
(RealClear) Target: "Thieves got names, numbers, expiration dates, even three-digit security codes; but it happened in stores, where security codes aren't even used; and it involved swipe machine tampering, but somehow netted 40 million cards" (realclear.com)
More: Followup, data breach, Target, digital security, security codes, Brian Krebs, swipes, debit, witness tampering

8914 clicks; posted to Main on 19 Dec 2013 at 11:06 AM (31 weeks ago)



171 Comments
 
2013-12-19 11:05:59 AM
Tuck Farget!

I refuse to shop in that shiathole!
 
2013-12-19 11:08:18 AM
As someone that works in IT, I am VERY glad I do not work for Target. Can't imagine the pucker factor right now. If you pass PCI and something like this happens, can you sue the auditors?
 
2013-12-19 11:09:23 AM
I just checked my visa statement, and realized I went to Target the week before Thanksgiving, and then on the 16th of December, so I guess I dodged that bullet.
 
2013-12-19 11:10:50 AM

devildog123: I just checked my visa statement, and realized I went to Target the week before Thanksgiving, and then on the 16th of December, so I guess I dodged that bullet.


Nah, they retain your data. Pretty much everybody does, not that they are supposed to, but they retain your data.
 
2013-12-19 11:11:09 AM
Some idiot clicks a link they shouldn't have and gave them access. That idiot should burn.
 
2013-12-19 11:11:23 AM
I shop at Target all the time cause I ain't giving my cash to Wallymart and them Chinee.

I already called them Ccredit folks and put a fraud alert thingie on my identity so I can charge up a storm and not pay, right?!?!?!
 
2013-12-19 11:11:40 AM
Sounds like an inside job.
 
2013-12-19 11:13:31 AM
They solved it in Europe, but through some kind of Monty Python-esque logic they claim it's too expensive to do in the U.S.
www.thestar.com
 
2013-12-19 11:13:49 AM
I suspect that they had to tamper with two machines to get that many cards.
 
2013-12-19 11:13:54 AM
The good news? The credit union farked up and notified us that the WRONG account had been in a negative balance too long. I called to make sure they knew we had a deposit going in, they told me that they were only calling about Account #1, and it looked fine. Instead, they closed Account #2 (even though that was the one I was calling about), and as a result, paid off our credit card, and then canceled all of the cards for both accounts. Sure, we have to go get new cards for 2 different bank accounts now, but there is no way that we have to worry about this, as any cards from that date range are now useless...
 
2013-12-19 11:13:57 AM
"There is so much of this kind of stolen data out there that the prices are really low," he said. "The market is completely saturated."

There's your silver lining.  You have lottery-odds of your CC# being used fraudulently.
 
2013-12-19 11:14:24 AM

wildbill0712: As someone that works in IT, I am VERY glad I do not work for Target. Can't imagine the pucker factor right now. If you pass PCI and something like this happens, can you sue the auditors?


Auditors are there to help you find problems. They don't assume responsibility for your screwups.
 
2013-12-19 11:14:59 AM

HotWingConspiracy: Sounds like an inside job.


Why do you say that?
 
2013-12-19 11:15:54 AM

tricycleracer: "There is so much of this kind of stolen data out there that the prices are really low," he said. "The market is completely saturated."

There's your silver lining.  You have lottery-odds of your CC# being used fraudulently.


Because everybody's credit card information is out there anyway. Gee, that makes me feel so much better.

Anyway, my debit card was probably caught in this. Might be worth having the bank send me a new one.
 
2013-12-19 11:16:53 AM

epyonyx: Some idiot clicks a link they shouldn't have and gave them access. That idiot should burn.


Know how I know you didn't read the TFA?

"The chain said that accounts of customers who made purchases by swiping their cards at terminals in its U.S. stores between Nov. 27 and Dec. 15 may have been exposed."
 
2013-12-19 11:17:40 AM

HotWingConspiracy: Sounds like an inside job.


I don't think it could be anything else.  Anyone who knows anything about this stuff chime in?

I used my credit card a few times there during that time period but haven't seen anything on my statement.  I check usually at least twice a week.  Will be checking more often for a little while.  Not gonna do anything unless I see a fraudulent charge as I have $0 liability on my CC.  I had a PSN account when all that went down and never had any issues so I'm crossing my fingers that that happens this time.  Only time I ever use a debit card is for my cat's prescription at Costco because fark Amex.
 
2013-12-19 11:17:48 AM

wildbill0712: As someone that works in IT, I am VERY glad I do not work for Target. Can't imagine the pucker factor right now. If you pass PCI and something like this happens, can you sue the auditors?


