Michaels Stores Investigating Possible Data Breach

← Back to Stories (view on slashdot.org)

Michaels Stores Investigating Possible Data Breach

Posted by timothy on Saturday January 25, 2014 @01:44PM from the switching-targets dept.

tsu doh nimh writes "Michaels Stores Inc., which runs more than 1,250 crafts stores across the United States, said Saturday that it is investigating a possible data breach involving customer cardholder information. According to Brian Krebs, the journalist who broke the story [and, previously] news of the Target and Neiman Marcus breaches, the U.S. Secret Service has confirmed it is investigating. Krebs cited multiple sources in the banking industry saying they were tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc. In response to that story, Michaels issued a statement saying it 'recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.' In 2011, Michaels disclosed that attackers had physically tampered with point-of-sale terminals in multiple stores, but so far there are no indications what might be the cause of the latest breach. Both Target and Neiman Marcus have said the culprit was malicious software designed to steal payment card data, and at least in Target's case that's been shown to be malware made to infect retail cash registers."

106 comments

Min score:

Reason:

Sort:

This is because CONservatives... by Anonymous Coward · 2014-01-25 13:48 · Score: -1

don't give a damn about security. They never have. They don't care about us peons that are their customers. I bet their upper management is celebrating how they've screwed-over the average Joe. Those GOPpers always enjoy that.
1. Re: This is because CONservatives... by Anonymous Coward · 2014-01-25 14:13 · Score: -1
  
  This is because DEMONcrats don't give a fuck about freedom. They want to force shit on us (obamacare, welfare,etc.) Why should I have to pay for the fact that you live a risky life and have high medical costs or that you're a lasy ass bum who makes no sort to find a job. And don't even get me stated on the welfare queens popping out spawn left and right to get "govmint cheese"
2. Re: This is because CONservatives... by Anonymous Coward · 2014-01-25 15:12 · Score: -1
  
  Why shouldn't people that have more than they need pay for everyone else's healthcare? To not do so is selfish, and by some accounts, murder.
3. Re: This is because CONservatives... by Anonymous Coward · 2014-01-25 15:46 · Score: 1
  
  Because I worked damn hard for that money? Whose right is it for you to tell me what to spend it on?
4. Re: This is because CONservatives... by maharvey · 2014-01-25 18:26 · Score: 0
  
  You have more than you need. I know because you have a computer and free time to post on Slashdot. Why aren't you donating 90% of your pay to hunger relief? Why don't you donate it to the Federal Government for healthcare? After all, failure to do so is murder. I guarantee they'll take your check! Don't know where to send it because you're too lazy to ask? Still murder. You could at least donate it to a local shelter. You don't need more than one set of clothes either. Or a car. You don't need the computer you're staring at right now. Liquidate and donate! Or are you selfish?
5. Re: This is because CONservatives... by Anonymous Coward · 2014-01-25 21:25 · Score: 2, Insightful
  
  CONservatives vs LIEberals or REPTILEcans vs DEMONcrats; you make the call.
6. Re: This is because CONservatives... by Anonymous Coward · 2014-01-25 21:43 · Score: 0
  
  Same to you, hypocrite. Sell your computer so we never have to read your shit ever again
7. Re: This is because CONservatives... by Anonymous Coward · 2014-01-25 23:41 · Score: 2, Insightful
  
  Turning a Russian mafia crime scheme into an American political party debate. Do you both have any idea of how stupid you sound? This would not even be relevant if there was an actual difference between party A or party B, which time has shown there is none. Fine, go at each other's throats while your house burns down.
8. Re: This is because CONservatives... by CohibaVancouver · 2014-01-26 03:22 · Score: 1
  
  Because social and infrastructure programs create an environment where capitalism can thrive - When you have a healthy, educated workface along with roads, airports, telecommunications and all the trappings of a modern society you create a scenario that, at its most basic level, creates a culture of people who can actually buy your stuff and at a more advanced level creates a place that fosters entrepreneurship.
  
  There's a reason Germany has a surging economy and Somalia doesn't...
9. Re: This is because CONservatives... by Anonymous Coward · 2014-01-26 04:19 · Score: 0
  
  Tu quoque. Hypocrisy is not an argument.
  Furthermore, your reply did not make sense, since he doesn't actually believe what he was suggesting. That is, he was using sarcasm!
Credit cards by Anonymous Coward · 2014-01-25 13:50 · Score: 2, Insightful

Way too easy to commit fraud. Pay cash for small purchases. And stop giving stores your name for loyalty cards or marketing
1. Re:Credit cards by Nerdfest · 2014-01-25 16:06 · Score: 3, Funny
  
  I'm not even sure that will help. These guys have proven that they're quite ... crafty.
2. Re:Credit cards by Anonymous Coward · 2014-01-25 16:46 · Score: 0
  
  Why is the credit card information being stored after the transaction is processed? The data should be short-lived and immediately scrubbed once the payment processing system indicates a successful debit transaction.
3. Re:Credit cards by pspahn · 2014-01-25 17:55 · Score: 1
  
  The main reasons for storing CC information is to handle recurring payment services (subscriptions) or to have a method for refunding a customer without requiring them to enter all their information again.
  
