
Security Vendors Self-Censor Target Breach Details

samzenpus posted about 8 months ago | from the what-security-breach? dept.

Security 115

angry tapir writes "At least three security companies have scrubbed information related to Target from the Web, highlighting the ongoing sensitivity around one of the largest-ever data breaches. How hackers broke into Target and installed malware on point-of-sale terminals that harvested up to 40 million payment card details is extremely sensitive. Now, details that give insight into the attack are being hastily removed or redacted by security companies."

115 comments

Happy Wednesday from The Golden Girls! (-1, Offtopic)

Anonymous Coward | about 8 months ago | (#46042129)

Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.

And if you threw a party
Invited everyone you knew
You would see the biggest gift would be from me
And the card attached would say, thank you for being a friend.

Re:Happy Wednesday from The Golden Girls! (4, Insightful)

Taco Cowboy (5327) | about 8 months ago | (#46042231)

From TFA:

... Now, details that give insight into the attack are being hastily removed or redacted by security companies

Security through obscurity at play?

Hackers already know the way to do it, or they wouldn't be able to break into Target's databases.

By deleting the info, what the so-called "security companies" are doing is depriving the legitimate business owners of a way to beef up their own security measures by learning from the mistakes of Target.

Re:Happy Wednesday from The Golden Girls! (0)

Anonymous Coward | about 8 months ago | (#46042329)

You say "Muchas Gracias" to Edward Snowden but what do The Golden Girls get for giving you a first post to leach onto? Nada, Señor. Nada. What kind of amigo are you?

Re:Happy Wednesday from The Golden Girls! (1)

sirlark (1676276) | about 8 months ago | (#46044761)

Well, since Snowden is apparently in Russia, doesn't he qualify as a sort of cosmonaut in this case? It's a sort of a nod ;)

read TFA. Target IPs, passwords not helpful (4, Informative)

raymorris (2726007) | about 8 months ago | (#46042963)

> By deleting the info what the so-called 'security companies" are doing is to depriving the legitimate
> business owners a way to beef up their own security measures by learning from the mistakes of Target.

I can only guess that you didn't rtfa? Target's IP addresses, passwords, and other details are of little use to any legitimate business beefing up their own security. To secure YOUR network I need YOUR IP addresses, not Target's IP addresses.

They left the information about HOW Target was breached. They redacted victim-specific details like the IPs of specific vulnerable servers.

> Hackers already know the way to do it, or they
> wouldn't be able to break into Target's databases.

99.99% of hackers are not able to break into Target's databases. It would be good to keep it that way.

> By deleting the info, what the so-called "security companies" are doing is depriving the legitimate
> business owners of a way to beef up their own security measures by learning from the mistakes of Target.

Re:read TFA. Target IPs, passwords not helpful (2)

bondsbw (888959) | about 8 months ago | (#46043111)

99.99% of hackers are not able to break into Target's databases. It would be good to keep it that way

It would be better to add a few more 9s to that percentage, or even make it 100%.

Re:Happy Wednesday from The Golden Girls! (0)

Anonymous Coward | about 8 months ago | (#46043033)

From TFA:

... Now, details that give insight into the attack are being hastily removed or redacted by security companies

Security through obscurity at play?

Hackers already know the way to do it, or they wouldn't be able to break into Target's databases.

By deleting the info, what the so-called "security companies" are doing is depriving the legitimate business owners of a way to beef up their own security measures by learning from the mistakes of Target.

No, they still have a way. Purchase some high-price services from these security firms!

Re:Happy Wednesday from The Golden Girls! (0)

Anonymous Coward | about 8 months ago | (#46042613)

confidant, not cosmonaut

Re:Happy Wednesday from The Golden Girls! (0)

Anonymous Coward | about 8 months ago | (#46042649)

You would see the biggest gift would be from me

Or from Symantec...

As you say, if the "security companies" are involved and covering up, you can be dead certain that:

1. It was Windows malware that enabled the breach.
2. Their malware detection tools failed to perform as advertised.

Using Windows for financial transactions should be a criminal offence.

really ? (1)

Anonymous Coward | about 8 months ago | (#46042131)

i hear changing default POS passwords helps

Your data is in everyone else's hands (4, Insightful)

Toe, The (545098) | about 8 months ago | (#46042569)

Exactly. The story that still isn't being expressed well is that your data is in the hands of every company you have transactions with.

And so you are entrusting all of them to have top-notch IT (better IT than all hackers interested in targeting them). What are the chances that's the case?

I'd hazard that 10% of companies have good, solid, rigid security policies (and it's the policies that matter much more than the tech, usually). So that implies that 90% of the time you hand out your personal info to someone, it's highly vulnerable.

Just chew on that for a bit. I'd be very interested in hearing proposals for a global solution.

Re:Your data is in everyone else's hands (0)

Anonymous Coward | about 8 months ago | (#46042691)

I dunno, maybe governments could help out a bit. Maybe by making vendors do things like, I dunno, not making "admin/password" the default credentials for my wifi router. Would that be asking too much?

Re:Your data is in everyone else's hands (4, Interesting)

AlphaWolf_HK (692722) | about 8 months ago | (#46044023)

Even if you take every security precaution imaginable, you still remain with a system that can be broken into. I think the idea that you can hold companies criminally liable is a stupid one (and am glad they don't do it) much in the same way that it would be stupid to hold a bank criminally liable in the event of an armed heist.

That said, I think the problem isn't that our systems aren't secure enough, rather the problem is that the way we identify and authenticate is now inadequate.

Let's take credit cards for example: All the person needs to obtain is the numbers written on it, and they can buy things in your name. Unfortunately that means each time you make a purchase with that card, you are handing it over to somebody who can abuse it. We have the technology to avoid this, so why don't we? Something like this would be great:

Make the credit card number be a public key, and the private key is contained ONLY in the card itself using ISO 7816. The bank doesn't even have the private key, only the card itself does. If you want to make a purchase, the merchant generates a random 128-bit number and asks your card to sign it. If it signs it, it has proven its identity, and the merchant can go ahead and bill that card. No internet communication is necessary, so the business can still operate even in the event of a network outage.

If the card is stolen, it can be reported and the merchant can see that it's stolen so long as they have network connectivity. Keep existing laws so that the consumer is only liable for up to $50 (most banks already waive that to zero.) Require the merchant to retain the original 128-bit number as well as the signed response to verify that the merchant actually saw the real card and can prove that they didn't fraudulently bill a customer. The card itself stores each 128-bit number and doesn't ever sign the same number twice. If the same 128-bit number happens to be generated twice (this borders upon a statistical impossibility, by the way) then the card is to interpret that as a hack attempt and zero out its private key.

Now if the merchant's database is compromised, all the attacker has gained is the public key. They can't sign messages with that, so the information is useless. If another merchant tries to bill based on having a stolen 128-bit number, signed result, and public key, then they'll be caught as being linked to the conspiracy so fast that it'll make their head spin off of its shoulders.

There, you've just defeated about 99.99% of the credit card fraud out there; no more posts spammed to your favorite web boards of people offering to sell credit cards because that information is now useless. All that remains is somebody physically stealing your card and buying gas with it, which could be prevented in 90% of the cases with a PIN system.

Online purchases could easily be done with a $10 USB smart card reader. Add NFC support and your existing smartphone could be the reader.

Set up a similar scheme with social security numbers (the SSA issues smart cards instead,) and identity theft would only exist in stories you tell to your grandkids.
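The challenge-response purchase AlphaWolf_HK sketches above, worked through as an added example that is not part of the original thread and not any bank's or card scheme's implementation. It assumes ECDSA over P-256 with SHA-256 as the signature algorithm (the comment only says "public key"), and the names Card, Checkout, Receipt, Verify and PresentStolenReceipt are hypothetical. The card object holds the only copy of the private key, signs each merchant challenge once, and discards its key if it ever sees the same challenge again; a merchant verifies offline with nothing but the public key, and a second merchant holding a leaked receipt cannot turn it into a new charge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Challenge is the merchant's random 128-bit number from the comment.
type Challenge [16]byte

// Card models the ISO 7816 card: the private key exists only here, and the card
// remembers every challenge it has signed so it never signs one twice.
type Card struct {
	priv *ecdsa.PrivateKey
	seen map[Challenge]bool
}

// NewCard personalises a card with a fresh P-256 key pair (assumed curve).
func NewCard() (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, seen: make(map[Challenge]bool)}, nil
}

// PublicKey plays the role of the printed card number: safe in any merchant database.
func (c *Card) PublicKey() *ecdsa.PublicKey {
	if c.priv == nil {
		return nil
	}
	return &c.priv.PublicKey
}

// Sign answers a challenge. A repeated challenge is treated as an attack and the
// key is discarded, which is the "zero out its private key" rule from the comment.
func (c *Card) Sign(ch Challenge) ([]byte, error) {
	if c.priv == nil {
		return nil, errors.New("card has zeroed its private key")
	}
	if c.seen[ch] {
		c.priv = nil // the card is now permanently dead
		return nil, errors.New("replayed challenge: private key zeroed")
	}
	c.seen[ch] = true
	digest := sha256.Sum256(ch[:])
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Receipt is what the merchant retains: its challenge, the card's answer and the
// public key, enough to prove later that it saw the real card.
type Receipt struct {
	Challenge Challenge
	Signature []byte
	Pub       *ecdsa.PublicKey
}

// NewChallenge draws the merchant's random 128-bit number.
func NewChallenge() (Challenge, error) {
	var ch Challenge
	_, err := rand.Read(ch[:])
	return ch, err
}

// Verify checks a receipt offline: no network, no secret, only the public key.
func Verify(r Receipt) bool {
	if r.Pub == nil {
		return false
	}
	digest := sha256.Sum256(r.Challenge[:])
	return ecdsa.VerifyASN1(r.Pub, digest[:], r.Signature)
}

// Checkout runs one purchase end to end and returns the receipt the merchant stores.
func Checkout(card *Card) (Receipt, error) {
	ch, err := NewChallenge()
	if err != nil {
		return Receipt{}, err
	}
	sig, err := card.Sign(ch)
	if err != nil {
		return Receipt{}, err
	}
	return Receipt{Challenge: ch, Signature: sig, Pub: card.PublicKey()}, nil
}

// PresentStolenReceipt models a second merchant holding a leaked receipt but no card.
// It must draw its own challenge, so the leaked signature never matches.
func PresentStolenReceipt(stolen Receipt) (bool, error) {
	fresh, err := NewChallenge()
	if err != nil {
		return false, err
	}
	return Verify(Receipt{Challenge: fresh, Signature: stolen.Signature, Pub: stolen.Pub}), nil
}

func main() {
	card, _ := NewCard()
	r, _ := Checkout(card)
	fmt.Println("genuine purchase verifies:", Verify(r))
	ok, _ := PresentStolenReceipt(r)
	fmt.Println("leaked receipt reused by another merchant:", ok)
	_, err := card.Sign(r.Challenge)
	fmt.Println("replayed challenge:", err)
}
```

The model deliberately leaves out what the comment also leaves out: how a merchant learns a card has been reported stolen, and how the bank ties a public key to an account. Those need a back channel; the signing and verification shown here do not.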

Re:Your data is in everyone else's hands (4, Informative)

xaxa (988988) | about 8 months ago | (#46044359)

(Public key cryptography for credit cards)

I think you've more-or-less described the EMV standard, which is widely used pretty much everywhere except the USA.

http://en.wikipedia.org/wiki/E... [wikipedia.org]

I just bought some food by credit card, and the receipt says:
Visa Credit £6.34
[ICC] **** **** **** 3435
AID: A0000000013039
PAN SEQUENCE: 03
MERCHANT: **41872
AUTH CODE: 146972

PIN Verified

I have a smart card reader for validating online banking transactions, I think the administration and transport costs were probably more than the cost of the reader -- the bank sent it for free. The card has NFC, for low-value transactions (under £20, I think) I can pay contactlessly without a PIN. London is trialling accepting this for train/underground travel, it's already accepted for buses.

My card still has a magnetic strip, but I don't think it's ever been used.

Re:Your data is in everyone else's hands (2)

amalcolm (1838434) | about 8 months ago | (#46044619)

I suspect LT will not do NFC because Oyster is better for them. They get positive cash flow from the money you load onto the Oyster card. As an occasional Oyster card user with a £60 balance, LT has my £60 until I use it (which might be never!)

Re:Your data is in everyone else's hands (0)

Anonymous Coward | about 8 months ago | (#46045203)

it would be stupid to hold a bank criminally liable in the event of an armed heist.

We don't hold them criminally liable, but we do hold that it is *their* money that has been stolen. If they told their customers "Sorry, your money was all stolen. You don't have a balance here any more.", *then* we'd press criminal charges against them.

A credit card, as you point out, allows anyone to make purchases in your name. If a company has a copy of your credit card number, and loses it, they should be liable for any subsequent unauthorised purchases with that credit card, just as if they'd used the card to make purchases themselves.

Then we'd have the incentive in place to implement a really secure system, like the one you described.

Fine and Well? (0)

Anonymous Coward | about 8 months ago | (#46046001)

Gee, that sounds like the system we had back in 96, gee that was a great year for wine. But, then, they added the requirement for keeping the 3/4 number identifier in their databases, and the PIN, and other identifiers for the withdrawal of funds from the account? so security was better in 96 than now?
No, but, I still wonder?
After reading the articles, I'm still wondering which security agency or mob hired these russian kids, six years ago, to implement this attack.
Shirly, damn sp chk. they didn't develop the BF attack that to down a major Walmart opponent. Without help. Who? Russians? Chicoms? Interesting...NSA?

Re:Your data is in everyone else's hands (0)

Anonymous Coward | about 8 months ago | (#46046777)

That said, I think the problem isn't that our systems aren't secure enough, rather the problem is that the way we identify and authenticate is now inadequate.

how it works:

Hi, I'm Joe Blow, and I want to do business with you.
Um, which Joe Blow are you?
I'm Joe Blow from Cincinnati.
Hmm, that's not enough. Do you have something public and unique we can use to identify you?
My SSN is 123-45-6789
Ok, hi Joe, we want to make sure this is actually you.
It's really me. I promise.
Hmm, that's not enough. Do you have something private and secret we can use to authenticate you?
My SSN is 123-45-6789
Ok, that works.

*facepalm*

Re:Your data is in everyone else's hands (2)

hmmm (115599) | about 8 months ago | (#46044285)

Absolutely true. Companies these days are like 9th century coastal villages in Europe. Snakeoil vendors are selling magic potions and amulets to the village inhabitants promising to ward off evil. These villages may have some security people. These security people might be diligent and hard working, but when a horde of vikings appear on the horizon there is little or nothing they can do.

We need to withdraw to fortified castles and towns. Centralise our security resources and, instead of making holes all over the corporate networks, ensure that there is only one way in and out. Monitor everything going in and out of the corporate network through a single chokepoint. If you want to set up your business outside the fortified walls, you take your chances. It won't stop all attackers, but it will stop most.

There simply isn't enough good security people, and those that are out there are scattered working with multiple companies - the attackers have all the advantages at the moment and it is only getting worse.

Really? (2)

atari2600a (1892574) | about 8 months ago | (#46042157)

You mean I won't be able to tweak some search query that gives me the service manual to a POS terminal, including how to access service mode & dump new firmware?

Re: Really? (2)

pegr (46683) | about 8 months ago | (#46042201)

Not here. Target's pos pos is homebrew.

Re: Really? (1)

atari2600a (1892574) | about 8 months ago | (#46042249)

So they say. Find one buried in the backroom, tear it open, find the microcontroller's manual & the serial port. Dump, hack, reflash, ???, profit (or net loss, considering you can't necessarily sell them cc's ATM)

Re: Really? (2)

Anonymous Coward | about 8 months ago | (#46042373)

I bet it ran Windows CE and was connected to a register running Windows CE or XP, which in turn was connected to a Windows server. "RAM dump" as a method for extracting cleartext data is an ingenious misleading of the public, and the genius of that statement is that average people with a little bit of know-how will assume it was a super-sophisticated hardhack on a secret ultra-proprietary system and not some embarrassing lack of proper encryption code within the system.

The truth will show that I was right, that the truth is in fact far more banal and unremarkable - the malware was, after all, submitted to Symantec according to the linked article. As if Symantec gave a fuck about real proprietary microcontroller code.

The spinmasters are now smarter than you are, Slashdot readers. Those of you who aren't paid shills need to up your game a little.

-- Ethanol-fueled

Re: Really? (1)

aaarrrgggh (9205) | about 8 months ago | (#46043017)

The original hack could have been much easier... Just a well crafted series of 2d bar codes with the right escape characters could be enough to get the first machine, assuming they were not living on the corporate network for months or years.

What actually surprises me about this attack is that it was not better targeted; what is the point of millions of credit cards when you could pick and choose the cards you take at the register? Why go for the credit cards when identity fraud is so easy?

Interestingly, I had my first post-target fraud warning come through this week from the credit card company, but not a peep out of target for me.

Re: Really? (0)

Anonymous Coward | about 8 months ago | (#46043093)

You, sir, are not only a liar, you are most certainly NOT a pal nor a cosmunaut.

GOOD DAY!

Re: Really? (2)

viperidaenz (2515578) | about 8 months ago | (#46042459)

Not all microcontrollers can have their firmware dumped.

Re: Really? (0)

Anonymous Coward | about 8 months ago | (#46043209)

... without sulphuric acid and some know-how and effort.

Re: Really? (1)

AmiMoJo (196126) | about 8 months ago | (#46045065)

No need. Target had the ability to do remote firmware updates, meaning that a copy of the firmware was being kept on a server somewhere ready to be downloaded and disassembled. Once hacked it was a simple matter of sending it out to all terminals in stores and waiting for the data to roll in.

Re: Really? (0)

Anonymous Coward | about 8 months ago | (#46042635)

As a construction worker I can't even count how many server rooms, old POS terminals, and credit card machines that I have had access to. Granted, access to equipment makes things a lot easier, but so do LAN taps, DD-WRT routers, and Raspberry Pi... Try putting on a hard hat and a yellow vest and see how far you can get. And I'll bet you a dollar that a criminal on a mission will get even farther than you.

Re: Really? (1)

burningcpu (1234256) | about 8 months ago | (#46043625)

And from now on, I will refer to all those infuriatingly insecure devices as POS^2.

Oh good (5, Insightful)

gamanimatron (1327245) | about 8 months ago | (#46042171)

Without details about the attack vector and attacker behavior during and after the breach, we're left with "Well, someone broke in to their servers using [redacted] and then they did [redacted]." Totally frickin' useless for me when trying to secure our sites: "There's this horrible emerging threat that can fry your brand overnight, but we won't tell you what it is or give enough details for you to defend against it."

Meanwhile, the guys in timbucktooistan can now order the proven exploit kit from their favorite BBS.

Meh.

Re:Oh good (1)

fuzzyfuzzyfungus (1223518) | about 8 months ago | (#46042203)

On the plus side, the odds that somebody important ends up looking stupid are incrementally reduced, so all is right with the world.

Re:Oh good (2)

bobbied (2522392) | about 8 months ago | (#46042269)

You are "on target" eh?

Re:Oh good (5, Insightful)

abirdman (557790) | about 8 months ago | (#46042283)

I agree 100%. The security companies who advise the likes of Target aren't talking about the whole exploit-- indeed, are pro-actively hiding the details-- because they don't want to explain how their hideously expensive security best practices were utterly pwned by some foreigners who weren't interested in any of their acronyms. These security guys are like Stratfor-- pugnacious, pistol-packing, ex-military folk who think computer security is just a variation on any other kind of security detail, and are prepared to sell the hell out of their ideas, even when they can't secure their own passwords.

Re:Oh good (1)

onyxruby (118189) | about 8 months ago | (#46045601)

Target wasn't following security best practices. They were aware of certain risks and willingly took them.

You're missing the point (2)

Toe, The (545098) | about 8 months ago | (#46042575)

There's an easy solution.
Just hire one of those security companies!

Re:Oh good (2)

rtb61 (674572) | about 8 months ago | (#46042623)

Well, this might make you warm and fuzzy, perhaps it was a NSA hack in POS software so they could track the majority of credit card transactions. This information was then passed onto another party who simply did what the hack was designed to do, extract all personal information. Now the question is can the NSA sue for copyright infringement because according to them and the US government they own the personal information of everyone on the planet.

same thought (0)

Anonymous Coward | about 8 months ago | (#46043851)

Yeah, that same idea came to mind. And you're probably being sarcastic, but I don't see the NSA interested in what people are buying from a shitty department store?

Maybe someone is buying up too many "cleaning chemicals" or "fertilizer"!!!
{sarcasm} because that is the preferred bomb making material of the supposed terrorist.

That type of bomb making information has been around since the 50's, and yet few seem to use it!!

Re:same thought (1)

Cenan (1892902) | about 8 months ago | (#46044283)

Because planes and pressure cookers are easier to get your hands on, and fertilizer bombs smell fucking awful during production.

Not that,... (0)

Anonymous Coward | about 8 months ago | (#46046127)

Maybe they were tracking the phone with the B/C thru a POS device, but that still begets the question, did they get into the ATM, or the HST...They should then be in the Wall Street, so don't count on the market daily, or the banks to keep you safe anymore..So are they doing the mouse that roared? skimming off the .00009's from all transactions now, because they haven't been found or reported, I'd say they either work for a government, or are dead...Mob would have killed them for the 9's. Because they know too much.

Re:Oh good (1)

biodata (1981610) | about 8 months ago | (#46045059)

of course they will tell you what it is if you pay them

Target just couldn't handle this any worse (5, Insightful)

Sycraft-fu (314770) | about 8 months ago | (#46042177)

If they'd just come out and said "Yes, some evil hax0rs got in to our system and stole lots of cards. Stupid haxors, everyone hates those guys. Here's how they did it, here's what we are doing, and here's some security experts that are helping us," well people would probably be fine with it.

Instead they are being all secretive and it makes people worry. They also are doing shit for notification. I always use my Target card when I shop at Target because it has the best bribes (5% off anything, since they actually run their own bank and don't have to pay payment processing fees on it). I have received zero notifications from Target about the compromise, and no new card. I know my card was hit, since I have friends who shop at the same store using non-Target cards that got notified, but Target hasn't done anything.

I'm not worried, they have to deal with all the fallout of any unauthorized charges and the card can only be used at Target, but it is just extremely bad form. It shows a real lack of care and understanding as to the severity of this. It really makes them look bad.

If there's something history has shown with regards to people and companies it is that you need to admit you fucked up, even if it wasn't your fault really, and show people how you are making it right. Then, they are happy and forgive. Get all secretive and hostile, and they'll get hostile right back.

Re: Target just couldn't handle this any worse (1)

pegr (46683) | about 8 months ago | (#46042215)

The card brands call the shots when this much sh!t hits the fan, but, yeah.

Re:Target just couldn't handle this any worse (2)

fuzzyfuzzyfungus (1223518) | about 8 months ago | (#46042225)

Given that this is at least the second (known) major Target CC breach, anyone who still holds out hope for Target's good faith may have difficulties with empiricism...

Target's CC-issuing arm also scuttled a 'chip-and-pin' rollout a while back; because the store side was worried about it taking longer at the register, and the 'marketing advantages' that were supposed to have been offered by the additional customer data didn't materialize...

Re:Target just couldn't handle this any worse (4, Funny)

c0lo (1497653) | about 8 months ago | (#46042347)

Given that this is at least the second (known) major Target CC breach, anyone who still holds out hope for Target's good faith may have difficulties with empiricism...

Nah dude, no problem with empe... imper... whatever you just said.

Yours,
Joe Average

(does the above illustrate well the level of critical thinking in the consumer mass?)

Re:Target just couldn't handle this any worse (5, Insightful)

phantomfive (622387) | about 8 months ago | (#46042393)

No one cares about backups until their hard drive crashes.
No one cares about security until they get hacked.

Re: Target just couldn't handle this any worse (0)

Anonymous Coward | about 8 months ago | (#46043219)

It really is a shame the things people think they can get away with just because it's on a computer.
I don't care about backups or security but that is because everything on my computer came from the internet and can be had again in 2 days.

Re:Target just couldn't handle this any worse: ?? (3, Interesting)

Anonymous Coward | about 8 months ago | (#46042565)

Well, this seems worse: I did an online order with store pickup at Target yesterday, and their Id "requirement" for pickup included scanning some kind of QR/barcode off the back of my driver's license! I could not figure out at first why the clerk was wanting me to take the card out of my wallet see-through holder when most clerks just glance at it for my birth date for buying booze (keep asking for the senior citizen discount, but it's never the right day...), or just to see that my name matches that on a CC, but before I understood what he was doing, he held the back up to his register screen. So now I need to call the DMV to ask just how much PII I just let Target dump into their leaky DB to hand out to the hackers.

Although the cat is likely out of the bag, there will be no more of those online/in-store pickup deals with those bozos!

Re:Target just couldn't handle this any worse: ?? (0)

Anonymous Coward | about 8 months ago | (#46043063)

So now I need to call the DMV to ask just how much PII I just let Target dump into their leaky DB to hand out to the hackers.

If it's just a bar code, then all it contains is your driver's license number. (And you can decode it yourself if you want, google around a bit for the format)
If it's a magnetic strip, then it has all the data which is visible on the license.
I've never seen anyone use QR codes on licenses... at least not yet.

Re:Target just couldn't handle this any worse: ?? (1)

Muad'Dave (255648) | about 8 months ago | (#46045795)

The 2D barcode also has all that info. See this [turbulence.org] or this [turbulence.org] page to see what's on there.

Re:Target just couldn't handle this any worse: ?? (1)

Muad'Dave (255648) | about 8 months ago | (#46045789)

OMG! The first time they did that I friggin' flipped. They asked to 'see' my license - I held it up so she could read the birthdate, and the salesperson grabbed it out of my hand and scanned it before I could object. Man, I was pissed! I complained to her, the store manager, and I wrote a letter to HQ. No one understood the privacy implications of them scanning all of that data from my license.

this site has a map [turbulence.org] and a table [turbulence.org] that tells you what's on your license by state. Virginia has a ton of info that I'd rather Target not have.

Re:Target just couldn't handle this any worse (0)

Anonymous Coward | about 8 months ago | (#46045195)

That chip-and-pin thing they did was about 10 years ago, and it wasn't for their credit system, it was something to do with coupons or discounts. The readers probably could have been used for chip-and-pin, but few American banks were issuing smart cards back then.

Re:Target just couldn't handle this any worse (3, Interesting)

c0lo (1497653) | about 8 months ago | (#46042331)

Target just couldn't (and can't) handle this FULL-STOP

My guess: the fix is expensive to apply, it will take some time and Target hopes that not-everybody-and-their-dog will know they are still vulnerable.
Because otherwise nobody would buy anything from Target on card any more - which would be quite wise for the potential customers but disastrous for Target.
I think it is understandable, when it comes to survival, the "better your mama mourn you than mine" applies. So hush... "jobs are at risk", "share market may crash" and what-not will keep hax0rs happy for a while.

Re:Target just couldn't handle this any worse (1)

bob_super (3391281) | about 8 months ago | (#46043593)

We could have a fun comparison: TARGET vs TEPCO !

Re:Target just couldn't handle this any worse (0)

Anonymous Coward | about 8 months ago | (#46042333)

evil hackers never got inside.
This was an inside job, and the Indian gov. is working hard to cover this up.
The reason is that a number of the other systems were ALSO inside jobs from India.

Re:Target just couldn't handle this any worse (3, Informative)

LordKronos (470910) | about 8 months ago | (#46042871)

They also are doing shit for notification. I always use my Target card...I have received zero notifications from Target about the compromise, and no new card.

Are you sure? You might want to check your mailbox again, or your spam filters. I've received the following emails from them:

Dec 20 - Letter from Target’s CEO Gregg Steinhafel and Important Notice
Dec 23 - Important Information for our REDcard Holders

Re:Target just couldn't handle this any worse (0)

CaptQuark (2706165) | about 8 months ago | (#46043459)

I know my card was hit, since I have friends who shop at the same store using non-Target cards that got notified...

No, you are assuming your information was taken because other people had their information taken at the same store.

  • Perhaps if Target was able to identify which POS terminals were compromised and determine your information was never processed by one of them, you don't need to be notified.
  • Perhaps the terminals encrypt the Target card information and only transmit outside card info in the clear. Your information was never in jeopardy.
  • Perhaps Target has programmed their POS terminals to automatically re-write new card numbers onto their cards the next time you use it in Target so the stolen info would be useless.
  • Perhaps they have decided the cost of notifying all the Target card holders is more than the anticipated losses and they will just eat the small cost of fraudulent use. As you said, Target cards can only be used in Target stores.

There are many reasons why you might not need to be notified.

~~

Re: Target just couldn't handle this any worse (0)

Anonymous Coward | about 8 months ago | (#46044373)

If you're using a Target credit card then they absolutely pay processing fees on the transactions. Just like nearly every other bank they outsource their credit transaction processing to a third party.

They got the PINS, lol! (0)

Anonymous Coward | about 8 months ago | (#46045359)

Did you notice that Target sent out a mea-culpa email and told everybody to get signed up for their free year of experian credit monitoring, but they forgot to mention something?!? They forgot to mention to everybody that when they change their CARD, they need to change their PIN as well.

Many people just use the same PIN always, everywhere they go. The carders now have a tidy database of name-to-PIN. If they get access to your card info in the future, they will have your PIN ready as well.

You mean I gotta change my PIN too? Now I am pissed! haha...

Useless effort (3, Insightful)

pegr (46683) | about 8 months ago | (#46042191)

If by "don't want to compromise the investigation" they mean "don't want to let the crooks know what we know", they have already failed. Any action to remove material now is simply playing to politics.

Personally, I think the value of publishing the data is higher than not tipping your cards to crooks. They know what they left behind.

What kind of a problem is there... (0)

Anonymous Coward | about 8 months ago | (#46042197)

That information like this starts disappearing from the internet?

Call me paranoid, but this makes me think there is a far, far worse problem either with the system in general, or the equipment pertaining to a certain manufacturer that is in widespread use.

Normally security companies are all over this kind of thing, blasting their findings far and wide so they can get fixed. The fact that they're trying to cover it up makes me think that there is some fundamental flaw somewhere that cannot easily be fixed.

Re:What kind of a problem is there... (2)

fuzzyfuzzyfungus (1223518) | about 8 months ago | (#46042253)

I suspect that it's less a matter of some fundamental flaw, and more a matter of the fact that 'POS' stands for more than 'Point of Sale' when it comes to the hardware and software in wide use, and everyone wants to cover their asses given the amount of fraud related losses and upgrade costs that may be floating around and looking for a place to land...

It's not news that mag-stripe systems (with their 'Hey, let's pretend that the stripe data are some kind of secret, and require them for every transaction! And, um, if that seems stupid, how about a 3-character "security" code?' design) have issues; but nobody really wants to do anything other than try to shovel liability onto the next guy.

Re:What kind of a problem is there... (1)

rmdingler (1955220) | about 8 months ago | (#46042273)

Or.

Target's suits are tired of answering questions that continue to place the corporation in a negative light.

Can you imagine what their January sales numbers are going to be?

Re: What kind of a problem is there... (0)

Anonymous Coward | about 8 months ago | (#46042315)

This was a major financial crime, and the Secret Service is involved because of that. The investigation is ongoing.

What else is there to figure out here...

Wonder Why It keeps Happening? (5, Insightful)

rmdingler (1955220) | about 8 months ago | (#46042223)

Now you know.

No open resolution of a security breach so that particular vector of attack can be scrutinized by the retail industry and perhaps better guarded against.

Better to control PR damage now than prevent a recurrence.

Re: Wonder Why It keeps Happening? (0)

Anonymous Coward | about 8 months ago | (#46042339)

Sure it could be that, OR the Secret Service is still investigating the matter.

Captcha: morons

Re:Wonder Why It keeps Happening? (2)

Monoman (8745) | about 8 months ago | (#46044477)

I'll guess the reason it keeps happening is because most of these systems are not implemented securely. The POS systems themselves may have security issues but I'm guessing that the communications aren't running over VPN tunnels.

I know Target keeps getting the headlines but wasn't there at least two other major retailers hit by this? Did they all use the same POS or contractor for implementation?

Re: Wonder Why It keeps Happening? (0)

Anonymous Coward | about 8 months ago | (#46045907)

The way you mentioned VPNs makes me think you see them as useful. In many cases, these systems are on an actual private physical network. It is often the back end servers which are attacked, as it was in this case. VPN likely was implemented, as people seem to persist in the belief that they are secure, when usually they don't matter, or aren't.

Re:Wonder Why It keeps Happening? (0)

Anonymous Coward | about 8 months ago | (#46045851)

Now you know.

And knowing is half the battle! :p

Why? (0)

Anonymous Coward | about 8 months ago | (#46042309)

I think its fairly obvious that the "bad guys" already know this information. Is it that bad for the "good guys" to know too?

One thing they are keeping quiet (5, Interesting)

Anonymous Coward | about 8 months ago | (#46042321)

is that it was an inside job. Basically, Target offshored the work, and now they are trying to figure out who released this virus. Getting India to cooperate is hard to do.

Re:One thing they are keeping quiet (4, Informative)

pcwhalen (230935) | about 8 months ago | (#46042587)

Maybe. They do have a lot of job openings in Karnataka, Bangalore, India.

https://targetcareers.target.c... [target.com]

Non Windows ATMs .. (0)

Anonymous Coward | about 8 months ago | (#46042481)

What did they use before 'upgrading` to the Windows industry standard?

Come back OS2 (1)

Joe_Dragon (2206452) | about 8 months ago | (#46043039)

OS2 was BIG on AMT's to bad IBM dropped out how is eComStation going?

Re:Come back OS2 (0)

Anonymous Coward | about 8 months ago | (#46043501)

OS2 was BIG on AMT's to bad IBM dropped out how is eComStation going?

Wow! Three run-on sentences, no capitalization where needed, misspelled ATM, and typical misuse of "too". Let me guess. You text all day using only your thumbs.

Closing the Barn Door... (5, Informative)

pcwhalen (230935) | about 8 months ago | (#46042517)

...after all the cows got out.

Day late and a dollar short to worry about BlackPOS. Variants of "Dexter, first documented by Seculert in December 2012, is a Windows-based malware used to steal credit card data from PoS systems."

http://www.arbornetworks.com/a... [arbornetworks.com]

They have had 3 flavors so far:
1.] Stardust (looks to be an older version, perhaps version 1)
2.] Millenium (note spelling)
3.] Revelation (two observed malware samples; has the capability to use FTP to exfiltrate data)

I can buy any of these programs with a Tor browser, an ICQ client and some Bitcoin at any carder site on line.

A little late to be worried about snippets of code.

Re:Closing the Barn Door... (0)

Anonymous Coward | about 8 months ago | (#46043463)

OK, but Target's PoS systems used Linux, made by Verifone.

Re:Closing the Barn Door... (1)

Anonymous Coward | about 8 months ago | (#46043553)

Nice Try but no:

Target runs most of their systems on Microsoft (except for the pharmacy app which runs on Linux in a VM). In each store Microsoft System Center provides the distribution point for application updates and security patches to 170+ devices per store including the point-of-sale register systems.

http://www.tripwire.com/state-... [tripwire.com]

Surely no one will ever be hacked again! (1)

FuzzNugget (2840687) | about 8 months ago | (#46042585)

No way anyone else could possibly be clever enough to figure it out, that's unpossible!

Target at xmas (0)

Anonymous Coward | about 8 months ago | (#46042687)

Haven't been to Target since xmas 5yrs ago. Went to sign my name, using debit card as credit, and there was a real pen attached to pin/signing terminal. I used a hatch pattern for my signature. What were they gonna do ... close down the register after a rich looking customer went thru and then go around and take a cell phone pic of the sig.

In the same town I was at the teller window of a bank when I realized something was wrong. A girl had gotten out of line, had come up close behind me and was looking over my shoulder at my banking slips. I stopped what I was doing and just stared at her till she went back into the line. Teller just pretended it didn't happen.

Credit cards are stupid. (2)

Entropius (188861) | about 8 months ago | (#46042749)

Who in hell thought it was a good idea to use a system where a single piece of information, consisting of just a few bytes, gives someone a blank check to my bank account? There are innumerable ways to concoct something more secure than this, especially these days when computing power (to do encryption) is ubiquitous. Such methods are of course not bulletproof, but they're a hell of a lot better than a guy with a pair of binoculars stealing credit card numbers, or what happened at Target.

Re:Credit cards are stupid. (1)

Anonymous Coward | about 8 months ago | (#46042921)

Who in hell thought it was a good idea to use a system where a single piece of information, consisting of just a few bytes, gives someone a blank check to my bank account? There are innumerable ways to concoct something more secure than this, especially these days when computing power (to do encryption) is ubiquitous.

Well, in most of the world, that is the non-USA portion of it, credit cards have moved away from mag stripe to encrypted smartcards known as chip & pin. [wikipedia.org]

Chip & pin isn't perfect, but it's far more secure than a simple magstripe.

The USA is going toward chip & pin, and you might get one in a few years.

Re:Credit cards are stupid. (3, Interesting)

mjwx (966435) | about 8 months ago | (#46043211)

Who in hell thought it was a good idea to use a system where a single piece of information, consisting of just a few bytes, gives someone a blank check to my bank account? There are innumerable ways to concoct something more secure than this, especially these days when computing power (to do encryption) is ubiquitous. Such methods are of course not bulletproof, but they're a hell of a lot better than a guy with a pair of binoculars stealing credit card numbers, or what happened at Target.

That was the old security system, they've made it even worse since adding NFC. They don't even need access to your card to get enough information to use it without your knowledge or permission. There's even an app for it for any Android phone with NFC.
https://play.google.com/store/apps/details?id=com.samj.CardTest&hl=en [google.com]

NFC on phones has no range due to low power but NFC has a max range of 5 metres, so it's just a matter of building the right antenna. Even though you won't get the max range of 5 metres, even a radius of 1 metre is enough in a crowded shop.

Also anyone who believes the bank will simply absorb the cost of the fraud instead of passing it onto you and merchants who'll just pass it back to you (banks are likely to use the merchants, they don't have a choice but to suck up additional fees and look like the bad guy raising prices), well, I have a bridge to sell you.

Re:Credit cards are stupid. (3, Informative)

Anonymous Coward | about 8 months ago | (#46043283)

Long before they mutated into debit cards, we had ATM cards with 4-digit PIN codes. The universe of possible codes was small, but the ATM machines of that era did something newer ones generally don't -- they swallowed your card, and didn't give it back to you until you entered the right PIN code. If you entered the wrong PIN code too many times, you didn't get the card back, which stopped most amateur fraudsters in their tracks.

Fast forward a decade to the arrival of debit cards. You still have the same 4-digit PIN code, but that's OK, because it's STRICTLY for entering after the ATM swallows your card and holds it hostage. If you used it as a credit card, they had to make an impression, and would usually ID you.

Fast forward another decade. Ohshit, the internet happened. Merchants now accept the card as payment without a physical impression or signature (otherwise they couldn't do online transactions), and they also let you pay by debit instead of credit. Oh, wait a minute... you still have a 4-digit PIN code (usually, with the option to make it 100 times stronger by adding 2 more digits, but still pretty weak). You also use the PIN code when registering for online banking, or using bank by phone.

And anyone with about a hundred bucks to spend on eBay can now build a mag stripe writer suitable for making custom cards with. The only thing that prevents street thugs from writing their own mag stripes & embossing their own custom credit cards is the fact that the Secret Service goes after anybody selling real-looking blank cards and throws the book at them.

Oh, the holograms? Pfffft. Pure security theatre. When's the last time you EVER saw somebody in a retail establishment scrutinize the hologram, or even look like they even noticed or cared whether a card has one? The holograms aren't there to help store clerks identify potentially-fraudulent cards... they're there to make it easier to prosecute criminals caught with a box full of blank cards without embossing or printing.

Oh, and anybody can go to Wikipedia and figure out that the first 4-6 digits of the card identify the bank, and the last digit is an error correction code... so that 16-digit number really has 9-11 digits, 90% of whose permutations are by definition invalid courtesy of the Luhn algorithm. And unlike 30 years ago, if you have good credit, your bank will probably allow the account to be overdrawn by several thousand dollars before they actually quit approving transactions, since they're probably charging $30-50 in penalties for each transaction that they approve while the account balance is negative.

So you see, the problem isn't that the original designers cooked up an insecure way of doing business. In its day, it satisfied the security needs of the banks and retailers just fine. Unfortunately, over the past 30 years, the context and nature of debit card use have changed enough to break all of the original assumptions.
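The comment above argues that the Luhn digit is a checksum rather than a secret. The following added example (not from this thread or any poster) implements the Luhn check and measures the point directly: exactly one in ten digit strings of a given length passes, which is why the check catches typos but adds nothing to confidentiality, and why DLP scanners use it only to trim false positives when looking for leaked card numbers. All card numbers in it are constructed test values.

```python
# Added example, not part of the original Slashdot thread.
# Luhn check-digit validation, plus a small experiment showing that the
# check digit is error detection, not a security control.
# Numbers used here are constructed test values, not real accounts.

def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    # Walk right to left; double every second digit starting with the one
    # immediately left of the check digit, subtracting 9 when the doubled
    # value exceeds 9 (equivalent to summing its two digits).
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes `partial + digit` Luhn-valid.

    Anyone can compute this from the public algorithm, which is the reason
    the last digit of a card number carries no secrecy at all.
    """
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("unreachable: exactly one digit always satisfies Luhn")


def surviving_fraction(prefix: str, body_len: int) -> float:
    """Fraction of all strings `prefix + body` (body of body_len digits)
    that pass Luhn. Exhaustive over the body, so keep body_len small.

    Because varying the final digit cycles through every residue mod 10,
    the answer is exactly 0.1 regardless of prefix: the check digit
    removes 90% of strings from the valid set but hides nothing.
    """
    total = 10 ** body_len
    valid = sum(
        1 for n in range(total)
        if luhn_valid(prefix + str(n).zfill(body_len))
    )
    return valid / total


if __name__ == "__main__":
    # Well-known constructed test number; a one-digit typo fails the check.
    print(luhn_valid("4111111111111111"))   # True
    print(luhn_valid("4111111111111112"))   # False
    print(luhn_check_digit("411111111111111"))  # "1"
    print(surviving_fraction("4111", 4))    # 0.1
```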

Re:Credit cards are stupid. (3, Insightful)

jader3rd (2222716) | about 8 months ago | (#46043361)

Who in hell thought it was a good idea to use a system where a single piece of information, consisting of just a few bytes, gives someone a blank check to my bank account?

Someone trying to lower the costs of moving money around. The system currently has one big important factor to it, and that's the fact that if anybody tries to break the trust of the big players, the big players won't let them back into the system. So they can have as little security as possible, because of the belief that the desire to continue to do business with the big players will keep everybody in check.

Others (2)

the eric conspiracy (20178) | about 8 months ago | (#46042917)

Not too worried about Target and Neiman Marcus. But having several others who haven't owned up to being victims of this is really annoying. And the status being up in the air, coverups being ATTEMPTED etc.

I am not doing the P.O.S. thing for a while. Sticking with cash.

FFS (0)

Anonymous Coward | about 8 months ago | (#46042973)

This should not be an issue because any breach should require a mandatory card reset.


doesnt matter (3, Insightful)

EMG at MU (1194965) | about 8 months ago | (#46043029)

I have done large scale POS stuff. Probably at least the same scale or bigger than Target. This was done by someone who knows Target's system. Not necessarily someone on the inside but someone who knows inside information. Nothing top secret, just general info on how stuff works.

And there are hundreds of people who know this information. Hundreds of people who are no longer with Target. If Target is anything like the place I worked, they use a lot of contractors (temps). They treat these temps like shit. It's not just devs who know the dirty on Target's system, it's QA people, network people, support people, ops people.

The cat is out of the bag. Censoring websites isn't going to help Target. The info has already spread to places Target can't censor. They should focus on fixing their shit. It's going to be expensive.

Re:doesnt matter (0)

Anonymous Coward | about 8 months ago | (#46045031)

Yep. I worked at a power company, same contracting shit different company.

Helpdesk is clueless when the organization is being targeted. Difference here is most IT people I've come across just do not give a shit and a half about getting systems to the point they hum and are secure, because management views that as a "freebie bonus", fires them and sticks the money in their back pocket. The labor market is now at a point where finding someone who actually gives a damn about the long-term prospects of your company is impossible.

They just pissed off the majority of their IT Department and are having issues retaining people. Last time I heard the new people are causing more problems than it's worth.

Pay cash (1)

johanw (1001493) | about 8 months ago | (#46043405)

You don't have these kinds of problems if you just pay cash. I prefer cash, it's anonymous too so companies can't track what you buy (and sell it to your insurance company who might increase your health insurance payments if they can find an excuse (smoker, buys too many snacks, ...)).

Re:Pay cash (1)

flyingfsck (986395) | about 8 months ago | (#46043651)

Ya think? The banks know which serial numbers were issued to you at the ATM and they have your video mug shot as well.

Re:Pay cash (1)

Monoman (8745) | about 8 months ago | (#46044451)

I sure hope if this gets modded up it is tagged as Funny.

Net damage route around, blah blah.... (0)

Anonymous Coward | about 8 months ago | (#46043571)

The report posted above is not one of the really hot shit ones. The real stinkers are these two: The ThreatExpert Report [krebsonsecurity.com] iSIGHT Partners Report [scmagazine.com]

Copyright DMCA take down (4, Funny)

flyingfsck (986395) | about 8 months ago | (#46043639)

Actually, the hackers filed a DMCA takedown to protect their user names and passwords.

US MAG STRIPE DESERVES TO GET PWNED (0)

Anonymous Coward | about 8 months ago | (#46043927)

Magnetic stripe terminals deserve to get pwned. Companies have had years to go to chip and pin or some other more secure technology; any idiot can read the stripe cards. It's just horribly lazy to leave that 70s/80s tech in place. Is anyone still using a cassette? I don't think so. Well, it's the same for MAG stripe cards.

This whole Target fiasco baffles me (0)

Anonymous Coward | about 8 months ago | (#46044185)

I don't have an account with Target and I haven't shopped there since around 2009. All I ever did once was give the cashier my zip code, yet Target sent my email address an apology letter about the breach.

There's more to this than retailers are letting on.

Short sighted damage control (0)

Anonymous Coward | about 8 months ago | (#46045527)

To Target's reputation, not to their security.

Apparently, the credentials necessary to get in are public.
      They could admit this, and suffer the consequences while they fix it.
            (Can you say credit card timeout?)
      Or they can keep the money flowing but also keep putting their customers at risk.

It's amazing that the CC companies put up with it.

Definitely interesting theater.

Fundamental National Security 101 (0)

Anonymous Coward | about 8 months ago | (#46046377)

"How hackers broke into Target and installed malware on point-of-sale terminals that harvested up to 40 million payment card details is extremely sensitive."

That, my dear human noobs, is the same essence of national security.

If you disagree then perhaps you deserve no protection from the state because of your inability to grasp that remedial concept.

Run as Credit or use Cash (1)

Sir_Eptishous (873977) | about 8 months ago | (#46046571)

A few years ago I read something about running a debit card as credit, so that the PIN wouldn't be logged. I've been doing that since then and have always told people I know to do the same. I understand this isn't perfect, but it is one less thing that can be accessed by some dickhead in Russia.

On the flipside, since this thing with Target has happened, and having read these /. submissions on it and other breaches, I've gone back to using cash. Yes, cash. I now hit my ATM and get what I need for the week and use that instead of using my debit card. I honestly hope more people do this so that it shows there is a major trust issue with using cards in transactions at POS like Target.