Slashdot Mirror

← Back to Stories (view on slashdot.org)

Target and Trustwave Sued Over Credit Card Breach

Posted by Unknown on from the kill-the-auditor dept.

jfruh (300774) writes "Security vendors like Trustwave can make big bucks when major companies decide they don't have the internal resources to handle their cybersecurity needs. Unfortunately, when taking on security chores, you also take on security liabilities. In the wake of Target's massive credit card security breach, both Target and Trustwave are now on the receiving end of a class action lawsuit, in part backed by banks that had to issue thousands of new credit cards." The filing, and a bit more from El Reg: "It's against Target, however, that the most serious allegations are levelled. The class action led by Trustmark National Bank and Green Bank, say the retailer should not have allowed an outside contractor the access to its network that brought about the breach, and that it violated federal and state laws in storing the credit card data on its network."

55 of 87 comments (clear)

  1. Sad to see it takes a lawsuit ... by UnknownSoldier · · Score: 4, Insightful

    ... for companies to get their shit together about their lax security policies.

    It is too bad temp credit cards (1-time use, 3-time use) aren't more practical.

    1. Re:Sad to see it takes a lawsuit ... by sconeu · · Score: 4, Informative

      AMEX used to provide this for on-line purchases. Alas, they discontinued about 7 or 8 years ago.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    2. Re:Sad to see it takes a lawsuit ... by UnknownSoldier · · Score: 1

      The context is a little different in that case though. If no one is around, and you can visibly see that, no one gets hurt if you blow through the stop.

      In Target's case, vulnerabilities were found, were reported, were ignored, and then thousands of people's personal financial information are open to be abused.

    3. Re:Sad to see it takes a lawsuit ... by lgw · · Score: 2

      In Target's case, vulnerabilities were found, were reported, were ignored,

      In Target's case the intrusion was found, automatically reported, and ignored, weeks before the actual theft of CC numbers.

      This has all the makings of a "gross negligence" tort, which is the criminal justice system for corporations.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:Sad to see it takes a lawsuit ... by hermitdev · · Score: 1

      Watch drivers at a stop sign in the middle of nowhere. Way too many will roll the stop sign - if they don't just blow right through it.

      Middle of nowhere? I see it in the middle of town all the time. Worse yet, it's pretty frequent to see the cops do it, too (lights/siren off).

    5. Re:Sad to see it takes a lawsuit ... by gstoddart · · Score: 1

      Middle of nowhere? I see it in the middle of town all the time.

      No kidding. I can't count how many times I've been proceeding through a green light on a road and the idiot coming to the red light is half way into the intersection to turn right before he turns to look to see if there's any oncoming traffic.

      I can't even begin to understand how "I'll decide if I should stop 20 feet past the stop line when I'm already in the intersection and then look" becomes the way people drive.

      They half run the light to turn right on red before they have any idea if there isn't already a bus in the lane they're entering.

      --
      Lost at C:>. Found at C.
    6. Re: Sad to see it takes a lawsuit ... by valdezjuan · · Score: 1

      It is sad but hopefully companies (and others) will realize that compliance with things like PCI doesn't really mean all that much, though I think it will take a few more.

    7. Re:Sad to see it takes a lawsuit ... by UnknownSoldier · · Score: 1

      Thanks for the clarification.

  2. Banks are responsible too by hawguy · · Score: 4, Insightful

    Banks hold some of the responsibility too -- why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen? They claim that the merchants don't want to pay to install new credit card readers, yet only the banks have the power to force it on them (through fee penalties for those still use magstripes, or an outright mandate requiring new scanners). Even merchants that *want* to use safer technology can't do anything to make the banks issue the new cards.

    1. Re:Banks are responsible too by brunes69 · · Score: 3

      The banks ARE making moves here.

      All card terminals in the US need to accept chip & PIN by 2015 because the banks will be mandating it. It's coming like a tidal wave and US retailers are turning a blind eye, hopefully the banks and Visa/MC hold steadfast in the requirement.

      It should be embarrassing to the USA that every single other OECD nation on the planet switched to Chip & PIN 5-10 years ago. The USA does not always HAVE to be different. Sometimes going with the flow is the more intelligent choice.

    2. Re:Banks are responsible too by gewalker · · Score: 1

      Unfortunately, the way the credit card companies work, most of the damage is externalized onto the merchants (via reversed charges) and ultimately the consumers -- via higher prices & fees. Of course, this is hardly accidental. Target is certainly guilty of lots of stupidity, but the real players won't change their ways until they really feel the pain -- the whole system is far too easy for the black players to game. Some much business is depending on CC transactions, most businesses have little choice but to play the game.