  --
  Someone flopped a steamer in the gene pool.
4. Re:Credit cards by cusco · 2014-01-25 18:10 · Score: 3, Informative
  
  In the case of Target and Michaels it's the latter. You have up to 90 days to return some merchandise at Target, and the entire transaction record will be stored for that long and then dumped.
  Having said that, the AC somehow seems to have completely missed every article that even dips a toe into the technical details of the attacks. It's a RAM scraper, not a database capture, that is picking up the transaction. The POS terminal only stores the transaction for the amount of time it takes to contact the credit card company and get approval, and that's all the time necessary to carry out that type of attack.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
metafraud purpose traitors dark maters too by Anonymous Coward · 2014-01-25 13:52 · Score: -1

some still calling this 'weather'? http://www.globalresearch.ca/weather-warfare-beware-the-us-military-s-experiments-with-climatic-warfare/7561
accounting problems still http://rt.com/business/us-unemployment-economy-crisis-assistance-006/
our preferences; mlk http://www.youtube.com/results?search_query=mlk%20sppech&sm=3
jfk http://www.youtube.com/results?search_query=jfk%20sppech&sm=3
world's local hero http://www.youtube.com/results?search_query=scott%20olsen&sm=3
Chip & Pin by beelsebob · 2014-01-25 13:53 · Score: 4, Insightful

Seriously... Why have the US banks not rolled Chip & Pin out yet? This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a roll out would have.
1. Re:Chip & Pin by Anonymous Coward · 2014-01-25 14:10 · Score: 0
  
  The NSA is busy "hacking" with great fanfare public American institutions because they want us to believe we need them to keep America safe. In fact, a mass-hacking is exactly the kind of thing they previously warned about. What a coincidence!
  Despite all the FUD, not a single fraudulent charge was made. That proves that they're scrupulous enough not to rip us off more than they already have for the sake of continuing their propaganda.
  Take the NSA, CIA, DHS, FBI, and ATF out, American people -- they fear you.
  -- Ethanol-fueled
2. Re:Chip & Pin by khasim · 2014-01-25 14:15 · Score: 1
  
  This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a roll out would have.
  Maybe, maybe not. Criminals usually take the easiest way into a system. So replacing one flawed system may be sufficient. Or there might be more flawed implementations at their data center.
  I think the real issue here is how the companies seem to have no idea how to do computer security.
3. Re:Chip & Pin by fuzzyfuzzyfungus · 2014-01-25 14:23 · Score: 2
  
  Are you saying that passing your PCI compliance testing isn't all the computer security you need to do?
4. Re:Chip & Pin by binarylarry · 2014-01-25 14:48 · Score: 3, Funny
  
  Unfortunately, it looks like Target and Michaels went with ISA compliance testing instead :(
  
  --
  Mod me down, my New Earth Global Warmingist friends!
5. Re:Chip & Pin by TheGratefulNet · 2014-01-25 14:58 · Score: 1
  
  and the IRQ jumpers are all wrong, too!
  
  --
  
  --
  "It is now safe to switch off your computer."
6. Re:Chip & Pin by Bite+The+Pillow · 2014-01-25 15:16 · Score: 0
  
  If Chip & Pin were the answer, the financial incentives of having it in place would make it the obvious choice.
  Clearly externalizing loss to the merchants and consumers is financially more attractive. And there's your answer to "Why?" No need for useless rhetoric because there is a simple answer.
  If you want a more complicated answer, the merchants basically have no say and the consumers don't care, so the issue rarely gets pushed.
  Re-wiring all of the point-of-sale machines would be a major expense, even if it were just software updates and testing. Even if only .01% of the POS machines have issues, that's downtime and labor expense that is far outweighed by not changing.
  Sounds like you're not really aware of how credit and debit card transactions that are declared fraudulent affect the parties involved, compared to the cost of upgrading. Because that's the magic number.
7. Re: Chip & Pin by Anonymous Coward · 2014-01-25 15:29 · Score: 0
  
  "Re-wiring all of the point-of-sale machines would be a major expense ..." I hate the whiny "Doing it better would be expensive" argument. Eg, "We can't make cars mare fuel efficient, it would make them cost more." What has happened to risk taking in America? We could have Hyperloop, instead we get "high speed rail" that is slower than slow speed rail in other countries. Etc, etc. America has become soft.
8. Re:Chip & Pin by Anonymous Coward · 2014-01-25 15:53 · Score: 0
  
  I worked for an online retailer and home shopping network. The PCI standards were amateurish and would not stop anyone who was determined. The PCI program was rolled out slowly. My employer was really slow and always asking the VISA/MasterCard people for extensions. The extensions were always given. My employer didn't start working on a specific "module" until the second extension ran out. We completed the work by the third extension. IMHO, the PCI standard is a joke.
9. Re:Chip & Pin by Mashiki · 2014-01-25 17:28 · Score: 1
  
  The US banks have waffled on it for nearly 6 years and getting terminals upgraded. We've been fully chip & pin in Canada for that long now, and if you're wondering why it hasn't been done it's because the cost of upgrading millions of terminals is expensive.
  
  --
  Om, nomnomnom...
10. Re:Chip & Pin by EvilSS · 2014-01-25 19:08 · Score: 1
  
  October 2015. At least the Chip part. The PIN part will be optional (unfortunately). The national retailer association wants it to be mandatory but MasterCard and Visa don't for some reason.
  
