Slashdot Mirror


User: snowraver1

snowraver1's activity in the archive.

Stories
0
Comments
907

Comments · 907

  1. Re:Why bother with the article on Winners and Losers In the World of Interfaces: 2013 In Review · · Score: 2

    Slashdot - What's up with the no-download-necessary hentai porn sidebar ad?

  2. Re:Can encryption experts chime in? on Encrypted PIN Data Taken In Target Breach · · Score: 2

    Because it's not part of ISO8583?

  3. Re:Why are they storing this data anyway? on Encrypted PIN Data Taken In Target Breach · · Score: 1

    Bah, I'm sorry...

    [*ThereShouldBeAnAsteriskHere*]To my knowledge. I'd be happy/interested if someone could prove me wrong here.

  4. Re:Why are they storing this data anyway? on Encrypted PIN Data Taken In Target Breach · · Score: 4, Insightful

    I have been doing card processing for a living for 7 years now. The PIN, of course, has to go over the wire along with the track2 data. How exactly that happens can differ greatly though. Larger merchants are more likely to use some sort of middleware processing software, and that introduces weaknesses. In many cases communication between the POS and middleware is plaintext. Scooping this data up would be trivial, but PCI mandates that unencrypted data has to be segregated off the network from non-PCI stuff. This makes things a bit trickier for an attacker.

    As for Target, here's my take: This is the only information in the press release:

    The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.

    To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.

    If they were using "true" end-to-end encryption, there are no known attacks other than card skimmer magic*. If that was the case, there wouldn't be much of an investigation, as the facts (and scope) would be pretty clear.

    That leaves a network packet monitor attack, a database related breach/attack, log file snarfing (depending on the vendor, log files can contain a LOT of data.), or something I'm not thinking of.

    I find it odd that they say that PINs have been pilfered, but not the card numbers. That, to me, suggests a DB related attack, and the attackers only got the PIN table/columns. A list of PIN numbers though, of course, is completely useless (8374 - Here's a free one) on its own. Decrypting them should be trivial, given the limited number of possible PIN numbers, even if the table was salted. But again, what would be the point. I'm guessing that the next release will say that card numbers were compromised as well.

    As for the 3DES part, it just doesn't make any sense. As other people have already said, 3DES is symmetrical, so saying they don't have the key is impossible. My guess is that they are actually using SSL (which could then in turn negotiate a 3DES key). If that is the case, then each session key would be unique, and Target would never have "access" to it as it would only exist in RAM.

    To my knowledge. I'd be happy/interested if someone could prove me wrong here.

  5. Re:What about the Little Ice Age? on Sun Not a Significant Driver of Climate Change · · Score: 1

    Did you remember to correct for air resistance?

  6. Re:Aaaaand... queue the Microsoft slamming... on AMD To Launch a Windows 8.1 Gaming Tablet · · Score: 1

    FYI - While DEF does contain urea, it is the artificial kind, not the frosty piss kind. Also, cold temperatures ruin DEF.

  7. Re:I do this on Nearly 1 In 4 Adults Surf the Web While Driving · · Score: 2, Informative

    set it to a collision that's double the actual speed they were driving while caught texting. (In other words, head-on collision with another vehicle doing the same speed

    Actually, that is false. A head-on collision with a vehicle of the same mass would be no different than the indestructible brick wall. Yes, when you add a second vehicle to the mix, you are doubling the amount of moving mass, but the absolute speed remains constant. In the end, the delta V is the same in both scenarios: X to 0. Now that we know that the delta V is the same, we just have to account for the deceleration rate, which is basically the same as the duration of the impact (crumple zones and all that). Since we have identical cars, they will deform at the same rate, acting as each other's brick wall. Once they collide, they would be exerting identical force on each other, so the front bumpers would remain in the same location, just like the brick wall. Since the front of your car can no longer move forward, the collision happens, and the body of your car absorbs the energy required to decelerate to 0. The energy released when two cars collide is doubled, but it is also spread over twice the area (i.e., now you have 2 wrecked cars).

  8. Re:Friction versus increasing pressure on Chelyabinsk-Sized Asteroid Impacts May Be More Common Than We Thought · · Score: 1

    I'm intrigued... so does friction play no part at all then? It must have some impact.

  9. Re:Oil Sands on Autonomous Dump Trucks Are Coming To Canada's Oil Sands · · Score: 3, Funny

    Careful now... last time you declared war on Canada, your White House was burned to the ground.