      This pain could be regulatory, financial losses, etc. But, no pain, no improvement.

    3. Re:Banks are responsible too by EvilSS · · Score: 1

      Banks hold some of the responsibility too...

      Ethically, yes, they do. Legally? Well, they made sure the laws didn't work that way. As for merchants not wanting to ditch magstipes, the national retailers have wanted to ditch them for a while (oddly, around the same time PCI came into existence). It's the banks dragging their feet over it. The cards cost more and there are questions about how Chip and PIN transactions costs will work (as a swipe transaction or a PIN transaction) and what networks they will use.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    4. Re:Banks are responsible too by way2trivial · · Score: 4, Interesting

      Not precisely correct.

      Chip & pin is coming, it's not mandatory on merchants (yet) but if fraud is indicated and the merchant failed to have a chip terminal, and the customer has a chipped card the merchant will lose the chargeback automatically.

      Liability shift, will now be on one of two entities.
      The merchant, for not having the terminal, or the consumer, for not protecting their pin.

      the liability also shifts almost 100% OFF the card issuing bank....
      (the real reason)

      --
      every day http://en.wikipedia.org/wiki/Special:Random
    5. Re:Banks are responsible too by brunes69 · · Score: 2

      .. and all customers will have chipped cards by October.

    6. Re:Banks are responsible too by Misch · · Score: 1

      Target doesn't want to ditch the magstripe. They do incredible amounts of data mining based off of data on the magstripe.

      See: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did.

      Chip-and-Pin doesn't provide magstripe data to Target. Target can't build its demographic data. That's going to hurt sales.

      --

      --You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
    7. Re:Banks are responsible too by hawguy · · Score: 2

      Target doesn't want to ditch the magstripe. They do incredible amounts of data mining based off of data on the magstripe.

      See: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did.

      Chip-and-Pin doesn't provide magstripe data to Target. Target can't build its demographic data. That's going to hurt sales.

      If that's the case, they'll just have to do it the old fashioned way -- with affinity cards "Swipe your TargetPoints card and save $$$!".

      It's not necessarily the case that chip-and-pin removes the ability for merchants to do customer tracking -- just because the card number is encrypted and protected doesn't mean that no unique identifying information is sent in the clear to let a merchant recognize a returning customer.

    8. Re:Banks are responsible too by rsborg · · Score: 2

      Not precisely correct.

      Chip & pin is coming, it's not mandatory on merchants (yet) but if fraud is indicated and the merchant failed to have a chip terminal, and the customer has a chipped card the merchant will lose the chargeback automatically.

      Liability shift, will now be on one of two entities.
      The merchant, for not having the terminal, or the consumer, for not protecting their pin.

      the liability also shifts almost 100% OFF the card issuing bank....
      (the real reason)

      I wonder how this will impact online payments - how will chip/pin be supported there?
      Given most of my CC activity is online, I fathom this is a huge loophole to the new security structure...

      --
      Make sure everyone's vote counts: Verified Voting
    9. Re:Banks are responsible too by Anonymous Coward · · Score: 1

      Chip & pin is not the answer. The answer is a new system that has the pin pad on the card itself and only releases an authorization number that is valid for the merchant in which they are paying for the amount in which the customer has agreed to. Such a system should work regardless of if the merchant is online or off. The responsibility should fall on the purchaser to protect there pin. There is no good reason that stores should have to accept liability for fraudulent purchases when the financial institutions haven't built a system that allows for merchants to protect themselves.

    10. Re:Banks are responsible too by Anonymous Coward · · Score: 2, Interesting

      All this despite the fact that chip+pin is just as vulnerable as swipe+sign, and nobody here wants it except the banks.

      Putting the liability on anyone other than the bank is just bullshit, and I, for one, will refuse to support it for as long as I possibly can. Here's why:

      The merchant and the buyer don't know each other. The bank knows the buyer. The bank knows the merchant. Thus the bank is the only one qualified to authorize the transaction. If either of the other parties says that the agreement was not upheld to their satisfaction, it's the bank's job to arbitrate, judge, and carry out a decision about the transaction. Thus all onus must be on the bank. And if the bank made a bad call by doing business with a crook (either by issuing them a card or by allowing a fraudulent transaction to pass as valid), then the bank must be on the hook for the transaction. Chip+pin is the banks' way of dodging their responsibility. I refuse to let them off with that free pass without as much of a fight as I can muster.

