Slashdot Mirror


Target Admits Data Breach May Have Up To 110 Million Victims

Nerval's Lobster writes "Retail giant Target continues to drastically downplay the impact of the massive data breach it suffered during December, even while admitting the number of customers affected is nearly twice as large as it had previously estimated. Target admitted today the massive data breach it suffered during the Christmas shopping season was more than twice as large and far more serious than previously disclosed. A Jan. 10 press release admits the number of customers affected by the second-largest corporate data breach in history had increased from 40 million to 70 million, and that the data stolen included emails, phone numbers, street addresses and other information absent from the stolen transactional data that netted thieves 40 million debit- and credit-card numbers and PINs. 'As part of Target's ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach' according to Target's statement. 'This theft is not a new breach, but was uncovered as part of the ongoing investigation.' The new revelation does represent a new breach, however, or at least the breach of an unrelated system during the period covered during the same attack, according to the few details Target has released. Most analysts and news outlets have blamed the breach on either the security of Target's Windows-based Point-of-Sale systems or the company's failure to fulfill its security obligations under the Payment Card Industry Data Security Standard (PCI DSS)."

213 comments

  1. I have to get better sources apparently... by Anonymous Coward · · Score: 0

    ...because I thought I read somewhere that they only grabbed PINs. So they *DID* get hold of actual credit card numbers? If so, yes, that's pretty bad... I always thought that if they ONLY had PINs, then it wasn't too terrible, at least not as bad as having the actual credit card numbers.

    1. Re:I have to get better sources apparently... by Anonymous Coward · · Score: 5, Informative

      They got mag stripe data which allows them to print copies of the cards. The PINs were supposedly encrypted with 3DES (which isn't exactly robust) though Target has been less than forthcoming about any real details so I don't trust their claims. And if the one-time keys were sent to the PIN pads with each transaction, and the hackers were sniffing network traffic (which is what I suspect for them to have gotten every part of every CC/DC transaction), then they got the keys on their way into the PIN pads and the encrypted PINs on the way out.

      The additional customer records (some of which I assume overlap the RedCard holders whose CC's were nabbed in the first breach announcement) may be from target.com, or from RedCard applicants (approved and denied), or the gift registry and maybe even the pharmacy.

      We haven't seen the end of this yet. And Target will be dealing with the legal, regulatory and civil fallout from this for years. Talk about flushing away hundreds of millions of dollars.

    2. Re:I have to get better sources apparently... by Z00L00K · · Score: 2

      In a proper solution the dealer like Target shall not even have access to the unencrypted identification data, that shall be passed between the terminal and the bank or payment handler encrypted and the dealer shall only need to get "approved" or "denied" back for the request.

      In addition to this - magnetic stripes are obsolete, they were introduced during the 70's. Modern cards have a chip which is harder to duplicate. Not impossible, but a lot harder. Almost all terminals in Europe handle chips, and all major European banks provide cards with chips these days.

      Of course - credit card identification data should be considered an ID theft and that should be a capital crime. It would sure deter at least some criminals when they know that they will face Madame Guillotine.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:I have to get better sources apparently... by Joce640k · · Score: 2

      The PINs were supposedly encrypted with 3DES (which isn't exactly robust)

      Stop repeating those crappy news sites. There's nothing wrong with 3DES.

      DES is one of the few cyphers which has never shown a weakness in the algorithm. Yes, it has a small key size, hence 3DES. The only real reason not to use it is software performance (DES was designed for hardware implementation, not software).

      https://en.wikipedia.org/wiki/Data_Encryption_Standard#Replacement_algorithms

      --
      No sig today...
    4. Re:I have to get better sources apparently... by DarkOx · · Score: 1

      That "encrypted with 3DES" thing has bothered me too, it does not make much sense unless they mean the filesystem the database is on or something. Otherwise how do you effectively cipher a 4 digit pin with 3DES?

      Yes some databases can cipher tables, but that isn't really helpful against an online attack where the table is already unlocked.

      Ideally you would store the ciphered values and the application layer would have the key, which leaves you with needing to make sure you select unique IVs for every PIN otherwise you will have lots of repeated cipher texts with some known plain texts and lots of pins will be exposed quickly and easily.

      All in all without more detail and given this appears to have been an online attack, I don't have much confidence that those PINs are secure against even the most amateur crypto analysis ( if they did not actually get them in the clear to start with, again possible even likely given the access vectors ) for longer than hours.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
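
Added example, not part of the original thread or of any commenter's post: the effect DarkOx describes above, where PINs encrypted under one key without a per-record IV give repeated ciphertexts that a single known PIN unlocks. The 64-bit Feistel cipher is a toy stand-in for 3DES (which Python's standard library lacks); the key, customer names, PINs and padding byte are all constructed for illustration.

```python
import hashlib
import hmac
import os

KEY = b"constructed-demo-key"  # constructed value, not a real key
ROUNDS = 4
BLOCK = 8                      # 64-bit block, the same size DES/3DES uses

# Constructed sample data: customer -> PIN.
CUSTOMERS = {
    "alice": "1234", "bob": "1234", "carol": "0000",
    "dave": "1234", "erin": "0000", "frank": "9876",
}


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function for the toy Feistel network.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in range(ROUNDS):
        left, right = right, xor(left, round_fn(key, i, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        left, right = xor(right, round_fn(key, i, left)), left
    return left + right


def pad_pin(pin: str) -> bytes:
    # Pad the PIN digits to one full block (padding byte is an assumption).
    return pin.encode("ascii").ljust(BLOCK, b"\xff")


def store_without_iv(pin: str) -> bytes:
    # Weak: same key, same PIN -> same ciphertext in every row.
    return encrypt_block(KEY, pad_pin(pin))


def store_with_iv(pin: str) -> bytes:
    # Corrected: a fresh random IV is mixed in before encryption and
    # stored in front of the ciphertext, so equal PINs no longer match.
    iv = os.urandom(BLOCK)
    return iv + encrypt_block(KEY, xor(iv, pad_pin(pin)))


def load_with_iv(blob: bytes) -> str:
    iv, ct = blob[:BLOCK], blob[BLOCK:]
    return xor(iv, decrypt_block(KEY, ct)).rstrip(b"\xff").decode("ascii")


def build_table(store) -> dict:
    # Encrypt every constructed customer's PIN with the given store function.
    return {name: store(pin) for name, pin in CUSTOMERS.items()}


def pins_exposed(table: dict, known: dict) -> dict:
    # Rows whose stored value equals that of a row with a known PIN.
    # No key is needed: equality of ciphertexts is enough.
    by_ct = {table[name]: pin for name, pin in known.items()}
    return {name: by_ct[ct] for name, ct in table.items()
            if ct in by_ct and name not in known}


if __name__ == "__main__":
    known = {"alice": "1234"}  # one PIN known to the observer
    weak = build_table(store_without_iv)
    fixed = build_table(store_with_iv)
    print("distinct ciphertexts, no IV:  ", len(set(weak.values())))
    print("distinct ciphertexts, with IV:", len(set(fixed.values())))
    print("exposed without IV:", pins_exposed(weak, known))
    print("exposed with IV:   ", pins_exposed(fixed, known))
```

With only 10,000 possible four-digit PINs, the table without IVs can never hold more than 10,000 distinct ciphertexts, which is why a count of distinct values in such a column is a quick audit check.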
    5. Re:I have to get better sources apparently... by Anonymous Coward · · Score: 0

      "DES is one of the few cyphers which has never shown a weakness in the algorithm."

      You should stop reading wikipedia for your info. DES is woefully weak, hence triple DES, which is 168 bits long and has yet to be cracked.

      I am not even going to bother to post links since there are so many. Google "DES cracked" and take your pick.

    6. Re:I have to get better sources apparently... by LifesABeach · · Score: 1

      Why doesn't everyone just admit the painfully obvious, "Someone has blown the doors off of the Target Cyber Security Walls." Ignoring that this affects 45% of the U.S.; this personal wet dream called, "Target" should be facing criminal charges.

      Personally, I am hoping that those responsible for this theft never sleep in the same bed twice.

    7. Re:I have to get better sources apparently... by Joce640k · · Score: 1

      You should stop reading wikipedia for your info. DES is woefully weak, hence triple DES, which is 168 bits long and has yet to be cracked.

      Short key != weakness in algorithm.

      DES has never been "broken".

      --
      No sig today...
    8. Re:I have to get better sources apparently... by Anonymous Coward · · Score: 0

      The additional customer records (some of which I assume overlap the RedCard holders whose CC's were nabbed in the first breach announcement) may be from target.com, or from RedCard applicants (approved and denied), or the gift registry and maybe even the pharmacy.

      It could be worse than that.

      Companies routinely purchase name/address/email information.

      You could be a victim of this data theft without ever having any sort of "relationship" with Target whatsoever.

    9. Re:I have to get better sources apparently... by Anonymous Coward · · Score: 0

      They got mag stripe data which allows them to print copies of the cards.

      I think the big problem for Target would be if their stored value (gift) card data was also compromised. Since the data flows through the same systems, it is likely.

      Credit card issuers know how to get to cardholders, so they can replace cards. Target has no way that I can think of to track down gift card holders to send them a replacement card.

      The people stealing the data can use the gift cards online or actually print cards to use in-store, depleting the value to zero.

      Imagine the PR nightmare of your grandkid being told they cannot buy that iDevice because there is no value remaining on their shiny new gift card.

  2. Target needs to be sued by Anonymous Coward · · Score: 1

    By the major credit card companies for gross negligence and conspiracy for fraud.

    1. Re:Target needs to be sued by Mashiki · · Score: 3, Insightful

      Negligence perhaps, but where's the conspiracy that applies to fraud? Are you saying that Target is the benefactor of the said breach?

      Really, the companies in the states are just starting to roll out chip&pin like the rest of the world, while not a perfect system by any stretch, it's a hell of a lot better than magstrip only. If you're going to go negligence, I'd start right at the top with the CC companies who've been dragging their feet for the last 5 years.

      --
      Om, nomnomnom...
    2. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      I think the fraud outrage is driven by the storage of that much personal financial information. I can't see any reason why they would store that information at all once the charge clears your account... unless the theft happened in real time.

    3. Re:Target needs to be sued by Waffle+Iron · · Score: 5, Insightful

      By the major credit card companies for gross negligence and conspiracy for fraud.

      No, the major credit card companies need to be sued by the entire US population for setting up the entire credit card processing system in this nation to be a sick security joke. A plaintext number embossed on a plastic card available for every restaurant waiter to jot down? Give me a break.

      The only piece of sensitive info used during a credit card transaction should be a private key that stays inside a tamper-resistant chip embedded inside my credit card. Everything else should be encrypted, and not even seen by parties such as waiters or Target.

    4. Re:Target needs to be sued by bloodhawk · · Score: 1

      Stupidity does not equal fraud

    5. Re:Target needs to be sued by pcwhalen · · Score: 3, Interesting

      In the period of time between Black Friday and Dec. 17, when Target says this all went down, if they were open 12 hours a day, that's one card every 3 seconds.

      Oh, wait. that was when they claimed it was 40 million names.

      No way this was real time. Target must have been data mining.

      --
      Pay no attention to the man behind the curtain with all your metadata.
    6. Re:Target needs to be sued by Anonymous Coward · · Score: 1

      Negligence perhaps, but where's the conspiracy that applies to fraud? Are you saying that Target is the benefactor of the said breach?

      Really, the companies in the states are just starting to roll out chip&pin like the rest of the world, while not a perfect system by any stretch, it's a hell of a lot better than magstrip only. If you're going to go negligence, I'd start right at the top with the CC companies who've been dragging their feet for the last 5 years.

      Please stop contributing to this abuse of the word "benefactor." A benefactor is one who gives. A beneficiary is someone who gains.

    7. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      and the stupidity isn't entirely target corp's either.. what about all the vendors and contractors that supplied the hardware and much of the software that they use?

    8. Re:Target needs to be sued by aviators99 · · Score: 1

      They don't need to be sued. Their merchant agreements make them liable for fraudulent charges and a fee for each card that has to be reissued. It will be in the billions, for sure.

    9. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      No way this was real time. Target must have been data mining.

      Target stores the CC#/DC# - presumably as a hash - to track return customers. If I use my DC at Target I often get coupons at the register for items I've purchased in the past but have not purchased with my DC recently.

      In order for Target to generate a hash of my DC they need to have it in plain text at some point, which would mean the exposure was in real time. If they stored it but didn't bother hashing it all they probably would have exposed more than 40 million cards.

      This is all speculation based on trusting what Target has claimed (which may or may not be worth the RedCard it's printed on).

    10. Re:Target needs to be sued by LordKronos · · Score: 2, Informative

      Not sure how you figured that. Target has 1921 stores, and is generally open 14 hours per day for the holiday season (8am-10pm). 40 million spread across that and over 19 days comes to 1 transaction every 46 seconds.
      Awesome work with the math. But let me give you one tiny bit of info you might have missed. Did you realize Target is more than 1 store? Actually, 1921 stores to be exact. So that's (let's round up) 20823 per store. Spread over 19 days, that's 1096 per store per day. The stores are open probably closer to an average of 14 hours a day for the holiday season. So that's 78 per hour, or one transaction every 46 seconds. Somehow I think they can manage a bit more than that. Even if you factor in that not every transaction is a credit/debit transaction, I think it's still very believable.

    11. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      If you're going to go negligence, I'd start right at the top with the CC companies who've been dragging their feet for the last 5 years.

      Only 5 years? Are you new to IT?

    12. Re:Target needs to be sued by BringsApples · · Score: 1

      Credit and debt go hand in hand. It's the American dream, in reality. You have a card where you are able to spend money that not only do you not have, but doesn't exist at all. Once enough people are in debt to that system, then money (debt) prints itself. It's the American dreamers that make this possible. Hell, the credit card companies don't even give a shit about theft anymore. They're doing to you, what you originally tried to do to them - have money that doesn't even exist. Except, for them, there are legal benefits to being on their side of the game. And rather than money, they live/exist off of debt.

      Don't forget that all money that's printed, represents a debt. In this way, the credit card companies (basically the elite) live off of debt, not money.

      --
      Politics; n. : A religion whereby man is god.
    13. Re:Target needs to be sued by nwf · · Score: 1

      This is probably the only way it will happen. Well, more realistically Congress will pass a law requiring some poorly thought-up "fixes" and after several iterations of failure, we'll end up with what Europe does. You can't secure a completely insecure system with bandaids, duct tape and PCI (which is nothing more than a liability deferral instrument.) This is going to become more and more common. Frankly, I'm surprised we don't have a report like this every other month.

      Bank routing number and account numbers printed on checks is even worse, though. Writing a check with an amount isn't much more secure than leaving the amount field blank.

      --
      I don't know, but it works for me.
    14. Re:Target needs to be sued by Mashiki · · Score: 1

      Please stop contributing to this abuse of the word "benefactor." A benefactor is one who gives. A beneficiary is someone who gains.

      That much is obvious, so again where is Target the benefactor in the said breach? Where did they *give* something that facilitated the theft of the data that contributed to fraud.

      --
      Om, nomnomnom...
    15. Re:Target needs to be sued by beanpoppa · · Score: 2

      I think the US card companies are actually going backwards. The Amex Blue card that I got 4 years ago had an RFID chip in it. The replacement I just received upon its expiration no longer has a chip.

    16. Re:Target needs to be sued by Mashiki · · Score: 1

      Only 5 years? Are you new to IT?

      Only of the last 18 years or so...and that's saying something. So in Canada we rolled out chip&pin over 5 years ago converting everything (it's been available a bit longer than that). CC companies in the US have been dragging their feet over it for the last 5 years.

      --
      Om, nomnomnom...
    17. Re:Target needs to be sued by beanpoppa · · Score: 4, Interesting

      Not sure why you think credit card companies don't care about fraud. They invest a lot in systems that study CC usage to flag transactions for possible fraud. In the last year, I've had 3 situations where a transaction has been declined until I contact the CC to verify that they are legitimate transactions. You might not feel that they do enough, but they certainly have an effort. There is just a point of diminishing returns where they've decided that it's not worth the extra effort to get fraud down below a certain level.

    18. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      A plaintext number embossed on a plastic card available for every restaurant waiter to jot down? Give me a break.

      Who cares? It's the bank's money not mine. I don't know of a single person that has been held liable for the insecurity of credit cards. I would NEVER trust the security or lack thereof in a credit card. The number is also in plaintext on the easily reprogrammable magnetic stripe on the back. It's the credit card companies that have weighed the cost/benefit analysis on the security of credit cards not the individuals.

    19. Re:Target needs to be sued by mysidia · · Score: 1

      Stupidity does not equal fraud

      No, but the above poster may be attempting to make an argument for shared guilt. That Target's negligence was so severe that it facilitated frauds which other actors will be committing, to the point of "aiding and abetting" the criminals who stole the numbers and other data and are in the process of hocking them for fraudulent use.

    20. Re:Target needs to be sued by BringsApples · · Score: 4, Interesting

      Well, point taken. But not long ago, a friend's card was stolen, so he cancelled it. The next month, he got a bill from the credit card company. It appeared that the thief went and filled up his gas-tank, as well as either a buddy's, or a boat or something, 3 Fridays in a row, same gas station, roughly same time of the day. The credit card company assured him that he wasn't expected to pay, and that they'd cancelled the card. Next month, same thing, roughly same amount, roughly same time, same day (Friday) same gas station. Again he called, same response - "no worries". Next month, same thing. Finally he told them, "Hey look, this guy's going to be there next Friday at about [whatever time it was], why not just have the cops waiting?" They basically told him that sometimes it takes a while before the gas station pumps are capable of registering that the card is bad/cancelled, and that there was no need to alert the police.

      To me, this is an indicator that they don't care. I mean, that card was their property, and they knew that it was being used illegally, and yet they didn't want to get the police involved. I mean, it's not a shit-ton of money, maybe $400/month, but for 3 months? Of course, this may just be a 'bug' in their system, to do with gas tanks specifically, and maybe now that bug is fixed. But the people that he spoke with on the phone never had a doubt in their minds as to what to tell him. They never had to ask a manager, or anything like that. As though that type of thing happens a lot, and they knew how to 'handle' it.

      --
      Politics; n. : A religion whereby man is god.
    21. Re:Target needs to be sued by Waffle+Iron · · Score: 1

      Who cares? It's the bank's money not mine. I don't know of a single person that has been held liable for the insecurity of credit cards.

      Fixing the problem involves time and stress on the part of the customer. Time and stress are money to me.

      I would NEVER trust the security or lack thereof in a credit card. The number is also in plaintext on the easily reprogrammable magnetic stripe on the back.

      The magnetic strip is just as idiotic as the embossed number. A non-idiotic system would only use tamper-resistant chips and encryption, as I originally stated. While probably not impossible to hack, it would be orders of magnitude harder than current US cards. More importantly, two-bit merchants like Target would no longer be able to siphon off transaction-enabling cleartext data through their vulnerable systems.

      It's the credit card companies that have weighed the cost/benefit analysis on the security of credit cards not the individuals.

      Hence, as I mentioned, the need for them to get soundly sued by everyone who has been affected by this breach. The credit companies are in sore need of a major attitude adjustment.

    22. Re:Target needs to be sued by EvilSS · · Score: 1

      PCI compliance is involved, so no lawsuit is required. The PCI fines (levied by the PCI Security Standards Council, and Target is contractually obligated to pay) are $90 per account. Do the math on that for a second.

      Now I'm sure there will be some negotiating going on but still, it's probably going to be a really big check they end up writing.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    23. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      that qualifies as negligence not fraud or aiding and abetting

    24. Re:Target needs to be sued by Artifakt · · Score: 1

      Some 'tiny little portion' of my taxes were spent recently in bailing out some banks. Enough credit card fraud, and I'm totally confident the 'too big to fail' bunch will be back at the public trough asking for more of my taxes soon. At least a good chunk of the money these banks are risking now is tax money they got in the bailout, not their own money. It doesn't matter if I trust the card system, or even have a credit card at all. So, do you pay taxes? If so, why don't you care?

      --
      Who is John Cabal?
    25. Re:Target needs to be sued by Charliemopps · · Score: 1

      They saved money by telling their customers that they were PCI compliant and they really weren't. Fraud.

    26. Re:Target needs to be sued by The+Grim+Reefer · · Score: 1

      Stupidity does not equal fraud

      Unless it's Sony. We still hate them, right? ;-)

    27. Re:Target needs to be sued by gweihir · · Score: 1

      It is not a benefactor of the breach. But it is a benefactor of lowering investment into IT security far below what was reasonable. (Or it was rather. Now they are paying for that stupidity...)

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    28. Re:Target needs to be sued by Fnord666 · · Score: 2

      I think the US card companies are actually going backwards. The Amex Blue card that I got 4 years ago had an RFID chip in it. The replacement I just received upon its expiration no longer has a chip.

      I got one when they first came out. It even came with a card interface to hook it up to your computer. They were trying their own thing if I recall, not EMV. They had a lot of grand plans for it, but they never actually did anything with it.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    29. Re:Target needs to be sued by JLennox · · Score: 1

      Have the police at the station asking to see the name on the credit card people are swiping?

      I'm not sure we allow that, for good reason.

    30. Re:Target needs to be sued by Fnord666 · · Score: 1

      No, the major credit card companies need to be sued by the entire US population for setting up the entire credit card processing system in this nation to be a sick security joke. A plaintext number embossed on a plastic card available for every restaurant waiter to jot down? Give me a break.

      Exactly right. Until those responsible for designing/implementing the system are held liable for its failure, nothing is going to change. Unfortunately the CC companies have very deep pockets and can stash a lot of legislators in them so don't expect any legislative shift in liability any time soon. Any significant change will have to come from the Judicial branch through civil suits or from the people themselves.

      I wonder what would happen if everyone cut up their credit cards and just started paying cash for things? Maybe we could start with a campaign to get people to pay cash on Tuesdays? Just one day a week to get things rolling.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    31. Re:Target needs to be sued by Z00L00K · · Score: 1

      The CC companies are equally guilty - they should remove the magnetic strip and at least use an already implemented technical solution with chips on the cards.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    32. Re:Target needs to be sued by DigiShaman · · Score: 1

      I won't debate the math on that, but from my own personal experience shopping at Target, each transaction takes about 3 minutes on average. Sometimes you have that person that's only buying one or two things; typically 1 minute from being greeted by the clerk to being handed the receipt and goods. Other times, I've been stuck behind someone with a cart of 30+ items. That person then proceeds to fumble paying with cash and putting the rest of credit cards. That lasted about 6 minutes.

      --
      Life is not for the lazy.
    33. Re:Target needs to be sued by stoploss · · Score: 1

      Only 5 years? Are you new to IT?

      Only of the last 18 years or so...and that's saying something. So in Canada we rolled out chip&pin over 5 years ago converting everything (it's been available a bit longer than that). CC companies in the US have been dragging their feet over it for the last 5 years.

      I believe I read once that the chip & pin regime causes the burden of proof for fraud to fall on the account holder. As in "prove these charges on your account weren't you". Right now in the states, the burden of proof does not lie with the account holder, so if this reversal of liability with chip & pin is true then I would not consider chip & pin an "upgrade"/improvement.

      Right now, I give not a fuck about credit card fraud because I am charged nothing if it happens (I'm only slightly inconvenienced by having to wait for the issuance of a new card). If I am potentially liable for fraud when someone defeats the security of the chip & pin point of sale device, but I can't prove it, then no thanks.

    34. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      FYI: Assume an average of 6 lanes open (my local Target has well over a dozen lanes open during peak hours; I think it's 20 actually) at 4.5 minutes per transaction (averaging your 3 and 6), that works you to an average throughput of 45 seconds per customer (270 seconds / 6 customers in parallel).

      (Yeah, 6 lanes is probably a bit optimistic for an average, but 4.5 minutes per transaction is likely equally pessimistic.)

    35. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      They would have to change the law first. The law as it stands says account holders are only liable for the first $50 of fraud.

    36. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      I get your point and I share your frustration on this but the problem is that the bank doesn't have an incentive to do anything about it. The bank isn't ultimately out the money when this happens (granted, I do believe they have to cover the costs of issuing a new card, but that's probably noise to them), it's going to be the gas station. The bank will instruct Visa/MC/etc. to chargeback the fraudulent charges to the merchant.

      I'd be curious about this gas station though.. The only plausible way that the card is not going to be denied in that situation is if they're doing offline transactions. Otherwise, an online transaction with a cancelled card should be immediately declined.

    37. Re:Target needs to be sued by Mashiki · · Score: 1

      RFID and Chip & Pin are two different beasts. Chip & Pin is the same as smartcard chips, RFID hasn't really caught on in Canada either.

      --
      Om, nomnomnom...
    38. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      Putting rootkits onto CDs is fraud, not stupidity.

    39. Re:Target needs to be sued by BringsApples · · Score: 1

      That wouldn't have been necessary. It looked like some person got off work (around 5pm), and went and filled up their vehicle, and a boat, or some other large-capacity vehicle.

      And I'm not sure if you've ever noticed, but cashiers are supposed to match the name on your license with the name on whatever credit card you're purchasing with. What would be different here?

      --
      Politics; n. : A religion whereby man is god.
    40. Re:Target needs to be sued by gl4ss · · Score: 1

      well, ignoring the security standards actually is fraud.

      that's the whole point...

      --
      world was created 5 seconds before this post as it is.
    41. Re:Target needs to be sued by Mashiki · · Score: 1

      I believe I read once that the chip & pin regime causes the burden of proof for fraud to fall on the account holder.

      Perhaps in the states, but in Canada and the rest of the world, my cardholder agreement (TD Canada Trust, CIBC, and Presidents Choice) openly states that the burden of proof falls on the bank. This is doubly true with the new cards that are backed by Visa, not only are you not held accountable under the protection of the fraud agreement on the card with that, but you're also not held accountable by the bank at all.

      --
      Om, nomnomnom...
    42. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      I won't debate the math on that, but from my own personal experience shopping at Target, each transaction takes about 3 minutes on average. Sometimes you have that person that's only buying one or two things

      So... if each Target only had one cash register, your point might be valid.

    43. Re:Target needs to be sued by foniksonik · · Score: 1

      And which Target do you go to where there's only one checkout line? I'll be sure to avoid that one.

      Btw 6 min / 6 lanes = 1 min (keeping it easy for the math challenged).

      The Targets I go to have at least 20 lanes plus several POS in electronics. That still seems like I'm under estimating.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    44. Re:Target needs to be sued by JoeMerchant · · Score: 1

      I interviewed at a "secure credit card transaction software" company, they were struggling to find competent programmers, no surprise since they pay their top guy 1/2 of what I make as a medical device software engineer. I doubt they are all such shoe-string operations, but as it is, they struggle to do things like validate billing zip codes. Have you ever miskeyed your zip code at a POS? I have a few times, sometimes it rejects the transaction, sometimes not.

      Upgrade of the infrastructure to work on secure keys kept in tamper _resistant_ chips on the cards, while entirely possible, even simple, from a technical perspective, would involve the creation of thousands of new jobs, and destruction of thousands more. It becomes a political issue, and is unlikely to move forward without national level political (legislative) backing / mandate. That will take time - decades, unless real harm comes to enough people who matter to the legislators. It doesn't help that the legislators can understand how the current system works, and probably don't understand how a secure key is actually better.

      The plastic number embossed on the card is a mimic of the routing and account numbers printed on the face of paper checks - it's an honor system, enforced by threat of criminal punishment. It's impressive how well it works with the massive international use of credit cards to transfer money.

      There have been scofflaws since the days of hanging pickpockets, and there will continue to be even after credit cards become more technically secure.

    45. Re:Target needs to be sued by JoeMerchant · · Score: 1

      Fraud is a business, billions are made annually by people who protect, prosecute and defend against fraud.

      If you suddenly cut fraud by 50%, lots of honest people would be hurt.

    46. Re:Target needs to be sued by JoeMerchant · · Score: 1

      Having the police stake out a gas station for several hours will cost more than the company is losing in theft.

      If you really want to lose money, catch those two criminals, prosecute them and put them in jail for 5 years - now you've cost the taxpayers $1M+.

    47. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      Every Target I go to has 12-20 Lanes, but they only have one open register.... God I hate Target. They do hire cute girls though.

    48. Re:Target needs to be sued by Jawnn · · Score: 1

      The police have more important things to do than chase down credit card thieves, like chasing down mp3 and video pirates.

    49. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      Show me an article that details the attack sufficiently to show that Target was actually negligent.

      Obviously they were hacked, but you can still get hacked even if you follow best practices. Maybe they didn't, but that hasn't been borne out in the news at least.

      Isn't perhaps part of the problem that we're still using payment card technology from the pre-Internet era?

    50. Re:Target needs to be sued by David_W · · Score: 1

      And I'm not sure if you've ever noticed, but cashiers are supposed to match the name on your license with the name on whatever credit card you're purchasing with. What would be different here?

      I'm pretty sure that's wrong. From what I've read, you "cannot" be required to show an ID when purchasing with a credit card, unless you haven't signed the back. This is the first link I found that seems to back that up.

    51. Re:Target needs to be sued by BronsCon · · Score: 1

      They gave the gaping hole the data was sucked through.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    52. Re:Target needs to be sued by BronsCon · · Score: 1

      Unless there are more people fighting fraud than there are victims of it, cutting fraud by 50% would mean the number of people now *not* hurt by fraud outweighs the number of people hurt by reduced fraud. Unless you're also counting perpetrators of fraud as parties hurt by the reduction of fraud. Reducing the occurrence of literally anything hurts someone, somewhere, in some way; it's a balancing act to determine the level at which the benefit, overall, is maximized in relation to the damage done elsewhere. Stamping out fraud altogether would get more people using the cards in more places, for more transactions; the fraud investigators would simply find new roles, fraud victims would no longer exist, and the only ones "hurt" by this would be the fraudsters, who, in reality, would simply move on to some other scam; likely one where the victim has an opportunity to stop the fraud before it happens.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    53. Re:Target needs to be sued by JoeMerchant · · Score: 1

      Take a look around, what's the ratio of homeland security and related support personnel to actual terrorists?

      In the 1930's we could build parks and clean up highways to get people working...

      Fraud investigators, prosecution and defense attorneys, security firms, etc. don't want the disruption of having their life-long careers de-valued. They're honest, hardworking people, why should they be hurt? The defrauded are (mostly) made whole by the operation of the system, the "guilty" are punished - why should that change? /sarcasm

      1 million lawyers at the bottom of the ocean is only a good start, but I doubt I'll ever see the day we even put 100,000 lawyers out of work with a piece of legislation.

    54. Re:Target needs to be sued by BronsCon · · Score: 1

      Not sure what homeland security and terrorism have to do with this, and your analogy doesn't even fit; rather than considering the ratio of good-guys to victims (as in the post you're replying to), you're considering the ratio of good-guys to bad-guys, which is a fallacy, at best, even if only because it's hard to call homeland security "good-guys". But, you did manage to follow up with a good bit of sarcasm, so, there's that.

      Have you not been following along? The guilty are rarely punished; just in these comments, alone, I can identify more than a handful of "I handed them the perp and they refused to prosecute" stories. If they don't bother with the ones that get handed to them, what makes you think they go after the ones they have to work for?

      Totally agree with that last bit about the lawyers, though.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    55. Re:Target needs to be sued by BronsCon · · Score: 1

      Oh christ... I totally acknowledged that the 3rd paragraph of GP was sarcasm, then proceeded to attack it anyway. I think I need to go back to sleep...

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    56. Re:Target needs to be sued by JoeMerchant · · Score: 1

      Yeah, I rarely use the /sarcasm tag, but it seemed necessary this time...

      What I'm saying is that there are large portions of society that are essentially parasitic, feeding off of conflict and misery that could be avoided, but rather than fix the root cause problem, they band-aid it and profit. They have entrenched interests and will rigorously oppose anything that might fix the root cause problems, because that would put them out of a living - and for the people who say they could do something else... think, after you've built a 20+ year career in a field, if that field is suddenly made irrelevant by a structural change to society that eliminates the problem you have been salving for decades, would you really want to start over as best you can in "a related industry" - alongside all your displaced comrades who are flooding the market? You might do better starting over with "you want fries with that?"

      So, in this case, sure credit card numbers could be harder to steal, but how many "honest, hardworking" people would that hurt? In a related topic, over half of credit defaults could be avoided by denying credit to the 1% least creditworthy applicants - but that will never happen because those are the people that banks make most of their profits from.

      To me, a huge root cause of this crony capitalism is the creation of laws by lawyers. If we passed a law today that any person who sits for a bar exam, in any state or country, from January 1, 2015 forward shall ever-after be barred from holding public office, federal, state or local, in any legislative or executive capacity (let them be Judges), and also barred from lobbying for legislative change in any capacity - it's not as complete or perfect a solution as taking them all out and killing them tomorrow, but, I'd wager that by 2115, we would have significant structural improvements in the laws, tax codes, and many other aspects of society that have been jury-rigged by the lawyers to serve their own self-interests. Call it juris-legislative separation - the modern extension of separation of church and state.

    57. Re:Target needs to be sued by BronsCon · · Score: 1

      Save for your earlier flawed analogy... I find your ideas interesting and would like to subscribe to your newsletter. I don't think our views are too far in disagreement to be reconciled; we just have different means of expressing them.

      So, where to start lobbying for these new laws? I actually think we'd see changes in our own lifetimes, rather than your 100-year timeline.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    58. Re:Target needs to be sued by Mashiki · · Score: 1

      Okay sure. But again, that's theft of the data. Are you saying that you're responsible if someone steals a knife from your kitchen and goes on a stabbing spree?

      --
      Om, nomnomnom...
    59. Re:Target needs to be sued by JoeMerchant · · Score: 1

      Start a movement, but for this to work it would really need to happen at least at a state level, preferably federal. The first hurdle is that you will find >50% of the lawmakers voting on the proposal will be lawyers, sons of lawyers, etc. You'll need to get some kind of explosive viral adoption of the campaign that will shock and awe the change into being before the lawyers have a chance to launch a counter-appeal for public opinion. You'll need people who are far more talented and experienced than I am to pull that off, and who also are not self-interested in keeping lawyers' lives posh - the list of qualified individuals will be short, and you'll have to be careful when building it lest you tip-off the other side and give them a head start.

      Best of luck, and if you fail, maybe you could re-direct your efforts toward saving the planet:

      http://5050by2150.wordpress.com/

      That concept, too, could be better expressed and promoted, it lacks mass appeal - but addresses a problem that is inevitable as long as positive population and economic growth continues.

    60. Re:Target needs to be sued by BringsApples · · Score: 1

      You're probably correct, but who signs the back of their credit cards anymore?

      --
      Politics; n. : A religion whereby man is god.
    61. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      Yes, because he literally said so in those exact words. Right there in between "Learn to read English" and "you yellow cunt".

    62. Re:Target needs to be sued by BronsCon · · Score: 1

      No, but you're responsible if you know there are people looking for knives to go on stabbing sprees in your area and you leave one in plain view on your front porch like Target did.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    63. Re:Target needs to be sued by BronsCon · · Score: 1
      Replying twice because... what the fuck, man?

      But again, that's theft of the data.

      Uh, yeah, and that's what you were asking about.

      Where did they *give* something that facilitated the theft of the data that contributed to fraud.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    64. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      it's probably going to be a really big check they end up writing.

      We're talking about corporate damages here. Target will likely end up writing a very small check a decade or two from now.

      Exxon was penalized $5B when the Valdez spilled half a million barrels of oil in 1989. Every couple of years the penalty gets lowered.

      As of 2010, Exxon had distributed a little over $500k dollars, which they contend is a significant penalty considering the monies they spent on cleanup of their oil. It should also be noted that Exxon received over $750k from the insurance company insuring the oil during transport.

    65. Re:Target needs to be sued by Anonymous Coward · · Score: 0

      They're costing the credit card company or the gas station ~400 per month for this card alone. How many others have they cloned?

  3. Wait.... What?! by Lukano · · Score: 2

    Target just managed to 'Oh... our bad, a bunch of other systems and avenues were also hacked.... well before the system(s) we're talking about now were hacked.....'... and this isn't a bigger deal?

    Contradict me if I'm wrong, but are they not talking out of the side of their mouths to say that they'd been breached earlier, and only knew it now / only divulged it now?

    1. Re:Wait.... What?! by JoeMerchant · · Score: 1

      Sounds right to me... if you want to go all conspiracy theory on it, they may have known about the earlier breaches which would have made them look really bad and engineered the last one as a sort of shock and awe pity PR move to cover their incompetence.

  4. That's the whole country by TrumpetPower! · · Score: 5, Interesting

    According to the Census Bureau, there're about 115 million households in the US. Target has basically admitted that the theft amounts to their entire database.

    I'd like to think that this would mean the end of the credit reporting rackets; how can anybody even pretend any more that that data is meaningful when this sort of fraud is taking place? But I also wanted to think that the Snowden revelations would have meant the end of the NSA, so clearly I'm not somebody anybody is paying or should pay attention to.

    Cheers,

    b&

    --
    All but God can prove this sentence true.
    1. Re:That's the whole country by rmdingler · · Score: 2

      Well, there were significant breeches in the Canadian Targets, IIRC, so I suspect we're talking about multiple nationalities credit data.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    2. Re:That's the whole country by psithurism · · Score: 1

      Snowden revelations

      Hmm, have the stolen credit cards been used or are they just sitting in a warehouse somewhere? Maybe the NSA is relevant to the current story?

      I'm just asking questions!

    3. Re:That's the whole country by Anonymous Coward · · Score: 0

      I don't think it's reasonable to assume that one household has no more than one buyer at Target (I'm not sure what the actual conversion rate would be, though). They also have locations in Canada and India. Not sure how extensive their India operations are (and also not sure if this breach extends to Indian customers).

      Still I don't doubt that it's effectively their entire database.

    4. Re:That's the whole country by Anonymous Coward · · Score: 0

      Target continues to insist that Canadian stores / customers were not affected. Given the recent disclosures I don't believe them, but cannot find any source that doesn't simply parrot the Target spokespeople. Do you know where you heard about the Canadian breeches? Thanks

    5. Re:That's the whole country by Anonymous Coward · · Score: 1

      For what it's worth, the population of the US as of 2012 is roughly 314 million. Target lost a fuckton of card information.

    6. Re:That's the whole country by rueger · · Score: 1

      You're right in suggesting that Canadians almost certainly also had their data stolen.

      Aside from that, one correction. This story deals with security breaches.

      These are Canadian breeches.

    7. Re:That's the whole country by girlintraining · · Score: 1, Troll

      According to the Census Bureau, there're about 115 million households in the US. Target has basically admitted that the theft amounts to their entire database.

      *facepalm* A household is not the same as an individual. And most people own not one card, but an average of about 3.7. Currently, over 391 million credit card accounts exist in the United States. 115 million equals 29.4% of that. Further, I don't know what you consider "their entire database", since the census bureau tracks the number of households and other population data, not the number of valid credit card numbers Target has. But let's not quibble over details...

      I'd like to think that this would mean the end of the credit reporting rackets; how can anybody even pretend any more that that data is meaningful when this sort of fraud is taking place?

      Yes, let's just give up and go back to checks -- nobody ever committed fraud with those! Oh wait, they did? Umm, how about just cash transactions? Damn! Foiled again. Umm, gold? Wait, you can fake gold? How about the barter system? They got to that too? I guess I'll just have to move into the mountains, far away from any other person, and live off the land like our ancestors did, forsaking all advancements of civilization.

      Or I could come up with some kind of social framework, something with a nice ring to it, like the Rule of Law. Sounds impressive. Let's go with that.

      But I also wanted to think that the Snowden revelations would have meant the end of the NSA, so clearly I'm not somebody anybody is paying or should pay attention to.

      You know, mentioning Snowden or the NSA in any reference to civil liberties or privacy should invoke some kind of response similar to Godwin'ing a thread. "You know who else liked data breaches..." Snowden didn't have any "revelations". The revelations were that there's a spy agency that (wait for it) spies on people. It's like saying Microsoft develops software is a revelation. And no, the NSA didn't just implode because some cheeky twenty-something dropped drawers and mooned them, anymore than Target's going to simply shutter up and crawl into a corner to die quietly in retail exile.

      It may be exceedingly inconvenient that people can say and do stupid things with such regularity and suffer no long-term effects but that's about it. If you're expressing surprise or admonishment over this state of affairs, you clearly need to get out more.

      --
      #fuckbeta #iamslashdot #dicemustdie
    8. Re:That's the whole country by TheGratefulNet · · Score: 4, Insightful

      Snowden didn't have any "revelations". The revelations were that there's a spy agency that (wait for it) spies on people.

      I normally like and agree with your posts, but here you are pretty far off-base.

      what snowden taught us is that the nsa is totally out of control and going WAY beyond their charter.

      yes, that is information we did not have before and it's powerful information.

      --
      "It is now safe to switch off your computer."
    9. Re:That's the whole country by goodmanj · · Score: 1

      Meh. Canada is, in this as in most other things, negligible. (Sorry, guys. You know I love you but there's just not enough of you to make a difference.) Target really just opened in Canada this year, and their retail sales there amount to less than 1% of their total business.

    10. Re:That's the whole country by Jeremi · · Score: 3, Insightful

      Yes, let's just give up and go back to checks -- nobody ever committed fraud with those!

      I like a reductio ad absurdum as much as the next guy, but I think a better response would be to move forward to something more secure. I'm sure you or any other Slashdotter could think of something clever, but at the very least we could do what every other country does and put security chips in the credit cards.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    11. Re:That's the whole country by girlintraining · · Score: 1

      I normally like and agree with your posts, but here you are pretty far off-base.

      This just in: If somebody who you normally agree with disagrees with you, you should consider not reflexively assuming they're "pretty far off-base"... they may in fact have an equally valid position that simply isn't the same as yours.

      I know everyone on slashdot wants to have Snowden's babies... but there are other opinions of him out there that are defensible. I don't think the NSA is out of control, I think Congress is.

      --
      #fuckbeta #iamslashdot #dicemustdie
    12. Re:That's the whole country by Anonymous Coward · · Score: 1

      Also, people saying that everyone knew they were doing this stuff already are missing the point that it's still illegal.

    13. Re:That's the whole country by rossdee · · Score: 1

      Canadians have been known to come south to buy stuff, e.g. Grand Forks and Fargo

    14. Re:That's the whole country by Anonymous Coward · · Score: 0

      GIT is hands-down the very worst authoritarian apologist on these boards. The amount of time she has to spend on it makes me think of astroturfing. Consider altering your opinion.

    15. Re:That's the whole country by TubeSteak · · Score: 1

      I find it interesting that the wiki page on chip and pin vulnerabilities http://en.wikipedia.org/wiki/EMV#Vulnerabilities only goes up to 2011.
      The last news report on security vulnerabilities in chip and pin schemes (that I can find) seems to be late 2012:
      http://www.nbcnews.com/id/49020916/ns/technology_and_science-security/t/criminals-crack-european-chip-and-pin-cash-card-security/

      I found this quote to be the opposite of comforting

      In their paper, the Cambridge researchers asserted that, based on their conversations with bankers, "banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."

      "Denied refunds" seems to have been the main benefit from banks switching over to chip and pin.

      --
      [Fuck Beta]
      o0t!
    16. Re:That's the whole country by Anonymous Coward · · Score: 0

      GIT is hands-down the very worst authoritarian apologist on these boards. The amount of time she has to spend on it makes me think of astroturfing. Consider altering your opinion.

      What?! "Worst authoritarian apologist", really?

      "Her" posts are full of sophistry and specious reasoning, but really only reach 2.7 on the Cold Fjord scale of pro-authoritarianism (which, FYI, is like the Richter scale and is logarithmic).

      GIT is more of the "iron fist with a velvet glove" coercive, meddling statism/collectivism type: the "my ideas of how you should live your life are so good that we should enforce them with the threat of institutional violence under color of law", vs. the red, white, and blue fascism of Cold Fjord.

      GIT is just a karma whore.

      Cold Fjord gave his soul to the government.

    17. Re:That's the whole country by evilviper · · Score: 1

      No, the Snowden leaks weren't any new information. If you think so, you're utterly ignorant of the world around you. EFF.org has a timeline of all the revelations, back to 2003.

      I was stunned the leaks got the traction in the press that they did, when it was public knowledge already. The one good thing they accomplished was to un-stall the years-old EFF court case against the fed, since they couldn't claim state secrets, anymore.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    18. Re:That's the whole country by Anonymous Coward · · Score: 0

      Of course, if they got Canadian customers as well, then that shows that a more "secure" card (which I'm assuming the enlightened Canadian banks are using) won't do a bit of good when it's the store's database that is hacked.

    19. Re:That's the whole country by JoeMerchant · · Score: 1

      I don't actually think the NSA was "off base" but I do think they were/are "out of control" - meaning: I don't necessarily disagree with what they did, but I do disagree with them doing it without the oversight and control that is supposed to be in place.

      If the NSA was transparent with the American people about what they are doing, and the American people could get behind the idea that it is a necessary and good thing to protect their self interests, then I support them going forward and collecting all the data they can and using it to stop the real bad things from happening.

      What everybody is worried about is "losing their privacy" so that all the laws that they break on a regular basis might get enforced on them. Right now I'm thinking of a particular gentleman who has never been arrested, has all his concealed carry permits and has weaponized all his vehicles and home as permitted by law, and also happens to drive while drinking from open containers that often contain alcohol. He's never been written up for anything worse than speeding, but if his privacy were breached, he might be prosecuted, jailed, and even lose his right to bear arms (which might bother him more than jail, to hear him talk about it.) With his privacy in-place, he can continue to be respectable and "never arrested" and look down his nose at those who have been arrested and jailed. There are many, many other ways people break the law every day that could be exposed by a shift in "privacy" and significantly change their future liberty.

      The problem with the NSA doing what they did out of the chain of command is that they will come into possession of information that is potentially very valuable in the form of blackmail. I'm not saying that this did happen, but if it goes on long enough, it will, eventually, be determined, by the agency "out of control," that - in the name of national security - some people might need to be coerced to do something they might not do without the threat of releasing certain information. That kind of protection, I do not want.

    20. Re:That's the whole country by Anonymous Coward · · Score: 0

      I don't think the NSA is out of control, I think Congress is.
       
      Hmmmm... One obeys the constitution while the other one has billions of violations of the civil rights of American citizens. Which is out of control again?
       
      Stupid fat fucking goth cunt, you have no vision.

    21. Re:That's the whole country by Hognoxious · · Score: 1

      Well, there were significant breeches in the Canadian Targets

      It's cold up there, so heavy trousers would be a popular item.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    22. Re:That's the whole country by Anonymous Coward · · Score: 0

      According to the Census Bureau, there're about 115 million households in the US. Target has basically admitted that the theft amounts to their entire database.

      It's fairly clear that Target's entire database was compromised. Unless you assume the crackers ran a query to select only the "best" addresses.

      To assume the data theft affected almost every single household in the US makes 2 assumptions not in evidence: (1) Target has a relationship with 95% of all households, and (2) Target keeps only one record for every household, which is highly unlikely, and counter-productive to highly targeted marketing.

      The most likely scenario is that Target has multiple records for most households (husband, wife, 7 teenage children, elderly parent).

      The sad part is that there are likely many people with compromised data that never had any real relationship with Target (neither cardholder, nor registered website users). For decades companies have been purchasing name/address information from all sorts of people trying to make a quick dime. Target would be no different.

    23. Re:That's the whole country by girlintraining · · Score: 1

      What everybody is worried about is "losing their privacy" so that all the laws that they break on a regular basis might get enforced on them.

      Close but no cigar. This has been a problem since the 1950s when the FBI engaged in numerous high-profile attacks against political undesirables, setting up constant surveillance. The simple truth is, everyone's a criminal. We always have been. The laws don't exist to promote fairness and justice, but order, and that's a very different thing than the first two. Order is essentially subservience to authority. Anyone who is different, atypical, abnormal, politically undesirable, a minority, poor, etc., is considered a blight upon the landscape of the perfectly ordered society and should be informed and then manipulated, exploited, or otherwise forced into ceasing to be visible in public. Law enforcement is not fair, or impartial, or anything else. It is highly biased, racist, and generally filled with first rate assholes... because frankly, that's what society wants.

      The problem with the NSA is not the NSA. The problem with the NSA is our cultural attitudes, which the NSA is an institutionalized abstract of. We are, in a fashion, the reason for the NSA's existence and at the same time the target of its operations. If you look at it in terms of creating order (irrespective of the morality and ethics of said activity) then everything that's happening makes sense in a clear and straightforward fashion.

      There's no need for conspiracies, no need to discuss liberty, no need for martyrs or heroes, no finger pointing about who is out of control, and who's not doing their job, etc., etc. It's all very simple: We created the problem. We just don't like the consequences. It's like this -- watch someone you don't like suffer, and you don't generally ask if it's fair. It's that feeling, motivation, and aspect of humanity, that has created all the problems referenced within.

      "The bigs hit me, so I hit the littles. That's fair."
      -- Every bully. Ever.

      --
      #fuckbeta #iamslashdot #dicemustdie
    24. Re:That's the whole country by Anonymous Coward · · Score: 0

      It's only logical that the backlash comes now, after everyone feels "safe again." Self-regulation via the political (read: popularity / popular vote) system. Blow up a few more big buildings and they will get turned loose again.

      As long as there is public scrutiny, the political system can work - with some inertia and response time, but it can respond. If these things are permitted to operate in secret, it lengthens the response time and increases the magnitude of "shock" when correction finally does come. I prefer the U.S. society we live in today to pretty much any other that I have learned about via history, travel, etc. Some of that could be a successful propaganda system at work, but regardless of that, I'd like us to avoid "large shocks" to the system if we can.

  5. JFC by rmdingler · · Score: 1

    Are you kidding me.?.?. it's like a five-year-old lying about something he did, letting the truth slip out a little bit at a time.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:JFC by Anonymous Coward · · Score: 0

      Just like the NSA lying about the scale of its spying until they were forced, time after time, to admit the truth.

      It's easy to see what role model Target are using...

      (After all, if it's good enough for Government, it's good enough for them.) :-(

  6. Credit cards need overhaul by Anonymous Coward · · Score: 0

    Validating a purchase with a single number is an outdated concept.

  7. It's an inside job. by Anonymous Coward · · Score: 1

    I worked on these systems and they are all internal: POS to store server to regional server. If it was exposed to the internet, someone went out of their way to be stupid or to steal.

    Any malware on the system was brought to it by key drive or by the Internet connection that nobody knew about.

    This is NOT some dipshit script kiddie - this is an employee who wanted to do harm and get rich.

    1. Re:It's an inside job. by mysidia · · Score: 1

      If it was exposed to the internet, someone went out of their way to be stupid or to steal.

      Must apply Hanlon's razor here. Someone probably did something stupid. Without evidence to the contrary; it could just as easily be a UIT (Unintentional Insider Threat), as an Intended Insider Attack.

    2. Re:It's an inside job. by Anonymous Coward · · Score: 0

      yes cause broadcasting data on a public network instantly means inside job

      shut up retard

  8. Lots of class actions by pcwhalen · · Score: 1, Interesting

    I'm a plaintiff's attorney and I filed before Christmas. Lots of other firms out there with lots of other cases.

    Target should have had at least one sys admin to see that kind of data bump crossing their network while the breach occurred. They advertise for techs that can use Hadoop. They have to understand something about data and bandwidth with 100 million names in a database.

    With that amount of data crossing the servers, shouldn't someone have seen something?

    There's more. Write me if you want info about mine or other cases. target at paulwhalen dot com

    [nothing within this post shall be considered a legal opinion, solicitation or attorney advertising]

    --
    Pay no attention to the man behind the curtain with all your metadata.
    1. Re:Lots of class actions by msmonroe · · Score: 1

      Paul you should probably spend some money to update your web site. ; )
      That comment being out of the way.
      It had to have taken some time to transfer the data, it would seem like there would be plenty of time to catch what was going on.
      All seems pretty negligent. Are the banks going to sue them, after all don't the banks become liable for Target's actions at the end of the day, correct?

    2. Re:Lots of class actions by bloodhawk · · Score: 2

      that isn't actually a lot of data size wise, especially if stolen over a period of time, and no it would be unusual to spot it leaving the network. The data has to be properly secured, trying to detect data leaving your network would be a near impossible task. Don't get me wrong Target have majorly fucked up but your expectations of where this should have been detected are dead wrong.

    3. Re:Lots of class actions by pcwhalen · · Score: 2

      Web site overdue for an update? Guilty. On my to do list for years [and probably years from now].

      Krebs On Security [http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/] says Target was informed of the breach by Visa and Master Card. Target wouldn't have caught it as soon as they did unless they were told.

      Negligent? Er, uh, yup.

      But banks and credit card companies don't sue vendors, their customers. If they did, they would lose customers. Thus, they eat the losses.

      It's the person who just got $900 from their debit card spent fraudulently online that spends hours upon hours plugging the holes and righting the wrongs.

      [See? Lousy HTML skills. Sorry.]

      --
      Pay no attention to the man behind the curtain with all your metadata.
    4. Re:Lots of class actions by pcwhalen · · Score: 1

      You may well be correct and I should not have conjectured. Truly, I have never run Hadoop or any relational data set of any size. Maybe it's something that wouldn't make a dent in bandwidth or come up on some sys admin's radar.

      It is indeed more the question that the data wasn't properly secured that allowed for the loss.

      That's a lot of data, though....

      --
      Pay no attention to the man behind the curtain with all your metadata.
    5. Re:Lots of class actions by Anonymous Coward · · Score: 0

      when dealing with huge datasets, cubes and technologies like hadoop it is easy to be dealing with network flows in the 100's of terabytes on a daily basis. actual raw data for a 100 million people is a drop in the ocean by comparison.

    6. Re:Lots of class actions by nwf · · Score: 1

      That's a lot of data, though....

      I'd bet it's less than 1% of what traverses their network every day. If they are using hadoop for marketing purposes, I'd guess all the CC information for every account in the US is a drop in the bucket in comparison. I'd further bet it compresses well, as does most text, making it the size of a few nice digital pictures of cats.

      --
      I don't know, but it works for me.
    7. Re:Lots of class actions by bloodhawk · · Score: 1

      That's a lot of data, though....

      In data warehouse terms it isn't actually a lot of data at all. I would imagine their data storage would be in the multi petabyte range. a couple of hundred gig could traverse the network in a very short period of time and not even register as an unusually large amount of data.

    8. Re:Lots of class actions by Hamsterdan · · Score: 1

      "It's the person who just got $900 from their debit card spent fraudulently online that spends hours upon hours plugging the holes and righting the wrongs."

      Right on. I've had a 200$ fraud in my account just before the holidays. Royal Bank Of Canada can't access the ATM cameras (they tell me it's not one of theirs). Their argument is since they can't prove it was somebody else using the card, *I* have to eat the losses. Great, and all that time I thought people were innocent until proven guilty in that country.

      --
      I've got better things to do tonight than die.
    9. Re:Lots of class actions by Anonymous Coward · · Score: 0

      when dealing with huge datasets, cubes and technologies like hadoop it is easy to be dealing with network flows in the 100's of terabytes on a daily basis. actual raw data for a 100 million people is a drop in the ocean by comparison.

      Maybe they're seeing 100's of terabytes flow across their INTERNAL network but I'd bet the amount of data sent out to the internet from the breach caused some sort of anomalous traffic.

    10. Re: Lots of class actions by Anonymous Coward · · Score: 0

      Their DLP for DIM should have caught it unless it was encrypted leaving the network. If they had encrypted data leaving the network that they weren't monitoring they were negligent.

      This reeks of an inside job. Someone targeted those POS using a mechanism, likely SCCM. They also got a second unrelated database.

      Was the mag stripe data stored? That's a crime in Minnesota and Target lost that data.

    11. Re:Lots of class actions by queazocotal · · Score: 1

      Name, CC number and details, ...
      This will - minimally at least - compress to about 100 bytes per record.

      5 or 10GB is not a lot of data any more.

    12. Re:Lots of class actions by DarkOx · · Score: 1

      There is absolutely no reason to take CC data out of the transaction system and put it in the data mart. None. I helped build an activity-based costing system for a major retailer: you create a surrogate customer id, and you store the tender type. IDS/IPS sensors should spot PII and CC info leaving the PCI world in bulk going anywhere unexpected, even if it's not much data in terms of network traffic.

      If the environment is properly secured and instrumented, exfiltration should be detected.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
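The content-based check DarkOx describes (key on card numbers leaving for an unexpected destination, not on traffic volume) can be sketched as follows. This is an added example, not code from the thread or from any commenter; the flow record layout, the documentation-range IP addresses, the approved-destination list and the threshold are all constructed assumptions, and it assumes the sensor sees the payload in cleartext.

```python
import re
from collections import defaultdict

# Candidate PAN: 13-19 digits, each optionally followed by one space or hyphen.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload):
    """Return the set of distinct Luhn-valid card-number candidates in a payload."""
    hits = set()
    for m in PAN_CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.add(digits)
    return hits


def flag_bulk_egress(flows, approved_dsts, threshold=3):
    """Count distinct PANs per (src, dst) pair across all flows and return the
    pairs that reach the threshold and whose destination is not approved.

    Counting across flows catches low-and-slow transfers; byte volume is
    deliberately ignored."""
    seen = defaultdict(set)
    for f in flows:
        if f["dst"] in approved_dsts:
            continue
        seen[(f["src"], f["dst"])] |= find_pans(f["payload"])
    return {pair: len(pans) for pair, pans in seen.items() if len(pans) >= threshold}


# Constructed sample data. Card numbers are the public test PANs issued by the
# card brands; addresses are from the RFC 5737 documentation ranges.
APPROVED = {"198.51.100.10"}          # hypothetical payment processor
FLOWS = [
    # Expected traffic to the processor: contains PANs, but destination is approved.
    {"src": "10.1.1.20", "dst": "198.51.100.10", "bytes": 420,
     "payload": "pan=4111111111111111;exp=1512\npan=5555555555554444;exp=1601\n"},
    # Two tiny flows to an unexpected host: under 200 bytes total, 4 distinct PANs.
    {"src": "10.1.1.20", "dst": "203.0.113.77", "bytes": 96,
     "payload": "4111111111111111,5555555555554444\n"},
    {"src": "10.1.1.20", "dst": "203.0.113.77", "bytes": 88,
     "payload": "4012-8888-8888-1881\n378282246310005\n"},
    # Large transfer of 16-digit order numbers that fail Luhn: not card data.
    {"src": "10.2.0.5", "dst": "203.0.113.50", "bytes": 250_000_000,
     "payload": "order=1234567890123456\norder=1234567890123457\n"},
]

if __name__ == "__main__":
    for (src, dst), count in flag_bulk_egress(FLOWS, APPROVED).items():
        print(f"ALERT {src} -> {dst}: {count} distinct card numbers")
```

The 250 MB flow raises nothing while the two sub-100-byte flows do, which is the distinction between volume-based and content-based detection argued over in this sub-thread.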
    13. Re:Lots of class actions by SOOPRcow · · Score: 1

      To play devil's advocate, the person whom you are accusing of fraudulently making charges on to your account is innocent until it can be proven that they are guilty. You're reporting a crime; you're not being accused of a crime and thus the state of your guilt is not in question. A more "appropriate" statement would be "I thought the customer was always right". However, I think we both know that isn't always true either :/

    14. Re:Lots of class actions by Anonymous Coward · · Score: 0

      you make the mistake of thinking it's an admin, those systems are almost always dictated to the shop's bank, some doofus email admin never even sees what's going through BOA's telecom system

    15. Re:Lots of class actions by Osgeld · · Score: 1

      our company produces multiple millions of units of product a year, taking way more information per unit than a credit card transaction

      in the 3 years I have been there we have generated 20 gigabytes of pure plain ascii text

      get a clue

    16. Re:Lots of class actions by msmonroe · · Score: 1

      I had my ATM card information stolen (apparently) and someone was using it as a debit card, charging gas all over LA before my bank froze the account; this was about a year ago btw. I only found out because they froze the account when I tried to use it, ironically it was at Target I think.
      The bank gave me a pretty hard time, trying to get me to admit that I was driving around for hours in LA and buying gas on my debit card, really strange experience with them, I had never used my card that way before.
      They reluctantly put the money that had been stolen back in my account and sent me a new card; I later had to document that I had not given my information to anyone and did not make the charges.
      I have found out though that for a debit card when it is used with the PIN your liability, USA, is $500 but when used as a credit card it is $50. The bank technically didn't have to return all the money. I have since stopped using my debit card as anything but a credit card.

    17. Re:Lots of class actions by msmonroe · · Score: 1

      Ha your HTML skills are fine. ;)

      I am pretty shocked by the revelation that Target was clueless about the breach, makes me angry enough to not want to ever shop there. The 10% off that they offered and a free credit report doesn't seem like enough. It would be nice if they would submit to a third party security audit to verify that steps have been taken to rectify their security issues.

      Funny question, Do you think that it could have been a criminal conspiracy to cover it up by Target?

    18. Re:Lots of class actions by chittychitty!! · · Score: 1

      5 mod points but not a one that says "CONTRITE". I guess it's so rare.... Anyway, +1 CONTRITE.

  9. WTF Target?? by Anonymous Coward · · Score: 0

    OK, H U G E data breach. Who is on that 110MM customer list? Are you planning to notify EVERYONE whose data was stolen? You had better get down and funky and fast and notify EVERYONE.

  10. I was immunized by a 3-year-old! by Anonymous Coward · · Score: 0

    Early in the year I was babysitting a friend's 3-year-old when I opened my wallet and she fell in love with my Mickey Mouse debit card. This past August I had my bank change the number and give me a new card so I could give her my old card.

    I rarely go to Target, and haven't been since well before August. So I was, in effect, immunized by a 3-year-old's love of Mickey Mouse.

    Err, /. may now resume bashing Target...

  11. They declined me ... by TrollstonButterbeans · · Score: 4, Interesting

    Target declined me for a credit card in August and wouldn't tell me why either and I still don't know, so I guess that was a "Good Thing".

    [True story!]

    --
    Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
    1. Re:They declined me ... by Anonymous Coward · · Score: 0

      You'll get a letter in about 3-4 months saying something like "insufficient credit history". Because you need credit history to get credit, which prevents you from getting credit history. Try American Express; they tend to be really good about accepting documentation of employment and income in lieu of credit history.

    2. Re:They declined me ... by Anonymous Coward · · Score: 0

      Except that if you filled out a credit application, they could have all of your personal information.

    3. Re:They declined me ... by nwf · · Score: 1

      Target declined me for a credit card in August and wouldn't tell me why either and I still don't know, so I guess that was a "Good Thing".

      [True story!]

      If you write to them, I'm pretty sure they are required to tell you. Plus, you can get free copies of your credit reports as a result.

      No loss, though. I had one of their CCs and their customer support was so amazingly inept that I cancelled out of frustration. I've never dealt with a CC company with such pathetic customer support. It makes me mad just thinking about it. I can only imagine how well they handled a massive amount of fraud on their cards. Good thing their support is in India or people would have likely shown up with baseball bats.

      --
      I don't know, but it works for me.
    4. Re:They declined me ... by mysidia · · Score: 1

      You'll get a letter in about 3-4 months saying something like "insufficient credit history". Because you need credit history to get credit

      There's a circularity issue there. If you can't send in an application and get credit without credit history, then nobody should have credit....

    5. Re: They declined me ... by Anonymous Coward · · Score: 0

      I remember when I used to be one of the bad guys, I went to an apartment complex and snatched up all of the "does not live here" mail. I came across an un-activated target credit/visa. I called the activation number on the card, mashed zero to speak with an operator and told them I was having problems activating my card and I think they might have the wrong social on file. The operator asked me for my correct social (which I made up on the fly while at a had station post phone none the less) and proceeded to activate the card which had a $5000 limit.... Needless to say a heroin addict can burn up $5000 pretty fast, and never once did I have to call and reactivate the card due to "irregular spending". Needless to say this was over seven years ago (past the statute of limitations); from what I have seen thasn't done much to beef up security.

    6. Re:They declined me ... by Anonymous Coward · · Score: 0

      Holy shit thanks for pointing that out! I was totally unclear on the entire point of that post before you cleared it up.

    7. Re:They declined me ... by DigiShaman · · Score: 1

      There are two types of credit cards: secured and unsecured. The most common credit card is unsecured (we just call them credit cards). That means the card is issued based on a person's credit history and their score. The secured credit card is like a CC with training wheels. It requires funds in the bank to be used as collateral up front. Typically you only need one for the first year to establish a credit history and then graduate to the unsecured variety.

      --
      Life is not for the lazy.
    8. Re:They declined me ... by mysidia · · Score: 1

      There are two types of credit cards: secured and unsecured.

      The concept of a "secured" credit card, makes about as much sense as a mortgage loan requiring you to capitalize an extra 20% fee, and a 100% down payment of the principal being borrowed, in order to get the loan.

  12. target messes with there employees and does not OT by Joe_Dragon · · Score: 2
  13. Good excuse by bob_super · · Score: 4, Interesting

    My wife may finally understand why I want her to stop giving her data to a million different stores in exchange for a 5% discount or 500 bonus miles.

    1. Re: Good excuse by Anonymous Coward · · Score: 3, Informative

      Er this isn't about their super bonus target credit card plus or whatever they call it. This is a database they created of everyone who shopped at target and used any form of credit card. You could just as easily have ended up on the list by using a bank issued debit card.

    2. Re:Good excuse by Anonymous Coward · · Score: 2, Informative

      I don't think you understand. This is pretty much every single credit card used at Target or on target.com over the past few months or year. Or years. They are probably still lying about how many numbers. What pisses me off is that now they've lost names, addresses and a lot of PII data. Fucking Wall Street assholes who don't take security seriously need to be shot.

    3. Re:Good excuse by Anonymous Coward · · Score: 0

      That made zero difference in this case. You're just bitching to hear yourself bitch.

    4. Re: Good excuse by bob_super · · Score: 1

      And the UK porn filter is used to quash file-sharing websites, and 9/11 was used to take down Saddam, and...

      I'm an evil person, and "you can trust retailers' databases security" is hopefully not going to have a better illustration anytime soon.

      At least I'm not conjuring "in this economy" or "think of the children", I'm just carefully wording the truth for her own good.
      No oppressed majority will be enabled to regain power and team up with my enemies in the process.

    5. Re:Good excuse by evilviper · · Score: 1

      If the JC Penney breach didn't do it, why would this one? Was Target the epitome of safety and security in your eyes?

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    6. Re:Good excuse by Shados · · Score: 1

      This probably isn't even anything to do with Wall Street assholes.

      Are you a software developer? Or do you know some? Probably since you're on slashdot.

      Did you or any of them come out of college with the aspiration: "I want to go work for Walmart, Target, or any number of high profile brick and mortar retail chain, it's going to be awesome!!!" (Amazon obviously doesn't count).

      No, you and they didn't. That shit is hard. It's a different kind of challenge, more around integration and dealing with a billion weird rules and laws that change all the time. It's hard and it sucks. Since it sucks, the people with the skill to handle it don't work there. PCI compliance at that tier (it's more complicated the bigger you are) is batshit crazy.

      So sooner or later, the massive amount of second grade IT people they end up hiring (because they end up not having a choice...no amount of money or benefit will get them top grade that they need) fuck up, and this happens.

      They can give 6 monitors, free gourmet lunches, fridays off, 200k a year, top insurance plans and shuttles that pick you up at your door, and STILL no one worth their salt will work there. Greed is the least of their problem.

    7. Re:Good excuse by bob_super · · Score: 1

      Because we shop at JC Penney almost as often as we shop for Ferraris.

      It's not as effective when it hits too far.

  14. Bad Math? by umdesch4 · · Score: 4, Interesting

    The summary says "had increased from 40 million to 70 million", but the title of this post says 110 million. I note that 40 + 70 = 110, so I think somebody parsed it wrong.

    1. Re:Bad Math? by nwf · · Score: 2

      The summary says "had increased from 40 million to 70 million", but the title of this post says 110 million. I note that 40 + 70 = 110, so I think somebody parsed it wrong.

      Probably the people who wrote the obamacare web site.

      --
      I don't know, but it works for me.
    2. Re:Bad Math? by Anonymous Coward · · Score: 0

      I noticed that right away as well as I skimmed the summary and realized there's no *new* info post or linked to that says anything about 110. Someone added the numbers as if it was 40 million originally and now 70 million more for a total of 110 million, when it clearly states it's increased from 40 million to 70 million

    3. Re:Bad Math? by Anonymous Coward · · Score: 1

      No.

      A Jan. 10 press release admits the number of customers affected by the second-largest corporate data breach in history had increased from 40 million to 70 million

      They are (clumsily, I'll admit), stating that the record increased from 40 million to 70 million. The previous record-holder being the 40 million credit cards breached, the new record being the 70 million emails/addresses/etc breached from a different system, totaling: 110 million records. Though there most likely is a ton of overlap so conflating 110 million records with 110 million 'victims' is still kinda dumb.

    4. Re:Bad Math? by Anonymous Coward · · Score: 0

      No, poor reporting by the media in this case. Based on the more reliable security/technology publications, it looks like the situation is really 40 million + (70 million * n) where "n" is the percentage of overlap between the Black Friday victims and what sounds like all customers in Target's marketing databases. Basically, the first event placed 40 million Target customers at risk of credit fraud. The second event placed 70 million Target customers at greater risk of identity theft attempts. If you shop online with Target and receive what looks like an official e-mail from Target - maybe even one with a subject line about the Black Friday incident - wouldn't you be more tempted to open it?

    5. Re:Bad Math? by Anonymous Coward · · Score: 0

      From TFA:

      "That raises the number of compromised accounts to 110 million, not 70 million – 40 million cards and 70 million “guest” accounts from a separate system."

  15. Fact Is by Anonymous Coward · · Score: 0

    if you let this kind of thing happen via lax security, your business should be halted, dissolved, and the proceeds divided between the affected people. Full stop. I'm sick and tired of these bourgeoisie monsters getting away with everything with nothing except their pride damaged.

    1. Re:Fact Is by jeffb+(2.718) · · Score: 2

      And just too bad for the 360K people they employ, nearly none of whom could have known or done anything about this, right?

    2. Re:Fact Is by mysidia · · Score: 1

      if you let this kind of thing happen via lax security, your business should be halted, dissolved, and the proceeds divided between the affected people.

      If it didn't happen to the Comodo certificate authority, who had signed a bunch of rogue SSL certificates: when their whole business model is to be a cert provider of reliable verified trust, then it won't happen to Target.

    3. Re:Fact Is by Anonymous Coward · · Score: 0

      well, as a prior dabbler of the listed 'arts', I took great pride in getting all the customers' info at ALL jobs I worked at. I also know that there are a LOT of peeps in similar positions in EVERY form of business that do this all the time. You can't really stop it, because the mutherfucker in charge does not want to do his job, so he pawns it off on someone under him who gets paid less, so this motivation will always continue.

      ITS ALL GREED BASED... CAPITALISM AT ITS FINEST!!!!

      FUCK THE MAN, man

  16. Re:target messes with there employees and does not by nwf · · Score: 2

    If they are paying their IT staff $10/hr, then I'd expect nothing less. However, I doubt that. The IT staff are probably mostly salaried, which means no OT.

    --
    I don't know, but it works for me.
  17. from the ok-this-time-try-20-percent-off dept. by pcwhalen · · Score: 1

    That's pretty funny. I really have to read the subtitles under the subject lines on /.

    High-sterical. Literal LOL.

    --
    Pay no attention to the man behind the curtain with all your metadata.
  18. Target is the new Kmart by Osgeld · · Score: 2

    Bunch of shit I don't want, one thing I do want they don't have, simple things like brasso

    anyway, I bought 1 thing from target cause the reviews were high and it was the only place I could get it local, now I am tied up in this mess

    between those two it's going to be a cold day in hell before I step foot back in that store

    ps where is this free credit monitoring they offered me almost 3 weeks ago?

    1. Re:Target is the new Kmart by Kardos · · Score: 1

      Go back to cash. There's no risk of identity theft with cash.

    2. Re:Target is the new Kmart by Anonymous Coward · · Score: 0

      But, but... just think of all the benefits you are losing by using cash instead of a card! /apologist

    3. Re:Target is the new Kmart by Osgeld · · Score: 1

      no just the risk of losing cash on the way to or from the car with no chance in hell of ever getting it back

    4. Re:Target is the new Kmart by evilviper · · Score: 1

      I must reluctantly agree with you... There used to be several retailers out there where you could go and buy ANYTHING. Now, it seems they're dropping anything that isn't high enough margin, or a big enough seller. A few years ago I didn't go to Walmart for anything, ever. Then I fought with ridiculous parking to stop by Target, only to find that their 12 rows of shoes had one-half of one aisle dedicated to men, and almost entirely dress shoes.

      Have you ever walked through an entire pet store and found that they didn't even have a spot, anywhere, for flea collars?

      Yes, many retailers are, for all practical purposes, forcing their customers to shop at Walmart. I don't know if it's a side-effect of price matching, or bean counters insisting on all stocked merchandise meeting some silly metric, but whatever the case, they're all dropping the ball, badly.

      I like KMart and Sears, but losing half a billion dollars every year just doesn't bode well for their prospects of being around much longer.

      Heck, maybe I should get some venture capital and open up some brick and mortar "Amazon" stores all over the place.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    5. Re:Target is the new Kmart by Anonymous Coward · · Score: 0

      As with all security issues, this is a matter of balancing risks (rather than completely eliminating them). Losing "all my cash" on a grocery store run is not a financially ruinous event (assuming you don't carry around far more than you need for immediate purchases). In a decade of making all local purchases with cash, I've never yet lost any. Clearing up identity theft can take much more time and effort, with potentially costly ramifications if, e.g., your credit rating gets screwed up and you need loans for a house/car/etc. If you get mugged on a near weekly basis, then carrying around grocery-money cash all the time might be a poor security choice; but that's not the case for a lot of people.

    6. Re:Target is the new Kmart by kaatochacha · · Score: 1

      In the future, there ARE not stores.
      Think Wall-E

  19. Wink And A Nod To NSA by Anonymous Coward · · Score: 0

    Got to give credit where credit is due. :-)

    Using reverse-engineered NSA programs means I can "subvert" 110 million US pennies.

    That is $1,100,000 at current US dollar currency value on world markets!

    Retirement On Easy Street here I come!

  20. Not just December, not just Target by Snotnose · · Score: 1

    1) The breach was discovered in December, sounds like it's been going on for months. 2) I'd be very surprised if Target is the only entity that got breached. I keep waiting to hear "Oh, hey, 'member that Target thing? It's now a Walmart, Sears, TJ-Maxx, and Nordstroms thing".

    1. Re:Not just December, not just Target by Z00L00K · · Score: 1

      It's in that case every outlet in North America regardless of size.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Not just December, not just Target by Anonymous Coward · · Score: 1

      Neiman Marcus also, according to the NY Times.

  21. Blame where it is due by Anonymous Coward · · Score: 0

    Blaming Target for the breach is like blaming the hot chick when she gets raped because she dressed too sexy and "had it coming."

    If you leave your front door unlocked and someone burglarizes your house, it is still the burglar's fault the crime happened.

    1. Re:Blame where it is due by Anonymous Coward · · Score: 0

      There are no doors in the internet, you implement code for communicating or for keeping data. Write some code and watch how it works

  22. class action by Anonymous Coward · · Score: 0

    We here in 'murica are big fans of class action lawsuits and 5 dollar gift cards. Can anyone recommend a good law firm to get this started? ..ethanol.fueled

  23. Am I the only person who doesn't care anymore? by rjejr · · Score: 4, Interesting

    About 20 years ago somebody behind me at a Detroit gas station had their tank of gas billed to my credit card. A few years ago Sony gave it all away. Next year I'm sure there will be another security breach. And the year after that. And the year after that. I shop in Target every week with my Target credit card, and I will continue to do so. They are going to get you one way or another. Or they aren't. Target obviously screwed up, their security was lax, their investigation is pathetic, their forthcoming with the news leaves a lot to be desired. But I'm not going to kill myself, cut up all my credit cards and start using cash, or leave the country. I don't blame people for not shopping there anymore, or switching to cash, but I just don't care anymore. This shit happens all the time, every day people have their identity stolen, it sucks, but it's part of everyday life now, no getting around it. Well I suppose there's the Amish way, but that's just not for me.

    1. Re:Am I the only person who doesn't care anymore? by GodfatherofSoul · · Score: 3, Insightful

      I care, but I don't think there's anything I can do about it. Until we stop waiting for the "free market" to come up with a solution and regulate better credit card security, nothing will change. Vendors are just going to roll the dice and hope nothing bad happens. I consider myself very cautious and I've had 3 fraudulent uses of my card 3 times already (thankfully the bank didn't charge me).

      --
      I swear to God...I swear to God! That is NOT how you treat your human!
    2. Re:Am I the only person who doesn't care anymore? by Anonymous Coward · · Score: 1

      Thankfully? WTF? *NO* "The bank did not charge me for fraud committed by another person." No thankfully.

    3. Re:Am I the only person who doesn't care anymore? by Anonymous Coward · · Score: 0

      Pfft, what can one person do, right?

    4. Re:Am I the only person who doesn't care anymore? by Osgeld · · Score: 1

      what the hell do you buy at target, overpriced old canned goods, or shitty paper storage cubes, I have not found much of value at target even when they were not retarded

      for fucks sake it took nearly 10 min to get a half warm shitty ass hot dog on a rock hard stale bun

      incompetent on every single level

    5. Re:Am I the only person who doesn't care anymore? by evilviper · · Score: 1

      Paying in cash is a far cry from killing yourself, or going Amish... In fact it's often more convenient than cards. Ever tried to split a bill between 10 people, all on their cards?

      I could still have my identity stolen, you say? Well since I have no credit history at all, they won't get much use out of it.

      There's a few ways ID theft could inconvenience me, but far less than you're exposing yourself to, and will have far less impact on me.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    6. Re:Am I the only person who doesn't care anymore? by Anonymous Coward · · Score: 0

      Do you realize it's suckers like you who cause all this trouble? It's precisely your I don't care attitude that makes it possible. If you and people like you are not going to raise a stink, this will be the default behavior. It sure already seems to be, laws and regulations be damned.

      Stop being such a fucking sheep.

    7. Re:Am I the only person who doesn't care anymore? by cascadingstylesheet · · Score: 1

      Until we stop waiting for the "free market" to come up with a solution and regulate better credit card security, nothing will change.

      Because if the government "does something", there will magically be no economic tradeoffs?

      Because the government has proven they are such security experts?

    8. Re:Am I the only person who doesn't care anymore? by Anonymous Coward · · Score: 0

      This shit happens all the time, every day people have their identity stolen, it sucks, but it's part of everyday life now, no getting around it. Well I suppose there's the Amish way, but that's just not for me.

      I grew up near an Amish community; it was well known that local shopkeepers, when an Amish customer came in w/o wallet or purse, just said "Pay me next time you're in" without even bothering to make a note of the transaction. Maybe that wouldn't be a bad society...

    9. Re:Am I the only person who doesn't care anymore? by Shados · · Score: 1

      Drop 10 credit cards on the table, tell the waiter to split the bill. Do that all the time.

      Of course, in more civilized areas, restaurants give out individual checks, so it's never a problem. It drives me bonkers since I moved here that in most of the Greater Boston area they usually give 1 check per table...ugh.

    10. Re:Am I the only person who doesn't care anymore? by 0123456 · · Score: 1

      Until we stop waiting for the "free market" to come up with a solution and regulate better credit card security, nothing will change.

      Uh, what do credit cards have to do with the "free market"?

      Hint: do you really, actually, think I can just set up a new credit card company tomorrow, without having to deal with a tsunami of government regulations around the world?

    11. Re:Am I the only person who doesn't care anymore? by GodfatherofSoul · · Score: 1

      You might want to do some research into bank policies on credit cards. There are situations where the bank makes you eat the charges; I believe after about a week on debit cards.

      --
      I swear to God...I swear to God! That is NOT how you treat your human!
    12. Re:Am I the only person who doesn't care anymore? by Anonymous Coward · · Score: 0

      Of course, in more civilized areas, restaurants give out individual checks, so it's never a problem. It drives me bonkers since I moved here that in most of the Greater Boston area they usually give 1 check per table...ugh.

      Yeah, and the country whose wait staff refuses to split checks also expects 15%, wait, no, now it's 20%, added onto the bill in tax free money.

    13. Re:Am I the only person who doesn't care anymore? by Anonymous Coward · · Score: 0

      Switch to Bitcoin

    14. Re:Am I the only person who doesn't care anymore? by kaatochacha · · Score: 1

      Cash isn't that hard, unless you're used to charging everything and living on debt.
      That's the hardest (and best) part about paying cash for everything: If you don't have the money, you can't afford to buy it.
      It's better for cutting spending as well. It's much harder, psychologically, to spend $100 cash than it is to swipe your card.

  24. Re:target messes with there employees and does not by desertfool · · Score: 1

    Or they outsourced....

    --
    Just a dude. Stuck in IT.
  25. Another 10% discount by Anonymous Coward · · Score: 0

    Hopefully this weekend

  26. the PCI compliance affidavit may be fraudulent by raymorris · · Score: 1

    Target execs signed sworn documents affirming that they were PCI compliant. Large companies have to do an audit of their PCI compliance so that they actually know if they are compliant or not. That statement of compliance saved them millions in extra processing fees (or allowed them to get processing at all).

    IF those documents were false, that's lying for material gain aka fraud. We don't yet know if a) they were PCI compliant or b) they had the required audit and thought they were compliant. It appears likely that they may not have been compliant, and they knew or should have known. That's one potential fraud.

    Further, there is an implied warranty to customers that cardholder data would be handled according to best practices. If they were reckless, that COULD be construed as fraud.

  27. Re:target messes with there employees and does not by Mr. Shotgun · · Score: 2

    Or they outsourced....

    You may be joking, but after the initial story broke I did look at their career website to see if they had an opening for an information security position (for the lulz) and noticed most of their IT positions were based in India. Since then they seem to have reduced the number of IT positions based out of India, maybe because of this, maybe they filled them. But still seems kinda odd.

    --
    Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
  28. 100 million CCs = 800 MB = 10 seconds of data by raymorris · · Score: 1

    A credit card number in a decent database is 8 bytes.
    Therefore, 100 million CC numbers is 800 million bytes.
    That's 800 MB, which is the amount of data a gigabit Ethernet can transfer in 10 seconds.

    With the name on the card, and such, it's a few GBs. Maybe one minute of data transfer or thereabouts.

    If it took the thieves a few hours to download over a slow connection, that would have been less than 1% of Target's traffic during that time period.

  29. Never would have guessed a Windows POS by mc6809e · · Score: 1

    Are they insane?

  30. Agreed by justthinkit · · Score: 2

    Some time back I had an acquaintance of a friend abuse my credit card. Bought a round trip from Africa to England with my card. Thousands of dollars. I told the CC people I knew who did it and I wanted to prosecute the guy. They weren't interested and not a thing happened to this person.

    --
    I come here for the love
    1. Re:Agreed by BringsApples · · Score: 1

      Holy crap! Did you have to pay the bill, or did they just eat it?

      --
      Politics; n. : A religion whereby man is god.
    2. Re:Agreed by justthinkit · · Score: 1

      The credit card company ate the charge. The CC companies must be very big businesses indeed when $2,500 or so of charges is not worth bringing criminal prosecution.

      --
      I come here for the love
    3. Re:Agreed by BringsApples · · Score: 1

      That's amazing, seeing as how they could prove it very easily (plane ticket purchase would require photo ID matching the passenger).

      What credit card company was this? I may need to look into getting back into credit cards if it's this easy these days to sluff off charges.

      --
      Politics; n. : A religion whereby man is god.
    4. Re:Agreed by ahabswhale · · Score: 1

      They don't care because the credit card company isn't the one who eats it. The merchant who accepted the fraudulent charge does. This is why the security of cards is complete shit in this country.

      --
      Are agnostics skeptical of unicorns too?
  31. not mag stripe data by dutchwhizzman · · Score: 2

    They got full data, much more than was on the mag stripes. The whole database of customers including their address data and all that has been stolen. Mag stripes don't hold all the information described here so there must be a database that has been broken into.

    --
    I was promised a flying car. Where is my flying car?
  32. H1-B city by swb · · Score: 1

    Walk through the lobby of the office tower at City Center where Target has offices and it's H1-B city. They are, like most corporations, looking to cut IT costs as much as possible and hire legions of H1-Bs.

    It wouldn't surprise me at all if the volume of H1-Bs doesn't lead to a management arrogance towards IT staff that extends to native-born IT workers which I'm sure would do plenty to create the kind of grievance which would help motivate an insider to participate in this kind of fraud.

  33. Re:target messes with there employees and does not by Anonymous Coward · · Score: 0

    Target has outsourced almost all of their IT to India for many, many years. They are a heavy user of the H1B program and do everything they can to avoid hiring Americans in IT. Their internal security controls are rotten and poor except for monitoring employees. They got the security they paid for. I have had friends that have worked there off and on for many years.

  34. And that is why I try to use bitcoins by Anonymous Coward · · Score: 0

    I know it's new and controversial but I also know that using bitcoins with stores that accept it puts me out of the danger of any information breach. Nobody can reuse my bitcoin wallet address in a malicious.

  35. Alaric303 by Anonymous Coward · · Score: 0

    To quote Target's most recent press release regarding the incident, "PIN [data] is encrypted at the keypad with what is known as Triple DES" ... "Target does not have access to nor does it store the encryption key within our system."

    I'm not an expert in crypto, but it seems to me that it is patently ESSENTIAL for both Target and its processor to have access to all three keys involved in that encryption scheme.

    Am I wrong?

  36. Bitcoin User Not Affected by Anonymous Coward · · Score: 0

    Target needs to adopt Bitcoin as a payment method, just as Overstock.com has. And then they need to heavily advertise that they no longer need your sensitive financial information if you choose to pay using Bitcoin.

  37. Visa by justthinkit · · Score: 1

    It was Visa. It was also 20 years ago. In Canada.

    --
    I come here for the love
  38. So, lawyer-up, anyone? by Anonymous Coward · · Score: 0

    If it could be shown that a breach like this used vulnerabilities the NSA knew about, but kept quiet about it in order to preserve the existence of said vulnerabilities, do you suppose Target could sue over it? Or maybe a class action by those whose card info was stolen?