  --
  I browse on +1 so AC's need not respond, I won't see it.
11. Re:Chip & Pin by Anonymous Coward · 2014-01-25 20:42 · Score: 0
  
  Seriously... Why have the US banks not rolled Chip & Pin out yet? This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a roll out would have.
  Because, in the 1980's, when the chip system was created and successfully implemented in Europe, the American banks (mistakenly) invested in the telcos. Reinventing the technology to alter the profits made by the telcos on every card transaction would have been a financial disaster in the minds of the bankers.(Pure capitalism, ftw.)
12. Re:Chip & Pin by pcr_teacher · 2014-01-25 21:31 · Score: 1
  
  Chip and Pin has already been comprimised in the wild:
  http://www.telegraph.co.uk/new...
13. Re:Chip & Pin by badzilla · 2014-01-25 21:54 · Score: 1
  
  Chip and PIN has seen widespread use for years now and would probably stop this kind of attack. Remember you have hardware-based encryption happening not only in the card reader but also in the card itself. An amazing amount of crypto happens at step one just so that the card can satisfy itself that it is indeed inside a valid reader. Then some more so that the reader can be confident it has a real card. Once all the authorisation and monetary amounts are complete then the reader finally dumps out an encrypted blob. Malware that had got root in the POS terminal could deny the transaction from happening but could not change the amount or snarf any of the card information. The only time I have heard of any cracks in this scheme was a murky story of collusion with employees at the card reader manufacturing facility, which is a lot less of a risk than poorly-configured POS.
  
  --
  "Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
14. Re:Chip & Pin by Dunbal · 2014-01-26 00:10 · Score: 1
  
  Yeah those poor banks, only earning an up to 3% "cut" of every single transaction, billing most of their customers for regular "transaction" fees, hardly paying out interest at all to savers, getting money for free from the government (because you know, they're too big to fail) and charging their debtors usurious interest. Poor, poor banks. Changing the terminals is so EXPENSIVE.
  Seriously, they pass a regulation saying all terminals must be changed by x date and surprise, you the merchant are going to have to pay for it - didn't you read your contract? But it's ok we'll deduct the cost of the new equipment and installation directly from your account so you don't have to worry... This is how the real world works. Me big bank. You small business. Me screw you.
  
  --
  Seven puppies were harmed during the making of this post.
15. Re:Chip & Pin by rfunches · 2014-01-26 03:52 · Score: 1
  Chip and Pin has already been comprimised in the wild:
  http://www.telegraph.co.uk/new...
  Nothing in the article states that the fraudulent charges were run as Chip+[Sig/PIN] transactions, though. They were processed in a way that bypass the chip:
  
  1) Card not present transactions (mail/phone/internet)
  2) Cloned magstripe-only card on a non-chip terminal (I had a chipped Visa fraudulently used in the US with this method)
  3) Same as #2 but with a PIN at a merchant terminal for cash back or at an ATM for cash withdrawal or advance
  I've yet to hear of a case where a fraudulent chip transaction came from a cloned card.
  Forcing everything in the card present transaction chain -- cards, POS devices and ATMs, card processor networks, banks -- to require the chip, eliminating the use of the magstripe, should (at least in theory) eliminate methods 2 and 3. But there's still the issue of card not present transactions. Until you find a viable solution for that, the scammers will always have an avenue for fraud.
16. Re: Chip & Pin by Anonymous Coward · 2014-01-26 11:32 · Score: 0
  
  I correct myself. America has become _too conservarive_.
17. Re: Chip & Pin by Anonymous Coward · 2014-01-26 11:35 · Score: 0
  
  I correct myself again: _conservative_. Danged non-keyboard.
18. Re:Chip & Pin by elistan · 2014-01-26 13:59 · Score: 1
  
  Seriously... Why have the US banks not rolled Chip & Pin out yet? This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a roll out would have.
  It's not costing the banks anything - the costs of the refunded transactions are the responsibility of the merchants. I don't see any financial incentive for banks to do anything different. It'll have to be either a legal regulation or a consumer backlash, and I don't see either happening right away.
19. Re:Chip & Pin by plover · 2014-01-27 02:14 · Score: 1
  
  The Vasco DIGIPASS device is a small smart-card reader that resembles a pocket calculator. It allows the cardholder to insert their card, enter the transaction details, and produce a one-time authorization code that can be entered into a web page (like a CVV2 code, but cryptographically secure.) It's a sealed device that is electrically air-gapped from everything apart from the batteries and the card, so it is unhackable from on-line threats. Such devices are used to secure on-line banking transactions. The only thing it can't protect against is users being duped by fraudulent web sites: "paypa1.com" type threats, phishing, etc.
  They're cheap and simple devices that some European banks give out to their customers.
  
