Slashdot Mirror


Target and Trustwave Sued Over Credit Card Breach

jfruh (300774) writes "Security vendors like Trustwave can make big bucks when major companies decide they don't have the internal resources to handle their cybersecurity needs. Unfortunately, when taking on security chores, you also take on security liabilities. In the wake of Target's massive credit card security breach, both Target and Trustwave are now on the receiving end of a class action lawsuit, in part backed by banks that had to issue thousands of new credit cards." The filing, and a bit more from El Reg: "It's against Target, however, that the most serious allegations are levelled. The class action led by Trustmark National Bank and Green Bank, say the retailer should not have allowed an outside contractor the access to its network that brought about the breach, and that it violated federal and state laws in storing the credit card data on its network."

87 comments

  1. Sad to see it takes a lawsuit ... by UnknownSoldier · · Score: 4, Insightful

    ... for companies to get their shit together about their lax security policies.

    It is too bad temp credit cards (1-time use, 3-time use) aren't more practical.

    1. Re:Sad to see it takes a lawsuit ... by sconeu · · Score: 4, Informative

      AMEX used to provide this for on-line purchases. Alas, they discontinued about 7 or 8 years ago.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    2. Re:Sad to see it takes a lawsuit ... by Anonymous Coward · · Score: 0

      That's reality - human nature.

      Get away with what you can. It ain't limited to "doze evul korporashuns".

      Watch drivers at a stop sign in the middle of nowhere. Way too many will roll the stop sign - if they don't just blow right through it.

    3. Re:Sad to see it takes a lawsuit ... by UnknownSoldier · · Score: 1

      The context is a little different in that case though. If no one is around, and you can visibly see that, no one gets hurt if you blow through the stop.

      In Target's case, vulnerabilities were found, were reported, were ignored, and then thousands of people's personal financial information are open to be abused.

    4. Re:Sad to see it takes a lawsuit ... by lgw · · Score: 2

      In Target's case, vulnerabilities were found, were reported, were ignored,

      In Target's case the intrusion was found, automatically reported, and ignored, weeks before the actual theft of CC numbers.

      This has all the makings of a "gross negligence" tort, which is the criminal justice system for corporations.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    5. Re:Sad to see it takes a lawsuit ... by hermitdev · · Score: 1

      Watch drivers at a stop sign in the middle of nowhere. Way too many will roll the stop sign - if they don't just blow right through it.

      Middle of nowhere? I see it in the middle of town all the time. Worse yet, it's pretty frequent to see the cops do it, too (lights/siren off).

    6. Re:Sad to see it takes a lawsuit ... by gstoddart · · Score: 1

      Middle of nowhere? I see it in the middle of town all the time.

      No kidding. I can't count how many times I've been proceeding through a green light on a road and the idiot coming to the red light is half way into the intersection to turn right before he turns to look to see if there's any oncoming traffic.

      I can't even begin to understand how "I'll decide if I should stop 20 feet past the stop line when I'm already in the intersection and then look" becomes the way people drive.

      They half run the light to turn right on red before they have any idea if there isn't already a bus in the lane they're entering.

      --
      Lost at C:>. Found at C.
    7. Re: Sad to see it takes a lawsuit ... by valdezjuan · · Score: 1

      It is sad but hopefully companies (and others) will realize that compliance with things like PCI doesn't really mean all that much, though I think it will take a few more.

    8. Re:Sad to see it takes a lawsuit ... by UnknownSoldier · · Score: 1

      Thanks for the clarification.

  2. Banks are responsible too by hawguy · · Score: 4, Insightful

    Banks hold some of the responsibility too -- why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen? They claim that the merchants don't want to pay to install new credit card readers, yet only the banks have the power to force it on them (through fee penalties for those that still use magstripes, or an outright mandate requiring new scanners). Even merchants that *want* to use safer technology can't do anything to make the banks issue the new cards.

    1. Re:Banks are responsible too by brunes69 · · Score: 3

      The banks ARE making moves here.

      All card terminals in the US need to accept chip & PIN by 2015 because the banks will be mandating it. It's coming like a tidal wave and US retailers are turning a blind eye, hopefully the banks and Visa/MC hold steadfast in the requirement.

      It should be embarrassing to the USA that every single other OECD nation on the planet switched to Chip & PIN 5-10 years ago. The USA does not always HAVE to be different. Sometimes going with the flow is the more intelligent choice.

    2. Re:Banks are responsible too by gewalker · · Score: 1

      Unfortunately, the way the credit card companies work, most of the damage is externalized onto the merchants (via reversed charges) and ultimately the consumers -- via higher prices & fees. Of course, this is hardly accidental. Target is certainly guilty of lots of stupidity, but the real players won't change their ways until they really feel the pain -- the whole system is far too easy for the black players to game. So much business is depending on CC transactions, most businesses have little choice but to play the game.

      This pain could be regulatory, financial losses, etc. But, no pain, no improvement.

    3. Re:Banks are responsible too by EvilSS · · Score: 1

      Banks hold some of the responsibility too...

      Ethically, yes, they do. Legally? Well, they made sure the laws didn't work that way. As for merchants not wanting to ditch magstripes, the national retailers have wanted to ditch them for a while (oddly, around the same time PCI came into existence). It's the banks dragging their feet over it. The cards cost more and there are questions about how Chip and PIN transaction costs will work (as a swipe transaction or a PIN transaction) and what networks they will use.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    4. Re:Banks are responsible too by way2trivial · · Score: 4, Interesting

      Not precisely correct.

      Chip & pin is coming, it's not mandatory on merchants (yet) but if fraud is indicated and the merchant failed to have a chip terminal, and the customer has a chipped card the merchant will lose the chargeback automatically.

      Liability shift, will now be on one of two entities.
      The merchant, for not having the terminal, or the consumer, for not protecting their pin.

      the liability also shifts almost 100% OFF the card issuing bank....
      (the real reason)

      --
      every day http://en.wikipedia.org/wiki/Special:Random
    5. Re:Banks are responsible too by brunes69 · · Score: 2

      .. and all customers will have chipped cards by October.

    6. Re:Banks are responsible too by Misch · · Score: 1

      Target doesn't want to ditch the magstripe. They do incredible amounts of data mining based off of data on the magstripe.

      See: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did.

      Chip-and-Pin doesn't provide magstripe data to Target. Target can't build its demographic data. That's going to hurt sales.

      --
      You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
    7. Re:Banks are responsible too by Anonymous Coward · · Score: 0

      The banks ARE making moves here.

      All card terminals in the US need to accept chip & PIN by 2015 because the banks will be mandating it..

      We've had chip and PIN since at least 2011 in Canada. Why is the US waiting until 2015? Do the "too big to fail" investment banks need more time to figure out how to profit?

    8. Re:Banks are responsible too by Anonymous Coward · · Score: 0

      In the United States, the customer will still be protected against liability as mandated by law, having a chipped card does not shift the liability onto them.

    9. Re:Banks are responsible too by hawguy · · Score: 2

      Target doesn't want to ditch the magstripe. They do incredible amounts of data mining based off of data on the magstripe.

      See: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did.

      Chip-and-Pin doesn't provide magstripe data to Target. Target can't build its demographic data. That's going to hurt sales.

      If that's the case, they'll just have to do it the old fashioned way -- with affinity cards "Swipe your TargetPoints card and save $$$!".

      It's not necessarily the case that chip-and-pin removes the ability for merchants to do customer tracking -- just because the card number is encrypted and protected doesn't mean that no unique identifying information is sent in the clear to let a merchant recognize a returning customer.

    10. Re:Banks are responsible too by rsborg · · Score: 2

      Not precisely correct.

      Chip & pin is coming, it's not mandatory on merchants (yet) but if fraud is indicated and the merchant failed to have a chip terminal, and the customer has a chipped card the merchant will lose the chargeback automatically.

      Liability shift, will now be on one of two entities.
      The merchant, for not having the terminal, or the consumer, for not protecting their pin.

      the liability also shifts almost 100% OFF the card issuing bank....
      (the real reason)

      I wonder how this will impact online payments - how will chip/pin be supported there?
      Given most of my CC activity is online, I fathom this is a huge loophole to the new security structure...

      --
      Make sure everyone's vote counts: Verified Voting
    11. Re:Banks are responsible too by Anonymous Coward · · Score: 1

      Chip & pin is not the answer. The answer is a new system that has the pin pad on the card itself and only releases an authorization number that is valid for the merchant in which they are paying for the amount in which the customer has agreed to. Such a system should work regardless of whether the merchant is online or off. The responsibility should fall on the purchaser to protect their PIN. There is no good reason that stores should have to accept liability for fraudulent purchases when the financial institutions haven't built a system that allows for merchants to protect themselves.

    12. Re:Banks are responsible too by Anonymous Coward · · Score: 2, Interesting

      All this despite the fact that chip+pin is just as vulnerable as swipe+sign, and nobody here wants it except the banks.

      Putting the liability on anyone other than the bank is just bullshit, and I, for one, will refuse to support it for as long as I possibly can. Here's why:

      The merchant and the buyer don't know each other. The bank knows the buyer. The bank knows the merchant. Thus the bank is the only one qualified to authorize the transaction. If either of the other parties says that the agreement was not upheld to their satisfaction, it's the bank's job to arbitrate, judge, and carry out a decision about the transaction. Thus all onus must be on the bank. And if the bank made a bad call by doing business with a crook (either by issuing them a card or by allowing a fraudulent transaction to pass as valid), then the bank must be on the hook for the transaction. Chip+pin is the banks' way of dodging their responsibility. I refuse to let them off with that free pass without as much of a fight as I can muster.

    13. Re:Banks are responsible too by Anonymous Coward · · Score: 2, Insightful

      Speaking as a Canadian with chip&pin credit cards that have been used on-line, chip & pin isn't supported.

      You key your credit card number in 1 field
      You key your 3 digit "security code" (printed on the back of the card) in a different field.

      You don't use your personal pin anywhere on-line to purchase things ... and of course the chip doesn't come into play at all.

    14. Re:Banks are responsible too by Anonymous Coward · · Score: 0

      1970's era magstripe technology

      Wow, you Republicans are always trying to fuck us over by throwing-up smoke screens. The mag stripes were not what was attacked in this case. It was the right-wing IT department at that right-wing corporation that decided to fuck the poor and minorities over by giving-out the numbers. No amount of trying to put small businesses out of business by not allowing them to accept credit cards by making the readers cost more than they can afford will help with what they did. Please stop being so anti-small business. You Republicans are disgusting.

    15. Re:Banks are responsible too by Anonymous Coward · · Score: 0

      Wow, you Democrats are always trying to fuck us over by throwing-up smoke screens. The mag stripes were not what was attacked in this case. It was the left-wing IT department at that left-wing corporation that decided to fuck the poor and minorities over by giving-out the numbers. No amount of trying to put small businesses out of business by not allowing them to accept credit cards by making the readers cost more than they can afford will help with what they did. Please stop being so anti-small business. You Democrats are disgusting.

    16. Re:Banks are responsible too by Anonymous Coward · · Score: 0

      I'm sorry, I must have missed something here: how does Chip & PIN improve security again? It (and Paywave) has been broken in Europe for how long now?

    17. Re:Banks are responsible too by IamTheRealMike · · Score: 0

      It improves security by preventing card cloning, which is one of the key ways the US card system is defrauded. It is not "broken" in Europe, so your latter question is irrelevant. You are probably thinking of academic papers which did what academics do: probe the system for weaknesses and published their research, which often led to fixes (except when their attacks were so convoluted nobody actually does them in practice). This is common to all security systems everywhere and is one way they get better. However magstripe cards don't incrementally improve this way because they're so fundamentally broken there's no point researching them.

      If you need further encouragement, consider that America has 5% of the worlds population, 25% of the worlds credit cards and over 50% of the worlds credit card fraud.

    18. Re:Banks are responsible too by melting_clock · · Score: 0

      I realise that this is a US based issue but I've spent a lot of time in the US in recent years. I first needed chip and pin for trips to Europe where it was rapidly becoming the only option available. Australia (home) shifted to chip and pin being preferred a few years ago. Now my bank is saying that only my PIN can be used for in store purchases. A signature will not work... On my last trip to the US, there were still many stores asking for signatures with credit cards so my next trip might be really painful.

    19. Re:Banks are responsible too by whoever57 · · Score: 1

      .. and all customers will have chipped cards by October.

      This simply isn't true. I just looked at a newly issued card and it doesn't have a chip. Furthermore, the one US card in my wallet that does have a chip is a chip and signature card. Not chip and PIN.

      --
      The real "Libtards" are the Libertarians!
    20. Re:Banks are responsible too by Fnord666 · · Score: 1

      I wonder how this will impact online payments - how will chip/pin be supported there? Given most of my CC activity is online, I fathom this is a huge loophole to the new security structure...

      The impact will be that the majority of CC fraud will move to online merchants.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    21. Re:Banks are responsible too by Fnord666 · · Score: 1

      The banks ARE making moves here.

      All card terminals in the US need to accept chip & PIN by 2015 because the banks will be mandating it.

      The banks are not mandating anything. The credit card networks dictate the conditions by which a merchant or a bank can participate in their system.

      One issue that hampers the conversion is the replacement of the card accepting terminals. The US has retailers that have more terminals in a single region than most OECD nations. That's a lot of hardware to replace for merchants who have not been held responsible for anything that happens when they don't.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    22. Re:Banks are responsible too by Trogre · · Score: 1

      Erm, banks are issuing cards with 2010's era paywave right now, and it's a major step backwards in security. We've gone from two-factor (swipe and PIN) to single-factor wave. Nothing safe about it.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    23. Re:Banks are responsible too by mjwx · · Score: 1

      Banks hold some of the responsibility too -- why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen? They claim that the merchants don't want to pay to install new credit card readers, yet only the banks have the power to force it on them (through fee penalties for those that still use magstripes, or an outright mandate requiring new scanners). Even merchants that *want* to use safer technology can't do anything to make the banks issue the new cards.

      I hate to break it to you, but brand new cards are coming out with NFC technology (Paywave and Paypass) that is even easier to steal your card details from than from the magstripe.

      Magstripes aren't a huge security flaw because they require physical access to the card (and yes, the card holder should be responsible for the card's physical security), but NFC allows card details to be stolen wirelessly so even if the user is taking all due care to physically protect the card, the details can still be stolen without the user's knowledge.

      And yes, Paywave/Pass gives out your card number, name and expiry date (everything on the front of the card) to any NFC transmitter asking for it. Even an Android phone with an NFC chip.

      Magstripes on the other hand are still on cards because they are practically guaranteed to work and are considerably less vulnerable to damage.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    24. Re:Banks are responsible too by DarwinSurvivor · · Score: 1

      All this despite the fact that chip+pin is just as vulnerable as swipe+sign, and nobody here wants it except the banks.

      Got a citation for that? I'm not claiming chip+pin is perfect, but it's a HELL of a lot better than a magnetic stripe you can read with a damned tape recorder head.

    25. Re:Banks are responsible too by Anonymous Coward · · Score: 0

      All this despite the fact that chip+pin is just as vulnerable as swipe+sign, and nobody here wants it except the banks.

      Got a citation for that? I'm not claiming chip+pin is perfect, but it's a HELL of a lot better than a magnetic stripe you can read with a damned tape recorder head.

      Who cares how you can read it, it will be read by the cash register ... so in this case for example how would it help at all to have a chip + pin, both pieces of data are in the cash register at the same time and could have been read from memory just as easily.

      What needs to happen is end to end encryption, the card reading device needs to be a self contained device that encrypts the transaction right away and pass that information on to the credit card processing people, instead of the card data being placed on a computer in between the reader and the processing center.

    26. Re:Banks are responsible too by DarwinSurvivor · · Score: 1

      What needs to happen is end to end encryption, the card reading device needs to be a self contained device that encrypts the transaction right away and pass that information on to the credit card processing people, instead of the card data being placed on a computer in between the reader and the processing center

      Actually no. The new chip+pin cards are actually smartcards that do their own processing on the card itself. I recommend doing some research before spouting false information about the chips being glorified memory cards.

    27. Re:Banks are responsible too by Trogre · · Score: 1

      why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen?

      Do you have shares in a card-chipping business?

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    28. Re:Banks are responsible too by Trogre · · Score: 1

      You're joking, right? As another poster has said, anyone with an NFC chip can read those cards.

      The PayWave system is also being pushed as a single factor payment system. Did you get that? Single. Factor. Wave your card at a cash register and you've paid for your meal. Or your colleagues.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    29. Re:Banks are responsible too by Kalriath · · Score: 1

      The readers cost $1000 in NZ. Probably $500 in the US. If your small business can't afford that, it probably can't afford the stock to sell either, making the whole point moot.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    30. Re:Banks are responsible too by DarwinSurvivor · · Score: 1

      Chip+pin is NOT tap-to-pay. Chip+pin is the system where you have to physically insert your card into the machine (where metal contacts talk to the chip) and then enter a pin that is verified by the chip.

      Tap-to-pay is a whole other system which I personally do not like and am disappointed that it is impossible to get a card without it in Canada (I've checked with multiple places).

    31. Re:Banks are responsible too by Trogre · · Score: 1

      Okay, fair call. My bad - I was targeting the ludicrous tap-to-pay system.

      I'm fine with chip+pin, so long as it preserves two-factor authentication.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  3. SSDD by Wookact · · Score: 3, Insightful

    I am surprised it took this long for the lawyers to get geared up

    1. Re:SSDD by Anonymous Coward · · Score: 0

      Hey, Morgan & Morgan, the ex/next-governor of Florida works for them.

  4. Mandatory arbitration? by schwit1 · · Score: 1

    I would not be surprised if Target's credit card purchasing process mandates that all disputes must be arbitrated.

    SCOTUS has consistently ruled that these mandates are legal and binding.

    1. Re:Mandatory arbitration? by MightyMartian · · Score: 1

      "We're so sorry we allowed your credit card to be used to facilitate theft. Fortunately the arbitrator has come up with an equitable payment; a Jelly of the Month Club membership. It's the gift that keeps on giving."

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Mandatory arbitration? by DougOtto · · Score: 1

      Don't spread that around....

      --
      Solving Unix problems since 1989...
    3. Re:Mandatory arbitration? by NoNonAlphaCharsHere · · Score: 1

      Nah. It's only CONSUMERS who are forced into these binding arbitration contracts, i.e. the card holders. There's zero probability that the card issuing bankers will be forced to put up with what they inflict on the public.

    4. Re:Mandatory arbitration? by Overzeetop · · Score: 3, Insightful

      I would have thought a coupon for a free pizza and a drink would have been enough. It's not like Target blew up a town, they just lost some CC#s. On second thought, maybe just a free drink with your next purchase.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    5. Re:Mandatory arbitration? by Anonymous Coward · · Score: 0

      Then they would get sued by all the sugar addicts who drank their sugary soda and got diabetes

    6. Re:Mandatory arbitration? by devman · · Score: 1

      The article indicates that the plaintiffs are card issuing banks, which probably have no direct agreements with Target at all, thus no opportunity to cover ass with a binding arbitration clause.

    7. Re:Mandatory arbitration? by Sloppy · · Score: 1

      I would not be surprised if Target's credit card purchasing process mandates that all disputes must be arbitrated.

      That sounds like something Target's customers might have agreed(*) to. But the banks? If they didn't sign(*) the agreement, then I don't know how they'd be bound to it.

      (*) I am trying to use technical jargon versions of "agreed" and "sign," not the layman's, and I might not be up-to-date on the jargon definitions. Yet if it looks like I'm saying the exact opposite of what I appear to be saying, then I think that means I used the words correctly(**) so I hope that's the case.

      (**) Oh no, not again. I'd explain what I meant by "correctly" but whenever I try, I get some kind of error message about a stack. What, a stack of credit cards? I don't understand.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    8. Re:Mandatory arbitration? by gstoddart · · Score: 1

      I would not be surprised if Target's credit card purchasing process mandates that all disputes must be arbitrated.

      Is that even something they could do? When I use a CC in a brick and mortar store, I don't think you can claim there's a click-through agreement in place.

      Though, I wouldn't put it past the lawyers to have done something like this.

      However, since it's the banks filing the class action suit, and storing that stuff the way they did violated both state and federal laws .... good luck with the EULA/arbitration method.

      This is just wholesale incompetence, allowing widespread malfeasance.

      --
      Lost at C:>. Found at C.
    9. Re:Mandatory arbitration? by the_skywise · · Score: 1

      Groan...

  5. RIP Target. by Anonymous Coward · · Score: 0

    Only McJobs and WallyJobs to be had.

  6. It's about damn time by Anonymous Coward · · Score: 0

    I had to get two new cards last year while the Bank grilled me on my browsing habits etc. thinking it's always the customer's fault. Finally they are going to the source!

  7. Sad that it might take a lawsuit... by thestudio_bob · · Score: 1

    I wish there were better ways of reporting broken sites. I just tried to inform quicksilver.com that their SSL was messed up, but they told me to reset my cookies. Lol.

    How do you report something like this, if their own "support" is either ignorant or not prepared to deal with these issues. Obviously, someone at Target knew of the problems, but couldn't get upper management to listen.

    --
    The real Sig captains the Northwestern. This one captains /.
    1. Re:Sad that it might take a lawsuit... by gstoddart · · Score: 1

      How do you report something like this, if their own "support" is either ignorant or not prepared to deal with these issues.

      If you're a customer, you call up and cancel and tell them that since they seem to be unqualified to do security, you are no longer willing to use them.

      If you're not a customer, make sure you can't be brought up on charges of "hacking" their stuff which was secured by chimps and move on.

      --
      Lost at C:>. Found at C.
  8. Trustwave monthly scans of my ecommerce site by Anonymous Coward · · Score: 0

    Every month, Trustwave runs an automatic scan of my tiny e-commerce site. Wells-Fargo Bank, which handles my skimpy credit card collection, pays them to check that my Debian & Apache server is up to date and look for obvious php errors. Each month, I receive a report saying that everything is OK, and a comment that my PCI Self-Assessment Questionnaire will soon expire. (the online questionnaire/class essentially says not to store credit card information in a computer) It's pretty simple stuff; I expected a more rigorous analysis.

    As a (very small) online merchant, I really don't want to see anyone's credit card information, nor do I wish to waste time on security issues. Still, I've put in several honeypots and tripwires...

    1. Re:Trustwave monthly scans of my ecommerce site by Kalriath · · Score: 1

      I'm assuming your volume is small, and you don't actually get PAN details right? Because if you did, then you wouldn't be able to get away with SAQ-A and would have to submit to actual audits, which is a whole lot harder. Target, undoubtedly, was the much stricter PCI-DSS probably at level 2 or above. Major auditing. Theoretically.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  9. So are Consumers by Anonymous Coward · · Score: 0

    Find me a consumer who wants to deal with more than swiping a mag stripe to protect themselves. Seems they only give a shit about security when it's convenient.

    The onus isn't all on the banks.

  10. Best quote I read about this by Gothmolly · · Score: 1

    "…—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …Nothing happened."

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Best quote I read about this by Mr.+Flibble · · Score: 1

      "…—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …Nothing happened."

      What is missing from this quote is not that Bangalore sent them a flagged alert, but how many alerts had Bangalore sent in the past, and how high of a priority were they? How much did Bangalore cry wolf in the past?

      I am with teams from Bangalore that sent me reams and reams of "alerts". Most of these high-priority alerts were garbage. I spent 4 hours the other day tracing down a "critical" alert because a router on the other side of the world from me had not sent logs in the last 8 hours. Turns out that this router is on a section of dark fiber, and it is not supposed to log unless it comes online during a system failover.

      Bangalore has repeatedly created critical alerts on this for the past 3 days like clockwork.

      Most of the stuff they send us is noise. What we need to be sent is real actionable data, not a billion "alerts" that are actually systems-normal.

      --
      Try to hack my 31337 firewall!
    2. Re:Best quote I read about this by khasim · · Score: 1

      I've worked for a company that used Trustwave.

      I hate them.

      They did NOTHING except forward
      EVERY
      SINGLE
      ALERT
      FOR
      EVERY
      SINGLE
      SERVICE
      ON
      EVERY
      SINGLE
      SERVER
      that was in scope.

      I understand WHY Trustwave did that. It is so that they cannot be blamed for when YOU miss something. So you are buried in their reports.

      But you do get to check off the box labelled "24/7 monitoring of all systems".

      Which is why "compliance" is NOT the same thing as "security".

      I don't care if it is the same fucking dictionary attack as yesterday. Root and Admin are NOT valid names. They can throw 10,000 attempts and they will still not get in. But Trustwave will send you 10,000 notifications AGAIN. Just like yesterday.

      Per service. Per server.
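
The failure mode described above (the same invalid-account dictionary attack generating thousands of per-service, per-server notifications again every day) is what alert aggregation is for. The following is an added example, not code from the poster, Target or Trustwave; the alert line format, host names, account list and "seen yesterday" baseline are all constructed here.

```python
import re
from collections import Counter

# Constructed sample alerts in a made-up one-line-per-event format, as an MSSP
# that forwards everything might send them (not real Target/Trustwave data).
RAW_ALERTS = """\
2014-03-25T02:10:01 pos-srv-01 sshd failed-login user=root src=203.0.113.7
2014-03-25T02:10:02 pos-srv-01 sshd failed-login user=admin src=203.0.113.7
2014-03-25T02:10:03 pos-srv-01 sshd failed-login user=root src=203.0.113.7
2014-03-25T02:11:00 pos-srv-02 ftpd failed-login user=admin src=203.0.113.7
2014-03-25T03:40:12 pos-srv-02 ftpd failed-login user=admin src=203.0.113.7
2014-03-25T04:05:55 pos-srv-03 sshd failed-login user=svc_backup src=198.51.100.9
2014-03-25T04:06:10 pos-srv-03 sshd failed-login user=svc_backup src=198.51.100.9
"""

ALERT_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) user=(\S+) src=(\S+)$")

# Accounts that actually exist on the hosts (assumed); guesses against any
# other name cannot succeed, so they are noise unless the pattern is new.
VALID_ACCOUNTS = {"svc_backup", "opsadmin"}

# Fingerprints (host, service, user, src) already summarised in yesterday's report.
SEEN_YESTERDAY = {("pos-srv-01", "sshd", "root", "203.0.113.7"),
                  ("pos-srv-01", "sshd", "admin", "203.0.113.7")}


def triage(raw, valid_accounts=VALID_ACCOUNTS, seen=SEEN_YESTERDAY):
    """Collapse per-event alerts into one entry per (host, service, user, src).

    Returns {fingerprint: (count, level)} where level is "high" (a real account
    is being guessed), "info" (invalid name but a pairing not seen before) or
    "noise" (the same invalid-name attack that was already reported yesterday).
    """
    counts = Counter()
    for line in raw.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # malformed forwarded line; count these separately in real use
        _ts, host, service, kind, user, src = m.groups()
        if kind == "failed-login":
            counts[(host, service, user, src)] += 1
    triaged = {}
    for fp, n in counts.items():
        if fp[2] in valid_accounts:
            level = "high"
        elif fp in seen:
            level = "noise"
        else:
            level = "info"
        triaged[fp] = (n, level)
    return triaged


def actionable(triaged):
    """Return only the fingerprints a human should look at, highest level first."""
    order = {"high": 0, "info": 1, "noise": 2}
    return sorted((fp for fp, (_n, lvl) in triaged.items() if lvl != "noise"),
                  key=lambda fp: order[triaged[fp][1]])
```

Seven forwarded alerts collapse to four fingerprints, and only two of those (the guess against a real account and the newly targeted host) reach a person.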

    3. Re:Best quote I read about this by Anonymous Coward · · Score: 0

      It's because TrustWave is a JOKE. Ever wondered why TrustWave is one of the most expensive PCI auditors, but why they seem to be one of the worst, and why so many huge retailers use them??? I'll give you a hint, it's because that price isn't for quality, it's buying compliance when you aren't compliant.

      But one might wonder, just how the heck does TrustWave get away with this?? Doesn't the PCI Council see this happening and intervene? Well that's where it gets interesting boys and girls. TrustWave and The Council have an interesting relationship....they happen to share a very important person, making money on both sides of the deal....look into TrustWave ownership and The Council leadership.

      I happen to work for a retailer in security and handle PCI Compliance, and TrustWave is a well known joke of an auditor in the industry....

  11. credit cards? by Anonymous Coward · · Score: 1

    so, only credit cards were affected? not debit cards or American Express cards? Cool.

  12. Re:The Republicans will never allow this to happen by Anonymous Coward · · Score: 0

    Weak troll.

  13. With who? by Anonymous Coward · · Score: 0

    I would not be surprised if Target's credit card purchasing process mandates that all disputes must be arbitrated.

    SCOTUS has consistently ruled that these mandates are legal and binding.

    With who? The customer?

    The customer (you or I who shop at Target) have a $50 maximum liability. Meaning, we don't owe anything after $50 in cases of lost or stolen cards.

    In this case, it is 100% Target's fault and your bank will back you up on this - those Russian crooks max out your cards, you owe nothing.

  14. Re:The Republicans will never allow this to happen by Anonymous Coward · · Score: 0

    Get back on your meds, troll.

  15. Wonder if TW techs read marketing's whitepaper? by xxxJonBoyxxx · · Score: 1

    Retailers a Top Target for Attackers in 2012, Trustwave Says
    http://www.securityweek.com/re...

  16. This is such a bizarre case... by buttfuckinpimpnugget · · Score: 0

    Target has one of if not the most diligent loss prevention programs in place of any retailer. They even have their own forensics lab and sometimes donate time/expertise to high profile investigations for the police, fbi, etc. You would think that mindset would be throughout.

    1. Re:This is such a bizarre case... by Ziggitz · · Score: 1

      Most organizations see PCI compliance as a huge annoyance. It's generally too technical for an executive to have eyes on so it falls to a technical person to enforce it. Once you get big enough merchants tend to go easier on you because it's a huge cost to be PCI compliant and they really want your business. Then shit like this happens.

      --
      There is no memory shortage. yes I have heard of XFCE. Go away.
  17. Wondering why it took so long... by marcgvky · · Score: 0

    Did anyone question that this was going to happen? My surprise is that it took so long to compile and file the complaint LOL This one should send the lead counsel (firm) skyrocketing i.e. houses in the Hamptons, helicopters, yachts, the whole nine!

  18. Re:The Republicans will never allow this to happen by Anonymous Coward · · Score: 0

    Learn to troll ya wanker! Target is full of gun hating democrats!

  19. usual & customary. by Anonymous Coward · · Score: 0

    all major retailers archive bank card data.

    it's usual & customary.

  20. You don't. by khasim · · Score: 1

    How do you report something like this, if their own "support" is either ignorant or not prepared to deal with these issues? Obviously, someone at Target knew of the problems, but couldn't get upper management to listen.

    You don't.

    And you don't leave ANY trails showing that you knew about it.

    It's too easy for them to drag YOU into court on "hacking" charges.

    They'll be looking for ways to cover their incompetency later. Do not be their victim.

  21. Re:The Republicans will never allow this to happen by JackieBrown · · Score: 1

    We are going to be seeing (and have been seeing), more and more posts like this the closer we get to midterms. They know it's ludicrous, but the more people read something (in this case the same general theme,) the less crazy it sounds and eventually some people will believe it.

    As shown during the last elections, Democrats are very good at social engineering/conditioning. Look at most of the "hot" topics on this site this month and you will see a post like this.

  22. Just goes to show by Anonymous Coward · · Score: 0

    These Credit Cards aren't ready for mainstream adoption. Criminals can just hack into any server and take the money, and the cost is just pushed onto everyone else! The dollars they represent are good for nothing but SPECULATING that you might be able to buy goods with them in the future, and aren't even backed by anything. Your 1950's libertarian fantasy of high-speed digital commerce conflicts with reality - this hack proves is that Credit Cards would be safer with much more regulation.

    I'll stick with tried-and-true barter, thank you.

  23. Amount of involvement from Trustwave by Anonymous Coward · · Score: 0

    I'm not sure if I'm misreading TFA but it seems like Trustwave's involvement was solely that they did an automated vulnerability scan for Target. Can anyone confirm?

    If that is all that Trustwave had done then I imagine the amount of companies offering vulnerability scans (i.e. pointing Nessus or OpenVAS at your site and charging you for the report it produces) is about to drop sharply...

  24. Banks Suing Corporations by Anonymous Coward · · Score: 0

    *grabs popcorn*

    And anyone personally affected by this? Maybe a $10.00 target gift card?

  25. Apparently the banks need to sue the banks by Anonymous Coward · · Score: 0

    ...it violated federal and state laws in storing the credit card data on its network.

    Can you show me a single bank that doesn't store credit card data on its network?

    1. Re:Apparently the banks need to sue the banks by Kalriath · · Score: 1

      Banks are bound by a very different set of rules - they have to stick to PCI-DSS sure, but since they literally have to store credit card data...

      The problem would be that Target failed to comply with PCI-DSS correctly, Trustwave verified that they were in compliance (when they were not), and many states now have laws on the books mandating PCI-DSS compliance.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  26. Tort Reform by Anonymous Coward · · Score: 0

    The one-sided in favor of the corporation tort reform should be reformed so we can get down and funky again with these monsters.

  27. Things that make you go Hmmmmmmmmm by Anonymous Coward · · Score: 0

    The irony, the banking industry is responsible for just about every economic collapse since the great depression. And yet no one bothered to go thru this much trouble in hopes of finally getting the industry to change.

    That doesn't excuse Target, or the idiot security firm that apparently lacks common sense when it comes to security.

    Credit Cards are on the list of 'next bubble' waiting to burst, it will be interesting to see how the banks get off the hook when that happens, while Jane/John public get f***d. The security issues you bring up should've been in place years ago, and what a shock here we are talking about another security issue in this country. No one learns their lessons, as long as the big wigs make out, while everyone who is responsible for making them their easy lifestyle suffers.

  28. Re:The Republicans will never allow this to happen by david_thornley · · Score: 1

    You do realize, don't you, that Target associates itself more with the left wing, and that lots of their customers got upset when they found Target donated money to Republicans?

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  29. Irritated by Anonymous Coward · · Score: 0

    What do you expect? Credit card companies use insecure methods for consumers to use their products, charge the consumers and the merchants for accepting their cards, and then fine everyone when data is stolen.

    It's a win win win win win win winwinwiwinwinwinwnw situation for them.

    PCI puts the burden on the merchant, so a store that sells a $1.25 sandwich needs to put in thousands of dollars in security to protect the Credit Card Company's insecurities, with the reality that they'll be liable for the insecurity. Visa/MC/Discover/Amex need to own up at some point instead of making the consumer ultimately pay the price for a) their own insecure product and b) making the consumer the risk for using their product and c) driving up the cost at a retailer because of the per-location security needed to secure an unsecure method of payment.

    In short, the credit card companies have found a great way of extracting huge sums from merchants who aren't compliant, using the CC's crap technology.

    "Here's a Yugo and a NASCAR race track. If you can't get around the track in 45 seconds, we're going to fine you and the spectators for failing....and you owe us per lap, the car, and we want a piece of the admission from spectators. You have no other option to conduct your business either, other than cash and lol to that (or bit coins and good luck with that)"

  30. Running red lights in the middle of nowhere where by Anonymous Coward · · Score: 0

    Then.. not paying attention one day, because you've done it over and over again, and a car plows into you.. is pretty much EXACTLY what happened to Target.