That is an interesting question for the future, because you know someone will try to at some point.
//Can't wait for auditor insurance.
 
2013-12-19 11:18:41 AM

The Irresponsible Captain: They solved it in Europe, but through some kind of Monty Python-esque logic they claim it's too expensive to do in the U.S.
[www.thestar.com image 545x365]


I hear from people who are from the UK all the time that they are completely puzzled about why people are allowed to use CC's and really, the only verification that the card has is some worn out signature on the back, or an easily falsified ID.

I would say I'm shocked, but the US isn't really the brightest as a country when it comes to the implementation of technology for public use.
 
2013-12-19 11:19:22 AM

wildbill0712: As someone that works in IT, I am VERY glad I do not work for Target. Can't imagine the pucker factor right now. If you pass PCI and something like this happens, can you sue the auditors?


As someone in the industry, even the best setup can be hacked. The auditors aren't immune, but if they did their diligence they should be fine. What's scarier is how many ecommerce sites are not PCI compliant. My anecdotal evidence suggests well over 50%. Not the huge sites, but a lot of them.

/I don't care though, Visa/the merchant are responsible for all fraudulent charges
 
2013-12-19 11:19:42 AM
Violation of the merchant agreement. The CVV2 codes are not supposed to be stored longer than it takes to verify the validity of the card. Target's got some 'splain' to do.
 
2013-12-19 11:20:00 AM
The bad guys probably didn't get the "three digit security codes" that are most likely associated with the phrase "three digit security codes", since those codes are not encoded on the magnetic strip.
 
2013-12-19 11:20:26 AM
CC companies know who you are, where you go, what you buy and when you buy it. As a result auto detect for fraudulent has gotten quite accurate. Watch your statement but likely the card company will catch it before you do if it's used.
Curious how it was pulled off.  My guess is something physical/software in the stores POS, not an enterprise server hack.
 
2013-12-19 11:20:33 AM

Slaves2Darkness: devildog123: I just checked my visa statement, and realized I went to Target the week before Thanksgiving, and then on the 16th of December, so I guess I dodged that bullet.

Nah, they retain your data. Pretty much everybody does, not that they are supposed to, but they retain your data.


Well, with the Target cards, they pretty much have to retain your data, there isn't anybody else to do so.

I have one: we dig the 5% off and pharmacy rewards. It's a credit card though, so as long as we watch the statements we'll be OK. I feel for the folks using the Target debit cards; the stores have been pushing those pretty hard, and if someone gets that info they can take your money and you have to try to get it back, rather than just disputing the charges.
 
2013-12-19 11:21:05 AM
They talked about this hack at DEFCON over a year ago. Good to see nothing was done.

/please don't use debit cards. At least with credit cards it's not your money that's being stolen
 
2013-12-19 11:21:28 AM

cptjeff: tricycleracer: "There is so much of this kind of stolen data out there that the prices are really low," he said. "The market is completely saturated."

There's your silver lining.  You have lottery-odds of your CC# being used fraudulently.

Because everybody's credit card information is out there anyway. Gee, that makes me feel so much better.

Anyway, my debit card was probably caught in this. Might be worth having the bank send me a new one.


I would. I treat my debit card like a password and change it periodically just because. I'm sure for every reported case like this, three go unreported/undiscovered.
 
2013-12-19 11:21:29 AM
I can't feel bad for people who shop at target.  You sow detached giant stores, you reap the complete and utter disdain.
 
2013-12-19 11:22:35 AM

wildbill0712: As someone that works in IT, I am VERY glad I do not work for Target. Can't imagine the pucker factor right now. If you pass PCI and something like this happens, can you sue the auditors?


They can certainly try. The QSA will argue the org was compliant as of the ROC date. The burden of proof is now on the merchant. They'll have to demonstrate they were still PCI-compliant at the time of the breach; otherwise, they're subject to non-compliance penalties.

Just like an audit of a company's financial statements -- the auditors only opine on the accuracy and compliance with GAAP as of a certain date (balance sheet) or period of time (income statement).
 
2013-12-19 11:22:58 AM

wildbill0712: As someone that works in IT, I am VERY glad I do not work for Target. Can't imagine the pucker factor right now. If you pass PCI and something like this happens, can you sue the auditors?


The question I have is what "department" does this fall under at Target.  I used to work for an oil and gas company and all the company credit card processing for the gas stations was essentially its own division.  I would imagine a company the size of Target has essentially the same thing.  Those folks all the way up to the officer level can't be feeling real secure right now.
 