  --
  John
20. Re:Chip & Pin by Rich0 · 2014-01-28 08:08 · Score: 1
  
  October 2015. At least the Chip part. The PIN part will be optional (unfortunately). The national retailer association wants it to be mandatory but MasterCard and Visa don't for some reason.
  Mastercard and Visa get paid by the transaction I imagine. They really don't care if they're legit or not - if they aren't then the members of the national retailer association pay the bill. I can't imagine why there is a difference of opinion... :)
21. Re:Chip & Pin by Rich0 · 2014-01-28 08:10 · Score: 1
  
  But there's still the issue of card not present transactions. Until you find a viable solution for that, the scammers will always have an avenue for fraud.
  I'd put the console on the card itself (keypad and small LCD display). Then I'd include USB and acoustic modem interfaces. Now you can handle card not present just fine. The "card" would cost more, but it would make sense to make it a generic device that can support any number of payment accounts. It could still be easily pocket sized - probably smaller than a PCMCIA card.
thank god by Anonymous Coward · 2014-01-25 14:09 · Score: -1

Thank god these are all stores i don't shop at.
1. Re: thank god by Anonymous Coward · 2014-01-25 14:25 · Score: -1
  
  Thank God no one here gives a fuck
2. Re:thank god by pspahn · 2014-01-25 18:05 · Score: 2
  
  You might not, but the rest of us have mothers, aunts, sister-in-laws, girlfriends, wives, daughters (and all their male counterparts in some cases) that require us to shop at Michael's at least once a year. Typically around either the first week or two of May, or in the few days running up to Dec. 25.
  There was a time, though, that Michael's was a fun place to shop. If you didn't have a Hobby Lobby or the like, it was the best place to buy model rockets and the like.
  
  --
  Someone flopped a steamer in the gene pool.
Point of Sale Network Access by Luthair · 2014-01-25 14:22 · Score: 2

There is an easy solution to this problem - don't put point of sale systems on a network with external access. At the minimum one should limit the network addresses these systems are allowed to access.
1. Re:Point of Sale Network Access by beelsebob · 2014-01-25 14:25 · Score: 1
  
  Who says external access was required?
2. Re:Point of Sale Network Access by Anonymous Coward · 2014-01-25 14:38 · Score: 0, Insightful
  
  There's an even easier solution: don't store cardholder information in a database
  There is no need to save credit card numbers, expiration dates, CVV2 codes, and personally identifiable information once the authorization of charge has been obtained. None whatsoever.
  Getting an auth code means you're getting your money. You don't need to store my entire credit card number.
3. Re:Point of Sale Network Access by Luthair · 2014-01-25 14:38 · Score: 1
  
  If network access isn't required then all of these PoS attacks are either inside jobs or involve break-ins which hasn't been indicated for any of them.
4. Re:Point of Sale Network Access by Anonymous Coward · 2014-01-25 14:42 · Score: 0
  
  easy returns?
5. Re:Point of Sale Network Access by Anonymous Coward · 2014-01-25 14:50 · Score: 0
  
  That's it, really. They are careless with *your* private information. They collect it, not because they need it, but because they want it. Are they held responsible for any problems and costs associated with their carelessness?
6. Re:Point of Sale Network Access by NonSequor · 2014-01-25 15:16 · Score: 1
  
  Target has a system where you can return anything without a receipt if you can show the credit card the item was purchased with. Plus Target makes heavy use of data to track customers. Not that that's a good thing.
  I would have to guess that Target views these things as strategic advantages over their competitors and they may have a culture which views IT infrastructure only as a means to further develop these advantages. In that kind of environment, "what we can do if we hold onto this data" is going to trump security concerns.
  It's kind of interesting that a concept of user data being innately dangerous to hold onto hasn't taken hold in the same way that the concept of raw chicken being innately dangerous to hold onto. Most industries where users can get hurt have some sort of "hygiene" practices that ensure segregation of dangerous materials if followed rigorously. Continuing on the raw chicken metaphor, the current state of things seems to be as if the health inspector had to analyze the design of every machine and process in the meat packing plant to determine whether it's safe.
  PCI seems to be intended to tackle this, but it doesn't seem to be stringent enough to do the job.
  
  --
  My only political goal is to see to it that no political party achieves its goals.
7. Re:Point of Sale Network Access by penix1 · 2014-01-25 15:17 · Score: 2
  
  Are they held responsible for any problems and costs with their carelessness?
  They sure are... Have you been in a Target since their breech? It is a ghost town in the one here.
  
  --
  This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
8. Re:Point of Sale Network Access by TheGratefulNet · 2014-01-25 15:25 · Score: 1
  
  I've had the receipt for the few times I've had to return things at target.
  I was amazed how fast it can be done. from when you get to the counter with your item to the time you leave, its often less than 1 minute, sometimes as short as 10 seconds. I kid you not! I've never seen anything like that before. walk in, 10 seconds and you're out.
  gotta give them credit for how fast they can process returns, assuming you have the receipt and your credit card or license (the magstrip does speed things along).
  
