Target Has Major Credit Card Breach
JoeyRox writes "Target experienced a system-wide breach of credit card numbers over the Black Friday holiday shopping season. What's unique about this massive breach is that it didn't involve compromising a centralized data center or website but instead represented a distributed attack at individual Target stores across the country. Investigators believe customer account numbers were lifted via software installed on card readers at checkout." Also at Slash BI.
Well with a name like that, I've been avoiding them for years. Can't hurt to play safe.
You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.
Will they ever learn?
You would think that these breaches would get the US to update its security practices.
1. Chip and Pin credit cards.
2. Separate authentication and authorization in the SS system.
Extremely unlikely that something of this scale and magnitude could've been done without inside help. This is not like the guys who put a card skimmer on the gas pump at the corner gas station.
IT admins at Target are probably getting grilled by FBI as we speak.
I only paid cash because it was such a trivial amount - under ten dollars - but I should make a point of doing it more often. I've been a victim of this before, when they targeted Office Max several years ago. Wiped out $1300 from my checking account. Thankfully, Wachovia's fraud department paid back every penny, including overdraft fees, but it was just awful for that month it took to get resolved to have to borrow money to pay bills since I didn't have a credit card.
So has Walmart, etc. No cash-register software is secure.
The inconvenience of getting a new credit card is karma for making Target employees work on Thanksgiving and Black Friday.
The problem with chip and pin is that it still isn't impervious to hacking, yet the customer is now responsible for preventing fraud. At least with the US system systemic fraud is a problem for the banks, even if transactional risk is placed on the merchant.
You have to establish where the endpoint of trust is for the user, and where that point is for the merchant. Everything in between is untrusted. One approach is escrow, and the other extreme is mutual authentication and authorization.
But security is hard. {sigh}
Serious? Seriousness is well above my pay grade.
Hello AC. It is extremely noticeable you have cited nothing to support your inflammatory anecdote.
One-time pad is far more secure; the information gathered would have been useless, as it only applies to a transaction Target would have already processed.
How is this comment rated 4, whereas the correct information, the parent, is currently only rated 2?
Recent? Target put its eggs in the offshore and "prevailing wage" H1-B workers years ago. They have a bit of a reputation in the market as a result. Their divorce from Amazon onto their own web platform turned out pretty poorly and it resulted in the CIO abruptly exiting the company.
It wouldn't surprise me if /. user KrazyDave was behind the whole plot... and subsequently trying to plant false stories to divert attention.
I went into a Target a couple years ago to buy a copy of GTA IV, and they insisted on scanning the barcode off the back of my driver's license. I refused to allow them to scan my driver's license, and they refused to sell me the game. (I'm 50 years old and with a grey beard, so it wasn't to be sure that I was old enough.) I haven't been into a Target since, so this story is no problem for me! :)
Target appears to be a massive H1B user, at least based on the people I see streaming in and out of their office buildings. So I'm not sure that paying for proper IT admins is part of their business plan.
I stopped using credit cards at retail a long time ago because I was sick and tired of having my credit card numbers stolen every few months. And, these days there are always the privacy implications, knowing that government is collecting every transaction you make with a credit card.
National Public Radio (http://www.npr.org/blogs/thetwo-way/2013/12/19/255415230/breach-at-target-stores-may-affect-40-million-card-accounts) says that the story was first reported by Brian Krebs, who writes the "Krebs on Security" blog. (http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/)
NPR and other news outlets are only reporting the story because Target put out a press release (http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores) that confirmed that the breach happened.
of private industry doing it better than the government.
If the story does have the details correct, meaning their POS terminals were somehow compromised, then Target must have some type of central server that the terminals call into to see if there are software updates, because I don't see any physical way so many terminals could be compromised. With that, the terminals could be reprogrammed to first send the authorization request, but then send a second message out with all the needed information, which indicates an inside job.
USA is exceptional, and has been so since at least 1776.
http://en.m.wikipedia.org/wiki/American_exceptionalism
Nothing is new about this; it's the same scam as, or identical to, what hit Home Depot in 2012.
Slashdot is an American website. Might as well get used to it.
I see in many of the comments that the probable method of attack was sniffing the outbound traffic... but what if the hack was embedded in a firmware update on all the cash registers? The cash register gets the CC number from the POS keypad, right?
Bingo.... when I buy gas and pay at the pump, I *always* use credit option. If a skimmer got my PIN code I'm on the hook for all charges. With a credit card, the skimmer can still nab me, but I'm not on the hook. Funny thing is, if someone stole my wallet, they'd have the zip code that the CC auth wants. Not secure at all.