2013-12-19 11:23:16 AM

rnatalie: Violation of the merchant agreement. The CVV2 codes are not supposed to be stored longer than it takes to verify the validity of the card. Target's got some 'splain' to do.


I'm starting to think that their data stream was intercepted and not stored data. Because if it was stored data Target needs to get the death penalty from card services.

I.e., immediate revocation of acceptance of Visa, MasterCard, AMEX and Discover at their stores.
 
2013-12-19 11:23:42 AM

ChipNASA: I shop at Target all the time cause I ain't giving my cash to Wallymart and them Chinee.


So, you give your money to a company that funds the campaigns of anti-gay  and extreme right-wing political candidates -- much better.
 
2013-12-19 11:24:43 AM

Earl of Chives: I treat my debit card like a password and change it periodically just because. I'm sure for every reported case like this, three go unreported/undiscovered.


Excellent idea!
 
2013-12-19 11:25:26 AM

The Irresponsible Captain: They solved it in Europe, but through some kind of Monty Python-esque logic they claim it's too expensive to do in the U.S.
[www.thestar.com image 545x365]


It's the "Next quarter is all that matters!" mindset. If it reduces next quarter's profits by 0.00003% then it won't happen regardless of the longterm benefits.
 
2013-12-19 11:26:07 AM

TheSelphie: HotWingConspiracy: Sounds like an inside job.

I don't think it could be anything else.  Anyone who knows anything about this stuff chime in?

I used my credit card a few times there during that time period but haven't seen anything on my statement.  I check usually at least twice a week.  Will be checking more often for a little while.  Not gonna do anything unless I see a fraudulent charge as I have $0 liability on my CC.  I had a PSN account when all that went down and never had any issues so I'm crossing my fingers that that happens this time.  Only time I ever use a debit card is for my cat's prescription at Costco because fark Amex.


I agree - according to TFA, it was the card readers themselves that were compromised to steal all the data from the magnetic swipe (which would be the only way to get the three digit security code, since you don't have to actually use it when purchasing at Target).  The most likely explanation for that compromise is that it was an inside job.

Card swipes have been compromised before, such as on gas pumps and ATMs, but AFAIK that involved placing an actual reader on the device that records your data - that would not be possible to do on the thousands of swipers in all the Target stores, which is what it would take to steal millions of swipes.  Also, PCI compliance I believe prevents the saving of card data collected in this manner, so it would have to be gathered and saved somewhere for the purpose of stealing the data.

Another common method of stealing swipes is when you hand your card to somebody, such as a waiter, who swipes it on his own reader before running your card for the actual charge.  This typically doesn't happen at Target, since they have swipers for the customer to use directly.

In (my amateur) conclusion - this wasn't a farkup, this was a planned heist.
 
2013-12-19 11:26:21 AM
This event is a good argument for implementing Chip & PIN technology widely used in Europe. Eliminates the risk of cloning cards using captured track data.
 
2013-12-19 11:26:35 AM

Banacek: They talked about this hack at DEFCON over a year ago. Good to see nothing was done.

/please don't use debit cards. At least with credit cards it's not your money that's being stolen


Meanwhile, in a civilized country...
 
2013-12-19 11:26:36 AM
Well fark.
 
2013-12-19 11:27:25 AM

wildbill0712: As someone that works in IT, I am VERY glad I do not work for Target. Can't imagine the pucker factor right now. If you pass PCI and something like this happens, can you sue the auditors?


Since it was all in-store purchases, I'd be looking at the vendor who provides their POS card payment application. It's still going to suck for Target, but if it's the payment application vendor's problem they may be able to shift some of the liability and cost to them. On the other hand, if I'm the VP in Target's IT department who decided to wait until after the new year to apply the latest vendor patch for that POS system, I'd be calling up my cousin at MnDOT to see if they have any seasonal openings for snow plow operators.

/Point of sale, not the other POS.
//OK, given the circumstances, maybe that one too.
 
2013-12-19 11:27:45 AM

tricycleracer: "There is so much of this kind of stolen data out there that the prices are really low," he said. "The market is completely saturated."

There's your silver lining.  You have lottery-odds of your CC# being used fraudulently.


Where did you see this quote?  I didn't find it in the linked article.
 
2013-12-19 11:28:05 AM

acohn: ChipNASA: I shop at Target all the time cause I ain't giving my cash to Wallymart and them Chinee.

So, you give your money to a company that funds the campaigns of anti-gay  and extreme right-wing political candidates -- much better.