  --
  
  --
  "It is now safe to switch off your computer."
9. Re:Point of Sale Network Access by Anonymous Coward · 2014-01-25 15:51 · Score: 0
  
  The easy answer is hardware encryption on the swipers. The technology has existed for years. That way sensitive information is isolated all the way to the processor where extraordinary security measures can be focused. Take a look at Magtek, IDTech and Cashier Live. Go ahead and scape ram and get nothing but tough to crack hardware encryption.
10. Re:Point of Sale Network Access by Anonymous Coward · 2014-01-25 15:53 · Score: 0
  
  There is an easy solution to this problem - don't put point of sale systems on a network with external access.
  Doesn't do a single thing to keep someone from putting a skimmer on a card reader somewhere
11. Re: Point of Sale Network Access by Anonymous Coward · 2014-01-25 15:54 · Score: 0
  
  But how else are we going to track or customers so we know who to send coupons to?? :(
12. Re:Point of Sale Network Access by Anonymous Coward · 2014-01-25 16:28 · Score: 0
  
  easy returns?
  The credit card number is not required for that. All you need is the transaction confirmation number issued by the payment processor and they will issue the refund to the card. Scanning the barcode on the issued receipt should be enough to pull up the entire transaction + transaction confirmation number.
  It is literally brain-dead stupid to store card information. All integration documents from payment processors that I've worked with has had "no card information needs to be stored" stamped on it in big bold letters everywhere around the documentation and illustrative examples for processing credit card payments over the Internet.
13. Re:Point of Sale Network Access by TwoBit · 2014-01-25 16:34 · Score: 1
  
  That's not how the hack worked. The hackers had software on the POS machines that read the RAM of the machines and when the card info was briefly in RAM during the transaction the hackers grabbed it.
  A better question is one of why these POS machines don't have a more locked down OS that allows only signed processing from running. XBox, Playstation, and iPhone have been doing this successfully for years, so surely commercial POS machines could.
14. Re:Point of Sale Network Access by Anonymous Coward · 2014-01-25 16:52 · Score: 0
  
  I've always wondered why Target is able to do state of the art data analytics (e.g., determining that a 16-year old customer was pregnant) without relying on either a store-branded credit card (although they have started pushing one just in the past few months) or a free 'rewards' card. What do they know that other stores don't? It turns out their 'data hygiene' is not so customer friendly. Maybe this sort of thing needs to be subject to legislation.
15. Re:Point of Sale Network Access by Anonymous Coward · 2014-01-25 16:52 · Score: 0
  
  On Dec 23rd I drove to a mall containing a Target store.
  It was 10pm, and dozens of people were entering the store, and many were leaving with shopping carts filled to the brim ... /anecdote
16. Re: Point of Sale Network Access by Anonymous Coward · 2014-01-25 17:03 · Score: 1
  
  As someone who worked in one of Targets data centers, I can assure you those cash registers did not have direct internet access.
  From what I read the hackers gained access to a server which they then setup an ftp server on. A netbios share was activated at a certain time of the day and information was then sent to that ftp server.
17. Re:Point of Sale Network Access by Jah-Wren+Ryel · 2014-01-25 17:12 · Score: 1
  
  They sure are... Have you been in a Target since their breech? It is a ghost town in the one here.
  Sounds like it was a ghost town before the breach too. In my case, I've been to the nearest store about a dozen times and it has been no different than before the news broke. I always use cash so it made no difference to me.
  
  --
  When information is power, privacy is freedom.
18. Re:Point of Sale Network Access by cusco · 2014-01-25 18:17 · Score: 1
  
  It's a RAM scraper attack on the POS machines, not a database dump off the mainframe. It's hard to believe that people don't know the difference. Oh, you're too dumb/lazy to actually figure out how to log in with an account, I guess that explains it.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
19. Re:Point of Sale Network Access by Anonymous Coward · 2014-01-25 18:57 · Score: 0
  
  But... but... how will they track your purchases and sell your information to advertisers if they only keep the auth code?
  Obviously you haven't thought this through enough.
20. Re:Point of Sale Network Access by plover · 2014-01-27 02:20 · Score: 1
  
  There's an even easier solution: don't store cardholder information in a database
  There is no need to save credit card numbers, expiration dates, CVV2 codes, and personally identifiable information once the authorization of charge has been obtained. None whatsoever.
  Getting an auth code means you're getting your money. You don't need to store my entire credit card number.
  Go read the analysis of the BlackPOS malware at Krebs. He says that the attack that hit Target was done with a RAM scraper. It wouldn't matter if Target stored the data or not, or if they used SSL or not, the malware read the card data as soon as it was in the memory of the register.
  
  --
  John
21. Re:Point of Sale Network Access by Anonymous Coward · 2014-01-27 08:41 · Score: 0
  
  If network access isn't required then all of these PoS attacks are either inside jobs or involve break-ins which hasn't been indicated for any of them.
  You forget social engineering as a third option. "I'm here from PoS maintenance. Need to make sure the flux capacitor is capacitating and that the streams are not crossed." It's not the most talked about attack vector for no reason.
Just wait by ArchieBunker · 2014-01-25 14:24 · Score: 4, Interesting

As soon as the cost of chip and pin is less than the cost of security breaches they will switch. My US credit cards have problems in Canada now because everything there expects chip and pin.