    11. Re:Banks are responsible too by Anonymous Coward · · Score: 2, Insightful

      Speaking as a Canadian with chip&pin credit cards that have been used on-line, chip & pin isn't supported.

      You key your credit card number in 1 field
      You key your 3 digit "security code" (printed on the back of the card) in a different field.

      You don't use your personal pin anywhere on-line to purchase things ... and of course the chip doesn't come into play at all.

    12. Re:Banks are responsible too by whoever57 · · Score: 1

      .. and all customers will have chipped cards by October.

      This simply isn't true. I just looked at a newly issued card and it doesn't have a chip. Furthermore, the one US card in my wallet that does have a chip is a chip and signature card. Not chip and PIN

      --
      The real "Libtards" are the Libertarians!
    13. Re:Banks are responsible too by Fnord666 · · Score: 1

      I wonder how this will impact online payments - how will chip/pin be supported there? Given most of my CC activity is online, I fathom this is a huge loophole to the new security structure...

      The impact will be that the majority of CC fraud will move to online merchants.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    14. Re:Banks are responsible too by Fnord666 · · Score: 1

      The banks ARE making moves here.

      All card terminals in the US need to accept chip & PIN by 2015 because the banks will be mandating it.

      The banks are not mandating anything. The credit card networks dictate the conditions by which a merchant or a bank can participate in their system.

      One issue that hampers the conversion is the replacement of the card accepting terminals. The US has retailers that have more terminals in a single region than most OECD nations. That's a lot of hardware to replace for merchants who have not been held responsible for anything that happens when they don't.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    15. Re:Banks are responsible too by Trogre · · Score: 1

      Erm, banks are issuing cards with 2010's era paywave right now, and it's a major step backwards in security. We've gone from two-factor (swipe and PIN) to single-factor wave. Nothing safe about it.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    16. Re:Banks are responsible too by mjwx · · Score: 1

      Banks hold some of the responsibility too -- why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen? They claim that the merchants don't want to pay to install new credit card readers, yet only the banks have the power to force it on them (through fee penalties for those still use magstripes, or an outright mandate requiring new scanners). Even merchants that *want* to use safer technology can't do anything to make the banks issue the new cards.

      I hate to break it to you, but brand new cards are coming out with NFC technology (Paywave and Paypass) that is even easier to steal your card details from than from the magstripe.

      Magstripes aren't a huge security flaw because they require physical access to the card (and yes, the card holder should be responsible for the cards physical security), but NFC allows card details to be stolen wirelessly so even if the user is taking all due care to physically protect the card, the details can still be stolen without the users knowledge.

      And yes, Paywave/Pass gives out your card number, name and expiry date (everything on the front of the card) to any NFC transmitter asking for it. Even an Android phone with an NFC chip.

      Magstripes on the other hand are still on cards because they are practically guaranteed to work and are considerably less vulnerable to damage.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    17. Re:Banks are responsible too by DarwinSurvivor · · Score: 1

      All this despite the fact that chip+pin is just as vulnerable as swipe+sign, and nobody here wants it except the banks.

      Got a citation for that? I'm not claiming chip+pin is perfect, but it's a HELL of a lot better than a magnetic stripe you can read with a damned tape recorder head.

    18. Re:Banks are responsible too by DarwinSurvivor · · Score: 1

      What needs to happen is end to end encryption, the card reading device needs to be a self contained device that encrypts the transaction right away and pass that information on to the credit card processing people, instead of the card data being placed on a computer in between the reader and the processing center

      Actually no. The new chip+pin cards are actually smartcards that do their own processing on the card itself. I recommend doing some research before spouting false information about the chips being glorified memory cards.

    19. Re:Banks are responsible too by Trogre · · Score: 1

      why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen?

      Do you have shares in a card-chipping business?

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    20. Re:Banks are responsible too by Trogre · · Score: 1

      You're joking, right? As another poster has said, anyone with an NFC chip can read those cards.

      The PayWave system is also being pushed as a single factor payment system. Did you get that? Single. Factor. Wave your card at a cash register and you've paid for your meal. Or your colleagues.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    21. Re:Banks are responsible too by Kalriath · · Score: 1

      The readers cost $1000 in NZ. Probably $500 in the US. If your small business can't afford that, it probably cant afford the stock to sell either, making the whole point moot.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    22. Re:Banks are responsible too by DarwinSurvivor · · Score: 1

      Chip+pin is NOT tap-to-pay. Chip+pin is the system where you have to physically insert your card into the machine (where metal contacts talk to the chip) and then enter a pin that is verified by the chip.

