Target Has Major Credit Card Breach

samzenpus posted about 4 months ago | from the you're-the-target dept.

Crime 191

JoeyRox writes "Target experienced a system-wide breach of credit card numbers over the Black Friday holiday shopping season. What's unique about this massive breach is that it didn't involve compromising a centralized data center or website but instead represented a distributed attack at individual Target stores across the country. Investigators believe customer account numbers were lifted via software installed on card readers at checkout." Also at Slash BI.

191 comments

Wouldn't be surprised if Wal-Mart was... (0, Troll)

KrazyDave (2559307) | about 4 months ago | (#45733257)

...financing the hacking (hidden by many layers) to target Target as a form of corporate espionage. Just the bad press alone is worth literally billions in the final run-up to Christmas (and Kwanza, of course) spending.

Re:Wouldn't be surprised if Wal-Mart was... (2, Insightful)

DaHat (247651) | about 4 months ago | (#45733653)

It wouldn't surprise me if /. user KrazyDave was behind the whole plot... and subsequently trying to plant false stories to divert attention.

Well, with a name like that... (5, Funny)

Anonymous Coward | about 4 months ago | (#45733265)

Well with a name like that, I've been avoiding them for years. Can't hurt to play safe.

don't connect everything to the internet! (5, Insightful)

Nyder (754090) | about 4 months ago | (#45733267)

You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

Will they ever learn?

Re:don't connect everything to the internet! (4, Interesting)

Nyder (754090) | about 4 months ago | (#45733275)

You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

Will they ever learn?

Guess maybe I'm not thinking. They do need to verify that cards are correct, so they do need some internet access, though they could do it over the phone.

Well, I guess they will still need to rethink the security of this.

Seems to me the readers only need to communicate with a computer in the store, then that computer could do the verifying. Might be a little slower, but would probably be a lot more secure.

Re:don't connect everything to the internet! (4, Insightful)

E-Rock (84950) | about 4 months ago | (#45733317)

It's a shame that we probably won't get good details about what happened. If they're PCI compliant, those devices need to be on their own network away from the rest of the company machines. If they were actually doing that, I'd think that they could have caught this with some sort of egress filtering that would either block or alert when it saw CC information going out, or outbound connections from the CC system to unauthorized systems.

Of course, my bet is an inside job. With the right people involved, you can bypass almost anything.
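An egress check of the kind E-Rock describes, written here as an added example rather than anything from the thread or from Target: it scans outbound flow records from a payment segment for two signals, a destination outside an assumed allow-list and Luhn-valid card-number-like data in the clear. The network ranges, flow records and payloads are all constructed for the example.

```python
"""Egress check for a payment-terminal segment.

Flags outbound flows that either leave for an unapproved destination or
carry card-number-like data in the clear, the two signals E-Rock mentions.
"""
import re
from ipaddress import ip_address, ip_network

# Assumed allow-list (constructed): the processor / VPN concentrator range that
# the payment segment is permitted to reach. Everything else is unapproved.
APPROVED_DESTINATIONS = [ip_network("10.50.0.0/16")]

# 13-19 digit runs, optionally separated by spaces or dashes, that are not
# glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed flow records: (source, destination, dest port, payload excerpt).
# 10.20.1.x is the in-store payment segment; 203.0.113.77 is a documentation
# address standing in for an outside host that is not on the allow-list.
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.50.3.9", 443, "POST /auth serial=1234567890123456 amt=41.99"),
    ("10.20.1.15", "10.50.3.9", 443, "POST /auth acct=4111111111111111 exp=1216"),
    ("10.20.1.22", "203.0.113.77", 80, "GET /c?d=5500 0000 0000 0004|1216|123"),
    ("10.20.1.22", "203.0.113.77", 21, "STOR batch_0042.txt"),
]


def luhn_valid(digits):
    """Luhn check: filters out serials, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid card numbers (digits only) found in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan):
    """Keep first six and last four digits so alerts do not re-leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def is_approved(dst):
    return any(ip_address(dst) in net for net in APPROVED_DESTINATIONS)


def inspect_flow(src, dst, dport, payload):
    """Classify one flow as 'allow', 'alert' or 'block' with the reasons."""
    reasons = []
    if not is_approved(dst):
        reasons.append(f"{src} -> unapproved destination {dst}:{dport}")
    pans = find_pans(payload)
    if pans:
        reasons.append("card data in the clear: " + ", ".join(mask(p) for p in pans))
    if not reasons:
        return "allow", reasons
    # Card data heading for an unapproved host is the exfiltration case: block.
    if pans and not is_approved(dst):
        return "block", reasons
    # Unapproved destination without card data, or clear-text card data to the
    # processor (which should have been encrypted end to end): alert for review.
    return "alert", reasons


def scan(flows):
    """Run inspect_flow over every record; returns a list of (verdict, reasons)."""
    return [inspect_flow(*flow) for flow in flows]


if __name__ == "__main__":
    for flow, (verdict, reasons) in zip(SAMPLE_FLOWS, scan(SAMPLE_FLOWS)):
        print(f"{verdict:5}  {flow[1]}:{flow[2]}  {'; '.join(reasons) or '-'}")
```

The Luhn filter is what keeps a 16-digit serial or batch number from raising a false alarm, while the allow-list rule still fires on any connection the segment should never be making.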

Re:don't connect everything to the internet! (5, Insightful)

rmdingler (1955220) | about 4 months ago | (#45734881)

"Of course, my bet is an inside job. With the right people involved, you can bypass almost anything."

Temp holiday hiring season combined with the traditionally busiest time of the year... the perfect storm for a well organized attack.

Re:don't connect everything to the internet! (1)

omnichad (1198475) | about 4 months ago | (#45735541)

That's why you attach a cellular device to the internal network or pull out the microSD card from the skimmer before it's found.

Re:don't connect everything to the internet! (3, Interesting)

operagost (62405) | about 4 months ago | (#45736535)

PCI compliance says you can't have an open network port available in public areas. That is, if you have a network jack on the floor where people can use it without having their specific MAC authorized, then you're non-compliant.

If Target is PCI compliant, then this is an internal breach.

Re:don't connect everything to the internet! (1)

justthinkit (954982) | about 4 months ago | (#45735621)

It's a shame that we probably won't get good details about what happened.

Right. And considering Target has a rather unique "red card" of their own, I would at least like to know if THIS was also compromised during the most recent hack. Seems more secure, mainly because it is less portable to other stores.

Re:don't connect everything to the internet! (4, Insightful)

JWSmythe (446288) | about 4 months ago | (#45733351)

They don't need direct access. Actually, your CC data is supposed to be kept away from the Internet. That's what private circuits are for. In the case of a major retailer like Target, they should be doing all financial transfers over private circuits, with no Internet access.

Someone may have decided it would be cheaper to share the circuit with Internet access. That was *very* dumb of them.

Re:don't connect everything to the internet! (2)

mysidia (191772) | about 4 months ago | (#45733427)

Someone may have decided it would be cheaper to share the circuit with Internet access. That was *very* dumb of them.

There are perfectly safe ways of doing this -- it's called a VPN, and an isolated network behind the firewall whose only WAN is the VPN connection, to access approved systems; and be monitored by approved systems.

Re:don't connect everything to the internet! (1)

sabri (584428) | about 4 months ago | (#45733553)

There are perfectly safe ways of doing this -- it's called a VPN,

Not necessarily true. Not all VPNs are the same.

For example, a simple MPLS-based Layer 3 VPN will separate traffic between network A and network B, but it will not be encrypted. The only relatively safe way of doing it is via a strongly encrypted tunnel.

Re:don't connect everything to the internet! (1)

DarkOx (621550) | about 4 months ago | (#45733803)

IPSec would not require a tunnel and should be perfectly safe as well. That has the advantage of not requiring any separate routing, vlans, etc.

Honestly, if you are building an IP based CC scanning device, why you'd support anything other than IPSec I don't know.

Re:don't connect everything to the internet! (1)

ruir (2709173) | about 4 months ago | (#45733861)

IPsec is the tunnel creating mechanism and it is very unwise not to isolate sensitive equipment in their own vlans.

Re:don't connect everything to the internet! (1)

DarkOx (621550) | about 4 months ago | (#45734519)

IPSec *can* tunnel but does not require a tunnel. I don't disagree that isolation would be better, but most of the time that isolation ends at the next hop router anyway. It isn't as if a retail box store is going to have a layer 2 network back to HQ.

If you have some port security in place like 802.1x so you can have some at least low level of assurance that the only things on the network are supposed to be there, there isn't nearly as much value in isolation in this type of situation.

Frankly, tunneled IPSec is weaker than what I am proposing; it would only authenticate the tunnel endpoints to each other, whereas transport mode would allow the server and the swipe machines to mutually authenticate every session. If you just put them on a VLAN and route the address range into an IPSec tunnel or other VPN, then anyone who can get access to the network on either side can talk to the swipe machines or the server end and start banging away at the application layer for vulns. If the IP stack, on the other hand, is configured to just drop any packet without a valid AH header, that is going to be much, much harder.

Re: don't connect everything to the internet! (1)

rickb928 (945187) | about 4 months ago | (#45734767)

No, they can use dedicated links to their processors. Even MPLS is better than SSL.

Re:don't connect everything to the internet! (3, Interesting)

Charliemopps (1157495) | about 4 months ago | (#45734949)

About 10 years ago I used to work for ATT in their "VPN" section. Basically they had a private VPN on their network that was specifically designed for this sort of situation. The data lines were extremely small, like 8k (they could be bigger if desired), and were used almost exclusively by cash registers. These would connect via the VPN to their primary network. Not only was an attack on the VPN difficult, with an 8k transfer rate it would be pretty difficult to send much up to them anyway. I assumed this was how all stores operated, but apparently not Target.

Re:don't connect everything to the internet! (1)

Jawnn (445279) | about 4 months ago | (#45735893)

You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

Will they ever learn?

Guess maybe I'm not thinking. They do need to verify that cards are correct, so they do need some internet access, though they could do it over the phone.

Well, I guess they will still need to rethink the security of this.

Seems to me the readers only need to communicate with a computer in the store, then that computer could do the verifying. Might be a little slower, but would probably be a lot more secure.

First of all, to GP, what makes you think that the PoS terminals are attached to the Internet? Nothing in TFA even hints at such a thing. To parent, GP is right. The Internet is not required for the things we're talking about. Private networks, including VPNs (running through the Internet), are a much better choice. That said, if properly secured, credit card transactions can be safely processed across the Internet. An entire industry has been built around just that.

No. I think we're going to find that this skimming operation was operated from within Target's private network.

Re:don't connect everything to the internet! (2)

DigiShaman (671371) | about 4 months ago | (#45733321)

I thought PCI Compliance was supposed to take care of that by defining the standards in network security for POS (Point of Sale) systems?

http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard [wikipedia.org]

Re:don't connect everything to the internet! (5, Informative)

girlintraining (1395911) | about 4 months ago | (#45733709)

I thought PCI Compliance was supposed to take care of that by defining the standards in network security for POS (Point of Sale) systems?

It did. The article's scenario is a lie. Let me ask you how likely it is that, during the busiest day of the year for this retailer, with thousands of people jammed into long lines, in the one place where there are at least two high resolution cameras pointed at each terminal, a single person or group of persons, could plant multiple devices at multiple stores, within a short period of time, and then remove them after, without leaving any photographic or forensic evidence.

Because guys, that's the story that law enforcement, in collusion with the company, has released to the general public. So yes, this is bona fide conspiracy theory. But it's credible because 1. It only takes a small number of people to keep the secret: Target's senior management and information security, and select law enforcement offices. 2. They all have motivations for doing so -- law enforcement is doubtless aware that releasing true details of the crime would (a) expose a weakness in a Fortune 100 company that, besides processing credit card payments, also maintains personal health data at these locations (Pharmacy). The damage to the company, and indeed the country's economy, would be far in excess of the damage to individual creditors' accounts. It makes sense to lie about it. And this story doesn't have to hold forever -- in a few months, when everyone has forgotten about it, the truth will emerge in a court filing when they bring the people responsible up on charges.

Now, all that said -- here's the more likely scenario, which is based on my short employment with this corporation: They hacked their wifi. Unfortunately, Target has repeatedly opted to silence, or even fire, people who object to their security policy, so I do not feel bad about making this public. Target is run by morons -- big surprise, it's a large corporation. Anyone who's worked in IT will have similar experiences -- it's hardly just Target. In this case, they allow full access to any server within their corporate network at each retail location, isolated only by primitive subnet routing to delineate what is and isn't allowed through the choke router. And that's it. Once you're logged into the network anywhere, it's a flat network topology and you can easily make contact with any other node on the network. Every store has multiple wifi routers, and while they do change the keys on a regular basis, it's not all the keys, and not on all the routers -- specifically, they use an inventory-management system within the stores (those bulky "guns" you see the red shirts carrying) which depends on wifi.

There have been breaches to the network in the past through its wireless access points. These are not generally known to the public, but they have happened, and it has resulted in a number of security problems. Besides the customer's credit card data being stored on POS systems which are booted off DHCP to embedded Windows, there's also the IP-based cameras. There are an average of 20 or so at each store, and they use an embedded webserver in each of them, which stream to a central source. The password for the approximately 42,000 devices is the same on each, and is not changed often, if ever, because the firmware lacks the ability to change the password programmatically; there's no admin console. Besides the fact that many of these cameras have zoom and rotate features, and some have been known to be installed in positions where rotating the view can show the customers in the changing rooms... they're of sufficiently high quality that you can see the PINs people enter at the POS systems. The cash room, where the money is counted down at the end of every shift, is secured, but also has a camera in it. It's not hard to imagine someone with access to the cameras spying on the managers to acquire their passwords. And that's not even the creepy part: Target has installed ANPR-capable cameras in the parking lots. These cameras are continuously scanning the egress points and recording license plates; ostensibly to deter shoplifting, this data is also correlated to DMV records to determine the zip codes and certain demographic data available; so-called "non-personally identifiable information". There's also some stores with equipment that monitors the location of active cell phones within the store, plotting out how long customers stand at particular locations (a good indicator of successful advertising), and can uniquely identify and track these customers between stores by using the MAC address embedded in their bluetooth-enabled phones.

And everything I have described meets PCI compliance. I suppose you were expecting something more out of government regulation -- peace of mind, maybe? A sense of security? Let's be clear: Those protocols are there to protect the vendors, not you. Financial systems are designed to be tamper evident, not tamper resistant. Everything is audited and recorded, but access to the data streams and transaction records is not well protected.

Credit card fraud is a multi-billion dollar "black" industry. It's all tracked. Every fraudulent transaction is dutifully recorded and then processed. Little is done to stop it because what's a few billion in fraudulent charges amongst a multi trillion dollar ledger? These guys got creative -- they didn't go after the POS systems, they went after the network. Perhaps fortunately for the customers of Target (and indeed, most retailers), they're only interested in data they can flip on the black market quickly -- a few thousand credit card numbers might be worth ten grand. But the health care data and ANPR records, changing room video, etc., is probably subjectively worth more to us than a number on a piece of plastic. It is fortunate that there is no black market for that data as well, or society would have a very big problem on its hands -- one not easily dismissed as "the cost of doing business."

Again, while I have personal experience with Target, I don't mean to pick on them. All large businesses are the same -- too wrapped up in bureaucracy and blind adherence to policy to be either efficient or effective. All large businesses survive not on intelligent and guided actions, but by inertia -- to borrow from Mr. Newton, "a profit in motion stays in motion until acted upon by an outside force." This level of incompetence is very common in the industry. It just isn't talked about publicly -- and most who do are quietly disappeared or put on watch lists. If people knew how vulnerable our informational infrastructure is, they'd probably be loudly demanding reform. In a career that is viewed as a cost center where every budget-saving move is viewed favorably regardless of what it sacrifices, I rather hope they do find out... but I also know that it's not realistic. After all, in just this one tiny example, you can see how law enforcement was co-opted to tell a little "white lie" on behalf of profit. How do you think they'd view someone telling the world the barn door's open, the cows are gone, everything's on fire, and the farmer is drunk? -_-

Re:don't connect everything to the internet! (2)

ruir (2709173) | about 4 months ago | (#45733879)

You are spot on sir. And this is why at my bank, I always have refused their multiple suggestions to do Internet banking. I tell them flatly I work in the field, and know how weak the process is.

Re: don't connect everything to the internet! (0)

Anonymous Coward | about 4 months ago | (#45734171)

*ma'am/miss

Re:don't connect everything to the internet! (0)

Anonymous Coward | about 4 months ago | (#45734655)

It's cute how you think your decision not to use an online account at your bank has any impact on the security procedures in place for your account.

Re:don't connect everything to the internet! (2)

ruir (2709173) | about 4 months ago | (#45734705)

Actually it has. No activated account until I request so, not using it in any terminal at all either (in case it was activated by default), and plausible deniability. If in any case at all anything is ever lifted via the Internet banking mechanism, I never had access to it, nor any password. From what I have seen in projects I have been indirectly involved in, I would not want these guys to design my home network, much less a bank network. And then I don't trust their choice of Internet facing operating systems either.

Re: don't connect everything to the internet! (0)

Anonymous Coward | about 4 months ago | (#45734209)

What's truly unfortunate from my experience is that large companies like this often won't go for good security firms for testing. They go with big shops that basically shit out new security consultants monthly who lack real passion for the field. Even when a large company does receive a good test, they lack in-house personnel who can actually remediate. The best part? They're often so large with so many policies and governance that even high risk vulnerabilities (which are usually rampant and widespread) can take the better part of a year to fix. Frustrating.

Re:don't connect everything to the internet! (1)

smpoole7 (1467717) | about 4 months ago | (#45735055)

@girlintraining:

Very, very interesting. My only observation would be that the police would be likely to accept what Target told them; I wouldn't think there is active collusion between them.

But if we accept the premise that this is a coverup, I have a rather pertinent question.

I don't shop at Target stores. I don't like them. But sometimes, my wife and I *do* use their online site. During the dates in question, we may have sent a Target gift card (via said Website) to a family member.

If this is a coverup, it'd be nice to know the actual details. I'd like to know if *we* are at risk. We have a couple of those "credit protection" plans on all of our accounts, but it'd still be nice to know. :)

Re:don't connect everything to the internet! (1)

sunderland56 (621843) | about 4 months ago | (#45735531)

here's the more likely scenario: They hacked their wifi

Let's say they did hack or otherwise gain access to the wifi. Shouldn't a credit card transaction be encrypted over SSL/TLS?

Re:don't connect everything to the internet! (1)

omnichad (1198475) | about 4 months ago | (#45735879)

The attack on the POS system would change that or cause a second transmission of data.

Re:don't connect everything to the internet! (1)

Baloroth (2370816) | about 4 months ago | (#45736365)

Because guys, that's the story that law enforcement, in collusion with the company, has released to the general public.

Where, exactly, was this story released to the public? I've read two articles on the subject, and neither of them says that anyone has made any such claims whatsoever. Target's press release [target.com] certainly makes no such claims. All they've said is that they've fixed the immediate problem and they're hiring a forensics company to figure out how it happened.

Re:don't connect everything to the internet! (1)

Albanach (527650) | about 4 months ago | (#45735563)

NBC reports [nbcnews.com] that, according to Target, the data includes CVV information. Is this even stored on the magnetic stripe? I thought it was kept separate for this very reason.

Re:don't connect everything to the internet! (5, Informative)

Anonymous Coward | about 4 months ago | (#45736185)

CVV is on the magnetic stripe.

CVV2 is only printed on the card.

Do not confuse them. One of them is used to validate a swiped transaction, one is used to validate a keyed transaction. Any transaction that has both is invalid. A transaction that has neither is ripe for an audit.

don't give your info to the internet! (0)

Anonymous Coward | about 4 months ago | (#45733375)

Cracks like this prove that you should limit the personal info you give out to the bare minimum. Well-meaning or not, well-funded or not, high-tech or not, adding your info to third party databases is always going to be a risk.

Re:don't connect everything to the internet! (2)

AK Marc (707885) | about 4 months ago | (#45733439)

They do direct authorization. The two common ways of doing that are having an analogue line per terminal and every terminal dials in. You remember hearing the dial-in sounds for cards, right? That takes 20 seconds per card, and more if it has trouble (and is prone to trouble). Or, you have it connect to the same database, but over a VPN or private network. VPNs are cheaper, so more common. Sub-5 second authorization. More reliable. The Internet wins. But that doesn't excuse lax physical security of the "trusted" authorization machines.

Re:don't connect everything to the internet! (2)

Cramer (69040) | about 4 months ago | (#45733731)

It almost always takes more than 20 sec. And it requires a real (circuit switched) phone line. For small retailers, this works. For a big chain store, with dozens of lanes, individually processing each CC transaction would be complete murder; no one is going to wait even 30 s for a CC authorization these days. How long did your last CC purchase take? Under 5 s? Now imagine standing there for 45 s.

Re:don't connect everything to the internet! (4, Informative)

blincoln (592401) | about 4 months ago | (#45733477)

Who said anything about these devices being compromised by an attack from the internet? There are all sorts of ways to attack them indirectly:

- Compromise the system that manages them, then use that management system to push out compromised firmware or OS updates (depending on the device type - the newer payment terminals are often little Linux machines).
- Compromise the POS registers and capture the data there instead of directly on the terminals.
- Compromise the centralized back-end systems that Target uses for payment authorization. PCI-compliant retailers aren't supposed to capture full track data from the cards, but it might be possible to enable some sort of legacy mode that does just that.
- Compromise the network devices (routers, etc.) that the data is transmitted over. PCI only requires network-level encryption for transmission over untrusted networks, not internal corporate networks.

Etc. etc. Magnetic-stripe cards are a security nightmare, and everything that retailers do related to them is just a band-aid. We (the US) need to move to systems that use one-time codes - like chip-and-PIN - like the entire rest of the world is either in the process of doing or has done already.

Re:don't connect everything to the internet! (1)

NJRoadfan (1254248) | about 4 months ago | (#45735039)

EMV Chip cards are being issued in the US now. The major processors are pushing to move liability of charges to the retailer starting in 2015 for mag stripe transactions. The only problem is that US based processors aren't going for the full "chip and PIN", but "chip and signature". The EMV terminals will have a PIN pad, so hopefully card issuers will give the option of PIN security to those that want it.

Re:don't connect everything to the internet! (1)

stealth_finger (1809752) | about 4 months ago | (#45734497)

You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

Will they ever learn?

Well then, how do the credit cards verify that there's enough credit available and tell the bank or whatever to transfer the credit to the shop?

air gaps aren't useful either (0)

Anonymous Coward | about 4 months ago | (#45734843)

You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

Will they ever learn?

The Iranian equipment was not connected to the Internet either, and it got hit with Stuxnet. So air gaps are no guarantee.

And card readers, or at least the central point-of-sale brain, do need to be connected to the Internet: they have to be able to connect to the credit card servers to be able to verify that the purchaser has enough credit. (Though they could go "old school" and use dial-up modems or leased lines.)

Re:don't connect everything to the internet! (1)

wiredog (43288) | about 4 months ago | (#45734917)

Apparently you don't realize that not every network is part of the public internet.

Re:don't connect everything to the internet! (1)

operagost (62405) | about 4 months ago | (#45736471)

Why are you assuming their plastic card system is attached to the internet?

Chip and Pin (4, Interesting)

the eric conspiracy (20178) | about 4 months ago | (#45733291)

You would think that these breaches would get the US to update its security practices.

1. Chip and Pin credit cards.
2. Separate authentication and authorization in the SS system.

Re:Chip and Pin (4, Insightful)

Tanktalus (794810) | about 4 months ago | (#45733329)

Why do you think chip and pin would be an update to security practices? We've had that discussion before. Multiple times. [slashdot.org] It's more security theatre, and I doubt that this attack would have been much more difficult to co-ordinate with chip/pin cards.

Re:Chip and Pin (4, Informative)

Mashiki (184564) | about 4 months ago | (#45733517)

Considering you need the PIN for it to work, it becomes a bit more difficult. And it's either going to be 4 or 6 numbers long, so unless at every terminal they're recording the PIN, you're talking about brute forcing all known PINs against the card. Most cards lock after 5 failed attempts, plus at least with the Interac system here in Canada, if the other side doesn't authorize the PIN, the chip doesn't authorize the PIN, you get squat.

It's massively cut down on the bank card and CC fraud we've been dealing with up here. I'm sure it'll be an arms race again in a few years, but right now it is an improvement in security, albeit a small one.

Re:Chip and Pin (0)

Anonymous Coward | about 4 months ago | (#45736441)

Nope, due to a design bug, the PIN is optional [wikipedia.org]. No need to guess it, just bypass it. As far as I can tell, cloning a card is still difficult, so it does provide notable additional security, but it's still not remotely secure.

Re:Chip and Pin (4, Informative)

blincoln (592401) | about 4 months ago | (#45733537)

Chip-and-PIN isn't perfect, but it's about a thousand times better than the archaic mag-stripe cards that are still in use in the US.

Mag-stripe cards are a relic of 30-40 years or more ago - similar to social security numbers - where your identification is the same as your authentication. It's a "secret name"-type system where as soon as you tell someone what your account number is, they can do whatever they want with it.

Mag-stripe cards can be cloned easily with a ~$100 reader/encoder that you can order from China on eBay (I have one - it's pretty neat). All you need to do is swipe the card through it once (or through a cheap reader, which you save the data from and then write to a card using the bulkier encoder later). AFAIK with Chip-and-PIN, you would need a lot more time with the card, some expensive hardware, and some reverse-engineering skills instead of just click-the-copy-button skills.

Also, AFAIK, with Chip-and-PIN, you can't clone the card solely by intercepting network or device-to-device traffic. You have to compromise the reader itself. If you can intercept unencrypted network traffic from a mag-stripe transaction, then at a minimum you've got everything you need to use that card fraudulently online, and depending on how bad the system is that's involved, you probably have everything you need to create a full clone of the card.

Re:Chip and Pin (4, Interesting)

IamTheRealMike (537420) | about 4 months ago | (#45734051)

AFAIK with Chip-and-PIN, you would need a lot more time with the card, some expensive hardware, and some reverse-engineering skills instead of just click-the-copy-button skills.

Actually it's better than that. Nobody knows how hard it is to clone an EMV card because I'm pretty sure it's never been done (by the non-banking industry). All the attacks on EMV that have been mounted are things like obscure protocol attacks that could be detected by the bank, attacks on very old first generation cards that didn't have CPUs inside them, attacks on weak random number generators inside ATMs, and the other sorts of attacks you'd expect to see on an enormous and widely deployed cryptographic system. There have been a few amusingly convoluted social engineering schemes as well.

Some say EMV is the largest crypto system in history, larger even than SSL, and that would not surprise me. But what nobody has reported so far is cloned cards (at least not cloned DDA cards which is what most of the industry is using now for some time already).

The idea that EMV is broken or security theater is an idea pushed by exactly one group, AFAIK, the research group at Cambridge. They've done great work researching flaws in the system and ensuring public sector bug research keeps up with the criminal world's research, but they also love making dramatic press releases and getting their names on TV, so every time they discover a new (invariably patchable) weakness, they declare it's game over and the entire system is worthless. Not so.

Re:Chip and Pin (2)

makomk (752139) | about 4 months ago | (#45734305)

In practice, those obscure protocol attacks that could be detected by the bank weren't detected by the bank - they didn't bother looking for them and deleted the logs which would indicate if they were used. Some people in the UK had fraudulent transactions that were likely caused by this attack being used in the wild (in fact that's why researchers went looking for it in the first place), but the customers ended up liable for them because they couldn't prove it since the bank had deleted the logs.

Re:Chip and Pin (0)

Anonymous Coward | about 4 months ago | (#45734527)

Nobody knows how hard it is to clone an EMV card because I'm pretty sure it's never been done (by the non-banking industry).

No one knows how to clone cards except the people that do? Tautology aside, I'm sure there is at least one person in the banking industry that has more incentive to use their knowledge of EMV cards for nefarious gain than they do for staying honest.

this is wrong (1)

rewindustry (3401253) | about 4 months ago | (#45733573)

one-time pad is far more secure, the information gathered would have been useless, as it only applies to a transaction Target would have already processed.

how is this comment rated 4, whereas the correct information, the parent, is currently only rated 2?

Re:this is wrong (1)

weilawei (897823) | about 4 months ago | (#45735051)

One time pads suffer from the problem of key sharing, which reduces their security to that of the key sharing/shared generation scheme.

Re:Chip and Pin (1)

gl4ss (559668) | about 4 months ago | (#45733971)

it's harder to copy the chip.

certainly harder to do it whilst maintaining a normal transaction happening.

but in usa, all you need is the magstripe. then you can buy shit with it. just go to a pharmacy and load up on whatever and use the self-checkout counter and scribble something on the touchscreen joke signature area...

Inside job (4, Insightful)

Spy Handler (822350) | about 4 months ago | (#45733293)

Extremely unlikely that something of this scale and magnitude could've been done without inside help. This is not like the guys who put a card skimmer on the gas pump at the corner gas station.

IT admins at Target are probably getting grilled by FBI as we speak.

Re:Inside job (0)

Anonymous Coward | about 4 months ago | (#45733347)

I sure hope someone is getting grilled considering I just had to go through the trouble of cancelling a credit card which was used at Target on the other side of the damn country from me. I have no idea how someone got the card number as I have not been to Target in at least a year. But someone got the number and spent $172 at a Target in Flushing, NY. Go figure. Glad the credit card company caught it fast, but still. What a pain in the butt.

Re:Inside job (0)

Anonymous Coward | about 4 months ago | (#45735321)

I sure hope someone is getting grilled considering I just had to go through the trouble of cancelling a credit card which was used at Target on the other side of the damn country from me. I have no idea how someone got the card number as I have not been to Target in at least a year. But someone got the number and spent $172 at a Target in Flushing, NY. Go figure. Glad the credit card company caught it fast, but still. What a pain in the butt.

Your issue has nothing to do with this incident at Target on Black Friday. I had my credit card used at Kohl's in Arizona last year. I haven't been to Arizona or Kohl's in several years.

Re:Inside job (1)

blincoln (592401) | about 4 months ago | (#45733545)

I disagree. It's certainly possible that there was inside help, but I think it's a lot more likely someone compromised a system in Target's corporate offices and used it to pivot to capturing the data in question.

Re:Inside job (1)

ruir (2709173) | about 4 months ago | (#45733895)

You are assuming they are not such misers as to maintain and pay proper IT admins...

Paying proper admins? (1)

swb (14022) | about 4 months ago | (#45734713)

Target appears to be a massive H1B user, at least based on the people I see streaming in and out of their office buildings. So I'm not sure that paying for proper IT admins is part of their business plan.

Re:Paying proper admins? (1)

cdrudge (68377) | about 4 months ago | (#45735411)

Target appears to be a massive H1B user

Please state which Fortune 100 (or even 500) doesn't hire a significant number of H1B workers. Or for that matter, why it needs to be an incompetent H1B worker and not an incompetent US citizen, if it even was incompetency.

Re:Paying proper admins? (1)

swb (14022) | about 4 months ago | (#45736323)

Please explain how a desire to suppress wages and import cheap workers leads you to the conclusion that competency is the principal value of Target hiring and IT systems.

EMV (0)

Anonymous Coward | about 4 months ago | (#45733309)

Now if only there was a technology for authenticating credit cards based on a challenge response model instead of transmitting the key in plain text, we wouldn't have to deal with stuff like this. And if only Target's fancy new POS terminals had support for such a standard already built in...
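The distinction this comment draws, static data that can be replayed versus a challenge-response proof bound to a fresh per-transaction value, is easy to see in code. The following is an added illustration written for this thread, not code from Target, any card network, or the EMV specifications: the "chip" side is a deliberately simplified analogue of an online cryptogram (an HMAC over a terminal-chosen unpredictable number and the amount), and the card key, challenges and track-style data are all constructed values.

```python
import hmac
import hashlib

# --- Static credential model (mag-stripe style) -------------------------------
# The card hands over the same fixed data on every presentment, so anyone who
# recorded one transaction can present the identical bytes again.

def static_card_present(card_data: bytes) -> bytes:
    """What a mag-stripe 'says' to the terminal: its fixed track data."""
    return card_data


def static_issuer_verify(on_file: bytes, presented: bytes) -> bool:
    """The issuer can only check that the data matches what it has on file."""
    return hmac.compare_digest(on_file, presented)


# --- Challenge-response model (simplified EMV-style cryptogram) ---------------
# The card holds a key that never leaves the chip and returns a MAC over the
# terminal's unpredictable number and the transaction amount. Recording one
# answer does not help with the next transaction, which uses a new challenge.

def chip_sign(card_key: bytes, challenge: bytes, amount_cents: int) -> bytes:
    """Card side: MAC(key, challenge || amount). Assumed construction, not the EMV spec."""
    msg = challenge + amount_cents.to_bytes(8, "big")
    return hmac.new(card_key, msg, hashlib.sha256).digest()


def issuer_verify(card_key: bytes, challenge: bytes, amount_cents: int,
                  cryptogram: bytes, seen_challenges: set) -> bool:
    """Issuer side: recompute the MAC with the shared key and refuse repeats.

    The replay check keyed on the challenge stands in for the per-card
    transaction counter a real issuer would track."""
    if challenge in seen_challenges:
        return False
    expected = chip_sign(card_key, challenge, amount_cents)
    ok = hmac.compare_digest(expected, cryptogram)
    if ok:
        seen_challenges.add(challenge)
    return ok


def run_demo() -> dict:
    """Compare an eavesdropper's replay against both models. All values constructed."""
    card_key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    stripe = b"4111111111111111=2512201"                            # constructed

    # Static model: the recorded presentment is accepted again verbatim.
    captured = static_card_present(stripe)
    static_replay_accepted = static_issuer_verify(stripe, captured)

    # Challenge-response model: the eavesdropper records (challenge, cryptogram).
    seen: set = set()
    challenge1 = bytes.fromhex("0123456789abcdef")                   # constructed
    cryptogram1 = chip_sign(card_key, challenge1, 1999)
    genuine_accepted = issuer_verify(card_key, challenge1, 1999, cryptogram1, seen)

    # Replaying the identical pair is refused as a repeat.
    same_pair_replay = issuer_verify(card_key, challenge1, 1999, cryptogram1, seen)

    # Presenting the recorded cryptogram against a fresh terminal challenge fails the MAC.
    challenge2 = bytes.fromhex("fedcba9876543210")                   # constructed
    new_challenge_replay = issuer_verify(card_key, challenge2, 1999, cryptogram1, seen)

    # Changing the amount under a valid challenge also fails the MAC.
    forged_amount = issuer_verify(card_key, challenge2, 1,
                                  chip_sign(card_key, challenge2, 1999), seen)

    return {
        "static_replay_accepted": static_replay_accepted,
        "genuine_accepted": genuine_accepted,
        "same_pair_replay": same_pair_replay,
        "new_challenge_replay": new_challenge_replay,
        "forged_amount": forged_amount,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The point the demo makes for a defender: with the static model, intercepting one transaction is sufficient for reuse, so the only control is keeping the data out of reach (encryption at the reader, tokenization); with the challenge-response model, the intercepted material is worthless on its own and the attacker is pushed toward the card or the issuer key, which is exactly the shift the commenter is asking for.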

Re:EMV (1)

aaarrrgggh (9205) | about 4 months ago | (#45733373)

The problem with chip and pin is that it still isn't impervious to hacking, yet the customer is now responsible for preventing fraud. At least with the US system systemic fraud is a problem for the banks, even if transactional risk is placed on the merchant.

You have to establish where the endpoint of trust is for the user, and where that point is for the merchant. Everything in between is untrusted. One approach is escrow, and the other extreme is mutual authentication and authorization.

Glad I paid cash a few days ago (2)

sandytaru (1158959) | about 4 months ago | (#45733339)

I only paid cash because it was such a trivial amount - under ten dollars - but I should make a point of doing it more often. I've been a victim of this before, when they targeted Office Max several years ago. Wiped out $1300 from my checking account. Thankfully, Wachovia's fraud department paid back every penny, including overdraft fees, but it was just awful for that month it took to get resolved to have to borrow money to pay bills since I didn't have a credit card.

Re:Glad I paid cash a few days ago (1)

couchslug (175151) | about 4 months ago | (#45733379)

That's why prepaid credit cards are better than debit cards if you have no regular credit card. They reduce potential damage by not being linked to your bank account. My regular card isn't paid by automatic draft either, and my PayPal account links to a small, separate bank account I keep for that purpose.

Re:Glad I paid cash a few days ago (1)

whoever57 (658626) | about 4 months ago | (#45733691)

Wiped out $1300 from my checking account. Thankfully, Wachovia's fraud department paid back every penny, including overdraft fees, but it was just awful for that month it took to get resolved to have to borrow money to pay bills since I didn't have a credit card.

Which is exactly why you should get and use a credit card if you can. I have had credit card fraud on my card of over $3k. Impact to me: nothing (well, I did have to fill in a form stating that the items on the statement were fraudulent).

Re:Glad I paid cash a few days ago (1)

sandytaru (1158959) | about 4 months ago | (#45735457)

I do now - just one, a Delta AmEx that I'm using at every opportunity to get crazy amounts of frequent flier miles.

Re:Glad I paid cash a few days ago (2)

philip.paradis (2580427) | about 4 months ago | (#45733939)

You should have switched to a better bank, or rather a decent credit union. When this happened to me, Navy Federal Credit Union returned all the funds to my account within four hours.

Re:Glad I paid cash a few days ago (1)

sandytaru (1158959) | about 4 months ago | (#45735469)

Well, Wachovia was eventually eaten by Wells Fargo. They did return my money after about two weeks - it just took going through their fraud investigation stuff.

Re:Glad I paid cash a few days ago (0)

Anonymous Coward | about 4 months ago | (#45735533)

Or even a bad bank that isn't Wachovia. I'm with the most cartoonishly evil bank of all time, Bank of America, and the two times I've been hit with debit card fraud (~$1k both times) they've had my money back to me by the next day. The biggest inconvenience, aside from the incomprehensible (southern?) accent of the fraud agent I spoke with, was being without my card for a couple days while I waited for the new one to arrive.

Re:Glad I paid cash a few days ago (1)

McKing (1017) | about 4 months ago | (#45736389)

This is why I have 2 checking accounts: one for paying bills and one for daily spending. I direct deposit my paycheck in the billpay account, pay all of my month's bills at the beginning of the month, and then as I need to spend money I transfer the amount from billpay to spending and use my debit card. This way there is only like $20 in the spending account (for emergencies like gas or something) and if someone gets my card then they can't spend up my entire paycheck at once.

Target has always HAD a major breach (1)

turkeydance (1266624) | about 4 months ago | (#45733345)

So has Walmart, etc. No cash-register software is secure.

Re:Target has always HAD a major breach (1)

ruir (2709173) | about 4 months ago | (#45734167)

The problem is not the software per se, but that everyone and his dog "glues together" a network. I have seen, as a consultant, unbelievable things, and unfortunately I'm not talking about pa & mom shops.

I hope no one loses money, but... (4, Funny)

cervesaebraciator (2352888) | about 4 months ago | (#45733357)

the inconvenience of getting a new credit card is karma for making Target employees work on Thanksgiving and Black Friday.

upset employees? (0)

Anonymous Coward | about 4 months ago | (#45733361)

In the last few months Target has been laying off employee programmers in large numbers and moving their jobs to India with less than 8 hours notice. Target also employs India based TATA for support and programming. They do have tight controls over their internal systems so I would expect for them to track down the culprit or point of entry. Regardless this sucks for the retailer and is certain to affect all major retailers, not just Target.

Re:upset employees? (1, Insightful)

SpzToid (869795) | about 4 months ago | (#45733483)

Hello AC. It is extremely noticeable you have cited nothing to support your inflammatory anecdote.

Re:upset employees? (1)

Kagato (116051) | about 4 months ago | (#45733633)

Recent? Target put its eggs in the offshore and "prevailing wage" H1-B workers years ago. They have a bit of a reputation in the market as a result. Their divorce from Amazon onto their own web platform turned out pretty poorly and it resulted in the CIO abruptly exiting the company.

Our Target just installed new card readers (3, Insightful)

NixieBunny (859050) | about 4 months ago | (#45733367)

The last time I went there, last week, the credit card reader machine was new. I don't know when it went in, as I hadn't been there for a month or two before that.

This must mean something, or not.

Re:Our Target just installed new card readers (5, Funny)

SeaFox (739806) | about 4 months ago | (#45733419)

This must mean something, or not.

...those would be the choices

Re:Our Target just installed new card readers (0)

Anonymous Coward | about 4 months ago | (#45733445)

no mod points but this is hilarious

Re:Our Target just installed new card readers (0)

Anonymous Coward | about 4 months ago | (#45736625)

I whole-heartedly agree.

Re:Our Target just installed new card readers (0)

Anonymous Coward | about 4 months ago | (#45734763)

The last time I went there, last week, the credit card reader machine was new. I don't know when it went in, as I hadn't been there for a month or two before that.

This must mean something, or not.

I hope they are using encrypted card readers! It appears as though they were using plain text readers.

Target, not Target (0)

phluid61 (2501032) | about 4 months ago | (#45733589)

You mean Target Corporation (with the red all-caps title), not Target Australia Pty Ltd (with the black title-case title), right? And by extension "the country" means "the greatest gosh darned country in the world, the United States of America!" right?

They still have the same homophobic CEO so... (0, Offtopic)

Anonymous Coward | about 4 months ago | (#45733661)

...glad I'm still boycotting.

I Stopped Shopping At Target (2, Insightful)

Anonymous Coward | about 4 months ago | (#45733903)

I went into a Target a couple years ago to buy a copy of GTA IV, and they insisted on scanning the barcode off the back of my driver's license. I refused to allow them to scan my driver's license, and they refused to sell me the game. (I'm 50 years old and with a grey beard, so it wasn't to be sure that I was old enough.) I haven't been into a Target since, so this story is no problem for me! :)

Re:I Stopped Shopping At Target (1, Funny)

ruir (2709173) | about 4 months ago | (#45734175)

You were buying a terrorist training kit, what do you expect? Glad you told them to sod off, we need more people like you.

I don't believe you could resist the headline (1)

Chrisq (894406) | about 4 months ago | (#45734095)

I don't believe you could resist the headline:

Target Hit by Credit Card Breach

Use Cash (1)

EmagGeek (574360) | about 4 months ago | (#45734933)

I stopped using credit cards at retail a long time ago because I was sick and tired of having my credit card numbers stolen every few months. And, these days there are always the privacy implications, knowing that the government is collecting every transaction you make with a credit card.

Re:Use Cash (1)

omnichad (1198475) | about 4 months ago | (#45735937)

sick and tired of having my credit card numbers stolen every few months

You must have been doing something wrong. That's not the normal experience.

NPR: Brian Krebs broke this story (1)

McGruber (1417641) | about 4 months ago | (#45734991)

National Public Radio (http://www.npr.org/blogs/thetwo-way/2013/12/19/255415230/breach-at-target-stores-may-affect-40-million-card-accounts) says that the story was first reported by Brian Krebs, who writes the "Krebs on Security" blog. (http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/)

NPR and other news outlets are only reporting the story because Target put out a press release (http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores) that confirmed that the breach happened.

POS Hacked? (1)

deKernel (65640) | about 4 months ago | (#45735567)

If the story does have the details correct, meaning their POS terminals were somehow compromised, then Target must have some type of central server that the terminals call into to see if there are software updates, because I don't see any physical way so many terminals could be compromised. With that, the terminals could be reprogrammed to first send the authorization request, but then send a second message out with all the needed information, which indicates an inside job.

bitcoin user not affected (0)

Anonymous Coward | about 4 months ago | (#45735779)

bitcoin user not affected...

bought target cards via gyft

Nothing unique about this, home depot been here (1)

madmatty (3468483) | about 4 months ago | (#45735787)

Nothing is new about this, it's the same scam as, or identical to, what hit Home Depot in 2012

CVV security codes in magnetic strip? (0)

Anonymous Coward | about 4 months ago | (#45735983)

From the article: "Target told customers ...that the criminals had stolen customers ... CVV security codes.", "and investigators believed the data was obtained via software installed on point-of-sales terminals used to swipe magnetic strips on payment cards."

Does the magnetic strip contain the CVV codes? That doesn't seem likely to me.
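The question of what a magnetic stripe actually carries is answered by its public layout (ISO/IEC 7813 Track 2): a PAN, an expiry, a three-digit service code, and issuer-defined "discretionary data", which is where the stripe's own card-verification value (the one often called CVV1) lives; the three-digit code printed on the back of the card (CVV2) is a separate value that is not encoded on the stripe. The parser below is an added example for this thread, not code from Target or from any payment vendor; it decodes Track 2 fields, validates the PAN with the Luhn check, interprets the service code, and scans a text blob for track-shaped data the way a DLP or log-review check would. The track string and the log line are constructed sample inputs.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 2 per ISO/IEC 7813: ;PAN=YYMMSSSdiscretionary? (sentinels optional in our input).
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)


@dataclass
class Track2:
    pan: str            # primary account number
    expiry_yymm: str    # YYMM
    service_code: str   # three digits
    discretionary: str  # issuer-defined: typically PVKI/PVV and the stripe CVV (CVV1)


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check digit test over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Parse one Track 2 string; reject malformed data or a PAN failing Luhn."""
    m = TRACK2_RE.fullmatch(raw.strip())
    if not m:
        raise ValueError("not Track 2 data")
    t = Track2(m["pan"], m["exp"], m["svc"], m["disc"])
    if not luhn_ok(t.pan):
        raise ValueError("PAN fails Luhn check")
    return t


def fields_present(t: Track2) -> List[str]:
    """Names of the fields the stripe carries. Note that CVV2 is never among them."""
    names = ["pan", "expiry", "service_code"]
    if t.discretionary:
        names.append("discretionary_data")   # may hold CVV1, but not the printed CVV2
    return names


def service_code_meaning(svc: str) -> dict:
    """Interpret the service code digits that matter most to a merchant or acquirer."""
    first, third = svc[0], svc[2]
    return {
        # 2 and 6 mean an IC (chip) is present and should be used when possible.
        "chip_present": first in "26",
        "international": first in "12",
        # third digit: 0, 3 and 5 require a PIN; others do not.
        "pin_required": third in "035",
    }


def mask_pan(pan: str) -> str:
    """Show first six and last four, as PCI-style display rules allow."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: str) -> List[str]:
    """Defensive scan: return masked PANs for every Luhn-valid Track 2 pattern in text.

    Useful for checking that logs, crash dumps or outbound payloads do not carry
    raw track data; only masked values are returned so the scan itself is safe to log."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        if luhn_ok(m["pan"]):
            hits.append(mask_pan(m["pan"]))
    return hits


if __name__ == "__main__":
    sample = ";4111111111111111=25122011234567890?"          # constructed
    t = parse_track2(sample)
    print(fields_present(t), service_code_meaning(t.service_code), mask_pan(t.pan))
    log_line = "pos-07 seq=17 body=;4111111111111111=25122011234567890? status=ok"  # constructed
    print(find_track_data(log_line))
```

Two practical notes: the discretionary field has no standard internal layout, so a parser cannot reliably extract a CVV1 from it without issuer knowledge, and the service code's first digit is the quickest way to tell whether a swiped card also has a chip, which is what an acquirer uses to decide that a stripe transaction on a chip card should have been a chip transaction.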

What if it wasn't the credit card auth? (2)

ai4px (1244212) | about 4 months ago | (#45736539)

I see in many of the comments that the probable method of attack was sniffing the outbound traffic... but what if the hack was embedded in a firmware update on all the cash registers? The cash register gets the CC number from the POS keypad, right?

Lots of misinformation (0)

Anonymous Coward | about 4 months ago | (#45736605)

So many opinions, so few facts..

1. We don't know where and how the attack took place.. anything beyond that is speculation
2. If the attack took place 'on the pin pad', that would be the ONLY time PINs are in the clear. So any article that says "ATM Pins could be compromised" is either misinformed about how security of ATM PINs works in retail environments (most likely) or they have insider information (extremely unlikely). There are some excellent standards governing how PIN security should work and where and what is encrypted -- https://www.pcisecuritystandards.org/documents/pts_program_guide_2010_v1.pdf. Yes, all the devices in the market (except gas stations) have this level of security
3. EMV/Chip-and-PIN is not the answer. The security of that technology has not been put to the test because the markets that have implemented it are pretty small, compared to the US. Even then there are a bunch of problems with EMV http://www.cl.cam.ac.uk/~rja14/
4. Connecting card terminals to the internet is a better thing to do, except sadly nobody does it. It doesn't reduce security, just the opposite.. Maybe not an obvious statement, so let's think. There is a card terminal, that is connected to a cash register, which is connected to a whole bunch of other systems where card data needs to go through before getting processed. Your chances of a successful attack?: compromise 1 out of 10 systems. Connect it directly to processing centers via the internet -- your chances to be successful 1 out of 1! Far less likely. /* let's not start saying that should be SSL protected, of course; that's obvious. Don't connect to the internet without SSL protection.. */
5. Encryption is the magic bullet (somewhat).. But.. most of the encryption standards governing the use of encryption in payments are really new. So if you're as big and have been in business for longer than 3-4 years, you probably need time to migrate. There is no "easy button" to enable encryption
6. Someone as big as these guys probably had really good security in place to begin with. That doesn't stop a determined attack, clearly -- but just calling them out without knowing details is ....

If you are a consumer and you don't use your credit card, you are just being silly. You have zero liability (by law it is $50). Why do you care? Not your problem. Let the system which pays for the risk of your card compromise figure out the best way to provide security. Might as well earn points.. Yes, losing card numbers is a hassle, but.. there are benefits

If you are a security guy claiming that there is some magic bullet that is so obvious that you know and folks at Target don't -- you are being silly. I am sure Target folks are pretty smart (determined attackers still pose a problem), either that or you clearly don't know implementation challenges
