
Neiman Marcus and Other Retailers Breached, Credit Card Details Stolen

Soulskill posted about 8 months ago | from the not-their-problem-until-it's-their-problem dept.

Security 151

Fnord666 writes "Another day, another data breach. Apparently high end retailer Neiman Marcus has also suffered a breach of credit card data. Brian Krebs has the report: 'Responding to inquiries about a possible data breach involving customer credit and debit card information, upscale retailer Neiman Marcus acknowledged today that it is working with the U.S. Secret Service to investigate a hacker break-in that has exposed an unknown number of customer cards. Earlier this week, I began hearing from sources in the financial industry about an increasing number of fraudulent credit and debit card charges that were being traced to cards that had been very recently used at brick-and-mortar stores run by the Dallas, Texas based high-end retail chain. Sources said that while it appears the fraud on those stolen cards was perpetrated at a variety of other stores, the common point of purchase among the compromised cards was Neiman Marcus. Today, I reached out to Neiman Marcus and received confirmation that the company is in fact investigating a breach that was uncovered in mid-December.'" The Chicago Tribune reports that "at least three other well-known U.S. retailers" suffered breaches this holiday season as well.


151 comments


Obamacare is worse for tards like me! (-1)

Anonymous Coward | about 8 months ago | (#45930675)

Is an abject retard, I think that Obamacare saving Americans money while saving American lives is a bigger outrage than the fact that both Neiman Marcus and Target are unable to keep the credit cards I used to buy gifts secret...

Like I said, I'm an abject retard.

Re:Obamacare is worse for tards like me! (-1)

Anonymous Coward | about 8 months ago | (#45930693)

I know you're trying to get in quick, but at least spell "as" properly.

Re:Obamacare is worse for tards like me! (0)

Anonymous Coward | about 8 months ago | (#45930739)

I didn't read it as "as". I read it pronounced 'eyes', like a contraction of 'I is'.

Perhaps it would be easier (5, Funny)

Anonymous Coward | about 8 months ago | (#45930697)

For the companies not breached to just come forward.

Re:Perhaps it would be easier (0)

Anonymous Coward | about 8 months ago | (#45931649)

I'm sure it's just some kid trying to be nice and find vulnerabilities.

More 10% discounts? (0)

Anonymous Coward | about 8 months ago | (#45930705)

Will be busy shopping soon

Good thing Visa takes the risk... (1)

Frosty Piss (770223) | about 8 months ago | (#45930707)

That's the thing about CREDIT cards, the customer generally doesn't take the financial fall for fraud.

Re:Good thing Visa takes the risk... (4, Funny)

binarylarry (1338699) | about 8 months ago | (#45930721)

Yay Credit Cards! We don't have to worry about getting screwed over because they protect us while they screw us! So we're used to it!

I feel so loved.

Re:Good thing Visa takes the risk... (1, Insightful)

Frosty Piss (770223) | about 8 months ago | (#45930757)

Yay Credit Cards! We don't have to worry about getting screwed over because they protect us while they screw us! So we're used to it!

I've never had a problem with mine. Ever. I pay it off every month (thus I pay no interest), and I know that if an on-line retailer screws me over, I can dispute the charge, and the credit card company will back me.

So, I don't see a problem.

If you can't manage your finances responsibly, maybe you shouldn't have one?

Re:Good thing Visa takes the risk... (2, Interesting)

Anonymous Coward | about 8 months ago | (#45930769)

What you don't see is the money that VISA charges the company you buy from, which in turn that company charges you. And since all companies need to support VISA (because of the duopoly of VISA and MC), it's pretty hard to change. And you don't even know it because said company is not allowed to discuss that.

Re:Good thing Visa takes the risk... (3, Interesting)

Frosty Piss (770223) | about 8 months ago | (#45930805)

What you don't see is the money that VISA charges the company you buy from.

I'm fully aware of the money the CC charges the retailer. That's not my problem, that's one of the costs of doing business.

which in turn that company charges you.

The cash price would be no lower, and even without the CC tax, most businesses will charge as much as they can anyway.

And since all companies need to support VISA (because of the duopoly of VISA and MC), it's pretty hard to change. And you don't even know it because said company is not allowed to discuss that.

First, companies certainly do not have to accept CREDIT cards. Secondly, retailers bitch moan and complain all the time about CC fees, they certainly can and do "discuss" it with customers many times.

Accepting CC is a convenience for BOTH the customer AND the retailer. And since they build the CC fee into the price which they charge even CASH customers, retailers are in no position to make a stink. They are not obligated to sell their product to me, they can switch to a cash / debit card only business if they so choose. As it happens, it benefits them to accept CREDIT cards, and so they do.

Re:Good thing Visa takes the risk... (1)

ub3r n3u7r4l1st (1388939) | about 8 months ago | (#45930921)

The cash price would be no lower, and even without the CC tax, most businesses will charge as much as they can anyway.

You are shopping in the wrong places then.

Most small businesses, especially those in the Chinatowns or other ethnic communities, give discounts for people who pay in cash (sometimes you have to ask). The discount comes from waiving the CC merchant fees and local sales tax.

Re:Good thing Visa takes the risk... (1)

Lisias (447563) | about 8 months ago | (#45931181)

The discount comes from waiving the CC merchant fees and local sales tax.

Waiving the CC fee is ok. Waiving the tax is not.

I'll not even discuss ethics, but for plain value: by waiving the tax, you are waiving the right to get the product replaced if defective - and so, you will eventually be taking home rejected products that wouldn't be sold to consumers otherwise.

Re:Good thing Visa takes the risk... (3, Interesting)

DarkOx (621550) | about 8 months ago | (#45931059)

A couple things. Handling cash costs retailers money too. Might not impact smaller ones as much but for box stores and the like it makes a difference. Cash transactions take longer, so they need more checkers, it takes longer to get cash to the bank so they lose interest. Assistant managers, often still hourly, have to count it, and they usually need an armored car service to come pick it up, and it increases theft risks.

For bigger retailers the swipe fees can be a bargain. It's been proven over and over again customers spend more when they don't have to think about how much cash they have on them too. As an individual I like the fees too, I can track what I spend on my card so I never pay any interest, yet I still get the cash back awards and points which part of the swipe fee pays for.

As the merchant agreements usually force places not to discount cash, it's like a tax I get to charge. As others have pointed out the cards provide useful consumer protections as well.

Everybody wins except the folks who can't keep and track receipts and get surprised with a bill they can't afford at month's end or the folks who have messed up so bad they can't get a card.

Re:Good thing Visa takes the risk... (2)

mjwx (966435) | about 8 months ago | (#45931211)

A couple things. Handling cash costs retailers money too. Might not impact smaller ones as much but for box stores and the like it makes a difference. Cash transactions take longer, so they need more checkers, it takes longer to get cash to the bank so they lose interest. Assistant managers, often still hourly, have to count it, and they usually need an armored car service to come pick it up, and it increases theft risks.

You've never run a business.

I'm not asking, I'm telling because I ran a business and Merchant Service Fees were higher than my staffing costs or my utility bills. Sometimes they were even higher than my rent.

If you honestly think cash is more expensive than credit to accept, you've never seen the figures.

Add to this that electronic transactions can take several days to go through (this is due to the bank interchange system, so switching banks doesn't help), if you're a business that has to buy stuff on daily basis (like fresh food) too many EFT customers can kill you even whilst your business seems strong.

Re:Good thing Visa takes the risk... (1)

umghhh (965931) | about 8 months ago | (#45931301)

gp never run business and his feel for time is fkd too - my observation is - paying with the card takes as long or longer than with cash. but we in europe are retarded commies so this does not count I guess.

Re:Good thing Visa takes the risk... (2)

DarkOx (621550) | about 8 months ago | (#45931355)

I have seen the numbers actually for a major nation wide retail chain; from an activity based costing perspective.

I know for a fact the average ticket total is always larger when the tender type is credit. I never said cash handling cost more than credit processing fees and the associated IT infrastructure to support it, just that cash handling was by no means without cost.

Retailers participate in these contracts because they represent a net win. At least the big ones understand perfectly well both the costs involved and the revenue enhancements accepting CCs generates. They do it because it's profitable, for the guys operating 1000+ box stores.

I know a lot of small business owners that give reports more similar to yours and I can imagine that. If you don't do retail transactions averaging several per minute you are open, I am sure the math changes. As I am sure it does if you are operating a business like a restaurant or gas station where people tend to buy things in fixed predestine quantity independent of tender type.

But don't try to tell me CCs are not a good thing for the box store type business I was talking about, I know better.

Re:Good thing Visa takes the risk... (0)

Anonymous Coward | about 8 months ago | (#45931405)

Better than what? There are not options because none are allowed.

Re:Good thing Visa takes the risk... (1)

DogDude (805747) | about 8 months ago | (#45932127)

Cash transactions take longer, so they need more checkers, it takes longer to get cash to the bank so they lose interest.

Sorry, none of this is true. Cash takes the same amount of time as credit/debit, sometimes less. Cash gets to the bank immediately, credit cards/debit cards take 2-3 days. Credit/debit costs about 2-3%. Cash doesn't cost anywhere near that amount. If the business is using a credit union, the cost of accepting cash is near 0%.

Re:Good thing Visa takes the risk... (1)

gl4ss (559668) | about 8 months ago | (#45931469)

somehow you don't seem to be grasping the cost of doing business going directly to the price... but here's the real kicker here: you and every other US customer is paying the price for this data breach shit of massive scale.

anyhow, the real problem is the shit enforcing of the rules about them. you see, when you start processing credit card data you agree to certain rules about how to handle it...

of course, that the US version of credit cards is from the early '80s or so doesn't really help. but who is going to pay for the lost money from the stolen cards? the credit card users.

Re:Good thing Visa takes the risk... (0)

Anonymous Coward | about 8 months ago | (#45932017)

What you don't see is the money that VISA charges the company you buy from.

I'm fully aware of the money the CC charges the retailer. That's not my problem, that's one of the costs of doing business.

You are working under the assumption that the company will always take the extra profit and leave you with the same price. Assumptions that use the term "always" are risky ones.

which in turn that company charges you.

The cash price would be no lower, and even without the CC tax, most businesses will charge as much as they can anyway.

To further provide counter-example, in my area Specs Liquors provides a 5% discount for using cash or debit cards. I believe their plan to be ingenious, as they don't have to manage a double-price system. Obviously not everyone does something like this, but it does provide a competitive advantage. Initially Specs was one store, but after ten years, they dominate the Houston liquor market.

And since all companies need to support VISA (because of the duopoly of VISA and MC), it's pretty hard to change. And you don't even know it because said company is not allowed to discuss that.

First, companies certainly do not have to accept CREDIT cards. Secondly, retailers bitch moan and complain all the time about CC fees, they certainly can and do "discuss" it with customers many times.

Accepting CC is a convenience for BOTH the customer AND the retailer. And since they build the CC fee into the price which they charge even CASH customers, retailers are in no position to make a stink. They are not obligated to sell their product to me, they can switch to a cash / debit card only business if they so choose. As it happens, it benefits them to accept CREDIT cards, and so they do.

My brother ran a small restaurant primarily featuring hamburgers. Its average sale was between $8 and $9 USD. About 70% of the clientele didn't have cash or checkbooks on them. They were paying for everything by credit / debit card. Yes, he could accept a 70% drop in sales, but not if he wanted to stay in business.

I personally carry credit / debit cards only. It really cuts down on the constant hassles as I walk through the downtown streets. When someone comes up asking for money, you can easily state you don't have any cash on you. Apparently from their reactions over the years they have come to accept that people are not carrying around cash like they did. A decade ago, they'd keep on, knowing it was a brush off. Today they try to get you to hit a corner shop, etc, for cash.

Businesses don't have to work with all of the population, but they do have to work with their customers. Small retail must accept credit and debit cards, as otherwise VISA and others become a barrier in reaching your day-to-day customers.

Re:Good thing Visa takes the risk... (2)

LordLimecat (1103839) | about 8 months ago | (#45931105)

If you are getting screwed with credit cards, there is a strong possibility that you're making poor choices (like not paying your bill in full each month).

Re:Good thing Visa takes the risk... (0)

Anonymous Coward | about 8 months ago | (#45930745)

If you used cash there would be no details on file to be hacked!

Re:Good thing Visa takes the risk... (1)

Frosty Piss (770223) | about 8 months ago | (#45930781)

If you used cash there would be no details on file to be hacked!

On-line retailers don't take cash.

Re:Good thing Visa takes the risk... (1)

DarwinSurvivor (1752106) | about 8 months ago | (#45930829)

The cards in question (it's even in the summary) were used at brick and mortar retailers. I want to know how/why these credit card numbers were being stored in the first place. If I walk into a store and buy something with a credit card, they have NO business keeping that information after they've received the money!

Re:Good thing Visa takes the risk... (1)

Frosty Piss (770223) | about 8 months ago | (#45930891)

The cards in question (it's even in the summary) were used at brick and mortar retailers. I want to know how/why these credit card numbers were being stored in the first place. If I walk into a store and buy something with a credit card, they have NO business keeping that information after they've received the money!

If you have a habit of returning items purchased with Credit Cards, often they return the dollar amount to your card rather than cash, to prevent fraud.

If you are paying for a service such as a hotel room, they retain your info as a guarantee you will pay when you check out, and be responsible for damage (the same is true of rental cars).

These are two reasons, there are others. Try not to be paranoid, and if you must, simply use cash if, as it seems, you don't like the convenience of Credit Cards.

As I said, in a previous post, I have *never* had an issue with a Credit Card that was not resolved in 30 years of using them.

Re:Good thing Visa takes the risk... (1)

DarwinSurvivor (1752106) | about 8 months ago | (#45931373)

First, the stores know it was a credit card purchase because you usually have to bring in your receipt to get the return, or did you think they would be able to look up the sale in the computer just by looking at the product?!?

As for the rest of your explanations, those are all related to rentals where a "you may owe us money if you fuck it up" agreement is always presented clearly before they record your information, but I can see by the hilarious link in your signature that you may have difficulty following peoples' explanations.

The only legitimate way (for the store) that I can see having caused this is Travis Mansbridge's explanation (in the sibling post to yours) where the POS machines were compromised.

Re:Good thing Visa takes the risk... (1)

Travis Mansbridge (830557) | about 8 months ago | (#45931009)

If these were the same perpetrators as the Target attacks, as some journalists have suggested, they procured the numbers via physical card scanners infected with malware, not from a stored database.

Or bitcoins... (1)

ub3r n3u7r4l1st (1388939) | about 8 months ago | (#45930929)

More online retailers are accepting it. Overstock.com being the most recent example.

Re:Good thing Visa takes the risk... (1)

LordLimecat (1103839) | about 8 months ago | (#45931109)

Conversely, if you get mugged, it's a lot better to have credit than cash.

Re:Good thing Visa takes the risk... (1)

DogDude (805747) | about 8 months ago | (#45932155)

I've never been mugged, but I've had fraudulent charges on my CC several times in my life. I guess the whole "mugging" concern depends on where one lives!

Re:Good thing Visa takes the risk... (2)

davester666 (731373) | about 8 months ago | (#45930749)

yeah, we don't immediately have to pay for it, the cost is just spread out to everybody over the next year or so

Re:Good thing Visa takes the risk... (1)

LordLimecat (1103839) | about 8 months ago | (#45931113)

Visa doesn't charge consumers a dime to use their cards, so I'm not clear how those costs are being spread.

Re:Good thing Visa takes the risk... (1)

DogDude (805747) | about 8 months ago | (#45932167)

Visa doesn't charge consumers a dime to use their cards, so I'm not clear how those costs are being spread.

Are you kidding?

Re:Good thing Visa takes the risk... (3, Informative)

Mitreya (579078) | about 8 months ago | (#45930763)

That's the thing about CREDIT cards, the customer generally doesn't take the financial fall for fraud.

Maybe not, but Visa/Mastercard might just pass the pain onto the retailers.
My dad runs a small business, and usually if there is any problem with a credit card charge, Visa/MC will extract money back from him in a blink of an eye.

Re:Good thing Visa takes the risk... (3, Insightful)

Frosty Piss (770223) | about 8 months ago | (#45930771)

My dad runs a small business, and usually if there is any problem with a credit card charge, Visa/MC will extract money back from him in a blink of an eye.

What kind of "problem" would that be? If your father is not providing adequate customer service such that customers seek redress from their credit card company, maybe the problem isn't the credit card?

Re:Good thing Visa takes the risk... (1)

Anonymous Coward | about 8 months ago | (#45930791)

My dad runs a small business, and usually if there is any problem with a credit card charge, Visa/MC will extract money back from him in a blink of an eye.

What kind of "problem" would that be? If your father is not providing adequate customer service such that customers seek redress from their credit card company, maybe the problem isn't the credit card?

Because the credit card companies have small retailers and by extension our entire economy by the balls. They can charge small businesses whatever they want because they know the small businesses cannot refuse the credit card service. The entire system is an oligarchy and a scam.

Re:Good thing Visa takes the risk... (1)

AK Marc (707885) | about 8 months ago | (#45930815)

If it's a scam, why don't people take their business elsewhere? Discover started up to combat the duopoly. AmEx isn't one of the big 2, and they charge the most of anyone. The charges are small and mostly reasonable, $0.50 + 2% per transaction is about average. Non-zero, but not economy crushing.

Re:why don't people take their business elsewhere? (1)

TaoPhoenix (980487) | about 8 months ago | (#45931275)

"AmEx isn't one of the big 2, and they charge the most of anyone."

However, if I chime my voice in as "just one from the average streetgoer", American Express has made its name in infamy as the card many businesses don't accept! (Because of those higher fees.)

So to be sure someone has held a few meetings over at AmEx, and decided losing those smaller accounts aren't worth whatever other clout they have among the executive set.

In contrast, I can't think of any tangible difference to me between Visa and Mastercard.

Re:Good thing Visa takes the risk... (0)

Anonymous Coward | about 8 months ago | (#45930875)

Two things:

1. You sound bitter. Been refused for a CC?
2. Move to Cuba.

Re:Good thing Visa takes the risk... (1)

umghhh (965931) | about 8 months ago | (#45931327)

Why don't you move to Somalia? Seems like free market conditions would suit you well.

Re:Good thing Visa takes the risk... (3, Interesting)

Mitreya (579078) | about 8 months ago | (#45930917)

What kind of "problem" would that be? If your father is not providing adequate customer service such that customers seek redress from their credit card company, maybe the problem isn't the credit card?

Do I have to spell it out for you? "Credit card owner called and they do not recognize the charge because their card was stolen" qualifies as a charge-back problem. And because the items are sent within a day or two, it will often happen after the purchase has already been sent.

The point is -- just because you, as a consumer, do not have to pay the costs of stolen credit cards, do not assume that a faceless credit-card corporation will eat these costs. In reality, it will not.

Re:Good thing Visa takes the risk... (1)

chihowa (366380) | about 8 months ago | (#45932071)

So... the retailer is accepting stolen cards. How else would they expect that to play out?
You never get to keep stolen property, even if you pay for it in good faith. Why would the retailer get to profit from a fraudulent transaction? This is an avoidable situation, especially with mail-order items. Only ship to the billing address of the card and you'll cut these events down to a tiny number.

Now I agree that the credit card system is extremely poorly set up, but almost every situation that results in a merchant chargeback can be traced to poor behavior on the merchant's part (not verifying the cardholder's ID, not addressing the customer's complaints, etc).

Re:Good thing Visa takes the risk... (2, Insightful)

Anonymous Coward | about 8 months ago | (#45932033)

My dad runs a small business, and usually if there is any problem with a credit card charge, Visa/MC will extract money back from him in a blink of an eye.

My brother ran a small business, a fast food restaurant. These kinds of complaints arise more often than you think.

Once a customer ate his meal, complained, asked for a refund (which was met with an offer of more food, but not a return of the charge), and called his credit card company to have the transaction reversed. It was. As a small retailer, there's precious little recourse. The card company will typically take any customer complaint over the shop owner's defense.

What kind of "problem" would that be? If your father is not providing adequate customer service such that customers seek redress from their credit card company, maybe the problem isn't the credit card?

What kind of a statement is that? Basically you know little to nothing about the situation, yet you assume the worst to validate the current status quo.

For the privilege of having any payment reversed at a moment's notice, you pay per month a lump sum, an installation fee, buy the equipment, take a percentage cut out of every sale, and abide by their rules which include the right to reverse. Yes, it's all agreed to, but it's the kind of agreement that must be made if you want to be able to do business with 70% of the population. That's why it's not seen as an easy-come, easy-go proposition.

Re:Good thing Visa takes the risk... (1)

ThatsMyNick (2004126) | about 8 months ago | (#45930773)

Actually the merchants that accepted the transactions made on stolen cards, take the hit. Visa doesn't have any sort of risk in this business.

Re:Good thing Visa takes the risk... (2)

Frosty Piss (770223) | about 8 months ago | (#45930785)

Actually the merchants that accepted the transactions made on stolen cards, take the hit. Visa doesn't have any sort of risk in this business.

Exactly, but many of these same merchants would tell me to get fucked if it were not for the fact that the credit card company will back me on the refund.

Re:Good thing Visa takes the risk... (1)

tompaulco (629533) | about 8 months ago | (#45931887)

I wonder were the stolen cards used to purchase online or in person. If they were used in person, they must have been used for small POS purchases like gas or fast food, which don't require even a signature. If they were used online, then a zip code should have been used to verify the billing address. Some gas stations also require the zip code. Also, I don't believe that the credit cards are even encoded with the 3 or 4 digit security code on the card, so it can't be read by an infected reader, and those codes are usually asked for online.
Unfortunately, it is rather easy to find retailers willing to let you buy without any confirmation checks on the owner of the credit card. I guess if they consider that to be worth the effort of a few chargeback sales, then so be it.

Re:Good thing Visa takes the risk... (1)

mjwx (966435) | about 8 months ago | (#45931189)

That's the thing about CREDIT cards, the customer generally doesn't take the financial fall for fraud.

The nice banks will certainly take it out of their bottom line. They'd never charge additional fees to recoup their losses.

They'll certainly never make the merchant pay fees (which will get passed onto you in the form of higher prices).

Re:Good thing Visa takes the risk... (1)

Monoman (8745) | about 8 months ago | (#45931769)

In the long run the customer and/or the taxpayer pay.

Time to overhaul the Credit Card system in the US. (4, Interesting)

thesandbender (911391) | about 8 months ago | (#45930765)

The primary justification for not overhauling the inherently weak credit card system in the US has been the cost to the retailers, banks and credit card processors. And there's some validity to this, upgrading the system would have a major impact on everyone from the banks and large retailers on down to the mom and pops and the card holders themselves. However, the cost of continually cleaning up these messes is going to start adding up. It's time to accept the fact that the current system is horribly outdated and fix it (most retailers in Europe won't even accept chip-less US cards anymore).

Re:Time to overhaul the Credit Card system in the (3, Insightful)

AK Marc (707885) | about 8 months ago | (#45930819)

The "fix" is to hold the breaches responsible for every fraudulent charge and re-issued card. The stores store the numbers, often in violation of their agreements, and nobody cares. They should get sued for their negligence. When that happens some, nobody will want to store the card numbers (like they are supposed to), and breaches will net nothing more than customer names and addresses, at most.

Re:Time to overhaul the Credit Card system in the (3, Interesting)

bill_mcgonigle (4333) | about 8 months ago | (#45930855)

The "fix" is to hold the breaches responsible for every fraudulent charge and re-issued card.

Not just the card itself, the bank's time and to send a letter, reissue all the cards, mail them.

And then, I read earlier today, 140 million Americans are affected by the Target breach. Each of them with a current card that's getting cancelled has to go set up new automatic payments on their various autopay services, etc.

Target should be giving them a concession, say $100 or so per person for all the time they'll waste.

Now then, given actual liability for their actions, Target would never assume such risk without getting an insurance policy to cover it. And the insurance company would have a squad of auditors in their IT center to scour the thing before they issued the policy.

In the end, we'd wind up with the secure solution we're actually looking for. So the actual problem here is that corporations aren't held responsible for their negligence. Which is exactly why they form these big corporations in the first place.

Re:Time to overhaul the Credit Card system in the (1)

zippthorne (748122) | about 8 months ago | (#45931473)

Which is why, you shouldn't use pull autopay. You should use push auto pay.

If the credit card companies want to be involved in auto-pay or one-click situations, they should bring their id/authentication out of the 1950s.

Re:Time to overhaul the Credit Card system in the (1)

Sponge Bath (413667) | about 8 months ago | (#45931913)

...140 million Americans are affected by the Target breach.

Half of all Americans shop at Target? That may be right, but it seems wrong.

Re:Time to overhaul the Credit Card system in the (1)

tompaulco (629533) | about 8 months ago | (#45931941)

140 million Americans are affected by the Target breach.

Surely not directly? Are they saying 2 of every 3 adult Americans shopped at a brick and mortar Target in December and used a credit card? I can vouch that I was one of those that did not.
Are they saying everyone who has a Visa or Mastercard is "affected"? That number does seem pretty close to the number of adults with a visa or mastercard (estimated at well above half of the adult population but I couldn't find an exact number).

Re:Time to overhaul the Credit Card system in the (1)

thesandbender (911391) | about 8 months ago | (#45930887)

While I'm not arguing that they should not be held accountable, what you're proposing is not a "fix". The system should be designed so that they can't be negligent in the first place.

Re:Time to overhaul the Credit Card system in the (1)

Chris Mattern (191822) | about 8 months ago | (#45931277)

The system should be designed so that they can't be negligent in the first place.

Since negligence includes failing to follow the system properly (and often does), this is not possible.

Re:Time to overhaul the Credit Card system in the (1)

Eravnrekaree (467752) | about 8 months ago | (#45931971)

But the card number does not have to be stored for it to be vulnerable. They could also capture the data in transit. If you can get access to a database, it's pretty reasonable that other things on these systems can be accessed such as memory and network interfaces where data is in transit. All you need is a monitoring program that records everything passing through the system.

Re:Time to overhaul the Credit Card system in the (0)

Anonymous Coward | about 8 months ago | (#45930955)

The inherently weak system is manufactured product of the NSA.
Now with the Snowden leaks... the hackers know more about those weaknesses.
Expect things to get much worse.

Re:Time to overhaul the Credit Card system in the (1)

The Walking Dude (905913) | about 8 months ago | (#45930965)

In Australia stores accept chip, swipe, and wireless (you wave it over a pad, it doesn't even ask for a pin number). Unless you specifically mention the security level of each during a transaction, the majority of customers prefer the less secure methods - wireless PayPass and swipe. This is because those two are slightly faster, and they can put the card back in their wallet while it processes. They groan and make a fuss at stores where smart chips are set as the mandatory first attempt. Paying with cash is secure AND remains the fastest transaction, but people find carrying notes and coins to be inconvenient. Every time I see the Secret Service working on these cases, I remember Albert Gonzalez [wikipedia.org] from the major TJ Maxx credit card theft incident. He was on the secret service payroll at the time, in a Frank Abagnale [wikipedia.org] type prison-work release.

Re:Time to overhaul the Credit Card system in the (0)

Anonymous Coward | about 8 months ago | (#45931053)

In Australia the banks must pay after the 1st $50 dollars fraud. Not too bad considering facial recognition is already done on most ATM's and store counters. Think twice before claiming there is some mistake.

Fees: the banks don't want to stop fraud - the merchant pays for that. Lowest CC risk: Catholic / Baptist book shop ; highest risk online gadgets under $1000 - Iphones and laptops, cosmetics etc. In fact they PROFIT from it. Broadly the merchant wears the chargeback.

This is why laser stripes. magnetic puttering (unique) and ink patterns(japan) have never been adopted. Chip based cards are inferior (and expensive to issue).

Australian banks are also lazy - letting PayPal eat into 5% foreign conversion fees - lets hope Bitcoin and the likes - get them going.

Re:Time to overhaul the Credit Card system in the (0)

Anonymous Coward | about 8 months ago | (#45931087)

PayPass/PayWave is more secure than magstripe swipes since the data necessary to clone a card never leaves the card itself. It's the same sort of cryptographic authentication as the chips.

The lack of entering a PIN is a policy decision by the banking industry - they decided that it was easier to make the merchant eat amounts of up to AU$100 per transaction in fraud in exchange for faster, smoother transactions = more transactions = more revenue. Large merchants benefit too since any loss to increased card fraud is offset by reduced losses to cash theft.

That's not to say that contactless payment cards are perfect, far from it.

Re:Time to overhaul the Credit Card system in the (1)

eyenot (102141) | about 8 months ago | (#45931153)

PINs are sort of stupid in a retail setting, any way. The way most pads are set up, the other customers can clearly see what digits you're inputting, and voila, now they can use your card at any ATM.

Signatures are just as pointless. They don't prove anything unless you have a meticulous signature. People in general aren't that anal and unless you're Benjamin Franklin or some shit with a degree in calligraphy, the makeup of your signature fluctuates over time.

The US appears to be using a system that's outlived its usefulness.

Re:Time to overhaul the Credit Card system in the (1)

zippthorne (748122) | about 8 months ago | (#45931483)

Signatures aren't meant to be your password. They're meant to be a deliberate act signifying your acceptance of terms. Any deliberate mark will do, which is why old movies have (usually illiterate) characters literally signing contracts with an X.

Another problem with trying to use a signature for ID is that your calligraphy plan won't work. It only even sort-of works as id when muscle memory kicks in - when you sign as quickly as possible.

Re:Time to overhaul the Credit Card system in the (1)

rmdingler (1955220) | about 8 months ago | (#45931685)

I remember Albert Gonzalez [wikipedia.org] from the major TJ Maxx credit card theft incident. He was on the secret service payroll at the time, in a Frank Abagnale [wikipedia.org] type prison-work release.

As a founder of ShadowCrew (an early credit @ Atm numbers acquisition venture of his), his site moderators forced members to provide refunds if the stolen credit card was no good.

Re:Time to overhaul the Credit Card system in the (1)

erroneus (253617) | about 8 months ago | (#45931003)

Yes, we should use government issued IDs with biometrics to prove our identity with every transaction. It's the last link in the chain they haven't quite closed yet... well that and paper cash.

Re:Time to overhaul the Credit Card system in the (0)

Anonymous Coward | about 8 months ago | (#45931013)

The obvious fix is to prohibit the storing of credit card data. These companies are fools if they think they can aggregate that data and get away with it.

Re:Time to overhaul the Credit Card system in the (1)

IamTheRealMike (537420) | about 8 months ago | (#45931043)

You're assuming it would have made any difference. Remember that these systems have to store the data whilst the transactions are in flight. No, the solution has been known for decades - it's EMV, and every Slashdot story on these card breaches contains exactly the same discussions about how the USA needs to upgrade. Seriously, the USA is more than 10 years behind by now. It doesn't just dick over Americans. The need to be able to travel to the USA means banks everywhere else still need to support stupid magstripe or chip'n'signature transactions. If the USA upgraded it'd become easier to start aggressively targeting the remaining magstripe transactions with tougher risk analysis and that would cut card-present fraud everywhere.

Re:Time to overhaul the Credit Card system in the (1)

Demonoid-Penguin (1669014) | about 8 months ago | (#45931479)

You're assuming it would have made any difference. Remember that these systems have to store the data whilst the transactions are in flight. No, the solution has been known for decades - it's EMV.

I'm hoping it's just ignorance of how EMV actually works that makes you say that. Some people are under the mistaken belief that EMV means account details are encrypted (yes there are private keys on it), or that EMV somehow protects your account details from being used to charge your account - and they're wrong on both counts.

In this particular instance the problem only looks like it's related to Target, the common factor is the Indian card processor, the people behind it have been operating this and similar rips for almost a decade.

And no, the problem isn't (just) failure to comply with PCI - it's outsourcing responsibility (that is the problem).

Re:Time to overhaul the Credit Card system in the (1)

IamTheRealMike (537420) | about 8 months ago | (#45931743)

I'm hoping it's just ignorance of how EMV actually works that makes you say that. Some people are under the mistaken belief that EMV means account details are encrypted (yes there are private keys on it), or that EMV somehow protects your account details from being used to charge your account - and they're wrong on both counts.

You should read the EMV wiki page [wikipedia.org] . When used with DDA cards, which modern cards all are, it protects against cloning of the card and thus protects card-present transactions. Yes, EMV cards still have magstripe data on them which can be stolen and used for online merchants where the card is not present, but there are other systems that are working on making online transactions more secure as well (like 3D-Secure). The combination of these things is an upgrade.
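Added example (not part of any comment in this thread): the sub-thread above argues that static magstripe data captured on a merchant's system can be reused, while a chip keeps its key on the card and answers each transaction with a fresh cryptogram. The sketch below is a simplified model of that difference only; it uses HMAC-SHA256 with a key shared between card and issuer as a stand-in and is not the EMV algorithms, and the class names, message fields, card number and track format are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def mac(key, *fields):
    """HMAC-SHA256 over length-prefixed fields (stand-in for a card cryptogram)."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class ChipCard:
    """Toy chip: the key stays inside the object, only cryptograms come out."""

    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def sign(self, nonce, amount_cents, merchant):
        self._counter += 1
        tag = mac(self._key, nonce, str(amount_cents).encode(),
                  merchant.encode(), str(self._counter).encode())
        return {"pan": self.pan, "counter": self._counter, "cryptogram": tag}


class Issuer:
    def __init__(self):
        self._keys, self._tracks, self._last_counter = {}, {}, {}

    def issue_card(self, pan):
        key = secrets.token_bytes(32)
        track = f"{pan}=2512{secrets.randbelow(1000):03d}"  # constructed stripe data
        self._keys[pan], self._tracks[pan], self._last_counter[pan] = key, track, 0
        return ChipCard(pan, key), track

    def approve_swipe(self, track):
        # Static data: whoever presents the right bytes is accepted.
        pan = track.split("=")[0]
        return hmac.compare_digest(self._tracks.get(pan, ""), track)

    def approve_chip(self, msg, nonce, amount_cents, merchant):
        pan = msg["pan"]
        key = self._keys.get(pan)
        if key is None or msg["counter"] <= self._last_counter[pan]:
            return False  # unknown card, or a counter the issuer has already seen
        expected = mac(key, nonce, str(amount_cents).encode(),
                       merchant.encode(), str(msg["counter"]).encode())
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False  # cryptogram does not cover these transaction details
        self._last_counter[pan] = msg["counter"]
        return True


def demo():
    issuer = Issuer()
    card, track = issuer.issue_card("4000001234567899")  # constructed test number
    out = {}
    out["swipe"] = issuer.approve_swipe(track)
    captured_track = track  # what a monitor on the merchant's system records
    out["swipe_replay"] = issuer.approve_swipe(captured_track)

    nonce1 = secrets.token_bytes(8)  # terminal's per-transaction nonce
    msg1 = card.sign(nonce1, 1999, "STORE-A")
    out["chip"] = issuer.approve_chip(msg1, nonce1, 1999, "STORE-A")
    # Same captured message presented again: the counter is stale.
    out["chip_replay"] = issuer.approve_chip(msg1, nonce1, 1999, "STORE-A")
    # Captured message re-labelled for a new transaction: the MAC no longer matches.
    nonce2 = secrets.token_bytes(8)
    relabelled = dict(msg1, counter=msg1["counter"] + 1)
    out["chip_relabelled"] = issuer.approve_chip(relabelled, nonce2, 50000, "STORE-B")
    # The genuine card, which holds the key, still works.
    msg2 = card.sign(nonce2, 500, "STORE-B")
    out["chip_next"] = issuer.approve_chip(msg2, nonce2, 500, "STORE-B")
    return out


if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{name:16} approved={approved}")
```

The model says nothing about card-not-present use of the account number, which is the case the thread raises separately.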

Re:Time to overhaul the Credit Card system in the (1)

Demonoid-Penguin (1669014) | about 8 months ago | (#45932031)

I'm hoping it's just ignorance of how EMV actually works that makes you say that. Some people are under the mistaken belief that EMV means account details are encrypted [google.com] (yes there are private keys on it), or that EMV somehow protects your account details from being used to charge your account [bbc.co.uk] - and they're wrong on both counts.

You should read the EMV wiki page [wikipedia.org] .

Wikipedia [wikipedia.org] huh? [cam.ac.uk]

Maybe if I get bored I'll add a link to a paper recently published by, um, some Australian researcher showing much simpler techniques. Though I expect the industry shills will just pull it off Wikipedia (again) - it's the only way they can avoid losing in the courts as EMV isn't to protect you - it's to protect banks from liability.

And math skills aren't required - EMV can also be defeated with a paper-clip. I'm sure you can do your own research (clicking on Wikipedia barely qualifies as research). Replacing the merchant generated nonce with one embedded by the bank would be a step forward - as will the proposed one-time-key code display for Mastercard. Emue is even more secure.

Re:Time to overhaul the Credit Card system in the (1)

eyenot (102141) | about 8 months ago | (#45931131)

What impact? Mom and pops aren't in charge of how the banking system runs. The efforts required to fix the problem don't "scale down" -- it's all up at the top with the people who hate parting with their hoarded money.

Re:Time to overhaul the Credit Card system in the (0)

Anonymous Coward | about 8 months ago | (#45931161)

I am always amazed that the cost is an excuse. The rest of the planet has already changed to the not perfect but better chip.
This includes countries that have a "little bit less" usage per machine than what you have in the US.
A basic terminal [worldline.com] in Belgium costs 695EUR. A 99EUR solution [worldline.com] is also available.

I am sure that for a HUGE market like the USofA prices would be easily around 50 - 100 USD, if not cheaper. (UK has a 20GBP one)

How do I check if my card number is compromised? (1)

mapkinase (958129) | about 8 months ago | (#45931403)

How do I check if my card number is compromised?

Does this affect only cards used in brick-and-mortar store cashier machines?

Re:How do I check if my card number is compromised (4, Funny)

Sponge Bath (413667) | about 8 months ago | (#45931961)

How do I check if my card number is compromised?

Add the digits of the CC number, multiply by the CSC then divide by the expiration month. Write that number on a piece of paper and fold it in half. Then check your CC statement to see if you shopped at Target or Neiman Marcus. If so, burn the paper. If the Eye of Sauron appears in the flames, you are OK. If not, you are compromised.

And this is why... (0)

Anonymous Coward | about 8 months ago | (#45930847)

...I never give my real card number to internet shops, or offline shops for that matter. On the internet I use virtual debit cards generated by my bank with a low limit and short validity, separate ones for each purchase. Off the internet I use cash which I get from my bank's dispensers using my real debit card, for which they already have the number.

Re:And this is why... (0)

Anonymous Coward | about 8 months ago | (#45930873)

...I never give my real card number to internet shops, or offline shops for that matter. On the internet I use virtual debit cards generated by my bank with a low limit and short validity, separate ones for each purchase. Off the internet I use cash which I get from my bank's dispensers using my real debit card, for which they already have the number.

I have a special credit card with a $200 limit for the same purpose since we don't have virtual cards here (unfortunately).

keep critical shit (0)

Anonymous Coward | about 8 months ago | (#45930865)

off the fucking grid. duh.
it is possible to deploy an isolated network and secure critical point-of-sale systems, but the companies are too fucking lazy and cheap to do it... all those stupid fucks in suits care about is current stock price, how big a bonus they're getting because of it, and where they're gonna go when they've milked the current job for all they can.

Krebs (0)

Anonymous Coward | about 8 months ago | (#45930975)

Krebs is a fucking national treasure.

I'm beginning to wonder (1)

erroneus (253617) | about 8 months ago | (#45930997)

Is this the next false flag? We've already got just about everyone convinced that magic card numbers are "identity". And we've already convinced the public that breach of this "identity" somehow hurts the person identified (not the banks or retailers) and that the banks and retailers are being generous by helping us out of this mess when it happens. And on top of that? When it happens, we get "free credit monitoring services!"

We're now seeing an avalanche of these types of breaches. What are they planning? A National ID to prevent "identity theft"? Biometric tracking?

Re:I'm beginning to wonder (1)

lxs (131946) | about 8 months ago | (#45931247)

Put down the bong. Like the whole credit crisis this is the result of cutting corners to put short term profit over long term benefit. Steal a little here fudge a little there. It all works fine until the shit hits the fan. Domesticated monkey politics at its finest. It takes a crisis to get us off of our collective asses.

burn indeed (1)

eyenot (102141) | about 8 months ago | (#45931047)

The companies don't wanna pay good money for real security, and they want to throw you behind bars if you go vigilante white-hat on them, so give up. I agree with another /.'er who stated yesterday about the news of the Australian white-hat kid: let 'em burn. If that means going cash, too, go cash.

Keeping everything consolidated on just one card doesn't hurt, either. If it's a debit card you can coal-load it. When you need to make purchases, tally them up first and then go deposit the money you'll need. Charge it back out online and what will the thieves steal, if anything? Next to zero.

I've always been wary of internet business. I didn't start purchasing things online until literally just a couple of years ago, and that was some music-related art imports from Italy. This year is the first year I've made purchases on Amazon or Ebay. That about marks my limit, too. I have no reason to use anything else. I haven't even activated my newer Bank of America debit card since BoA changed to another bank.

At least with one card I only have one cancellation to take care of if some site I've used it on gets hacked.

Re:burn indeed (1)

LordLimecat (1103839) | about 8 months ago | (#45931119)

Have fun getting mugged.

At least with credit your liability is generally zero.

Re:burn indeed (1)

eyenot (102141) | about 8 months ago | (#45931149)

> "Have fun getting mugged"

Stupid on so many levels that I'm not even sure why you said it. Do you really go around your life worried that you're a target for mugging? Maybe you should put the fancy tablet away when you're hanging out in the ghetto. Honestly I don't know what to say to you, your response should be modded down for trolling.

As far as the liability is concerned, who cares? You're still in purchasing limbo until you straighten out a new card. "Have fun" waiting for the mail to arrive and going through the process of re-activating all of your cards and double-checking to make sure the bank didn't pull a fast one in the hub-bub. I personally have been a victim of skimming on several occasions so -- "have fun getting mugged online".

Ass.

Re:burn indeed (1)

gweihir (88907) | about 8 months ago | (#45931435)

But the mugger is bound to be a lot harder on you if you cannot give them cash. Your risk-model sucks.

Re:burn indeed (1)

DamonHD (794830) | about 8 months ago | (#45931213)

There are various virtual cards available on-line (I was CTO of one issuer) where you can create a new card with a new number with exactly the limit required for each transaction, eg if you don't trust the retailer fully.

Rgds

Damon

Re:burn indeed (1)

gweihir (88907) | about 8 months ago | (#45931437)

Nice! Do you have some links?

Re:burn indeed (1)

DamonHD (794830) | about 8 months ago | (#45931761)

The product/site is Entropay:

https://www.entropay.com/ [entropay.com]

(so-named given my obsession with constructing a good entropy pool to draw the random new card IDs from, amongst other things!)

Rgds

Damon

Re:burn indeed (2)

gweihir (88907) | about 8 months ago | (#45931429)

This is made worse by US banks trying to do this cheap, cheap, cheap. With my European card, I have gotten replacements for free and without asking for them 2 times now because they suspected something could be up. Cancellations are easy (mark it on a copy of the statement, send it back), and while the risk is with the vendor, they can use a processor that asks an additional password not found on the card ("verified by Visa", "Mastercard secure code"), which drives fraud nearly down to zero. In 14 years I have had 3 items I canceled, and only two were fraudulent, the third one was a vendor that could not identify their own charge when I asked them. (Minor charge of ~5USD/EUR, which I remembered what it was several months later. Never heard from them again, guess they could really not identify it.) This way, the system works very well indeed.

For smaller charges you could also go the way of a Paysafe card, which limits fraud volume to the rest on the card and is actually reasonably anonymous.

The motherfucker did not "reach out" (-1)

Anonymous Coward | about 8 months ago | (#45931133)

He _contacted_ Neiman Marcus. Jesus, what an abuse of language (his, not mine).

Visa / MC / etc are NOT paying for the breaches (0)

Anonymous Coward | about 8 months ago | (#45931339)

Retailers and others who accept credit cards are the ones paying for this insecure system and these breaches. It's a totally f'd up system.

What we need is a credit card that authenticates each transaction the user makes.

Credit cards should have a keypad and the customer should enter a pass code on it to authenticate the transaction at the time of sale.

This wouldn't be that hard to implement. You simply need a credit card that can receive an amount / merchant name / and merchant code #. The user would then be shown the merchant name, code number, and amount. If it doesn't match the place they are buying from they'd simply abort the transaction. If it matches they could then enter a password on the credit card itself (thus thwarting devices which intercept credit card data/pins/etc) to approve the transaction. The approval would simply need to include a unique number that the bank also had on file for the card holder. There would be one of these for each transaction. This data would then be encrypted with the card holder's bank's public key. The card holder's data could be transmitted via the merchant's systems without worry. Even if the systems are compromised it would not risk the card holder's money, the bank's money, Visa's money, or the merchant's money. And it would all be obvious if the transaction did not match. If the card holder accepted an amount for $10,000 when the merchant should have only charged $1,000 it would be the card holder's liability (unless they had already set restrictions, in which case the transaction would fail anyway).

Once the transaction was approved by the card holder the credit card holder's bank would encrypt a message with the merchant's public key that said "approved" (with a unique code to the transaction of course).

This way everybody would be guaranteed no liability / risk.

These cretins are learning security is not free... (1)

gweihir (88907) | about 8 months ago | (#45931411)

It is not so difficult keeping hackers out. Sound security implementations, regularly independently and competently reviewed (no, I am not talking about pen-tests, these are borderline useless and can maybe help keeping the script-kiddies out) and fixed as soon as flaws are found are quite enough to drive the attacker-effort through the roof. Unfortunately, many clueless MBAs in "management" think this is not needed. If you take into account that we are only hearing about the tip of the iceberg, things are really bad right now, without any other root-cause than stupidity and greed.

 

Re:These cretins are learning security is not free (1)

rmdingler (1955220) | about 8 months ago | (#45931579)

It is not so difficult keeping hackers out. Sound security implementations, regularly independently and competently reviewed

Yes. A system can be designed that is virtually impregnable when followed to the letter, but in systems involving implementation by humans, some genius will invariably skip a step that saves him 13 seconds of personal time.

Foolproof is impossible, because just as soon as that level of assurance is reached, they make a little bit better fool.

Cookies (2)

halexists (2587109) | about 8 months ago | (#45931521)

It was probably just that lady trying to get her money back for the cookie recipe.

NSA (0)

Anonymous Coward | about 8 months ago | (#45931527)

The National Security Agency has succeeded in assuring that our internet security is sufficiently weakened and back-doored that it is chronically ripe for takedown. "White hat" intrusion proceeds Black hat intrusion. Three suggestions. 1) Rename NSA as the National Insecurity Agency. 2) Explore protocols for non-backbone data transfers, i.e. a cryptographic transport layer that prefers peer-to-peer where possible. 3) Use identity-agnostic wealth transfer methods such as BitCoin to avoid future intrusions, e.g. credit cards that use BC and don't compromise client identity.

Sorry I got here so late... (1)

rmdingler (1955220) | about 8 months ago | (#45931561)

I was purchasing stock in a couple of smart card manufacturers.

What about EMV (chip and PIN) cards in the US? (2)

TeddyR (4176) | about 8 months ago | (#45931569)

One reason that you may not hear of these breaches in places outside the US is that many use PIN and CHIP cards that make it MUCH more difficult to use or steal the credit card numbers.

Visa and MasterCard and Amex already use these outside the US... http://en.wikipedia.org/wiki/EMV [wikipedia.org] and they are supposed to be mandatory for the US in the next couple of years. Maybe the deployment should be expedited? For a standard that has been in wide use for over 15 years elsewhere, it's about time that the US finally catches up....

Frimst s7op (-1)

Anonymous Coward | about 8 months ago | (#45931633)

under th3 GPL. [goat.cx]

Why I like Bitcoin (1)

CrazyDuke (529195) | about 8 months ago | (#45931665)

Holy meatballs, I'm going to sound like a shill. But, this is why I like making purchases online with Bitcoin. Screw all that whiny ideological crap...