      Tap-to-pay is a whole other system whichI personally do not like and am disapointed that it is impossible to get a card without it in Canada (I've checked with multiple places).

    23. Re:Banks are responsible too by Trogre · · Score: 1

      Okay, fair call. My bad - I was targeting the ludicrous tap-to-pay system.

      I'm fine with chip+pin, so long as it preserves two-factor authentication.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  3. SSDD by Wookact · · Score: 3, Insightful

    I am surprised it took this long for the lawyers to get geared up

  4. Mandatory arbitration? by schwit1 · · Score: 1

    I would not be surprised if Target's credit card purchasing process mandates that all disputes must be arbitrated.

    SCOTUS has consistently ruled that these mandates are legal and binding.

    1. Re:Mandatory arbitration? by MightyMartian · · Score: 1

      "We're so sorry we allowed your credit card to be used to facilitate theft. Fortunately the arbitrator has come up with an equitable payment; a Jelly of the Month Club membership. It's the gift that keeps on giving."

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Mandatory arbitration? by DougOtto · · Score: 1

      Don't spread that around....

      --
      Solving Unix problems since 1989...
    3. Re:Mandatory arbitration? by NoNonAlphaCharsHere · · Score: 1

      Nah. It's only CONSUMERS who are forced into these binding arbitration contracts, i.e. the card holders. There's zero probability that the card issuing bankers will be forced to put up with what they inflict on the public.

    4. Re:Mandatory arbitration? by Overzeetop · · Score: 3, Insightful

      I would have thought a coupon for a free pizza a drink would have been enough. It's not like Target blew up a town, they just lost some CC#s. On second thought, maybe just a free drink with your next purchase.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    5. Re:Mandatory arbitration? by devman · · Score: 1

      The article indicates that the plaintiffs are card issuing banks, which probably have no direct agreements with Target at all, thus no opportunity to cover ass with a binding arbitration clause.

    6. Re:Mandatory arbitration? by Sloppy · · Score: 1

      I would not be surprised if Target's credit card purchasing process mandates that all disputes must be arbitrated.

      That sounds like something Target's customers might have agreed(*) to. But the banks? If they didn't sign(*) the agreement, then I don't know how they'd be bound to it.

      (*) I am trying to use technical jargon versions of "agreed" and "sign," not the layman's, and I might not be up-to-date on the jargon definitions. Yet if it looks like I'm saying the exact opposite of what I appear to be saying, then I think that means I used the words correctly(**) so I hope that's the case.

      (**) Oh no, not again. I'd explain what I meant by "correctly" but whenever I try, I get some kind of error message about a stack. What, a stack of credit cards? I don't understand.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    7. Re:Mandatory arbitration? by gstoddart · · Score: 1

      I would not be surprised if Target's credit card purchasing process mandates that all disputes must be arbitrated.

      Is that even something they could do? When I use a CC in a brick and mortar store, I don't think you can claim there's a click-through agreement in place.

      Though, I wouldn't put it past the lawyers to have done something like this.

      However, since it's the banks filing the class action suit, and storing that stuff the way they did violated both state and federal laws .... good luck with the EULA/arbitration method.

      This is just wholesale incompetence, allowing widespread malfeasance.

      --
      Lost at C:>. Found at C.
    8. Re:Mandatory arbitration? by the_skywise · · Score: 1

      Groan...

  5. Sad that it might take a lawsuit... by thestudio_bob · · Score: 1

    I wish there were better ways of reporting broken sites. I just tried to inform quicksilver.com that there SSL was messed up, but the told me to reset my cookies. Lol.

    How do you report something like this, if their own "support" is either ignorant or not prepared to deal with these issues. Obviously, someone at Target new of the problems, but couldn't get upper management to listen.

    --
    The real Sig captains the Northwestern. This one captains /.
    1. Re:Sad that it might take a lawsuit... by gstoddart · · Score: 1

      How do you report something like this, if their own "support" is either ignorant or not prepared to deal with these issues.

      If you're a customer, you call up and cancel and tell them that since they seem to be unqualified to do security, you are no longer willing to use them.

      If you're not a customer, make sure you can't be brought up on charges of "hacking" their stuff which was secured by chimps and move on.

