Neiman Marcus and Other Retailers Breached, Credit Card Details Stolen
Fnord666 writes "Another day, another data breach. Apparently high end retailer Neiman Marcus has also suffered a breach of credit card data. Brian Krebs has the report: 'Responding to inquiries about a possible data breach involving customer credit and debit card information, upscale retailer Neiman Marcus acknowledged today that it is working with the U.S. Secret Service to investigate a hacker break-in that has exposed an unknown number of customer cards. Earlier this week, I began hearing from sources in the financial industry about an increasing number of fraudulent credit and debit card charges that were being traced to cards that had been very recently used at brick-and-mortar stores run by the Dallas, Texas based high-end retail chain. Sources said that while it appears the fraud on those stolen cards was perpetrated at a variety of other stores, the common point of purchase among the compromised cards was Neiman Marcus. Today, I reached out to Neiman Marcus and received confirmation that the company is in fact investigating a breach that was uncovered in mid-December.'"
The Chicago Tribune reports that "at least three other well-known U.S. retailers" suffered breaches this holiday season as well.
For the companies not breached to just come forward.
Will be busy shopping soon
That's the thing about CREDIT cards, the customer generally doesn't take the financial fall for fraud.
If you want news from today, you have to come back tomorrow.
i didn't read it as "as". I read it pronounced 'eyes', like a contraction of 'I is'.
The primary justification for not overhauling the inherently weak credit card system in the US has been the cost to the retailers, banks and credit card processors. And there's some validity to this; upgrading the system would have a major impact on everyone from the banks and large retailers on down to the mom and pops and the card holders themselves. However, the cost of continually cleaning up these messes is going to start adding up. It's time to accept the fact that the current system is horribly outdated and fix it (most retailers in Europe won't even accept chip-less US cards anymore).
The "fix" is to hold the breaches responsible for every fraudulent charge and re-issued card. The stores store the numbers, often in violation of their agreements, and nobody cares. They should get sued for their negligence. When that happens some, nobody will want to store the card numbers (like they are supposed to), and breaches will net nothing more than customer names and addresses, at most.
Learn to love Alaska
...I never give my real card number to internet shops, or offline shops for that matter. On the internet I use virtual debit cards generated by my bank with a low limit and short validity, separate ones for each purchase. Off the internet I use cash which I get from my bank's dispensers using my real debit card, for which they already have the number.
The "fix" is to hold the breaches responsible for every fraudulent charge and re-issued card.
Not just the card itself, the bank's time and to send a letter, reissue all the cards, mail them.
And then, I read earlier today, 140 million Americans are affected by the Target breach. Each of them with a current card that's getting cancelled has to go set up new automatic payments on their various autopay services, etc.
Target should be giving them a concession, say $100 or so per person for all the time they'll waste.
Now then, given actual liability for their actions, Target would never assume such risk without getting an insurance policy to cover it. And the insurance company would have a squad of auditors in their IT center to scour the thing before they issued the policy.
In the end, we'd wind up with the secure solution we're actually looking for. So the actual problem here is that corporations aren't held responsible for their negligence. Which is exactly why they form these big corporations in the first place.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
off the fucking grid. duh.
it is possible to deploy an isolated network and secure critical point-of-sale systems, but the companies are too fucking lazy and cheap to do it... all those stupid fucks in suits care about is current stock price, how big a bonus they're getting because of it, and where they're gonna go when they've milked the current job for all they can.
While I'm not arguing that they should not be held accountable, what you're proposing is not a "fix". The system should be designed so that they can't be negligent in the first place.
More online retailers are accepting it. Overstock.com being the most recent example.
New Economic Perspectives
This video explains everything => https://www.youtube.com/watch?v=TELH3PE9REo
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
The inherently weak system is manufactured product of the NSA.
Now with the Snowden leaks... the hackers know more about those weaknesses.
Expect things to get much worse.
In Australia stores accept chip, swipe, and wireless (you wave it over a pad, it doesn't even ask for a PIN). Unless you specifically mention the security level of each during a transaction, the majority of customers prefer the less secure methods - wireless PayPass and swipe. This is because those two are slightly faster, and they can put the card back in their wallet while it processes. They groan and make a fuss at stores where smart chips are set as the mandatory first attempt. Paying with cash is secure AND remains the fastest transaction, but people find carrying notes and coins to be inconvenient. Every time I see the Secret Service working on these cases, I remember Albert Gonzalez from the major TJ Maxx credit card theft incident. He was on the Secret Service payroll at the time, in a Frank Abagnale type prison-work release.
Krebs is a fucking national treasure.
Is this the next false flag? We've already got just about everyone convinced that magic card numbers are "identity". And we've already convinced the public that a breach of this "identity" somehow hurts the person identified (not the banks or retailers) and that the banks and retailers are being generous by helping us out of this mess when it happens. And on top of that? When it happens, we get "free credit monitoring services!"
We're now seeing an avalanche of these types of breaches. What are they planning? A National ID to prevent "identity theft"? Biometric tracking?
Yes, we should use government issued IDs with biometrics to prove our identity with every transaction. It's the last link in the chain they haven't quite closed yet... well that and paper cash.
The obvious fix is to prohibit the storing of credit card data. These companies are fools if they think they can aggregate that data and get away with it.
You're assuming it would have made any difference. Remember that these systems have to store the data whilst the transactions are in flight. No, the solution has been known for decades - it's EMV, and every Slashdot story on these card breaches contains exactly the same discussions about how the USA needs to upgrade. Seriously, the USA is more than 10 years behind by now. It doesn't just dick over Americans. The need to be able to travel to the USA means banks everywhere else still need to support stupid magstripe or chip'n'signature transactions. If the USA upgraded it'd become more easier to start aggressively targeting the remaining magstripe transactions with tougher risk analysis and that would cut card-present fraud everywhere.
The companies don't wanna pay good money for real security, and they want to throw you behind bars if you go vigilante white-hat on them, so give up. I agree with another /.'er who stated yesterday about the news of the Australian white-hat kid: let 'em burn. If that means going cash, too, go cash.
Keeping everything consolidated on just one card doesn't hurt, either. If it's a debit card you can coal-load it. When you need to make purchases, tally them up first and then go deposit the money you'll need. Charge it back out online and what will the thieves steal, if anything? Next to zero.
I've always been wary of internet business. I didn't start purchasing things online until literally just a couple of years ago, and that was some music-related art imports from Italy. This year is the first year I've made purchases on Amazon or Ebay. That about marks my limit, too. I have no reason to use anything else. I haven't even activated my newer Bank of America debit card since BoA changed to another bank.
At least with one card I only have one cancellation to take care of if some site I've used it on gets hacked.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
In Australia the banks must pay after the 1st $50 dollars fraud. Not too bad considering facial recognition is already done on most ATM's and store counters. Think twice before claiming there is some mistake.
Fees: the banks don't want to stop fraud - the merchant pays for that. Lowest CC risk: Catholic / Baptist book shop; highest risk: online gadgets under $1000 - iPhones and laptops, cosmetics etc. In fact they PROFIT from it. Broadly the merchant wears the chargeback.
This is why laser stripes, magnetic puttering (unique) and ink patterns (Japan) have never been adopted. Chip based cards are inferior (and expensive to issue).
Australian banks are also lazy - letting PayPal eat into 5% foreign conversion fees - let's hope bitcoin and the likes get them going.
PayPass/PayWave is more secure than magstripe swipes since the data necessary to clone a card never leaves the card itself. It's the same sort of cryptographic authentication as the chips.
The lack of entering a PIN is a policy decision by the banking industry - they decided that it was easier to make the merchant eat amounts of up to AU$100 per transaction in fraud in exchange for faster, smoother transactions = more transactions = more revenue. Large merchants benefit too since any loss to increased card fraud is offset by reduced losses to cash theft.
That's not to say that contactless payment cards are perfect, far from it.
What impact? Mom and pops aren't in charge of how the banking system runs. The efforts required to fix the problem don't "scale down" -- it's all up at the top with the people who hate parting with their hoarded money.
PINs are sort of stupid in a retail setting, anyway. The way most pads are set up, the other customers can clearly see what digits you're inputting, and voila, now they can use your card at any ATM.
Signatures are just as pointless. They don't prove anything unless you have a meticulous signature. People in general aren't that anal and unless you're Benjamin Franklin or some shit with a degree in calligraphy, the makeup of your signature fluctuates over time.
The US appears to be using a system that's outlived its usefulness.
I am always amazed that the cost is an excuse. The rest of the planet has already changed to the not perfect but better chip.
This includes countries that have a "little bit less" usage per machine than what you have in the US.
A basic terminal in Belgium costs 695EUR. A 99EUR solution is also available.
I am sure that for a HUGE market like the USofA prices would be easily around 50 - 100 USD, if not cheaper. (UK has a 20GBP one)
"AmEx isn't one of the big 2, and they charge the most of anyone."
However, if I chime my voice in as "just one from the average streetgoer", American Express has made its name in infamy as the card many businesses don't accept! (Because of those higher fees.)
So to be sure someone has held a few meetings over at AmEx, and decided losing those smaller accounts isn't worth whatever other clout they have among the executive set.
In contrast, I can't think of any tangible difference to me between Visa and Mastercard.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Since negligence includes failing to follow the system properly (and often does), this is not possible.
Retailers and others who accept credit cards are the ones paying for this insecure system and these breaches. It's a totally f'd up system.
What we need is a credit card that authenticates each transaction the user makes.
Credit cards should have a keypad and the customer should enter a pass code on it to authenticate the transaction at the time of sale.
This wouldn't be that hard to implement. You simply need a credit card that can receive an amount / merchant name / and merchant code #. The user would then be shown the merchant name, code number, and amount. If it doesn't match the place they are buying from they'd simply abort the transaction. If it matches they could then enter a password on the credit card itself (thus thwarting devices which intercept credit card data/pins/etc) to approve the transaction. The approval would simply need to include a unique number that the bank also had on file for the card holder. There would be one of these for each transaction. This data would then be encrypted with the card holder's bank's public key. The card holder's data could be transmitted via the merchant's systems without worry. Even if the systems are compromised it would not risk the card holder's money, the bank's money, Visa's money, or the merchant's money. And it would all be obvious if the transaction did not match. If the card holder accepted an amount for $10,000 when the merchant should have only charged $1,000 it would be the card holder's liability (unless they had already set restrictions, in which case the transaction would fail anyway).
Once the transaction was approved by the card holder the credit card holder's bank would encrypt a message with the merchant's public key that said "approved" (with a unique code for the transaction of course).
This way everybody would be guaranteed no liability / risk.
How do I check if my card number is compromised?
Does this affect only cards used in brick-and-mortar store cashier machines?
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
It is not so difficult keeping hackers out. Sound security implementations, regularly independently and competently reviewed (no, I am not talking about pen-tests, these are borderline useless and can maybe help keeping the script-kiddies out) and fixed as soon as flaws are found are quite enough to drive the attacker-effort through the roof. Unfortunately, many clueless MBAs in "management" think this is not needed. If you take into account that we are only hearing about the tip of the iceberg, things are really bad right now, without any other root-cause than stupidity and greed.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Which is why, you shouldn't use pull autopay. You should use push auto pay.
If the credit card companies want to be involved in auto-pay or one-click situations, they should bring their id/authentication out of the 1950s.
Can you be Even More Awesome?!
You're assuming it would have made any difference. Remember that these systems have to store the data whilst the transactions are in flight. No, the solution has been known for decades - it's EMV.
I'm hoping it's just ignorance of how EMV actually works that makes you say that. Some people are under the mistaken belief that EMV means account details are encrypted (yes, there are private keys on it), or that EMV somehow protects your account details from being used to charge your account - and they're wrong on both counts.
In this particular instance the problem only looks like it's related to Target, the common factor is the Indian card processor, the people behind it have been operating this and similar rips for almost a decade.
And no, the problem isn't (just) failure to comply with PCI - it's outsourcing responsibility (that is the problem).
Signatures aren't meant to be your password. They're meant to be a deliberate act signifying your acceptance of terms. Any deliberate mark will do, which is why old movies have (usually illiterate) characters literally signing contracts with an X.
Another problem with trying to use a signature for ID is that your calligraphy plan won't work. It only even sort-of works as ID when muscle memory kicks in - when you sign as quickly as possible.
It was probably just that lady trying to get her money back for the cookie recipe.
The National Security Agency has succeeded in assuring that our internet security is sufficiently weakened and back-doored that it is chronically ripe for takedown. "White hat" intrusion precedes black hat intrusion. Three suggestions. 1) Rename NSA as the National Insecurity Agency. 2) Explore protocols for non-backbone data transfers, i.e. a cryptographic transport layer that prefers peer-to-peer where possible. 3) Use identity-agnostic wealth transfer methods such as BitCoin to avoid future intrusions, e.g. credit cards that use BC and don't compromise client identity.
I was purchasing stock in a couple of smart card manufacturers.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
One reason that you may not hear of these breaches in places outside the US is that many use PIN and CHIP cards that make it MUCH more difficult to use or steal the credit card numbers.
Visa and MasterCard and Amex already use these outside the US... http://en.wikipedia.org/wiki/EMV and they are supposed to be mandatory for the US in the next couple of years. Maybe the deployment should be expedited? For a standard that has been in wide use for over 15 years elsewhere, it's about time that the US finally catches up....
--
Time is on my side
It is not so difficult keeping hackers out. Sound security implementations, regularly independently and competently reviewed
Yes. A system can be designed that is virtually impregnable when followed to the letter, but in systems involving implementation by humans, some genius will invariably skip a step that saves him 13 seconds of personal time.
Foolproof is impossible, because just as soon as that level of assurance is reached, they make a little bit better fool.
Holy meatballs, I'm going to sound like a shill. But, this is why I like making purchases online with Bitcoin. Screw all that whiny ideological crap...
Any sufficiently advanced influence is indistinguishable from control.
I remember Albert Gonzalez from the major TJ Maxx credit card theft incident. He was on the secret service payroll at the time, in a Frank Abagnale type prison-work release.
As a founder of ShadowCrew (an early credit & ATM numbers acquisition venture of his), his site moderators forced members to provide refunds if the stolen credit card was no good.
You should read the EMV wiki page. When used with DDA cards, which modern cards all are, it protects against cloning of the card and thus protects card-present transactions. Yes, EMV cards still have magstripe data on them which can be stolen and used for online merchants where the card is not present, but there are other systems that are working on making online transactions more secure as well (like 3D-Secure). The combination of these things is an upgrade.
...140 million Americans are affected by the Target breach.
Half of all Americans shop at Target? That may be right, but it seems wrong.
140 million Americans are affected by the Target breach.
Surely not directly? Are they saying 2 of every 3 adult Americans shopped at a brick and mortar Target in December and used a credit card? I can vouch that I was one of those that did not.
Are they saying everyone who has a Visa or Mastercard is "affected"? That number does seem pretty close to the number of adults with a visa or mastercard (estimated at well above half of the adult population but I couldn't find an exact number).
If you are not allowed to question your government then the government has answered your question.
How do I check if my card number is compromised?
Add the digits of the CC number, multiply by the CSC then divide by the expiration month. Write that number on a piece of paper and fold it in half. Then check your CC statement to see if you shopped at Target or Neiman Marcus. If so, burn the paper. If the Eye of Sauron appears in the flames, you are OK. If not, you are compromised.
But the card number does not have to be stored for it to be vulnerable. They could also capture the data in transit. If you can get access to a database, it's pretty reasonable that other things on these systems can be accessed such as memory and network interfaces where data is in transit. All you need is a monitoring program that records everything passing through the system.
You should read the EMV wiki page.
Wikipedia huh?
Maybe if I get bored I'll add a link to a paper recently published by, um, some Australian researcher showing much simpler techniques. Though I expect the industry shills will just pull it off Wikipedia (again) - it's the only way they can avoid losing in the courts as EMV isn't to protect you - it's to protect banks from liability.
And math skills aren't required - EMV can also be defeated with a paper-clip. I'm sure you can do your own research (clicking on Wikipedia barely qualifies as research). Replacing the merchant generated nonce with one embedded by the bank would be a step forward - as will the proposed one-time-key code display for Mastercard. Emue is even more secure.
Just cut up the cards and go back to using cash. A simple solution that has a proven track record of not being able to be hacked.
Undetectable Steganography? Yep, there's an app fo
No, you missed the latest fun with target...
They lied..
The cards stolen weren't by someone intercepting CC numbers when used; they kept EVERYTHING in a linked database that was stolen. Name, address, phone number, multiple CC numbers etc. (they haven't said a db, but they said a source containing historic information. Maybe it was a flat file, but I'd hope not)
The fact they lied repeatedly and that they kept this info makes it a LOT worse than the Sony breach in my mind.
They should be very liable.
I am 31337 or something.
Upgrading and improving is one thing, but I'd like penalties to be far more damaging on both sides of the transaction. If these companies don't want to take security seriously, perhaps they shouldn't be in business, or should be cash only.
Example:
1st breach and exposure of card, cardholder, and any other identifiable information: $100 per card for that instance
2nd breach within 1 year of the 1st breach, and exposure of card, cardholder, and any other identifiable information: $10000 per card
Stipulations:
Make it legally binding without appeal, and vastly more transparent.
All persons whose information is released get an automatic 50 point bump in their credit score. For EACH instance.
The only way this is gonna get fixed if it hits them where it hurts, and that's the wallet.
Impossible I know, but a man can dream....
So how/why was the Tribune sworn to secrecy regarding the names of the other three companies that were hacked? They were "well-known". Well, gosh, thanks a pile for narrowing it down for us consumers. Now your readers have to wait until they discover themselves that they're a victim of these hacks.
It doesn't surprise me one bit that the business-friendly Tribune would conceal the names of the other hacked retailers. God-forbid that one of their advertisers see a drop in customers fearful that shopping at one of these three stores might result in financial headaches while they sort out the fraud with their credit card companies.
CUR ALLOC 20195.....5804M
Michelle Obama's birthday is very close at hand. No doubt the NSA went shopping for cash to buy that very special "gift" for such an important day on Earth.
That insurance company's squad of auditors would be no more and no less effective than the PCI/DSS audit system.
ahhhh I get it is funny because they don't come forward....
I shopped at Target twice in the last month, and I'm pretty sure I didn't use the same credit card both times I went. Maybe they mean 140 million cards?
Since negligence includes failing to follow the system properly (and often does), this is not possible.
Sure it is - design the system so that if you don't follow it, transactions are impossible.
It is fairly trivial to design a system such that a transaction is impossible without the card present and the card owner's authorization (two factor authentication). All data entering and leaving the card could be intercepted or recorded, and the most that could be done by an attacker would be to block the transaction (denial of service). The credentials required to authorize a transaction (one time only) would never leave the card. The card would only sign a transaction after displaying the details on its screen and obtaining a PIN on its keypad (no dependence on the security of a terminal that belongs to the retailer).
If you didn't want something quite that fancy you could just issue a OTP-generator with every card and that would be almost as good, though it would be susceptible to MITM attacks since the customer would just be blindly giving out their one-time PIN and would have no way to guarantee that it gets applied to the correct transaction.
Credit cards are inherently insecure. They rely on a shared secret that isn't kept secret.
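The card-authenticated transaction described in the two comments above (the card shows merchant name, code and amount, the holder approves on the card's own keypad, and a per-transaction unique number goes to the bank) can be simulated end to end. This is an added example, not code from any commenter; it assumes an HMAC over the transaction with a per-card secret known only to the card and the issuing bank, standing in for the public-key encryption the comments describe, and all names and values are constructed.

```python
import hmac
import hashlib
import json


def _canonical(payload):
    # Deterministic encoding so the card and the bank MAC exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _tag(secret, payload):
    return hmac.new(secret, _canonical(payload), hashlib.sha256).hexdigest()


class Card:
    """Card with its own display and keypad; it approves one transaction at a time."""

    def __init__(self, card_id, secret, pin, max_amount_cents=None):
        self.card_id = card_id
        self._secret = secret            # shared only with the issuing bank (assumption)
        self._pin = pin
        self.max_amount_cents = max_amount_cents   # holder-set restriction
        self.counter = 0                 # the per-transaction unique number

    def authorize(self, terminal_request, holder_expects, entered_pin):
        """terminal_request: what the merchant terminal pushes to the card.
        holder_expects: (merchant_name, merchant_code) the holder sees in the shop.
        Returns a tagged approval, or None if the holder or the card aborts."""
        shown = (terminal_request["merchant_name"], terminal_request["merchant_code"])
        if shown != holder_expects:
            return None                  # display mismatch: holder aborts
        if not hmac.compare_digest(entered_pin, self._pin):
            return None                  # PIN entered on the card, never on the terminal
        amount = terminal_request["amount_cents"]
        if self.max_amount_cents is not None and amount > self.max_amount_cents:
            return None
        self.counter += 1
        payload = {"card_id": self.card_id, "merchant_name": shown[0],
                   "merchant_code": shown[1], "amount_cents": amount,
                   "counter": self.counter}
        return {"payload": payload, "tag": _tag(self._secret, payload)}


class Bank:
    def __init__(self):
        self._secrets = {}
        self._last_counter = {}

    def enroll(self, card):
        self._secrets[card.card_id] = card._secret
        self._last_counter[card.card_id] = 0

    def settle(self, approval, merchant_code, claimed_amount_cents):
        """The merchant forwards the card's approval plus what it wants to charge."""
        if approval is None:
            return "declined: no approval"
        payload, tag = approval["payload"], approval["tag"]
        secret = self._secrets.get(payload.get("card_id"))
        if secret is None:
            return "declined: unknown card"
        if not hmac.compare_digest(tag, _tag(secret, payload)):
            return "declined: bad tag"          # approval altered in transit
        if payload["counter"] <= self._last_counter[payload["card_id"]]:
            return "declined: replay"           # same approval presented twice
        if payload["merchant_code"] != merchant_code:
            return "declined: merchant mismatch"
        if payload["amount_cents"] != claimed_amount_cents:
            return "declined: amount mismatch"  # merchant charges more than approved
        self._last_counter[payload["card_id"]] = payload["counter"]
        return "approved"


def demo():
    """Constructed scenarios: honest merchant, inflated charge, replay, tampering, wrong shop."""
    bank = Bank()
    card = Card("card-0001", b"constructed-card-secret", "4829", max_amount_cents=500_000)
    bank.enroll(card)
    request = {"merchant_name": "Example Store", "merchant_code": "M-77", "amount_cents": 100_000}
    approval = card.authorize(request, ("Example Store", "M-77"), "4829")
    results = {}
    results["inflated"] = bank.settle(approval, "M-77", 1_000_000)
    results["honest"] = bank.settle(approval, "M-77", 100_000)
    results["replay"] = bank.settle(approval, "M-77", 100_000)
    tampered = {"payload": dict(approval["payload"], amount_cents=1_000_000),
                "tag": approval["tag"]}
    results["tampered"] = bank.settle(tampered, "M-77", 1_000_000)
    wrong_shop = card.authorize(request, ("Other Shop", "M-99"), "4829")
    results["wrong_shop"] = bank.settle(wrong_shop, "M-77", 100_000)
    return results
```

Nothing the merchant's systems see (the request, the approval, the tag) lets them charge a different amount, reuse the approval, or move it to another merchant; the most a compromised terminal can do is block the sale.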
And I urge all Slashdotters who shop at N-M to do the same!
Anybody.....?
HALL-OOOOOOOOOOOOOOOOOO
Yes, Obamacare is saving Americans sooooooooo much money that my insurance premiums *ONLY* doubled, while my copay went from $0 to $20-150 (depending on what's being done). At least my out-of-pocket limit didn't change. To add to that, my employer is no longer allowed to reimburse a portion of my health care costs as a benefit; that money now has to be added to my salary, which means the paltry $200/mo I was getting has been reduced to something closer to $160, while costing my employer something closer to $240. As someone of at-least average intelligence, I actually am outraged by this.
The only upshot is that they weren't able to deny my wife coverage this time around; so, really, my premiums quadrupled, since I'm also paying for her now.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
When it's encrypted end to end, that MITM won't do you much good. But when the systems assume secure dial-up lines, the information isn't very secure. There's no reason I need to know the number on the card to process it, so long as the bank agrees to pay the amount, based on the hash/communication with the cardholder.
In general:
Visa = Better benefits
MC = Better Customer Service.
That insurance company's squad of auditors would be no more and no less effective than the PCI/DSS audit system.
I've sat across the table from a PCI auditor and told him, "no, we are not going to encrypt our passwords - they're hashed for a good reason" and had him give me a blank stare. Forgive me for not putting faith in the PCI system.
The PCI council thinks a WAF is sufficient to protect a vulnerable web application. So that's PCI compliance for you...and many companies don't even meet THAT compliance. If they fail at something this obvious/small imagine a system this big and complex..?
You miss his point. The system should be set up so that the retailer CAN'T compromise it. I don't live in the US. When I make an online credit card transaction, the retailer collects the number, then redirects me to a confirmation page from the card company. There I enter a password that the retailer never sees, and so cannot abuse.
A credit card number should be useless without a second factor that is never known by anyone other than the customer and the card issuer.
How is paying with cash more secure than a wireless credit card? If you lose the credit card you can cancel it as soon as you notice. If you lose the cash, too bad.
Why would this perfectly to-the-point comment get a '-1'?
I don't feel bad about not having the money to go shopping...
You, sir, suck at math. If what you are paying doubled, and only covered you, then you could claim your premiums doubled. Since you just admitted that it now covers your wife, too, it clearly did not double (let alone quadruple), but actually stayed the same. Have a nice day, idiot.
I was paying $208/mo, now I'm paying $830/mo, so yes, what I'm paying (more than) quadrupled, and the cost per person (more than) doubled. *MY* (as in for me, alone) premiums doubled, and since I'm covering two people now (since they can no longer deny my wife coverage), my costs quadrupled. You simply suck at comprehending.