--
Only the State obtains its revenue by coercion. - Murray Rothbard
1. Re: Just wait by Anonymous Coward · 2014-01-25 14:47 · Score: 0
  
  Some one is going to have to explain how chips are more secure than a mag strip. If it can be read it can be copied.
  Is it that the chip can distinguish between a store's reader and my reader and therefore it will lie or just keep quiet to my reader?
  Or does the chip generate one time pads for each transaction?
  I honestly don't have a clue.
2. Re:Just wait by Hamsterdan · 2014-01-25 14:52 · Score: 2
  
  The chip is not there to protect customers interests. It's there so the store (or bank in my case) can say: Nope, your card wasn't copied, the chip was used at the ATM.
  (Royal Bank of Canada)
  
  --
  I've got better things to do tonight than die.
3. Re: Just wait by Anonymous Coward · 2014-01-25 15:20 · Score: 3, Informative
  
  Do you even know how smart cards work? I'll summarize it for your lazy ass since you cannot be bothered to educate yourself: you upload details of a transaction to the smart card which signs that specific transaction with a unique, card specific key that cannot be (cost effectively) read without destroying the card. This changes the economics of hacking credit card transactions greatly, meaning the average hacker would rather give up and get a day job than waste the effort required to obtain the secret keys guarding a significant number of credit cards.
  fuck /.
  the astrophysicists are long gone
  and you least common denominator assholes are worthless
4. Re: Just wait by TheloniousToady · 2014-01-25 15:29 · Score: 3, Informative
  
  For those of you who don't see Anonymous Coward posts, here's some good info about how smart cards work from the AC parent:
  
  You upload details of a transaction to the smart card which signs that specific transaction with a unique, card specific key that cannot be (cost effectively) read without destroying the card. This changes the economics of hacking credit card transactions greatly, meaning the average hacker would rather give up and get a day job than waste the effort required to obtain the secret keys guarding a significant number of credit cards.
5. Re: Just wait by Anonymous Coward · 2014-01-25 16:25 · Score: -1
  
  Well now that you put it like that, fuck you. I no longer care.
6. Re:Just wait by Mashiki · 2014-01-25 17:26 · Score: 1
  
  Yeah that's not legal in Canada, just a FYI. The feds cracked down hard on them for trying that one. Doubly true since there are now chip skimmers out there that can duplicate the chip. Though they're very rare at the moment. Even with that, you'll find that most of the banks in Canada are now partnering with either Visa or MC for loss coverage on chip&pin cards.
  
  --
  Om, nomnomnom...
7. Re: Just wait by Anonymous Coward · 2014-01-25 18:04 · Score: -1
  
  BAh, I was right and you are an asshole. Those chips can be duplicated. Once again, fuck you.
8. Re: Just wait by beelsebob · 2014-01-25 19:50 · Score: 2
  
  Some one is going to have to explain how chips are more secure than a mag strip. If it can be read it can be copied.
  It can't be read. It can only be queried. You give it an input, it gives you an output.
  In the same way as you can't get from a hash (the output) to the actual stored contents, you can't get from the output of a credit card chip, to the stored contents of the chip.
9. Re:Just wait by Solandri · 2014-01-25 19:54 · Score: 1
  
  As soon as the cost of chip and pin is less than the cost of security breaches they will switch.
  That's just it. The credit card companies have shifted the cost of fraud to the merchants, so chip and pin will probably never be cheaper than the cost of a security breach to them.
  
  That's the real fundamental problem here. The credit card companies have made the merchants pay for fraud, and the merchants have no leverage to improve the security of credit card machines or networks. Heck, most merchants don't even know how the machines work, they're a magic black box to them.
  
  Any time you decouple profit from costs, you're just asking for trouble. Market solutions fail in these cases because there is no cost incentive for the person creating the problem to fix it. The classic example is pollution - the polluter reaps the profits from an activity while society bears the cost. Same thing is going on with credit cards. The credit card issuers create the card system, its network, and its (lack of) security, and reap the per-transaction profit; but the merchants pay for fraud. Consequently there is no economic incentive for the credit card issuers to improve the security of the system - doing so just increases their costs.
10. Re:Just wait by Dunbal · 2014-01-26 00:00 · Score: 1
  
  Cost of breaches? My dear sir, haven't you noticed that banks are now too big to fail? There is no cost to anything for a bank. If there is a cash flow problem simply go talk to uncle Ben and he'll hand you another few interest free billions - much easier than actually having to work (gasp) for your money. Consequences are for the little guy. When he gets in trouble we buy him up cheap. But seriously do you know how HARD it would be to actually secure the network? It's not like the card holder is responsible anyway - at least not directly. We'll just destroy the value of his currency and the solvency of his government and pretend to fix the problems while doing nothing at all. It's better for everyone trust me.
  
  --
  Seven puppies were harmed during the making of this post.
11. Re: Just wait by Dunbal · 2014-01-26 00:03 · Score: 1
  
  You are trying to secure something that is inherently insecure. Currency is not art. It is DESIGNED to be given to someone else. That's its function. Be it a coin or a cheque or a magnetic strip or a bunch of TCP/IP packets, there will always be a way to hijack currency simply because currency has to move from person A to person B. All you need to do is figure out how to stand between them. Theft is the ultimate "man in the middle".
  
  --
  Seven puppies were harmed during the making of this post.
12. Re:Just wait by ScentCone · 2014-01-26 02:30 · Score: 1
  
  The chip is not there to protect customers interests. It's there so the store (or bank in my case) can say: Nope, your card wasn't copied, the chip was used at the ATM.
  And being able to know that and prevent use of a cloned card IS in the customer's interest. You're making it sound like those two things are mutually exclusive.
  
  --
  Don't disappoint your bird dog. Go to the range.
13. Re:Just wait by Muad'Dave · 2014-01-27 04:31 · Score: 1
  
  Bank Of America is planning to support Chip & Signature, not chip & PIN.
  