      --
      Lost at C:>. Found at C.
  6. Best quote I read about this by Gothmolly · · Score: 1

    âoeâ¦â"FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then â¦Nothing happened.âoe

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Best quote I read about this by Mr.+Flibble · · Score: 1

      âoeâ¦â"FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then â¦Nothing happened.âoe

      What is missing from quote this is not that Bangalore sent them a flagged alert, but how many alerts had Bangalore sent in the past, and how high of a priority were they? How much did Bangalore cry wolf in the past?

      I am with teams from Bangalore that sent me reams and reams of "alerts". Most of these high-priority alerts were garbage. I spent 4 hours the other day tracing down a "critical" alert because a router on the other side of the world from me had not sent logs in the last 8 hours. Turns out that this router is on a section of dark fiber, and it is not supposed to log unless it comes online during a system failover.

      Bangalore has repeatedly created critical alerts on this for the past 3 days like clockwork.

      Most of the stuff they send us is noise. What we need to be sent is real actionable data, not a billion "alerts" that are actually systems-normal.

      --
      Try to hack my 31337 firewall!
    2. Re:Best quote I read about this by khasim · · Score: 1

      I've worked for a company that used Trustwave.

      I hate them.

      They did NOTHING except forward
      EVERY
      SINGLE
      ALERT
      FOR
      EVERY
      SINGLE
      SERVICE
      ON
      EVERY
      SINGLE
      SERVER
      that was in scope.

      I understand WHY Trustwave did that. It is so that they cannot be blamed for when YOU miss something. So you are buried in their reports.

      But you do get to check off the box labelled "24/7 monitoring of all systems".

      Which is why "compliance" is NOT the same thing as "security".

      I don't care if it is the same fucking dictionary attack as yesterday. Root and Admin are NOT valid names. They can throw 10,000 attempts and they will still not get in. But Trustwave will send you 10,000 notifications AGAIN. Just like yesterday.

      Per service. Per server.

  7. credit cards? by Anonymous Coward · · Score: 1

    so, only credit cards were affected? not debit cards or American Express cards? Cool.

  8. Wonder if TW techs read marketing's whitepaper? by xxxJonBoyxxx · · Score: 1

    Retailers a Top Target for Attackers in 2012, Trustwave Says
    http://www.securityweek.com/re...

  9. Re:This is such a bizarre case... by Ziggitz · · Score: 1

    Most organizations see PCI compliance as a huge annoyance. It's generally too technical for an executive to have eyes on so it falls to a technical person to enforce it. Once you get big enough merchants tend to go easier on you because it's a huge cost to be PCI compliant and they really want your business. Then shit like this happens.

    --
    There is no memory shortage. yes I have heard of XFCE. Go away.
  10. You don't. by khasim · · Score: 1

    How do you report something like this, if their own "support" is either ignorant or not prepared to deal with these issues. Obviously, someone at Target new of the problems, but couldn't get upper management to listen.

    You don't.

    And you don't leave ANY trails showing that you knew about it.

    It's too easy for them to drag YOU into court on "hacking" charges.

    They'll be looking for ways to cover their incompetency later. Do not be their victim.

  11. Re:The Republicans will never allow this to happen by JackieBrown · · Score: 1

    We are going to be seeing (and have been seeing), more and more posts like this the closer we get to midterms. They know it's ludicrous, but the more people read something (in this case the same general theme,) the less crazy it sounds and eventually some people will believe it.

    As shown during the last elections, Democrats are very good at social engineering/conditioning. Look at most of the "hot" topics on this site this month and you will see a post like this.

  12. Re:The Republicans will never allow this to happen by david_thornley · · Score: 1

    You do realize, don't you, that Target associates itself more with the left wing, and that lots of their customers got upset when they found Target donated money to Republicans?

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  13. Re:Trustwave monthly scans of my ecommerce site by Kalriath · · Score: 1

    I'm assuming your volume is small, and you don't actually get PAN details right? Because if you did, then you wouldn't be able to get away with SAQ-A and would have to submit to actual audits, which is a whole lot harder. Target, undoubtedly, was the much stricter PCI-DSS probably at level 2 or above. Major auditing. Theoretically.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  14. Re:Apparently the banks need to sue the banks by Kalriath · · Score: 1

    Banks are bound by a very different set of rules - they have to stick to PCI-DSS sure, but since they literally have to store credit card data...

    The problem would be that Target failed to comply with PCI-DSS correctly, Trustwave verified that they were in compliance (when they were not), and many states now have laws on the books mandating PCI-DSS compliance.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".