Slashdot Mirror

← Back to Stories (view on slashdot.org)

Target Has Major Credit Card Breach

Posted by samzenpus on from the you're-the-target dept.

JoeyRox writes "Target experienced a system-wide breach of credit card numbers over the Black Friday holiday shopping season. What's unique about this massive breach is that it didn't involve compromising a centralized data center or website but instead represented a distributed attack at individual Target stores across the country. Investigators believe customer account numbers were lifted via software installed on card readers at checkout." Also at Slash BI.

6 of 191 comments (clear)

  1. Re:don't connect everything to the internet! by Nyder · · Score: 4, Interesting

    You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

    Will they ever learn?

    Guess maybe i'm not thinking. They do need to verify that cards are correct, so they do need some internet access, though they could do it over the phone.

    Well, i guess they will still need to rethink the security of this.

    Seems to me they readers only need to communicate with a computer in the store, then that computer could do the verifying. Might be a little slower, but would probably be a lot more secure.

    --
    Be seeing you...
  2. Chip and Pin by the+eric+conspiracy · · Score: 4, Interesting

    You would think that these breaches would get the US to update it's security practices.

    1. Chip and Pin credit cards.
    2. Separate authentication and authorization in the SS system.

    1. Re:Chip and Pin by IamTheRealMike · · Score: 4, Interesting

      AFAIK with Chip-and-PIN, you would need a lot more time with the card, some expensive hardware, and some reverse-engineering skills instead of just click-the-copy-button skills.

      Actually it's better than that. Nobody knows how hard it is to clone an EMV card because I'm pretty sure it's never been done (by the non-banking industry). All the attacks on EMV that have been mounted are things like obscure protocol attacks that could be detected by the bank, attacks on very old first generation cards that didn't have CPUs inside them, attacks on weak random number generators inside ATM's and the other sorts of attacks you'd expect to see on an enormous and widely deployed cryptographic system. There have been a few amusingly convoluted social engineering schemes as well.

      Some say EMV is the largest crypto system in history, larger even than SSL, and that would not surprise me. But what nobody has reported so far is cloned cards (at least not cloned DDA cards which is what most of the industry is using now for some time already).

      The idea that EMV is broken or security theater is an idea pushed by exactly one group, AFAIK, the research group at Cambridge. They've done great work researching flaws in the system and ensuring public sector bug research keeps up with the criminal worlds research, but they also love making dramatic press releases and getting their names on TV, so every time they discover a new (invariably patchable) weakness, they declare it's game over and the entire system is worthless. Not so.

  3. Re:don't connect everything to the internet! by Charliemopps · · Score: 3, Interesting

    About 10 years ago I used to work for ATT in their "VPN" section. Basically they had a private VPN on their network that was specifically designed for this sort of situation. The data lines were extremely small, like 8k (they could be bigger if desired) and were used almost exclusively by cash registers. These would connect via the VPN to their primary network. Not only was an attack of the VPN difficult, with an 8k transfer rate it would be pretty difficult to send much up to them anyway. I assumed this was how all stores operated but apparently not target.

  4. Re:don't connect everything to the internet! by operagost · · Score: 3, Interesting

    PCI compliance says you can't have an open network port available in public areas. That is, if you have a network jack on the floor where people can use it without having their specific MAC authorized, then you're non-compliant.

    If Target is PCI compliant, then this is an internal breach.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  5. Re:don't connect everything to the internet! by Anonymous Coward · · Score: 2, Interesting

    I've heard from a couple sources, which I'm trying to find citations for again, the breach was due to a pushed update from the POS provider. It isn't mentioned in the majority of the reports, so I don't know if it's because there's no truth in that or the information was not in the official release to prevent potential backlash before coming to a solid finding.