  --
  Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
14. Re:Just wait by Rich0 · 2014-01-28 08:03 · Score: 1
  
  The chip is not there to protect customers interests. It's there so the store (or bank in my case) can say: Nope, your card wasn't copied, the chip was used at the ATM.
  And being able to know that and prevent use of a cloned card IS in the customer's interest. You're making it sound like those two things are mutually exclusive.
  Well, the chip doesn't guarantee that it wasn't cloned. It just guarantees that if it was cloned it becomes the consumer's problem. It also makes it much harder to clone.
15. Re:Just wait by Hamsterdan · 2014-01-28 13:48 · Score: 1
  
  That's my point. Their argument is since the card was used with the chip, and that it can't be cloned (not entirely true), it's *my* problem, not theirs. So, as you said, it's a way to put the losses on the customer.
  
  --
  I've got better things to do tonight than die.
16. Re:Just wait by Hamsterdan · 2014-01-28 13:50 · Score: 1
  
  Not legal to have the customer eat the losses? I'll have to look further into it, I already contacted the ombudsman about that. Does it apply to ATM cards or just credit cards?
  
  --
  I've got better things to do tonight than die.
Re:SCADA is next by Billly+Gates · 2014-01-25 14:54 · Score: 0

Sadly until breaches like this occur the more MBAs will listen to those annoying cost centers and view them with value and listen. Reason they are on internet is because the suits said so and the accountants whined about having real time access.
Maybe if congress is involved they can make regulation requiring secure operating systems with ASLR which scramble ram. Windows 7 and MacOSX have it and I think can support it via a patch with 3.0 or higher. Crosses fingers for redhat 7.Also POS equipment is SUPPOSED to be upgraded every 2 to 3 years just like browsers. Guess who says NO? The MBAs who feel if it ain't broke don't fix it. Here here for insurance companies forcing them to follow manufacture requirements

--
http://saveie6.com/
Easy one to catch by formfeed · 2014-01-25 15:03 · Score: 4, Funny

Put a block on your card to issue a warning as soon as someone buys anything with your credit card other than scrap-booking supplies or boxed wine.
1. Re:Easy one to catch by rueger · 2014-01-25 18:31 · Score: 1
  
  Damn. You had me right up to "boxed."
  
  --
  Three Squirrels
nsa by issicus · 2014-01-25 15:23 · Score: 0

to bad all those nsa snooping computer can't find a hacker...
1. Re:nsa by Anonymous Coward · 2014-01-25 15:45 · Score: -1
  
  Or these activities are a part of its black budget.
2. Re:nsa by Anonymous Coward · 2014-01-26 04:47 · Score: 0
  
  hard to do when it is an inside job and you are looking for SPIES and terrorism, and spying only on a small number of the population.
  What I find interesting is that so many think that NSA SHOULD be looking for this, when in fact, it would require spying on EVERYBODY. Yet, so many will then scream about the spying.
Would Chip and Pin Have Prevented This? by raftpeople · 2014-01-25 16:44 · Score: 1

The data was stolen from the POS device's ram during the brief amount of time it was there. Would Chip and Pin prevent using any of that data later on? Seems like the pin would have to be in mem at some point also, but I don't really know.
1. Re:Would Chip and Pin Have Prevented This? by beelsebob · 2014-01-25 19:54 · Score: 1
  
  Yes, it would. The pin is given to the chip without it ever interacting with firmware or RAM (it's transmitted from keypad to chip).
  Even if that weren't so though, the terminal never knows what account is processing the transaction. It simply sends the transaction details to the chip, which produces a signed transaction (with the pin, and some secured data stored on it). The signed transaction is sent to the bank, who can then use it to extract money from the correct account.
2. Re:Would Chip and Pin Have Prevented This? by Rich0 · 2014-01-28 08:07 · Score: 1
  
  Yeah, I'd think they could steal the PIN, or tamper with the amount of the current transaction, but they couldn't actually create new transactions without having the chip present.
  I think a better design would be putting the keypad and display on the card itself as that eliminates just about every way to tamper with a transaction I can think of, but as long as each transaction is individually signed and the chip throttles signature requests (one per insertion/removal) then the potential for abuse is pretty limited.
Only the US? by Anonymous Coward · 2014-01-25 16:49 · Score: 0

Because they have a few stores in Canada as well, so I'm worried.
Been there, seen it already by c0lo · 2014-01-25 17:08 · Score: 1

This is because CONservatives... don't give a damn about security. They never have. They don't care about us peons that are their customers. I bet their upper management is celebrating how they've screwed-over the average Joe. Those GOPpers always enjoy that.
... and ...