We mean the Target based in the nation with 314 million people, not 23 million. It's the same one with a $16 trillion GDP, not $1.6 trillion.
For non US citizens... WTF is Target, apart from ungoogleable?
One thing though: your direct financial liability is $0, but that doesn't help much when you need to use your card and a crook's run it over-limit with a fraudulent charge. Take a real example from my life: I'm a full day's drive from home, I had to have several hundred dollars of repairs done to the coolant system on my car, if I can't pay for them the dealership won't release my car to me so I can get home and since it's at the tail end of the trip I don't have nearly that much in emergency cash in my wallet. I may not be liable for the fraudulent charge, but the credit-card company isn't going to front me money for hotel or food or lost time at work since I won't be making it back on time or any of the other costs I'll incur because of the fraud. If it's a debit card and the money came out of your checking account it can be even worse: bounced rent checks, bounced utility-bill payments, the hassles of clearing all that up and it's going to have consequences regardless (the landlord doesn't have to care why the check bounced, just that it bounced).
You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.
Because you need to connect the card reader to the credit card company network, which is not internal to Target or any other retailer. If you don't have a real-time connection to the merchant service provider you cannot authorize the purchase. You can do it over a phone line, but that is much slower. Storing credit card data locally with a merchant is generally a REALLY bad idea if it isn't actually necessary. Merchants generally have little to no expertise in data security, and there are plenty of examples to prove it.
If anyone who knows this stuff is interested, this sounds exactly like recent problems at a bunch of the local grocery stores. URM stores (most all local grocery stores that aren't national chains) in Spokane had the same problem. It sounded like some terminals were compromised there also, and you can't just drop a skimmer on top of those. Serious enough that they stopped taking cards on normal cash registers and only used a single dial-up in each store for most of a week....
Well, Wachovia was eventually eaten by Wells Fargo. They did return my money after about two weeks - it just took going through their fraud investigation stuff.
But that is the problem. With a credit card you don't have to recover anything. While in most cases you will get the money back from debit card fraud, you are still out the cash in the meantime, and there is some chance you won't get it back at all.
Carding everyone makes it much simpler than having to make a guess.
Doesn't make it a good policy. Simple one-size-fits-all policies that do not allow for common sense are rarely a good idea. I would never allow anyone to scan my driver's license to buy a game. That is simply none of their business. I might show it to them for security purposes for my credit card, but they only get to look, nothing more.
A credit card number is a reusable password. It gives access to money. Thanks to the payment card industry (PCI) we're supposed to trust this reusable password at all the vendors where we shop? And trust that each of those vendors will keep their card processing devices and back end systems secure from external and internal intrusion?
Meanwhile, instead of eliminating the reusable passwords, PCI passes the risk on to card accepting companies by imposing hundreds of security standards on each card accepting company (see www.pcisecuritystandards.org). Failure to comply means increased credit card transaction fees or prohibition from processing credit cards.
As a customer, I prefer using credit cards to cash for the convenience and record keeping value. As an IT guy, I've spent many evenings and weekends working to comply with PCI standards to protect these static reusable passwords from compromise.
A better solution would be to eliminate the static reusable credit-card passwords from existence.
Indeed, and it's why I traded my debit card for a couple of credit cards. Quite a few years back a woman watched me drunkenly punch my PIN into an ATM. She later stole the card and a book of checks and emptied my bank account -- and I had just bought my car and the $1000 down payment bounced, leading me to a bit of legal trouble.
The forged checks the bank made good, but if someone has your PIN, even if they stole it, they're authorized to use the card even if they stole that as well.
When I use my credit card, the most I can lose is fifty bucks. I can take that kind of loss (hell, I just paid the veterinarian $277 for a sixteen-year-old cat).
You've missed the actual core problem, which is a deeper matter of client-customer relations in the banking industry.
I didn't miss the core problem because I didn't address it at all. I merely compared the relative merits of debit cards versus credit cards when it comes to recovering from fraudulent transactions the way things stand now. You will get no argument from me that the current fraud "prevention" setup is more than a little absurd.
Personally I don't really understand why anyone would use a debit card if they do not have to. I'm not saying they don't have their uses but I think the risk versus reward for them is not favorable. Use a credit card, pay cash, or even write a check. With my bank I don't even have a debit card. I just have a card that lets me get cash from an ATM and I use a credit card for everything else. For me there is really no upside to a debit card.