Dang Right......they're the debbil and so is FARTBONGO too and YEEEEE HAWWWWW USA USA and JEBUS and GUNS and GEORGE DUBEEOO BUSH!!! 9/11!!!! Farking Chick-Fil-A!!!!!
 
2013-12-19 11:28:06 AM

acohn: epyonyx: Some idiot clicks a link they shouldn't have and gave them access. That idiot should burn.

Know how I know you didn't read the TFA?

"The chain said that accounts of customers who made purchases by swiping their cards at terminals in its U.S. stores between Nov. 27 and Dec. 15 may have been exposed."


So the thieves individually went to all the stores, tampered with the card readers, and no one noticed?

It's easier for someone to go to a site, have the malware installed, and spread within the network.
 
2013-12-19 11:29:02 AM

The Irresponsible Captain: They solved it in Europe, but through some kind of Monty Python-esque logic they claim it's too expensive to do in the U.S.


Well the problem is that most small merchants don't have the Chip and PIN equipment. And the small merchant processors make the business pay for the equipment.

With that being said Chip and PIN has already been hacked, although it would have been an amazing stunt to hack the number of machines needed to get 40 million swipes. (The hack has to be installed on the swipe machine)

If we had Chip and PIN the numbers would have still been stolen, but not the PINs (I think. I thought the machines were supposed to encrypt the credit card numbers immediately after swiping so if they did, the debit card PINs are gone too)
 
2013-12-19 11:29:07 AM
Funny that the financial industry simply appears not to even farking care about trying to solve issues like this. I think the whole country works because of corruption and denial.
 
2013-12-19 11:29:14 AM
Redcard account management site is farked worse than the Obamacare site right now.
 
2013-12-19 11:29:29 AM
This is why I ONLY shop at Wal-Mart.  In all the years I have purchased steak and lobsters there, my EBT card has never once been compromised.
 
2013-12-19 11:30:51 AM

acohn: tricycleracer: "There is so much of this kind of stolen data out there that the prices are really low," he said. "The market is completely saturated."

There's your silver lining.  You have lottery-odds of your CC# being used fraudulently.

Where did you see this quote?  I didn't find it in the linked article.


I feel like I'm taking crazy pills because I can't find it either.
 
2013-12-19 11:30:54 AM
For once I would like to know who gets caught after the end of these investigations. Be also nice to know how they did it. Not exactly how but in general.
 
2013-12-19 11:31:52 AM

Gaseous Anomaly: Slaves2Darkness: devildog123: I just checked my visa statement, and realized I went to Target the week before Thanksgiving, and then on the 16th of December, so I guess I dodged that bullet.

Nah, they retain your data. Pretty much everybody does, not that they are supposed to, but they retain your data.

Well, with the Target cards, they pretty much have to retain your data, there isn't anybody else to do so.

I have one: we dig the 5% off and pharmacy rewards. It's a credit card though, so as long as we watch the statements we'll be OK. I feel for the folks using the Target debit cards; the stores have been pushing those pretty hard, and if someone gets that info they can take your money and you have to try to get it back, rather than just disputing the charges.


Debit cards are such a bad idea, it's amazing how many people don't realize how disastrous the aftermath of fraudulent activity/theft can be.
 
2013-12-19 11:32:51 AM

Flakeloaf: Banacek: They talked about this hack at DEFCON over a year ago. Good to see nothing was done.

/please don't use debit cards. At least with credit cards it's not your money that's being stolen

Meanwhile, in a civilized country...


When I go to Canada for work I just end up apologizing for my backwards credit card and its lack of real security features.
 
2013-12-19 11:34:26 AM

IanMoone: Well the problem is that most small merchants don't have the Chip and PIN equipment. And the small merchant processors make the business pay for the equipment.


My local burger van has a chip & pin card reader.  I've had pizza delivery people arrive with card readers (chip & pin ones) to pay for an order.

So yes, most small merchants do have the equipment.
 
2013-12-19 11:35:43 AM

acohn: epyonyx: Some idiot clicks a link they shouldn't have and gave them access. That idiot should burn.

Know how I know you didn't read the TFA?

"The chain said that accounts of customers who made purchases by swiping their cards at terminals in its U.S. stores between Nov. 27 and Dec. 15 may have been exposed."



Huh? Your reply makes ZERO sense.

This boils down to either a current/former Target IT employee, or one at the terminal manufacturer/distributor. They had to have at least some knowledge of how the terminal system was set up. Most probably something malicious planted on a centralized DB/Server, or an employee working on that server/network clicking on things they shouldn't have been.

Pucker factor most definitely reaching implosion levels.
 
Displayed 50 of 171 comments