  10. Re:If you don't like it on Bell Canada To Collect User Data For Advertising · · Score: 1

    I had TekSavvy for a couple weeks, but ended up having to cancel because Telus has old rickety phone lines in my area and so I could only get a high latency interleaved DSL connection. The TekSavvy help desk is/was staffed by high quality personnel. It's really too bad that Telus has such shit lines...

  11. Re:Speed vs. Strategy on Ask Author David Craddock About the Development of Diablo, Warcraft · · Score: 1

    I really like that question!

    My question would be: WC3 introduced heroes and creep camps that encouraged roaming around outside the base. SC2 remained pure units (no heroes). Do you think that Blizzard may resurrect the hero/creep style in the future?

  12. Re:You can charge with fire today on Charge Your Mobile Device With Fire · · Score: 1

    Next time, you should just buy a UPS or power inverter for your car...

  13. Re:Lunar clocks? on Scientists Describe Internal Clocks That Don't Follow Day and Night Cycles · · Score: 1

    Werewolves

  14. Re:old, really old, news on USAF Almost Nuked North Carolina In 1961 – Declassified Document · · Score: 5, Insightful

    The point is that of 4 safeguards in place, 3 failed to properly work. That's not concerning?

  15. First sentence should read : on Canadian Scientists Protest Political Sandbagging of Evidence-Based Policy · · Score: 1

    Stephen Harper and the Harper government...

    He demanded it, and it should be used in all articles, not just positive ones.

  16. Re:Let us endeavour to create better encryption on NSA Foils Much Internet Encryption · · Score: 4, Funny

    You actually have to do it three times to be secure - like 3DES

  17. Re:Stack Overflow on Writing Documentation: Teach, Don't Tell · · Score: 3, Insightful

    Sometimes when you are out of ideas, even a wrong idea can be a help.

  18. Re:Source code on Writing Documentation: Teach, Don't Tell · · Score: 0

    Hate to reply to myself, but I forgot /?

  19. Re:Source code on Writing Documentation: Teach, Don't Tell · · Score: 3, Informative

    -h? Next time, use all three of these: -?, -help, --help. I'm probably not going to try throwing -h at a program without having a clue what it might do.

  20. Re:Documentation vs Tutorial on Writing Documentation: Teach, Don't Tell · · Score: 2

    One problem I encounter all the time is what level of competence should be assumed? If I write "try ping host xyz" should I assume they can successfully ping test something and interpret the results? For ping, yes maybe I should assume that, but what about grep? Grep isn't officially supported by the organization so...

    I feel like I'm wasting my time writing instructions for simple tasks, but I also feel that I have to write as though a monkey is the intended audience. I hate to say it, but it's the godawful truth, that there are too many people in IT that can only read-and-do.

  21. Regular Expressions. on Ask Slashdot: Hands-On Activity For IT Career Fair · · Score: 1

    Get some computers with Notepad++ installed on them and a file that has some various lines of text. Teach them about pattern matching and regular expressions. It doesn't really require any previous knowledge, and it makes you kind of think like a programmer. It's very useful even if you only have a basic knowledge of it, especially when tearing through log files with grep. Some of the students might not find it interesting at all, but I think you'll find that regardless of what you do.

  22. Re:Good Idea, or Not? on Crowd-Funded Radio Beacon Will Message Aliens · · Score: 1

    We are calling out every day with both omnidirectional broadcasts and high intensity beams that are aimed at satellites.

  23. Re:why transmit drivel? on Crowd-Funded Radio Beacon Will Message Aliens · · Score: 2

    How would an alien decode the .jpeg, .bmp, or whatever else we send them? I think we should send a message like in Contact. Groups of pulses arranged in prime number sequences. It's distinct, it's easy to decode, and it would be near impossible to be natural.

  24. Re:Thanks Slashdot. on FAA Wants All Aircraft Flying On Unleaded Fuel By 2018 · · Score: 1

    100 octane. If I ever had a rally car (modified AWD turbo) avgas would be perfect!

  25. Re:They're certainly free to do this... on Canadian Newspaper Charging $150 License Fee To Publish Excerpts · · Score: 5, Interesting

    Hmm... That is rather interesting. Can you illegally circumvent a digital lock through inaction? By not running this script, or if we remember back to the Sony fiasco, by not running the autoplay rootkit, is that criminal?

    Are you supposed to wrap yourself in the chains that bind you?