the U.S. Secret Service has confirmed it is investigating
I know where this is leading. The attack will be likened to "9/11 on retail", and:
* the "Providing Appropriate Tools Required to Intercept and Obstruct Tampering of POS bill of 2014" - also know as "the PATRIOT-POS v2014 act";
* it will be required those POS-es be operated from behind reinforced doors, but since the retail industry will complain about the cost...
* ... the "Retail Security Agency" will be created under the DHS; it will buy and operate (on public funds, of course), "nude scanners" at the entry of each retail shop (after all, those POS-es were physically tampered... a nude scanner will certainly help detecting... ummm... POS tampering devices);
* after a while, the customers will be required to take off their shoes before enter a retail shop
* the stores will no longer allow entry while carrying bottle of liquids more than 3.4 ounces, etc and ...;
* ... to help the above, those stores will no longer sell liquids in bottles larger than 3.4 ounces - (yay, packaging industry and mayor Bloomberg... no longer sugary soda drinks in large cans);
...
* NSA will intercept and store the transactions recorded at each POS (the Utah stae will need extra energy capacity for the three new secretd NSA data centers). Now, mind you, this will be strictly legal (after all, it's only metadata... not like NSA would intercept any of the money or merchandise exchanged during the shopping), with safeguards implemented by FISA-courts and congressional supervision; you can trust them on that.
(what? you point to my tin-foil hat? Well... you asked to be taken care of, as a peon and average Joe that is their customer).
(grin)

--
Questions raise, answers kill. Raise questions to stay alive.
1. Re:Been there, seen it already by Dunbal · 2014-01-25 23:48 · Score: 2
  
  You're in the right direction but not thinking radically enough. The US will want all financial transaction data everywhere. Cos, you know, "terrorists". Go on, let Uncle Sam into your wallet. Surely you have nothing to fear if you have nothing to hide, citizen. Oh by the way we've noticed you have too much money, more than your "fair share". Somewhere buried in the 13,000 odd pages of US tax code there's something you or your accountant missed, your money is ours now. Hand it over quietly and maybe we don't throw you in jail.
  
  --
  Seven puppies were harmed during the making of this post.
2. Re:Been there, seen it already by bondsbw · 2014-01-26 03:02 · Score: 1
  
  And at the end of the day, it's always... ALWAYS... about those in power vs. those who are not.
  Those in power love those who aren't to be fighting internally over conservative vs. liberal issues. Those in power know it's important to appear to be hostile towards each other, but when the TV cameras are off you'll find them sleeping in the same bed.
  
  --
  All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
3. Re:Been there, seen it already by Anonymous Coward · 2014-01-26 03:06 · Score: 0
  
  And at the end of the day, it's always... ALWAYS... about those in power vs. those who are not.
  Those in power love those who aren't to be fighting internally over conservative vs. liberal issues. Those in power know it's important to appear to be hostile towards each other, but when the TV cameras are off you'll find them sleeping in the same bed.
  You sure? I mean, I thought each of them are wealthy enough to afford a bed on their own.
watch, going to be much worse by Anonymous Coward · 2014-01-25 17:24 · Score: 0

this so called card skin game is going to be a few billion more ... i just reported a half dozen fraud charges, made at stores near my home, with my pin. no, did not share or write pin, this is scary. have not used card at any of these admitted breached company.
Time for TECH / IT UNIONS by Joe_Dragon · 2014-01-25 18:40 · Score: 2

So the tech workers have the power to get stuff done and the MBAs take the blame for there mess ups.
Submitter by Anonymous Coward · 2014-01-25 21:11 · Score: -1

Meet Asiana Airline pilots: Captain Sum Ting Wong, Wi Tu Lo, Ho Lee Fuk and Bang Ding Ow?
1. Re:Submitter by Anonymous Coward · 2014-01-26 16:06 · Score: 0
  
  Whoosh-o-rama! Off topic? Maybe. If any one was a troll, it would be the submitter with a pseudonym phonetically misspelling his pseudonym to look like a Vietnamese name sounding like pseudonym.
Chip/PIN by Gigadafud · 2014-01-26 01:00 · Score: 1

Are there any credit cards in the US that actually offer the "newer" CHIP/PIN cards? I am also assuming that the readers have to recognize these cards as well.....
1. Re:Chip/PIN by WindBourne · 2014-01-26 04:43 · Score: 1
  
  nope. BUT, in light of the money lost on Target, I am guessing that is about to change.
  
  --
  I prefer the "u" in honour as it seems to be missing these days.
2. Re:Chip/PIN by wkk2 · 2014-01-26 09:15 · Score: 1
  
  I asked Chase and they didn't seem to know what I was talking about. Citi was able to replace my card with a chip/pin card. Get one before you travel or you might need to leave your stuff a a restaurant while going to an ATM.
3. Re:Chip/PIN by Muad'Dave · 2014-01-27 04:34 · Score: 1
  
  Bank of America is doing Chip & Signature.
  
  --
  Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
Or.... by Anonymous Coward · 2014-01-26 04:23 · Score: 0

You could put a frequency broadcaster in the loop, a physical hack. The NSA does.
Another inside job by Anonymous Coward · 2014-01-26 04:42 · Score: 0

Michael's outsourced their IT. Interestingly, this is NOT their first time for being cracked. You would think that they would learn.
Anybody a victim of Michael's, Neiman Marcus, or Target? Sue them LARGE.
No Chip & Pin? Carry Cash. by !-!appy_!!arnian · 2014-01-26 12:41 · Score: 1

Until chip and pin, I guess I'll have to carry cash. That waitress at the restaurant taking my card and coming back with it a few minutes later - has always unnerved me.

--
To serve only self is the ultimate slavery.
Not the story... by Anonymous Coward · 2014-01-26 12:46 · Score: 0

The theft of passwords is not the story.
It's the theft of real names, addresses, and such along with user names, and those questions we use to reset our passwords. That can reset Your password elsewhere after You change it.