad of other techniques make it all out in the open. What you can do is try to *limit* that risk. Credit protection or locking your credit checks is one. Unique passwords is another. A really helpful thing is watching how you answer security questions - never use REAL information. I hope everyone realizes how easy it is to figure out someone's mother's maiden name these days. Favorite food? If not pizza or lobster just check facebook. Honeymoon spot? First job? More of the same.

      These attacks target the least common denominator (in this case retail POS) so try not to be that group. Use one card for retail shopping...ideally one that's NOT a debit card tied to your bank account. That way you're liable for, at most, 50 bucks. Try getting money back into your checking account...you can...but until then you're out that $.

      girlintraining has a lot of interesting information...it'd be fun to pick his/her brain one day. I've similar experiences though not centered in retail.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    49. Re:don't connect everything to the internet! by torkus · · Score: 1

      Retail and almost any large-scale enterprise are going to have many things in common. At the end of the day it's large-scale, lowest-cost that affords security. Add in senior management having 'great ideas' or a vendor selling some 'amazing product' ... you get the idea. The store manager insists on using an XYZ tablet instead of his company-issued 'portable desktop', so he gets an exclusion from half the security measures. And of course forgets the tablet almost every time he walks through the store... etc. etc. etc.

      I've yet to work on a network that I couldn't bypass security or had an available means to do so. In some cases it's utterly trivial, others it takes some limited insider knowledge and a techie background.

      Most managers and 'important people' assume security doesn't apply to them and that getting their job done is WAY more important. IT and InfoSec people can be the worst in that group from personal experience.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    50. Re:don't connect everything to the internet! by Anonymous Coward · · Score: 2, Interesting

      I've heard from a couple of sources, which I'm trying to find citations for again, the breach was due to a pushed update from the POS provider. It isn't mentioned in the majority of the reports, so I don't know if it's because there's no truth in that or the information was not in the official release to prevent potential backlash before coming to a solid finding.

    51. Re:don't connect everything to the internet! by mcgrew · · Score: 1

      Not connecting them to the internet wouldn't have helped. From what I heard on TV, the card readers themselves were physically compromised. It looks to me like a large criminal organization has infiltrated Target's employee ranks.

    52. Re:don't connect everything to the internet! by noc007 · · Score: 1

      They do need to verify that cards are correct, so they do need some internet access, though they could do it over the phone.

      Well, I guess they will still need to rethink the security of this.

      Seems to me the readers only need to communicate with a computer in the store, then that computer could do the verifying. Might be a little slower, but would probably be a lot more secure.

      Target's communication with CC Networks (Visa, MC, Disc, Amex) doesn't need to go over the internet. They either connect to a Front End Processor (FEP) via a private network, function as their own FEP with direct links to the Networks, or own their own FEP as a subsidiary company. As big as they are, I'd expect it to be one of the latter two. While working for a Merchant Acquirer/Gateway that wanted to become a FEP, our expensive ($10k/mo) test connection with MC was a direct private link and obviously encrypted.

      That being said, Target's servers that cache CC numbers are probably accessible by some means from the internet. Heartland Payment Systems' (IIRC they are a FEP) CC data breach in 2008 was a result of a targeted attack and poor security. The head DBA received some malware on his laptop. Because the account he logged in with had full DBA privileges to the DBs, the attackers were able to leverage his compromised laptop and permissions to download millions of CCs (full card data). Beyond better anti-malware detection and layered IDS, the full card data should be difficult to get in the clear for any person and should be stored encrypted on the DBs. Encryption devices exist that stand between the DBs and the full encryption key is never accessible by one person; we had one that would literally self destruct if someone tried to physically open the box.

    53. Re:don't connect everything to the internet! by X0563511 · · Score: 1

      They have MSRs that cipher track data in the reader firmware. There's no excuse for them to not have it deployed.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    54. Re:don't connect everything to the internet! by Some_Llama · · Score: 1

      They need to verify their own target "red cards" as well, as these are basically like instant check fund transfers so they need to guarantee funds are sufficient with the bank to which they are attached.

    55. Re:don't connect everything to the internet! by MachineShedFred · · Score: 1

      I doubt they used a skimmer to get 40M credit card numbers. Or, Target has the most efficient point-of-sale solution that could ever be, as that one swipe terminal would have been processing 24 credit swipes per second in the 19 day period TFA states.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    56. Re:don't connect everything to the internet! by omnichad · · Score: 1

      Cellular device to the network is likely it. I found out a bit later that the breach was through the POS software. So if it's firewalled off, it either needs another network jump-off or a manual device involved.

    57. Re:don't connect everything to the internet! by MachineShedFred · · Score: 1

      Actually, it will be the Secret Service, as they are more equipped to deal with currency and wire fraud, being a part of the Department of the Treasury.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    58. Re:don't connect everything to the internet! by Darinbob · · Score: 1

      But in this case all stores were compromised, which points to either an inside job or someone with a lot of mileage on their car.

    59. Re:don't connect everything to the internet! by Darinbob · · Score: 1

      Maybe this could happen, but it is also easier to just be an inside job. If it was an inside job would Target admit to this? The weakest point of most company's security is indeed the employees themselves.

    60. Re:don't connect everything to the internet! by Darinbob · · Score: 1

      So it could be an outside person just hacking over the wifi, or an inside person hacking as well. The inside person is much more likely to know about the machines in use and what firmware they use. The outside person has to spend extra information probing to find out all this detail, which then is much more likely to be detected by internal security audits, whereas the inside person especially if working in the IT group is less likely to be discovered.

    61. Re:don't connect everything to the internet! by omnichad · · Score: 1

      And in the wifi case, the outside person could have their mole device be a wifi/cellular device plugged into any hidden, out of the way electrical outlet in the building. They could do the rest of their research work remotely. In fact, I wonder if all the store POS units at all locations are on the same VLAN - so spreading the malware could be trivial. We don't know how much time was spent planning this attack, or really much of anything.

    62. Re: don't connect everything to the internet! by Anonymous Coward · · Score: 0

      PCI as of v2 does NOT require end to end encryption of data when such is not financially feasible (aka most POS systems particularly DOS based IBM systems). This is hoped to be changed in v3 but it's been in RFC like status for years. It is doubtful to see all the members of PCI agree soon.

      (I handled multiple PCI deployments of Tier 1 systems, over 100k cards per year, and went on to become a certified PCI auditor)

    63. Re:don't connect everything to the internet! by PlusFiveTroll · · Score: 1

      >This would not have even been possible in the old analog phone system

      Um, what? You evidently never saw the problems that cropped up on overloaded telephone exchanges and PBX's back in the day.

    64. Re:don't connect everything to the internet! by mysidia · · Score: 1

      For example, a simple MPLS-based Layer 3 VPN will separate traffic between network A and network B, but it will not be encrypted. The only relatively safe way of doing it is via a strongly encrypted tunnel.

      If there is not encryption, then it is not a VPN.

      If someone is selling a MPLS service without end-to-end encryption between the sites and selling it as a "VPN"; then they are lying.

      What they are really selling is a tunneled network service, not a secure Virtual Private Network.

    65. Re:don't connect everything to the internet! by justthinkit · · Score: 1

      And you evidently never worked at an analog exchange. Start your education process with a search on "stepper motors". Cliff notes: once you have a route through the exchange, you get your ring and nothing else. And it keeps ringing.

      In thinking of an analogy to the old stepper system, I would say completing a call through an analog exchange would be like getting all your lemming sacrifices in place before unleashing the rest of the horde (the ringing current) through the path (connection). A busy signal would be a stationary lemming blocking your path, or using up all your specific-function lemmings before completing the pathway. Only cure in Lemmings is a level retry. Same for old analog system -- waiting out a busy signal in the old days was completely futile, by the way.

      In this case, the Target-leased/owned equipment is picking up the call, realizing they don't have anyone available to handle it, and then dropping the call internally by faking a busy signal.

      By picking up the call, I imagine, they can claim responsiveness. In reality they are totally swamped and unresponsive, at least when I called earlier today.

      --
      I come here for the love
    66. Re:don't connect everything to the internet! by Anonymous Coward · · Score: 0

      Has it not occurred to you that maybe the attackers had free rein over the internal network? That could easily start with an insider planting some sort of malware. Hell, it could have been done remotely.

    67. Re:don't connect everything to the internet! by Anonymous Coward · · Score: 0

      It seems much more likely that they are capturing data between the POS device, or the workstation it is connected to, before any encryption occurs. Read up on the dexter malware if you want an example of how this occurs.

    68. Re:don't connect everything to the internet! by Anonymous Coward · · Score: 0

      There is simply no way they compromised the readers individually at multiple locations. Certainly not enough to net 40 MILLION CARDS over the course of a month. It is much, much more likely that they somehow gained access to the internal network and were able to infect the POS systems themselves. They may have accomplished this through physical means at first. But these things need to be connected to a network at some level.

    69. Re:don't connect everything to the internet! by JWSmythe · · Score: 1

      The card readers that I've worked with do their encoding at the reader. They should only be showing the user (the clerk) something like the last 4 digits, if anything.

      From what others said, based on the vague information released, it sounds like the card readers had firmware updates that allowed this to happen. I still see two tremendously troubling things.

      1) If it was someone in-house who did that, how the hell were they allowed to do that?

      2) Even if the firmware captured all the card, why was it allowed to send out to a 3rd party destination. If it's all on private circuits, they simply wouldn't have a way to talk out. Obviously, they did, or else it wouldn't have been a breach.

      --
      Serious? Seriousness is well above my pay grade.
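
An added example, not code from this thread, from Target, or from any reader vendor, of the behaviour noc007 (#52), X0563511 (#53) and JWSmythe (#69) describe: the reader parses and validates the swipe, ciphers it before anything leaves the device, and the lane and the back-end database only ever see a masked PAN and a keyed token, under a key that no single custodian holds in full. The track-2 string and the key material are constructed sample values; the two-custodian XOR split stands in for the tamper-responding key device noc007 mentions, and the HMAC token stands in for the vendor's reader-side ciphering, both labelled as assumptions in the comments.

```python
"""Added illustration (not Target's, nor any vendor's, code): what a POS lane
should see when track data is ciphered in the reader and PANs are tokenized
under a key no single custodian holds.  All inputs below are constructed."""
import hashlib
import hmac
import re
import secrets

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<yymm>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: catches mis-reads and typos, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a track-2 string into PAN, expiry and service code; reject junk."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a well-formed track 2")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {"pan": pan, "expiry": m.group("yymm"), "service_code": m.group("svc")}


def is_valid_track2(track: str) -> bool:
    try:
        parse_track2(track)
        return True
    except ValueError:
        return False


def mask_pan(pan: str) -> str:
    """Last four digits only, which is all the clerk's display needs (post #69)."""
    return "*" * (len(pan) - 4) + pan[-4:]


def xor_all(parts: list) -> bytes:
    out = bytes(len(parts[0]))
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


def split_key(key: bytes, n: int = 2) -> list:
    """n-of-n XOR split (assumed stand-in for an HSM's dual control):
    every share is required, and any n-1 of them reveal nothing about the key."""
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    shares.append(xor_all([key] + shares))
    return shares


def join_key(shares: list) -> bytes:
    return xor_all(shares)


def tokenize(pan: str, key: bytes) -> str:
    """Keyed token (HMAC-SHA256, an assumed stand-in for the reader's cipher) so
    the store can recognise a returning card without ever storing the PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def reader_output(track: str, key_shares: list) -> dict:
    """What leaves the reader: masked PAN, expiry and token; never the clear PAN."""
    key = join_key(key_shares)              # assembled inside the device only
    fields = parse_track2(track)
    return {
        "masked_pan": mask_pan(fields["pan"]),
        "expiry": fields["expiry"],
        "token": tokenize(fields["pan"], key),
    }


if __name__ == "__main__":
    # Constructed sample swipe using the well-known Luhn-valid test PAN.
    sample = ";4111111111111111=25121011234567890?"
    custodians = split_key(secrets.token_bytes(32), 2)
    print(reader_output(sample, custodians))
```

The point of the split is not the XOR arithmetic itself but the operational property noc007 describes: each custodian holds one share, the device combines them internally, and a DBA's compromised laptop yields tokens and last-four digits rather than full card data.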
    70. Re:don't connect everything to the internet! by turning+in+circles · · Score: 1

      Thank you! The farmer is drunk.

      --
      Might as well face it I'm addicted to data.
    71. Re:don't connect everything to the internet! by sabri · · Score: 1

      If there is not encryption, then it is not a VPN.

      You, sir, have no clue what you are talking about.

      Just go and read RFC4026.

      What they are really selling is a tunneled network service, not a secure Virtual Private Network.

      The fact that you use the term "secure" in this context already shows that you are clueless. What do you mean by secure? Security can include any of the following: Availability, Reliability, Confidentiality, Authenticity...

      --
      I'm not a complete idiot... Some parts are missing.
    72. Re:don't connect everything to the internet! by mysidia · · Score: 1

      Just go and read RFC4026 [ietf.org].

      You have linked to a non-standard document, which is not a normative reference. No consensus required to publish. Non-standard use of the designation "Virtual Private Network".

      Sample a large enough number of the population, and you are bound to find people abusing terms. Their usage is inaccurate. Informational level RFCs don't have the blessings of the IESG or the community.

      The fact that you use the term "secure" in this context already shows that you are clueless. What do you mean by secure? Security can include any of the following

      Are you trying to be a smart-ass?

      All three are necessary conditions.

      A Virtual Private Network is the combination of the concept of a Virtual IP Network with a Private Network.

      All those various solutions are virtual networks. Virtual networks are networks that have been extended over the top of another physical network --- in other words, the network is tunneled or encapsulated, so the IP addressing of the network is not that of the physical network.

      The important bit is Private: A private network that is physically secured to only the endpoints in the network.

      A virtual private network replaces physical isolation of data links with cryptography.

      If the network is not secured using cryptography, then it is not Private.

      For example; in a MPLS Virtual Network; the Virtual network, would be subject to the possibility of intrusion into the network by the circuit provider, or any third party ---- there is no way to know that the network is actually Private then, so it is not.

    73. Re:don't connect everything to the internet! by sabri · · Score: 1

      For example; in a MPLS Virtual Network; the Virtual network, would be subject to the possibility of intrusion into the network by the circuit provider, or any third party ---- there is no way to know that the network is actually Private then, so it is not.

      So you're saying that an MPLS VPN is not a VPN? Well, good luck convincing the rest of the world that the Earth is flat.

      --
      I'm not a complete idiot... Some parts are missing.
    74. Re:don't connect everything to the internet! by mysidia · · Score: 1

      So you're saying that an MPLS VPN is not a VPN? Well, good luck convincing the rest of the world that the Earth is flat.

      MPLS VPN is not a correct term to begin with. It's just like saying "Spherical box", "Hexagonal circle", or "Time cube"

      Or for that matter..... calling an Amazon EC2 instance with a public IP a "Virtual Private Cloud"

      It's called deceptive marketing; also known as outright lying.

      A network built on a MPLS VRF is not a VPN; MPLS VLLs/pseudowires are not VPNs; a MPLS "switch in the cloud" is not a VPN.

      ....Unless

      There is encryption on the wire, at the endpoints -- to make the network as private as a physically isolated network.

    75. Re:don't connect everything to the internet! by fatphil · · Score: 1

      Because some of the readers if not configured otherwise will show which IP address (and port) they are connecting to.

      --
      Also FatPhil on SoylentNews, id 863
    76. Re: don't connect everything to the internet! by sunderland56 · · Score: 1

      PCI as of v2 does NOT require end to end encryption of data when such is not financially feasible (aka most POS systems particularly DOS based IBM systems).

      So the body in charge of the security of credit card transactions does not require even the most basic security measure? Wow. No wonder there are so many data breaches.

      Visa/MC/etc. should step up to the plate, and only have TLS ports open for transaction validation - and then advertise that on TV.

    77. Re:don't connect everything to the internet! by taustin · · Score: 1

      And everything I have described meets PCI compliance. I suppose you were expecting something more out of government regulation

      Er, dude, PCI isn't a government regulation, it's a voluntary industry standard, defined and imposed by card issuers (specifically, Visa, MasterCard and Discover, though Amex uses the same standards).

    78. Re:don't connect everything to the internet! by Nyder · · Score: 1

      They don't need direct access. Actually, your CC data is supposed to be kept away from the Internet. That's what private circuits are for. In the case of a major retailer like Target, they should be doing all financial transfers over private circuits, with no Internet access.

      Someone may have decided it would be cheaper to share the circuit with Internet access. That was *very* dumb of them.

      I game with someone who works for a major financial firm, and they get info about this sort of stuff.

      From what he said, and I can't verify this is true, but some of the CC readers have a "rogue" chip inside them that calls the info to whomever has the backdoor access. Apparently someone added the chips to some of them when they were being manufactured.

      Not sure anyone is going to see this post or care, since it's now Sunday, but that is the info I got about this.


      --
      Be seeing you...
    79. Re:don't connect everything to the internet! by Quila · · Score: 1

      It's done right all the time. Government classified networks often go over the public Internet, all in encrypted tunnels.

    80. Re:don't connect everything to the internet! by JWSmythe · · Score: 1

      Well, I see it, because you replied to me. :) Very interesting.

      It still leads back to the original problem. Why the hell were they given access to the Internet to feed the data out? Or was it a bigger inside job than they're leading us to believe?

      I could believe "rogue chip" or even common access credentials. Then it could go from the Internet, to somewhere in-house.

      I've seen that too many times. Users have forced passwords twice a month, with no repetition, at least 12 characters, mixed upper, lower, and symbols (all required). Then you find out "Oh and every server has the root password of N01WillGuessTh1s!. We don't bother to change it because only we know. Well, the IT department, the managers, senior management. The COO keeps the list on his desk, to show others how good passwords should look." ... but ... if it were in-house, the announcement of the breach is amazingly suspicious. So you'd have to wonder who would have motive to do such a thing. I think almost anyone in the US or familiar with US "low price" retail establishments will have the same companies in the top 5 list. The order may change, but the suspects will remain the same.

      --
      Serious? Seriousness is well above my pay grade.
  3. Chip and Pin by the+eric+conspiracy · · Score: 4, Interesting

    You would think that these breaches would get the US to update its security practices.

    1. Chip and Pin credit cards.
    2. Separate authentication and authorization in the SS system.

    1. Re:Chip and Pin by Tanktalus · · Score: 4, Insightful

      Why do you think chip and pin would be an update to security practices? We've had that discussion before. Multiple times. It's more security theatre, and I doubt that this attack would have been much more difficult to co-ordinate with chip/pin cards.

    2. Re:Chip and Pin by Tanktalus · · Score: 1

      And my other link got squashed. Another time chip-and-pin was discussed here.

    3. Re:Chip and Pin by Mashiki · · Score: 4, Informative

      Considering you need the PIN for it to work, it becomes a bit more difficult. And it's either going to be 4 or 6 numbers long, so unless at every terminal they're recording the PIN, you're talking about brute forcing all known PINs against the card. Most cards lock after 5 failed attempts, plus at least with the Interac system here in Canada, if the other side doesn't authorize the PIN, the chip doesn't authorize the PIN you get squat.

      It's massively cut down on the bank card and CC fraud we've been dealing with up here. I'm sure it'll be an arms race again in a few years, but right now it is an improvement in security albeit a small one.

      --
      Om, nomnomnom...
    4. Re:Chip and Pin by blincoln · · Score: 4, Informative

      Chip-and-PIN isn't perfect, but it's about a thousand times better than the archaic mag-stripe cards that are still in use in the US.

      Mag-stripe cards are a relic of 30-40 years or more ago - similar to social security numbers - where your identification is the same as your authentication. It's a "secret name"-type system where as soon as you tell someone what your account number is, they can do whatever they want with it.

      Mag-stripe cards can be cloned easily with a ~$100 reader/encoder that you can order from China on eBay (I have one - it's pretty neat). All you need to do is swipe the card through it once (or through a cheap reader, which you save the data from and then write to a card using the bulkier encoder later). AFAIK with Chip-and-PIN, you would need a lot more time with the card, some expensive hardware, and some reverse-engineering skills instead of just click-the-copy-button skills.

      Also, AFAIK, with Chip-and-PIN, you can't clone the card solely by intercepting network or device-to-device traffic. You have to compromise the reader itself. If you can intercept unencrypted network traffic from a mag-stripe transaction, then at a minimum you've got everything you need to use that card fraudulently online, and depending on how bad the system is that's involved, you probably have everything you need to create a full clone of the card.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    5. Re:Chip and Pin by gl4ss · · Score: 1

      it's harder to copy the chip.

      certainly harder to do it whilst maintaining a normal transaction happening.

      but in usa, all you need is the magstripe. then you can buy shit with it. just go to a pharmacy and load up on whatever and use the self-checkout counter and scribble something on the touchscreen joke signature area...

      --
      world was created 5 seconds before this post as it is.
    6. Re:Chip and Pin by IamTheRealMike · · Score: 4, Interesting

      AFAIK with Chip-and-PIN, you would need a lot more time with the card, some expensive hardware, and some reverse-engineering skills instead of just click-the-copy-button skills.

      Actually it's better than that. Nobody knows how hard it is to clone an EMV card because I'm pretty sure it's never been done (by the non-banking industry). All the attacks on EMV that have been mounted are things like obscure protocol attacks that could be detected by the bank, attacks on very old first generation cards that didn't have CPUs inside them, attacks on weak random number generators inside ATMs and the other sorts of attacks you'd expect to see on an enormous and widely deployed cryptographic system. There have been a few amusingly convoluted social engineering schemes as well.

      Some say EMV is the largest crypto system in history, larger even than SSL, and that would not surprise me. But what nobody has reported so far is cloned cards (at least not cloned DDA cards which is what most of the industry is using now for some time already).

      The idea that EMV is broken or security theater is an idea pushed by exactly one group, AFAIK, the research group at Cambridge. They've done great work researching flaws in the system and ensuring public sector bug research keeps up with the criminal world's research, but they also love making dramatic press releases and getting their names on TV, so every time they discover a new (invariably patchable) weakness, they declare it's game over and the entire system is worthless. Not so.

    7. Re:Chip and Pin by makomk · · Score: 2

      In practice, those obscure protocol attacks that could be detected by the bank weren't detected by the bank - they didn't bother looking for them and deleted the logs which would indicate if they were used. Some people in the UK had fraudulent transactions that were likely caused by this attack being used in the wild (in fact that's why researchers went looking for it in the first place), but the customers ended up liable for them because they couldn't prove it since the bank had deleted the logs.

    8. Re:Chip and Pin by Anonymous Coward · · Score: 0

      Nobody knows how hard it is to clone an EMV card because I'm pretty sure it's never been done (by the non-banking industry).

      No one knows how to clone cards except the people that do? Tautology aside, I'm sure there is at least one person in the banking industry that has more incentive to use their knowledge of EMV cards for nefarious gain than they do for staying honest.

    9. Re:Chip and Pin by Anonymous Coward · · Score: 0

      Nope, due to a design bug, the PIN is optional. No need to guess it, just bypass it. As far as I can tell, cloning a card is still difficult, so it does provide notable additional security, but it's still not remotely secure.

    10. Re:Chip and Pin by IamTheRealMike · · Score: 2

      If you're thinking of the RNG thing, actually some banks did still have the logs which is why they were able to identify the problem in the first place. But yes not all banks are so careful.

      Don't get me wrong. It's good that people research EMV, and the task isn't easy. I respect the Cambridge team for that reason. But when they talk to the media or about their work in general, they act as if friendly fraud doesn't exist and EMV is just one giant scam by banks. That's ridiculous. "Friendly fraud" (that's the technical term for it) where the consumer defrauds the bank/merchant is not only a thing, but a highly prevalent and measurable thing. EMV protects sellers by shifting payment security to the buyer, who is typically the one who can most affect it, by keeping their PIN safe. It's not OK that banks don't seem to be pen-testing their own systems aggressively enough, although of course as the system is closed we don't know about the mistakes their own development teams did catch. But it's not useless, and nor is the liability shift. After all, in commerce it takes two to tango.

    11. Re:Chip and Pin by jedidiah · · Score: 1

      In an attack of this kind, the mag stripe is likely entirely irrelevant. So it doesn't matter what security features are embedded in the card. Sooner or later, the card is going to have to be verified against a remote system and everything you need is going to be pure information past that point.

      Same goes for those stupid electronic signatures.

      Perhaps the greatest aid to counterfeiting ever.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    12. Re:Chip and Pin by mcgrew · · Score: 1

      Considering that (TFA didn't mention but GMA did) the readers themselves were what was compromised, a PIN wouldn't have helped at all.

    13. Re: Chip and Pin by Anonymous Coward · · Score: 0

      This doesn't sound right. If I were one of those customers I would be highlighting that the missing evidence is down to those banks deleting that data. In the States an e-discovery order would follow at the very least. In Europe the bank would be dead in the water at this point, and entering a whole new ocean of much hotter water.

    14. Re:Chip and Pin by Anonymous Coward · · Score: 0

      I would bet money it was an actual infection of the POS system, not them snagging the data as it's being sent to a remote system.

  4. Inside job by Spy+Handler · · Score: 4, Insightful

    Extremely unlikely that something of this scale and magnitude could've been done without inside help. This is not like the guys who put a card skimmer on the gas pump at the corner gas station.

    IT admins at Target are probably getting grilled by FBI as we speak.

    1. Re:Inside job by Anonymous Coward · · Score: 0

      I sure hope someone is getting grilled considering I just had to go through the trouble of cancelling a credit card which was used at Target on the other side of the damn country from me. I have no idea how someone got the card number as I have not been to Target in at least a year. But someone got the number and spent $172 at a Target in Flushing, NY. Go figure. Glad the credit card company caught it fast, but still. What a pain in the butt.

    2. Re:Inside job by blincoln · · Score: 1

      I disagree. It's certainly possible that there was inside help, but I think it's a lot more likely someone compromised a system in Target's corporate offices and used it to pivot to capturing the data in question.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    3. Re:Inside job by ruir · · Score: 1

      You are assuming they are not such misers as to maintain and pay proper IT admins...

    4. Re:Inside job by Anonymous Coward · · Score: 0

      I sure hope someone is getting grilled considering I just had to go through the trouble of cancelling a credit card which was used at Target on the other side of the damn country from me. I have no idea how someone got the card number as I have not been to Target in at least a year. But someone got the number and spent $172 at a Target in Flushing, NY. Go figure. Glad the credit card company caught it fast, but still. What a pain in the butt.

      Your issue has nothing to do with this incident at Target on Black Friday. I had my credit card used at Kohl's in Arizona last year. I haven't been to Arizona or Kohl's in several years.

    5. Re:Inside job by Darinbob · · Score: 1

      The insider has more time to prepare without detection and already knows the details of the systems and security. The outsider has to spend time to learn how the system is set up, and thus more time spent exposed to detection. Both are possible of course. There's also possibility of cooperation between an outsider with knowhow and an insider with access to information.

  5. EMV by Anonymous Coward · · Score: 0

    Now if only there was a technology for authenticating credit cards based on a challenge response model instead of transmitting the key in plain text, we wouldn't have to deal with stuff like this. And if only Target's fancy new POS terminals had support for such a standard already built in...
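
An added example, not code from this thread and not any bank's or vendor's EMV implementation, of the two properties argued over above: Mashiki's point in the Chip and Pin thread that a card locks after five wrong PINs, and this post's point that a challenge-response card, unlike static mag-stripe data, cannot be used by someone who merely captured one transaction. It models the chip as a class holding a per-card key shared only with the issuer, the issuer as a host that checks a truncated HMAC over the terminal's nonce, the amount and a transaction counter, and contrasts that with mag-stripe-style authorization where knowing the account number is the whole proof. The PAN, PIN, key, amounts and the eight-byte MAC length are constructed sample values and simplifications, labelled as such in the code.

```python
"""Added illustration (not from the thread, Target, or any EMV vendor): a toy
chip-card model showing a PIN try counter that locks after five misses, and an
issuer-keyed cryptogram that a captured transaction cannot be replayed, unlike
static mag-stripe data.  Keys, PANs, PINs and amounts are constructed."""
import hashlib
import hmac
import secrets

MAX_PIN_TRIES = 5   # the post's "most cards lock after 5 failed attempts"
MAC_LEN = 8         # truncated MAC, loosely like an EMV ARQC; illustrative only


def _mac(key: bytes, nonce: bytes, amount_cents: int, atc: int) -> bytes:
    msg = nonce + amount_cents.to_bytes(8, "big") + atc.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class SimulatedCard:
    """The chip: holds a per-card key shared only with the issuer, plus the PIN."""

    def __init__(self, pan: str, card_key: bytes, pin: str):
        self.pan = pan
        self._key = card_key      # never leaves the chip
        self._pin = pin
        self.tries_left = MAX_PIN_TRIES
        self.atc = 0              # application transaction counter

    def verify_pin(self, attempt: str) -> str:
        if self.tries_left == 0:
            return "blocked"      # locked: even the right PIN is refused now
        if hmac.compare_digest(attempt.encode(), self._pin.encode()):
            self.tries_left = MAX_PIN_TRIES
            return "ok"
        self.tries_left -= 1
        return "blocked" if self.tries_left == 0 else "wrong"

    def cryptogram(self, terminal_nonce: bytes, amount_cents: int) -> dict:
        """Challenge-response: sign the terminal's nonce, the amount and the counter."""
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "mac": _mac(self._key, terminal_nonce, amount_cents, self.atc)}


class Issuer:
    """Issuer host: knows each card's key and the last counter it accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan: str, card_key: bytes) -> None:
        self._keys[pan] = card_key
        self._last_atc[pan] = 0

    def authorize(self, terminal_nonce: bytes, req: dict) -> bool:
        key = self._keys.get(req["pan"])
        if key is None:
            return False
        if req["atc"] <= self._last_atc[req["pan"]]:
            return False          # counter not fresh: replay or stale request
        expected = _mac(key, terminal_nonce, req["amount"], req["atc"])
        if not hmac.compare_digest(expected, req["mac"]):
            return False          # wrong key, wrong nonce, or altered amount
        self._last_atc[req["pan"]] = req["atc"]
        return True

    def authorize_magstripe(self, pan: str) -> bool:
        """Mag-stripe style: identification is the authentication (post #4 above)."""
        return pan in self._keys


def terminal_transaction(card: SimulatedCard, issuer: Issuer, amount_cents: int) -> tuple:
    """One purchase; returns (approved, nonce, request) so the exchange can be inspected."""
    nonce = secrets.token_bytes(8)
    req = card.cryptogram(nonce, amount_cents)
    return issuer.authorize(nonce, req), nonce, req


def replay_captured(issuer: Issuer, nonce: bytes, req: dict) -> dict:
    """What one captured exchange is worth to an eavesdropper under each model."""
    verbatim = issuer.authorize(nonce, req)                 # counter already used
    advanced = dict(req, atc=req["atc"] + 1)                # counter bumped, MAC stale
    fresh = issuer.authorize(secrets.token_bytes(8), advanced)
    return {"verbatim_replay": verbatim, "under_new_nonce": fresh,
            "magstripe_style": issuer.authorize_magstripe(req["pan"])}


def wrong_guesses_until_block(card: SimulatedCard, wrong_pins: list) -> int:
    """How many wrong PINs the card absorbs before it locks itself."""
    n = 0
    for p in wrong_pins:
        n += 1
        if card.verify_pin(p) == "blocked":
            break
    return n


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    issuer = Issuer()
    issuer.enroll("4111111111111111", key)
    card = SimulatedCard("4111111111111111", key, "4928")
    ok, nonce, req = terminal_transaction(card, issuer, 1999)
    print("purchase approved:", ok)
    print("captured exchange reused:", replay_captured(issuer, nonce, req))
    guesses = ["0000", "1111", "2222", "3333", "4444", "5555"]
    print("locked after", wrong_guesses_until_block(card, guesses), "wrong PINs")
```

Two checks do the work on the issuer side, and both matter: the counter rejects a verbatim resend, and the MAC rejects anything re-submitted under a different terminal challenge or with a changed amount. The mag-stripe path has neither, which is the "secret name" problem blincoln describes. With a 4-digit PIN and a 5-try lock, a guesser gets at most 5 of 10,000 possibilities per card, which is the arithmetic behind Mashiki's point.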

    1. Re:EMV by aaarrrgggh · · Score: 1

      The problem with chip and pin is that it still isn't impervious to hacking, yet the customer is now responsible for preventing fraud. At least with the US system systemic fraud is a problem for the banks, even if transactional risk is placed on the merchant.

      You have to establish where the endpoint of trust is for the user, and where that point is for the merchant. Everything in between is untrusted. One approach is escrow, and the other extreme is mutual authentication and authorization.

    2. Re:EMV by JWSmythe · · Score: 1

      But security is hard. {sigh}

      --
      Serious? Seriousness is well above my pay grade.
    3. Re:EMV by ai4px · · Score: 1

      Bingo.... when I buy gas and pay at the pump, I *always* use credit option. If a skimmer got my PIN code I'm on the hook for all charges. With a credit card, the skimmer can still nab me, but I'm not on the hook. Funny thing is, if someone stole my wallet, they'd have the zip code that the CC auth wants. Not secure at all.

    4. Re:EMV by mcgrew · · Score: 1

      Indeed, and it's why I traded my debit card for a couple of credit cards. Quite a few years back a woman watched me drunkenly punch my PIN into an ATM. She later stole the card and a book of checks and emptied my bank account -- and I had just bought my car and the $1000 down payment bounced, leading me to a bit of legal trouble.

      The forged checks the bank made good, but if someone has your PIN, even if they stole it, they're authorized to use the card even if they stole that as well.

      When I use my credit card, the most I can lose is fifty bucks. I can take that kind of loss (hell, I just paid the veterinarian $277 for a sixteen year old cat).

  6. Glad I paid cash a few days ago by sandytaru · · Score: 2

    I only paid cash because it was such a trivial amount - under ten dollars - but I should make a point of doing it more often. I've been a victim of this before, when they targeted Office Max several years ago. Wiped out $1300 from my checking account. Thankfully, Wachovia's fraud department paid back every penny, including overdraft fees, but it was just awful for that month it took to get resolved to have to borrow money to pay bills since I didn't have a credit card.

    --
    Occasionally living proof of the Ballmer peak.
    1. Re:Glad I paid cash a few days ago by couchslug · · Score: 1

      That's why prepaid credit cards are better than debit cards if you have no regular credit card. They reduce potential damage by not being linked to your bank account. My regular card isn't paid by automatic draft either, and my PayPal account links to a small, separate bank account I keep for that purpose.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    2. Re:Glad I paid cash a few days ago by whoever57 · · Score: 1

      Wiped out $1300 from my checking account. Thankfully, Wachovia's fraud department paid back every penny, including overdraft fees, but it was just awful for that month it took to get resolved to have to borrow money to pay bills since I didn't have a credit card.

      Which is exactly why you should get and use a credit card if you can. I have had credit card fraud on my card of over $3k. Impact to me: nothing (well, I did have to fill in a form stating that the items on the statement were fraudulent).

      --
      The real "Libtards" are the Libertarians!
    3. Re:Glad I paid cash a few days ago by philip.paradis · · Score: 2

      You should have switched to a better bank, or rather a decent credit union. When this happened to me, Navy Federal Credit Union returned all the funds to my account within four hours.

      --
      Write failed: Broken pipe
    4. Re:Glad I paid cash a few days ago by sandytaru · · Score: 1

      I do now - just one, a Delta AmEx that I'm using at every opportunity to get crazy amounts of frequent flier miles.

      --
      Occasionally living proof of the Ballmer peak.
    5. Re:Glad I paid cash a few days ago by sandytaru · · Score: 1

      Well, Wachovia was eventually eaten by Wells Fargo. They did return my money after about two weeks - it just took going through their fraud investigation stuff.

      --
      Occasionally living proof of the Ballmer peak.
    6. Re:Glad I paid cash a few days ago by Anonymous Coward · · Score: 0

      Or even a bad bank that isn't Wachovia. I'm with the most cartoonishly evil bank of all time, Bank of America, and the two times I've been hit with debit card fraud (~$1k both times) they've had my money back to me by the next day. The biggest inconvenience, aside from the incomprehensible (southern?) accent of the fraud agent I spoke with, was being without my card for a couple days while I waited for the new one to arrive.

    7. Re:Glad I paid cash a few days ago by McKing · · Score: 1

      This is why I have 2 checking accounts: one for paying bills and one for daily spending. I direct deposit my paycheck in the billpay account, pay all of my month's bills at the beginning of the month, and then as I need to spend money I transfer the amount from billpay to spending and use my debit card. This way there is only like $20 in the spending account (for emergencies like gas or something) and if someone gets my card then they can't spend up my entire paycheck at once.

      --
      If only "common" sense was actually that common...
    8. Re:Glad I paid cash a few days ago by Anonymous Coward · · Score: 0

      But if your prepaid credit card is stolen you lose all your money with little chance of getting it back.

    9. Re:Glad I paid cash a few days ago by Darinbob · · Score: 1

      I used a credit card on the 14th... I almost never go to Target anyway, first time in a few years. I had just enough in purchases that I decided to use the card instead of cash. D'oh...

      Now part of the problem is monitoring that card for fraud now. All the purchases tend to be listed with abbreviated codes so that it's not clear what a particular transaction was for. I.e., buy something locally from company X and the transaction will be listed as company Y from a different state, and the same applies for automatic bill pay services.

    10. Re:Glad I paid cash a few days ago by philip.paradis · · Score: 1

      This only brings the core issue into starker contrast. I had my money back within four hours following a single phone call. You had your money back after two weeks, during which time your bank essentially treated you as a potential conspirator in a criminal act by denying you access to your rightfully owned funds. Do you see a problem here?

      I'll give you another example. I once worked in New Jersey for a certain well known cloud provider. A fellow employee fell victim to card fraud and had his bank account reduced by a couple of thousand dollars. Unfortunately, this occurred right before the first day of the following month, the day his rent and most of his bills were due. His bank informed him that a "fraud investigation" would take up to 30 days, and until the investigation was concluded, he would not only not have access to the funds in question, but his account would be completely frozen. This man was unable to pay his bills as a result. I got in my car, drove down to a branch of said bank, and asked to speak with the branch manager. In her office, I related the problem that my co-worker was faced with, and was initially informed that while the story was very sad, the bank wasn't going to do anything about it. I proceeded to inform said branch manager of the fact that my employer also held the majority of its cash assets with her bank, and asked her to phone up someone in her chain of command responsible for large accounts. She was visibly upset, but made the phone call. I spoke with a gentleman for perhaps two minutes about the problem, and my co-worker's funds were back in his account within the hour.

      I shouldn't have had to make that trip to the bank. I shouldn't have had to utilize the leverage I used. Again, do you see a problem here?

      --
      Write failed: Broken pipe
    11. Re:Glad I paid cash a few days ago by philip.paradis · · Score: 1

      Call your card issuer on their fraud line. Order a replacement card based on suspicion of compromise from the Target issue. If they want to charge you anything to replace the card, escalate the call to a supervisor, and request a waiver of the fee. If said manager declines to waive said fee, say you'll be transferring your balance (if any) to a competing bank and closing your account. Said fee will be waived. Problem solved.

      --
      Write failed: Broken pipe
  7. Target has always HAD a major breach by turkeydance · · Score: 1

    so has Walmart, etc. no cash-register software is secure.

    1. Re:Target has always HAD a major breach by ruir · · Score: 1

      The problem is not the software per se, but that everyone and his dog "glues together" a network. I have seen as a consultant unbelievable things, and unfortunately, not talking about pa & mom shops.

  8. I hope no one loses money, but... by cervesaebraciator · · Score: 4, Funny

    the inconvenience of getting a new credit card is karma from making Target employees work on Thanksgiving and Black Friday.

    1. Re:I hope no one loses money, but... by Bob+The+Cowboy · · Score: 1

      Uh huh... and how about the people who went during the other 18 days in the attack window? I've never shopped Black Friday (and sure as shit not Thanksgiving) but I'm one of the above.

      From the first line of the article:

      Target Corp said hackers might have stolen data from some 40 million credit and debit cards of shoppers who visited its stores during the first three weeks of the holiday season...

  9. upset employees? by Anonymous Coward · · Score: 0

    In the last few months Target has been laying off employee programmers in large numbers and moving their jobs to India with less than 8 hours notice. Target also employs India based TATA for support and programming. They do have tight controls over their internal systems so I would expect for them to track down the culprit or point of entry. Regardless this sucks for the retailer and is certain to affect all major retailers, not just Target.

    1. Re:upset employees? by SpzToid · · Score: 1, Insightful

      Hello AC. It is extremely noticeable you have cited nothing to support your inflammatory anecdote.

      --
      You can't be ahead of the curve, if you're stuck in a loop.
    2. Re:upset employees? by Kagato · · Score: 1

      Recent? Target put its eggs in the offshore and "prevailing wage" H1-B workers basket years ago. They have a bit of a reputation in the market as a result. Their divorce from Amazon onto their own web platform turned out pretty poorly and it resulted in the CIO abruptly exiting the company.

  10. Our Target just installed new card readers by NixieBunny · · Score: 3, Insightful

    The last time I went there, last week, the credit card reader machine was new. I don't know when it went in, as I hadn't been there for a month or two before that.

    This must mean something, or not.

    --
    The determined Real Programmer can write Fortran programs in any language.
    1. Re:Our Target just installed new card readers by SeaFox · · Score: 5, Funny

      This must mean something, or not.

      ...those would be the choices

    2. Re:Our Target just installed new card readers by Anonymous Coward · · Score: 0

      no mod points but this is hilarious

    3. Re:Our Target just installed new card readers by Anonymous Coward · · Score: 0

      The last time I went there, last week, the credit card reader machine was new. I don't know when it went in, as I hadn't been there for a month or two before that.

      This must mean something, or not.

      I hope they are using encrypted card readers! It appears as though they were using plain text readers.

    4. Re:Our Target just installed new card readers by Anonymous Coward · · Score: 0

      I whole-heartedly agree.

    5. Re:Our Target just installed new card readers by operagost · · Score: 1

      It's both at once, until you open the box.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
    6. Re:Our Target just installed new card readers by SleazyRidr · · Score: 1

      I went there on Black Friday and my card was locked out in an hour. I called the next day and they said that everyone who went to Target was locked out.

    7. Re:Our Target just installed new card readers by Anonymous Coward · · Score: 0

      It's both at once, until you open the box.

      Is there a cat inside the box?

    8. Re:Our Target just installed new card readers by Darinbob · · Score: 1

      It could mean something else entirely.

    9. Re: Our Target just installed new card readers by zevans · · Score: 1

      No, the box contains ambiguity, and an elk.

      --
      "... and more and more now there are all kinds of electronic goodies available" -- Pink Floyd 1972
  11. don't give your info to the internet! by Anonymous Coward · · Score: 0

    Cracks like this prove that you should limit the personal info you give out to the bare minimum. Well-meaning or not, well-funded or not, high-tech or not, adding your info to third party databases is always going to be a risk.

    1. Re:don't give your info to the internet! by Anonymous Coward · · Score: 0

      Cracks like this prove that you should limit the personal info you give out to the bare minimum. Well-meaning or not, well-funded or not, high-tech or not, adding your info to third party databases is always going to be a risk.

      You need to adjust your tinfoil hat. If you have a credit card--ANY credit card--then your personal info is already in a database which is accessible via the internet. Believing otherwise is just whistling past the graveyard. OTOH, I do agree that limiting the amount of personal info you give out to the bare minimum is always a good thing. Why make it any easier than it already is for the bastards to steal your personal info?

  12. this is wrong by rewindustry · · Score: 1

    one time pad is far more secure, the information gathered would have been useless, as it only applies to a transaction target would have already processed.

    how is this comment rated 4, whereas the correct information, the parent, is currently only rated 2?

    1. Re:this is wrong by weilawei · · Score: 1

      One time pads suffer from the problem of key sharing, which reduces their security to that of the key sharing/shared generation scheme.

    2. Re:this is wrong by rewindustry · · Score: 1

      um, in shannon, et al, the word "key" refers to the pad itself. so actually i'm not sure what you're saying here. did you mean "key reuse"? this applies to block ciphers, as i read it. what i think you are saying applies, once again, to block ciphers in counter mode, pretending to be one time pads, where the entropy in the key runs out, over time, as the block repeats.

  13. Target, not Target by phluid61 · · Score: 0

    You mean Target Corporation (with the red all-caps title), not Target Australia Pty Ltd (with the black title-case title), right? And by extension "the country" means "the greatest gosh darned country in the world, the United States of America!" right?

    1. Re:Target, not Target by noh8rz10 · · Score: 1

      USA is exceptional, and has been so since at least 1776.

      http://en.m.wikipedia.org/wiki/American_exceptionalism

    2. Re:Target, not Target by redmid17 · · Score: 1

      Slashdot is an American website. Might as well get used to it.

    3. Re:Target, not Target by operagost · · Score: 1

      We mean the Target based in the nation with 314 million people, not 23 million. It's the same one with a $16 trillion GDP, not $1.6 trillion.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
  14. Re:Wouldn't be surprised if Wal-Mart was... by DaHat · · Score: 2, Insightful

    It wouldn't surprise me if /. user KrazyDave was behind the whole plot... and subsequently trying to plant false stories to divert attention.

  15. They still have the same homophobic CEO so... by Anonymous Coward · · Score: 0, Offtopic

    ...glad I'm still boycotting.

  16. I Stopped Shopping At Target by Anonymous Coward · · Score: 2, Insightful

    I went into a Target a couple years ago to buy a copy of GTA IV, and they insisted on scanning the barcode off the back of my driver's license. I refused to allow them to scan my driver's license, and they refused to sell me the game. (I'm 50 years old and with a grey beard, so it wasn't to be sure that I was old enough.) I haven't been into a Target since, so this story is no problem for me! :)

    1. Re:I Stopped Shopping At Target by ruir · · Score: 1, Funny

      You were buying a terrorist training kit, what do you expect? Glad you told them to sod off, we need more people like you.

    2. Re:I Stopped Shopping At Target by tlhIngan · · Score: 1

      I went into a Target a couple years ago to buy a copy of GTA IV, and they insisted on scanning the barcode off the back of my driver's license. I refused to allow them to scan my driver's license, and they refused to sell me the game. (I'm 50 years old and with a grey beard, so it wasn't to be sure that I was old enough.) I haven't been into a Target since, so this story is no problem for me! :)

      It doesn't matter these days - a lot of stores end up with policies of "we card everyone" even if you're definitely old enough. It's generally used so the cashier doesn't have to make a decision if the person buying is "old enough" (there are some people who really look way older than they really are) and accidentally sell to an underage customer.

      Card everyone makes it much simpler than having to make a guess.

    3. Re:I Stopped Shopping At Target by Anonymous Coward · · Score: 0

      That does not mean they have to scan a card to figure out your age (unless the clerks are uniformly bad at date arithmetic - oh, wait...)

  17. I don't believe you could resist the headline by Chrisq · · Score: 1

    I don't believe you could resist the headline:

    Target Hit by Credit Card Breach

  18. Paying proper admins? by swb · · Score: 1

    Target appears to be a massive H1B user, at least based on the people I see streaming in and out of their office buildings. So I'm not sure that paying for proper IT admins is part of their business plan.

    1. Re:Paying proper admins? by cdrudge · · Score: 1

      Target appears to be a massive H1B user

      Please state which Fortune 100 (or even 500) doesn't hire a significant number of H1B workers. Or for that matter, why it needs to be an incompetent H1B worker and not an incompetent US citizen if it even was incompetency.

    2. Re:Paying proper admins? by swb · · Score: 1

      Please explain how a desire to suppress wages and import cheap workers leads you to the conclusion that competency is the principal value of Target hiring and IT systems.

  19. air gaps aren't useful either by Anonymous Coward · · Score: 0

    You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

    Will they ever learn?

    The Iranian equipment was not connected to the Internet either, and it got hit with Stuxnet. So air gaps are no guarantee.

    And card readers, or at least the central point of sale brain, do need to be connected to the Internet: it has to be able to connect to the credit card servers to be able to verify that the purchaser has enough credit. (Though they could go "old school" and use dial-up modems or leased lines.)

  20. Use Cash by EmagGeek · · Score: 1

    I stopped using credit cards at retail a long time ago because I was sick and tired of having my credit card numbers stolen every few months. And, these days there are always the privacy implications, knowing that government is collecting every transaction you make with a credit card.

    1. Re:Use Cash by omnichad · · Score: 1

      sick and tired of having my credit card numbers stolen every few months

      You must have been doing something wrong. That's not the normal experience.

  21. NPR: Brian Krebs broke this story by McGruber · · Score: 1

    National Public Radio (http://www.npr.org/blogs/thetwo-way/2013/12/19/255415230/breach-at-target-stores-may-affect-40-million-card-accounts) says that the story was first reported by Brian Krebs, who writes the "Krebs on Security" blog. (http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/)

    NPR and other news outlets are only reporting the story because Target put out a press release (http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores) that confirmed that the breach happened.

  22. Just another example. . . by smooth+wombat · · Score: 1

    of private industry doing it better than the government.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  23. POS Hacked? by deKernel · · Score: 1

    If the story does have the details correct, meaning their POS terminals were somehow compromised, then Target must have some type of central server that the terminals call into to see if there are software updates, because I don't see any physical way so many terminals could be compromised. With that, the terminals could be reprogrammed to first send the authorization request, but then send a second message out with all the needed information, which indicates an inside job.

  24. bitcoin user not affected by Anonymous Coward · · Score: 0

    bitcoin user not affected...

    bought target cards via gyft

  25. Nothing unique about this, Home Depot been here by madmatty · · Score: 1

    Nothing is new about this, it's the same scam or identical to what hit Home Depot in 2012

  26. CVV security codes in magnetic strip? by Anonymous Coward · · Score: 0

    From the article: "Target told customers ...that the criminals had stolen customers ... CVV security codes.", "and investigators believed the data was obtained via software installed on point-of-sales terminals used to swipe magnetic strips on payment cards."

    Does the magnetic strip contain the CVV codes? That doesn't seem likely to me.

    1. Re:CVV security codes in magnetic strip? by Anonymous Coward · · Score: 0

      Yes. The number you're thinking of that's printed on the back of the card is the CVV2 code.

      CVV is for swiped transactions.
      CVV2 is for keyed transactions.

    2. Re:CVV security codes in magnetic strip? by Anonymous Coward · · Score: 0

      Thanks for the clarification. That makes more sense.

  27. What if it wasn't the credit card auth? by ai4px · · Score: 2

    I see in many of the comments that the probable method of attack was sniffing the outbound traffic... but what if the hack was embedded in a firmware update on all the cash registers? The cash register gets the CC number from the POS keypad, right?

    1. Re:What if it wasn't the credit card auth? by ediron2 · · Score: 2

      From what I understand (IANA PCI Expert) POS gets the card number less and less.

      Some POS magnetic heads now come with encryption literally built into the head elements. The cardswipe heads encrypt card data, then send the encrypted chunk to the card processor. The card processor sends back confirmation data. Newer systems are capable of making it so that the closest that Target gets to your data is a token that is not the card data: it can be reused by the business (adjustments, additional charges if you're at a hotel, that sort of thing), but it only makes sense to the point of sale and the processor: 'We agree that 1555-5555-5555-1515 will map to a card ending in 1515, owned by Jane Doe'.

      The cardswipe system has a PKI methodology that enables the processor to update the encryption keys. So, keys are processor-specific, processor controlled. Point of Sale never touches the keys, the card data... they just get little accountant-friendly tokens.

      This is pretty new stuff, so it's likely NOT in place at Target.

      Please, if I misunderstand this aspect of P2PE, some PCI expert is welcome to fix my understanding.
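
The P2PE and tokenization flow described in the comment above, as an added example written for this page (not ediron2's code, nor any vendor's or processor's): the read head seals the track data under a processor-held key, the register only forwards the opaque blob, and the processor answers with a token plus the last four digits, which is all the merchant ever stores or needs for later adjustments. The keys, the track-2 string, the in-memory vault and the choice of AES-GCM with an HMAC-derived token are assumptions for the demo, not the scheme any real processor uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed demo material, not any real processor's; the track-2 form is ";PAN=expiry+service+discretionary?".
var (
	DemoDataKey  = []byte("constructed-demo-data-key-32by!!") // 32 bytes -> AES-256, issued to the read head
	DemoTokenKey = []byte("constructed-demo-token-key-only")   // known only to the processor
	DemoTrack2   = ";4111111111111111=2512101123456789?"        // well-known test PAN, constructed trailer
)
// ReadHead models an encrypting swipe head; the register it plugs into never sees plaintext.
type ReadHead struct{ aead cipher.AEAD }

// Processor holds the data key, the token key and the token vault (an in-memory map here).
type Processor struct {
	aead   cipher.AEAD
	tokKey []byte
	vault  map[string]string // token -> PAN, exists only at the processor
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte keys only
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

func NewReadHead(dataKey []byte) *ReadHead { return &ReadHead{aead: mustGCM(dataKey)} }
func NewProcessor(dataKey, tokKey []byte) *Processor {
	return &Processor{aead: mustGCM(dataKey), tokKey: tokKey, vault: map[string]string{}}
}
// Swipe seals the track data; the blob is nonce || ciphertext || GCM tag.
func (h *ReadHead) Swipe(track string) ([]byte, error) {
	nonce := make([]byte, h.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return h.aead.Seal(nonce, nonce, []byte(track), nil), nil
}

// luhnOK rejects data that decrypted cleanly but is not a card number.
func luhnOK(pan string) bool {
	sum := 0
	for i := range pan {
		d := int(pan[i] - '0')
		if d > 9 { // non-digit bytes wrap past 9 and fail here
			return false
		}
		if (len(pan)-i)%2 == 0 { // every second digit counted from the right
			d = d*2 - 9*(d/5) // subtract 9 when the doubled digit exceeds 9
		}
		sum += d
	}
	return len(pan) >= 12 && sum%10 == 0
}

// Authorize opens the blob, validates the PAN and returns only a token and the last four digits.
func (p *Processor) Authorize(blob []byte) (token, last4 string, err error) {
	ns := p.aead.NonceSize()
	if len(blob) < ns {
		return "", "", fmt.Errorf("blob too short")
	}
	plain, err := p.aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", "", fmt.Errorf("blob rejected: %w", err) // tampered or wrong key
	}
	pan := strings.SplitN(strings.TrimPrefix(string(plain), ";"), "=", 2)[0]
	if !luhnOK(pan) {
		return "", "", fmt.Errorf("track data carries no valid PAN")
	}
	mac := hmac.New(sha256.New, p.tokKey)
	mac.Write([]byte(pan))
	token = fmt.Sprintf("tok_%x", mac.Sum(nil)[:12]) // stable per PAN, meaningless without the vault
	p.vault[token] = pan
	return token, pan[len(pan)-4:], nil
}

// Adjust is a later merchant operation (refund, tip, hotel incidentals) that needs only the token.
func (p *Processor) Adjust(token string) (last4 string, ok bool) {
	if pan, found := p.vault[token]; found {
		return pan[len(pan)-4:], true
	}
	return "", false
}

func main() {
	head, proc := NewReadHead(DemoDataKey), NewProcessor(DemoDataKey, DemoTokenKey)
	blob, _ := head.Swipe(DemoTrack2) // this opaque blob is all the register forwards
	fmt.Println(proc.Authorize(blob)) // and token + last four is all it gets back
}
```

Malware on the register or a sniffer on the store network sees only the sealed blob and the token in this model, which is the property the comment describes; the comment is also right that the property only holds for terminals whose heads actually encrypt.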

    2. Re:What if it wasn't the credit card auth? by Anonymous Coward · · Score: 0

      This is most likely the case, IMO. Card data needs to be encrypted when being sent over the internet. It's pretty unlikely that's how the data was taken being that Target is a HUGE retailer and most likely receives yearly PCI compliance audits (and quarterly assessments of some type if I'm not mistaken). My guess is that the attackers had access to the internal network and planted some type of malware on the workstations/registers or card readers themselves, before any type of encryption occurs.

  28. Lots of misinformation by Anonymous Coward · · Score: 0

    So many opinions, so few facts..

    1. We don't know where and how the attack took place.. anything beyond that is speculation
    2. If the attack took place 'on the pin pad', that would be the ONLY time PINs are in the clear. So any article that says "ATM Pins could be compromised" is either misinformed about how security of ATM PINs works in retail environments (most likely) or they have insider information (extremely unlikely). There are some excellent standards governing how PIN security should work and where what is encrypted -- https://www.pcisecuritystandards.org/documents/pts_program_guide_2010_v1.pdf. Yes all the devices in the market (except gas stations) have this level of security
    3. EMV/Chip-and-PIN is not the answer. The security of that technology is not put to test because the markets that have implemented it are pretty small, compared to the US. Even then there are a bunch of problems with EMV http://www.cl.cam.ac.uk/~rja14/
    4. Connecting card terminals to the internet is a better thing to do, except sadly nobody does it. It doesn't reduce security, just the opposite.. Maybe not an obvious statement, so let's think. There is a card terminal, that is connected to a cash register, which is connected to a whole bunch of other systems where card data needs to go through before getting processed. Your chances of a successful attack?: compromise 1 out of 10 systems. Connect it directly to processing centers via the internet -- your chances to be successful 1 out of 1! Far less likely. /* let's not start saying that should be SSL protected, of course; that's obvious. Don't connect to internet without SSL protection.. */
    5. Encryption is the magic bullet (somewhat).. But.. most of the encryption standards governing the use of encryption in payments are really new. So if you're as big and have been in business for longer than 3-4 years, you probably need time to migrate. There is no "easy button" to enable encryption
    6. Someone as big as these guys, probably had really good security in place to begin with. That doesn't stop a determined attack clearly -- but just calling them out without knowing details is ....
    If you are a consumer and you don't use your credit card, you are just being silly. You have zero liability (by law it is $50). Why do you care? Not your problem. Let the system which pays for the risk of your card compromise figure out the best way to provide security. Might as well earn points.. Yes, losing card numbers is a hassle, but.. there are benefits
    If you are a security guy claiming that there is some magic bullet that is so obvious that you know and folks at Target don't -- you are being silly. I am sure Target folks are pretty smart (determined attackers still pose a problem), either that or you clearly don't know implementation challenges

    1. Re:Lots of misinformation by Todd+Knarr · · Score: 1

      One thing though: your direct financial liability is $0, but that doesn't help much when you need to use your card and a crook's run it over-limit with a fraudulent charge. Take a real example from my life: I'm a full day's drive from home, I had to have several hundred dollars of repairs done to the coolant system on my car, if I can't pay for them the dealership won't release my car to me so I can get home and since it's at the tail end of the trip I don't have nearly that much in emergency cash in my wallet. I may not be liable for the fraudulent charge, but the credit-card company isn't going to front me money for hotel or food or lost time at work since I won't be making it back on time or any of the other costs I'll incur because of the fraud. If it's a debit card and the money came out of your checking account it can be even worse: bounced rent checks, bounced utility-bill payments, the hassles of clearing all that up and it's going to have consequences regardless (the landlord doesn't have to care why the check bounced, just that it bounced).

  29. shame by Anonymous Coward · · Score: 0

    i like shopping at Target. I hope debit cards aren't affected.

  30. Target has its own crime lab for Christ-sakes! by Anonymous Coward · · Score: 0

    Apparently they care more about them losing money, than you losing money.

  31. Target??? by xvan · · Score: 1

    For non US citizens... WTF is Target, apart from ungoogleable?

  32. card data on public nets by Anonymous Coward · · Score: 0

    card data is allowed on public network as long as it is encrypted.

  33. Social Security has no security on purpose by Anonymous Coward · · Score: 0

    If you had a REAL account at Social Security, it would have always had some sort of PIN code to go along with an account number (just like any bank box has a key... an idea NOT unknown in the 1930s). Social Security "accounts" however, are not actually accounts at all.... all the money goes into one big pool and then the executive branch spends all the money in that pool on day-to-day government operations (leaving an electronic I.O.U. in place of the money). The government is forbidden by law from investing the money into the markets where it would grow, and nothing would be gained by stuffing it into mattresses at the White House. When you retire and start drawing money from your "account", the government just gives you cash taken from younger taxpayers. What most do not realize is that the Supreme Court ruled long ago that the federal government is under absolutely NO obligation to ever give you ANY money from your "account" because it is not actually an account and you do not actually own it.

  34. Chip and pin? by Anonymous Coward · · Score: 0

    i thought the US already has chip and pin technology on their debit cards. http://en.wikipedia.org/wiki/EMV just saying.

    cheers

  35. Naughty, naughty... by ysth · · Score: 1

    Naughty, naughty, Amazon

  36. Can't authorize without network connection by sjbe · · Score: 1

    You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

    Because you need to connect the card reader to the credit card company network, which is not internal to Target or any other retailer. If you don't have a real time connection to the merchant service provider you cannot authorize the purchase. You can do it over a phone line but that is much slower. Storing credit card data locally with a merchant is generally a REALLY bad idea if it isn't actually necessary. Merchants generally have little to no expertise in data security and there are plenty of examples to prove it.

  37. Sounds way too familiar :/ by hurfy · · Score: 1

    If anyone who knows this stuff is interested, this sounds exactly like recent problems at a bunch of the local grocery stores. URM stores (most all local grocery stores that aren't national chain) in Spokane had the same problem. It sounded like some terminals were compromised there also and you can't just drop a skimmer on top of those. Serious enough they stopped taking cards on normal cash registers and only used a single dial-up in each store for most of a week....

  38. But you are still out the cash by sjbe · · Score: 1

    Well, Wachovia was eventually eaten by Wells Fargo. They did return my money after about two weeks - it just took going through their fraud investigation stuff.

    But that is the problem. With a credit card you don't have to recover anything. While in most cases you will get the money back from debit card fraud you still are out the cash in the mean time and there is some chance you won't get it back at all.

    1. Re:But you are still out the cash by philip.paradis · · Score: 1

      You've missed the actual core problem, which is a deeper matter of client-customer relations in the banking industry. Leaning on credit card constructs for relief is a bad idea for many reasons, the most notable of which is a severe glossing over of implicit accusatory concerns on the part of financial institutions when they stand to lose a buck. Reference my other reply for more detail.

      --
      Write failed: Broken pipe
  39. One size fits all by sjbe · · Score: 1

    Card everyone makes it much simpler than having to make a guess.

    Doesn't make it a good policy. Simple one-size-fits-all policies that do not allow for common sense are rarely a good idea. I would never allow anyone to scan my driver's license to buy a game. That is simply none of their business. I might show it to them for security purposes for my credit card but they only get to look, nothing more.

  40. A credit card is a reusable password by impeachsarbanes · · Score: 1

    A good security practice is to avoid reusable passwords where possible, particularly for accounts where money is involved. Another security practice is to avoid reusing the same password at multiple sites.

    A credit card number is a reusable password. It gives access to money. Thanks to the payment card industry (PCI) we're supposed to trust this reusable password at all the vendors where we shop? And trust that each of those vendors will keep their card processing devices and back end systems secure from external and internal intrusion?

    Meanwhile, instead of eliminating the reusable passwords, PCI passes the risk on to card accepting companies by imposing hundreds of security standards on each card accepting company (see www.pcisecuritystandards.org). Failure to comply means increased credit card transaction fees or prohibition from processing credit cards.

    As a customer, I prefer using credit cards to cash for the convenience and record keeping value. As an IT guy, I've spent many evenings and weekends working to comply with PCI standards to protect these static reusable passwords from compromise.

    A better solution would be to eliminate the static reusable credit-card passwords from existence.

  41. Re:NPR: Brian Krebs broke this story by Anonymous Coward · · Score: 0

    Krebs is awesome! If you are into security at all and don't read his blog, start now. He's always one of the first on the story, and brings incredible research and inside information every time.

  42. Just comparing by sjbe · · Score: 1

    You've missed the actual core problem, which is a deeper matter of client-customer relations in the banking industry.

    I didn't miss the core problem because I didn't address it at all. I merely compared the relative merits of debit cards versus credit cards when it comes to recovering from fraudulent transactions the way things stand now. You will get no argument from me that the current fraud "prevention" setup is more than a little absurd.

    Personally I don't really understand why anyone would use a debit card if they do not have to. I'm not saying they don't have their uses but I think the risk versus reward for them is not favorable. Use a credit card, pay cash, or even write a check. With my bank I don't even have a debit card. I just have a card that lets me get cash from an ATM and I use a credit card for everything else. For me there is really no upside to a debit card.

  43. Letter from Target by Anonymous Coward · · Score: 0

    I received my "letter" email from Target this morning that I may be one of the lucky 40 million. Pretty standard PR stuff about my need to monitor my account and where I can go for more information.

    The only issue I actually have is that they are spreading incorrect information in their FAQ at the end of the email. I quote:

    "Is the CVV code the same as the three digit code on the back of my card?
    No, the CVV code is not the same as the security code on the back of your card. As of now we have no indication that the three digit code on the back of the card has been impacted."

    This is not correct. The CVV code is the generic term for the 3 or 4 digit code printed on the front or back of the card depending on if it is Visa, MC, Amex etc.

    This value is represented on both Track1 and Track2 of the mag stripe as "discretionary data". See http://en.wikipedia.org/wiki/Magnetic_stripe_card for more info.

    This ain't my first rodeo. I am a PCI compliance officer for a retailer and both a CISSP and PCI ISA.
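The comment above describes where fields sit on the magnetic stripe tracks. A practical defender's use of that layout is the PCI DSS requirement that full track data must never be stored after authorization, which means POS and application logs should be scanned for it. The following is an added example written for this page, not code from the commenter or from Target, that detects ISO/IEC 7813 Track 1 and Track 2 strings in log text. The log lines are constructed for the example: the PANs are the well-known Visa and Mastercard test numbers, and the cardholder name, dates, service codes and discretionary data are invented. The scanner reports only a masked PAN and the length of the discretionary field, so its own output does not become another copy of the card data.

```python
"""Scan text (for example POS or application logs) for magnetic stripe track data.

PCI DSS forbids storing full track data after authorization, so this kind of
check belongs in log review and debug-dump triage. Track layouts follow
ISO/IEC 7813 (summary constructed for this example):

  Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
  Track 2: ;<PAN>=<YYMM><service code><discretionary data>?

Only masked PANs and the *length* of the discretionary field are reported.
"""
import re

TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual PCI display rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> list:
    """Return one finding per track match, without echoing the sensitive fields."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
            for m in regex.finditer(line):
                findings.append({
                    "line": lineno,
                    "track": track,
                    "pan": mask_pan(m.group("pan")),
                    "luhn": luhn_valid(m.group("pan")),
                    "expiry": m.group("exp"),
                    "service_code": m.group("svc"),
                    "discretionary_len": len(m.group("disc")),
                })
    return findings


# Constructed sample log. The PANs are the public Visa/Mastercard test numbers;
# the name, dates, service codes and discretionary data are invented. Line 1
# shows a correctly masked PAN, which must not trigger; line 4 is a digit run
# in track layout that fails the Luhn check, reported but flagged.
SAMPLE_LOG = """\
2013-11-29 08:14:02 pos03 auth ok amount=42.17 pan=411111******1111
2013-11-29 08:14:05 pos03 DEBUG raw=%B4111111111111111^DOE/JANE^15121011234567890?;4111111111111111=151210112345678?
2013-11-29 08:15:11 pos07 DEBUG raw=;5555555555554444=1609201999900000?
2013-11-29 08:15:12 pos07 DEBUG raw=;1234567890123456=1512101000000000?
2013-11-29 08:15:13 pos07 auth declined amount=9.99
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        flag = "" if f["luhn"] else " (Luhn check failed, likely a false positive)"
        print(f"line {f['line']}: track {f['track']} data, PAN {f['pan']}, "
              f"{f['discretionary_len']} discretionary chars{flag}")
```

Run against the constructed log it reports four hits: Track 1 and Track 2 on line 2, Track 2 on line 3, and a Luhn-failing Track 2 candidate on line 4, while the masked PAN on line 1 is ignored. The Luhn filter keeps the regex from flagging arbitrary digit runs such as timestamps or serial numbers that happen to sit between a semicolon and a question mark.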