
Michaels Stores Investigating Possible Data Breach

timothy posted about 8 months ago | from the switching-targets dept.

Security 106

tsu doh nimh writes "Michaels Stores Inc., which runs more than 1,250 crafts stores across the United States, said Saturday that it is investigating a possible data breach involving customer cardholder information. According to Brian Krebs, the journalist who broke the story [and, previously] news of the Target and Neiman Marcus breaches, the U.S. Secret Service has confirmed it is investigating. Krebs cited multiple sources in the banking industry saying they were tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc. In response to that story, Michaels issued a statement saying it 'recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.' In 2011, Michaels disclosed that attackers had physically tampered with point-of-sale terminals in multiple stores, but so far there are no indications what might be the cause of the latest breach. Both Target and Neiman Marcus have said the culprit was malicious software designed to steal payment card data, and at least in Target's case that's been shown to be malware made to infect retail cash registers."


106 comments


This is because CONservatives... (-1)

Anonymous Coward | about 8 months ago | (#46070021)

don't give a damn about security. They never have. They don't care about us peons that are their customers. I bet their upper management is celebrating how they've screwed-over the average Joe. Those GOPpers always enjoy that.

Re: This is because CONservatives... (-1)

Anonymous Coward | about 8 months ago | (#46070171)

This is because DEMONcrats don't give a fuck about freedom. They want to force shit on us (obamacare, welfare, etc.) Why should I have to pay for the fact that you live a risky life and have high medical costs or that you're a lazy ass bum who makes no effort to find a job. And don't even get me started on the welfare queens popping out spawn left and right to get "govmint cheese"

Re: This is because CONservatives... (-1)

Anonymous Coward | about 8 months ago | (#46070419)

Why shouldn't people that have more than they need pay for everyone else's healthcare? To not do so is selfish, and by some accounts, murder.

Re: This is because CONservatives... (1)

Anonymous Coward | about 8 months ago | (#46070557)

Because I worked damn hard for that money? Whose right is it for you to tell me what to spend it on?

Re: This is because CONservatives... (0)

maharvey (785540) | about 8 months ago | (#46071161)

You have more than you need. I know because you have a computer and free time to post on Slashdot. Why aren't you donating 90% of your pay to hunger relief? Why don't you donate it to the Federal Government for healthcare? After all, failure to do so is murder. I guarantee they'll take your check! Don't know where to send it because you're too lazy to ask? Still murder. You could at least donate it to a local shelter. You don't need more than one set of clothes either. Or a car. You don't need the computer you're staring at right now. Liquidate and donate! Or are you selfish?

Re: This is because CONservatives... (0)

Anonymous Coward | about 8 months ago | (#46071617)

Same to you, hypocrite. Sell your computer so we never have to read your shit ever again

Re: This is because CONservatives... (0)

Anonymous Coward | about 8 months ago | (#46073147)

Tu quoque. Hypocrisy is not an argument.

Furthermore, your reply did not make sense, since he doesn't actually believe what he was suggesting. That is, he was using sarcasm!

Re: This is because CONservatives... (2, Insightful)

Anonymous Coward | about 8 months ago | (#46071587)

CONservatives vs LIEberals or REPTILEcans vs DEMONcrats; you make the call.

Re: This is because CONservatives... (2, Insightful)

Anonymous Coward | about 8 months ago | (#46071849)

Turning a Russian mafia crime scheme into an American political party debate. Do you both have any idea of how stupid you sound? This would not even be relevant if there was an actual difference between party A or party B, which time has shown there is none. Fine, go at each other's throats while your house burns down.

Re: This is because CONservatives... (1)

CohibaVancouver (864662) | about 8 months ago | (#46072853)

Because social and infrastructure programs create an environment where capitalism can thrive - When you have a healthy, educated workforce along with roads, airports, telecommunications and all the trappings of a modern society you create a scenario that, at its most basic level, creates a culture of people who can actually buy your stuff and at a more advanced level creates a place that fosters entrepreneurship.

There's a reason Germany has a surging economy and Somalia doesn't...

Been there, seen it already (1)

c0lo (1497653) | about 8 months ago | (#46070923)

This is because CONservatives... don't give a damn about security. They never have. They don't care about us peons that are their customers. I bet their upper management is celebrating how they've screwed-over the average Joe. Those GOPpers always enjoy that.

... and ...

the U.S. Secret Service has confirmed it is investigating

I know where this is leading. The attack will be likened to "9/11 on retail", and:
* the "Providing Appropriate Tools Required to Intercept and Obstruct Tampering of POS bill of 2014" - also known as "the PATRIOT-POS v2014 act";
* it will be required those POS-es be operated from behind reinforced doors, but since the retail industry will complain about the cost...
* ... the "Retail Security Agency" will be created under the DHS; it will buy and operate (on public funds, of course), "nude scanners" at the entry of each retail shop (after all, those POS-es were physically tampered... a nude scanner will certainly help detecting... ummm... POS tampering devices);
* after a while, the customers will be required to take off their shoes before entering a retail shop
* the stores will no longer allow entry while carrying bottles of liquids of more than 3.4 ounces, etc and ...;
* ... to help the above, those stores will no longer sell liquids in bottles larger than 3.4 ounces - (yay, packaging industry and mayor Bloomberg... no longer sugary soda drinks in large cans);
...
* NSA will intercept and store the transactions recorded at each POS (the Utah state will need extra energy capacity for the three new secret NSA data centers). Now, mind you, this will be strictly legal (after all, it's only metadata... not like NSA would intercept any of the money or merchandise exchanged during the shopping), with safeguards implemented by FISA-courts and congressional supervision; you can trust them on that.

(what? you point to my tin-foil hat? Well... you asked to be taken care of, as a peon and average Joe that is their customer).

(grin)

Re:Been there, seen it already (2)

Dunbal (464142) | about 8 months ago | (#46071869)

You're in the right direction but not thinking radically enough. The US will want all financial transaction data everywhere. Cos, you know, "terrorists". Go on, let Uncle Sam into your wallet. Surely you have nothing to fear if you have nothing to hide, citizen. Oh by the way we've noticed you have too much money, more than your "fair share". Somewhere buried in the 13,000 odd pages of US tax code there's something you or your accountant missed, your money is ours now. Hand it over quietly and maybe we don't throw you in jail.

Re:Been there, seen it already (1)

bondsbw (888959) | about 8 months ago | (#46072715)

And at the end of the day, it's always... ALWAYS... about those in power vs. those who are not.

Those in power love those who aren't to be fighting internally over conservative vs. liberal issues. Those in power know it's important to appear to be hostile towards each other, but when the TV cameras are off you'll find them sleeping in the same bed.

Re:Been there, seen it already (0)

Anonymous Coward | about 8 months ago | (#46072747)

And at the end of the day, it's always... ALWAYS... about those in power vs. those who are not.

Those in power love those who aren't to be fighting internally over conservative vs. liberal issues. Those in power know it's important to appear to be hostile towards each other, but when the TV cameras are off you'll find them sleeping in the same bed.

You sure? I mean, I thought each of them are wealthy enough to afford a bed on their own.

Credit cards (2, Insightful)

Anonymous Coward | about 8 months ago | (#46070033)

Way too easy to commit fraud. Pay cash for small purchases. And stop giving stores your name for loyalty cards or marketing

Re:Credit cards (3, Funny)

Nerdfest (867930) | about 8 months ago | (#46070629)

I'm not even sure that will help. These guys have proven that they're quite ... crafty.

Re:Credit cards (0)

Anonymous Coward | about 8 months ago | (#46070823)

Why is the credit card information being stored after the transaction is processed? The data should be short-lived and immediately scrubbed once the payment processing system indicates a successful debit transaction.

Re:Credit cards (1)

pspahn (1175617) | about 8 months ago | (#46071085)

The main reasons for storing CC information are to handle recurring payment services (subscriptions) or to have a method for refunding a customer without requiring them to enter all their information again.

Re:Credit cards (3, Informative)

cusco (717999) | about 8 months ago | (#46071123)

In the case of Target and Michaels it's the latter. You have up to 90 days to return some merchandise at Target, and the entire transaction record will be stored for that long and then dumped.

Having said that, the AC somehow seems to have completely missed every article that even dips a toe into the technical details of the attacks. It's a RAM scraper, not a database capture, that is picking up the transaction. The POS terminal only stores the transaction for the amount of time it takes to contact the credit card company and get approval, and that's all the time necessary to carry out that type of attack.
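The "RAM scraper" point above is the one that matters for both attack and forensics: the track data only has to sit in the register's memory for the length of an authorization, and that is enough for a pattern scan to lift it. Here is an added example (not code from this thread or from any of the retailers discussed) of the kind of scan a scraper, or an incident responder checking a memory dump of a POS process, would run: find Track 2 records by their layout and keep only those whose PAN passes the Luhn check. The memory image is constructed inline and the card number in it is the well-known 4111... test PAN, not a real account.

```python
"""Scan a raw memory buffer for magstripe Track 2 data (PAN=YYMM+service code+
discretionary data). Added example; the sample image below is constructed."""
import re

# Track 2: optional ';' sentinel, 13-19 digit PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, optional '?' end sentinel.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; weeds out most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> list:
    """Return (offset, pan, expiry) for every Luhn-valid Track 2 record in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append((m.start(), pan, m.group(2).decode()))
    return hits


def mask(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed memory image: a register process heap with one swiped card still
# resident, plus a digit run that is not a valid PAN (fails Luhn).
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"TXN_ID=000123;AMOUNT=4250;"
    + b";4111111111111111=25121011234567890?"    # test PAN, expiry 25/12
    + b"\x00" * 8
    + b";1234567890123456=2512101?"              # looks like Track 2, fails Luhn
    + b"some unrelated log text\n"
)

if __name__ == "__main__":
    for off, pan, exp in find_track2(SAMPLE_IMAGE):
        print(f"offset {off:#06x}: PAN {mask(pan)} exp {exp}")
```

Run against a real process dump (for example one taken with a memory acquisition tool during incident response) the same scan tells you quickly whether card data was ever resident in cleartext, which is the first question to answer after a POS compromise.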

metafraud purpose traitors dark maters too (-1)

Anonymous Coward | about 8 months ago | (#46070043)

some still calling this 'weather'? http://www.globalresearch.ca/weather-warfare-beware-the-us-military-s-experiments-with-climatic-warfare/7561

accounting problems still http://rt.com/business/us-unemployment-economy-crisis-assistance-006/

our preferences; mlk http://www.youtube.com/results?search_query=mlk%20sppech&sm=3
  jfk http://www.youtube.com/results?search_query=jfk%20sppech&sm=3
  world's local hero http://www.youtube.com/results?search_query=scott%20olsen&sm=3

Chip & Pin (4, Insightful)

beelsebob (529313) | about 8 months ago | (#46070047)

Seriously... Why have the US banks not rolled Chip & Pin out yet? This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a roll out would have.

Re:Chip & Pin (0)

Anonymous Coward | about 8 months ago | (#46070155)

The NSA is busy "hacking" with great fanfare public American institutions because they want us to believe we need them to keep America safe. In fact, a mass-hacking is exactly the kind of thing they previously warned about. What a coincidence!

Despite all the FUD, not a single fraudulent charge was made. That proves that they're scrupulous enough not to rip us off more than they already have for the sake of continuing their propaganda.

Take the NSA, CIA, DHS, FBI, and ATF out, American people -- they fear you.

-- Ethanol-fueled

Re:Chip & Pin (1)

khasim (1285) | about 8 months ago | (#46070185)

This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a roll out would have.

Maybe, maybe not. Criminals usually take the easiest way into a system. So replacing one flawed system may be sufficient. Or there might be more flawed implementations at their data center.

I think the real issue here is how the companies seem to have no idea how to do computer security.

Re:Chip & Pin (2)

fuzzyfuzzyfungus (1223518) | about 8 months ago | (#46070225)

Are you saying that passing your PCI compliance testing isn't all the computer security you need to do?

Re:Chip & Pin (3, Funny)

binarylarry (1338699) | about 8 months ago | (#46070327)

Unfortunately, it looks like Target and Michaels went with ISA compliance testing instead :(

Re:Chip & Pin (1)

TheGratefulNet (143330) | about 8 months ago | (#46070363)

and the IRQ jumpers are all wrong, too!

Re:Chip & Pin (0)

Anonymous Coward | about 8 months ago | (#46070581)

I worked for an online retailer and home shopping network. The PCI standards were amateurish and would not stop anyone who was determined. The PCI program was rolled out slowly. My employer was really slow and always asking the VISA/MasterCard people for extensions. The extensions were always given. My employer didn't start working on a specific "module" until the second extension ran out. We completed the work by the third extension. IMHO, the PCI standard is a joke.

Just wait (4, Interesting)

ArchieBunker (132337) | about 8 months ago | (#46070231)

As soon as the cost of chip and pin is less than the cost of security breaches they will switch. My US credit cards have problems in Canada now because everything there expects chip and pin.

Re: Just wait (0)

Anonymous Coward | about 8 months ago | (#46070319)

Someone is going to have to explain how chips are more secure than a mag strip. If it can be read it can be copied.
Is it that the chip can distinguish between a store's reader and my reader and therefore it will lie or just keep quiet to my reader?
Or does the chip generate one time pads for each transaction?
I honestly don't have a clue.

Re: Just wait (3, Informative)

Anonymous Coward | about 8 months ago | (#46070457)

Do you even know how smart cards work? I'll summarize it for your lazy ass since you cannot be bothered to educate yourself: you upload details of a transaction to the smart card which signs that specific transaction with a unique, card specific key that cannot be (cost effectively) read without destroying the card. This changes the economics of hacking credit card transactions greatly, meaning the average hacker would rather give up and get a day job than waste the effort required to obtain the secret keys guarding a significant number of credit cards.

fuck /.
the astrophysicists are long gone
and you least common denominator assholes are worthless

Re: Just wait (3, Informative)

TheloniousToady (3343045) | about 8 months ago | (#46070489)

For those of you who don't see Anonymous Coward posts, here's some good info about how smart cards work from the AC parent:

You upload details of a transaction to the smart card which signs that specific transaction with a unique, card specific key that cannot be (cost effectively) read without destroying the card. This changes the economics of hacking credit card transactions greatly, meaning the average hacker would rather give up and get a day job than waste the effort required to obtain the secret keys guarding a significant number of credit cards.

Re: Just wait (-1)

Anonymous Coward | about 8 months ago | (#46070723)

Well now that you put it like that, fuck you. I no longer care.

Re: Just wait (-1)

Anonymous Coward | about 8 months ago | (#46071109)

Bah, I was right and you are an asshole. Those chips can be duplicated. Once again, fuck you.

Re: Just wait (2)

beelsebob (529313) | about 8 months ago | (#46071363)

Someone is going to have to explain how chips are more secure than a mag strip. If it can be read it can be copied.

It can't be read. It can only be queried. You give it an input, it gives you an output.

In the same way as you can't get from a hash (the output) to the actual stored contents, you can't get from the output of a credit card chip, to the stored contents of the chip.

Re: Just wait (1)

Dunbal (464142) | about 8 months ago | (#46071909)

You are trying to secure something that is inherently insecure. Currency is not art. It is DESIGNED to be given to someone else. That's its function. Be it a coin or a cheque or a magnetic strip or a bunch of TCP/IP packets, there will always be a way to hijack currency simply because currency has to move from person A to person B. All you need to do is figure out how to stand between them. Theft is the ultimate "man in the middle".

Re:Just wait (2)

Hamsterdan (815291) | about 8 months ago | (#46070347)

The chip is not there to protect customers interests. It's there so the store (or bank in my case) can say: Nope, your card wasn't copied, the chip was used at the ATM.

(Royal Bank of Canada)

Re:Just wait (1)

Mashiki (184564) | about 8 months ago | (#46070983)

Yeah that's not legal in Canada, just a FYI. The feds cracked down hard on them for trying that one. Doubly true since there are now chip skimmers out there that can duplicate the chip. Though they're very rare at the moment. Even with that, you'll find that most of the banks in Canada are now partnering with either Visa or MC for loss coverage on chip&pin cards.

Re:Just wait (1)

ScentCone (795499) | about 8 months ago | (#46072503)

The chip is not there to protect customers interests. It's there so the store (or bank in my case) can say: Nope, your card wasn't copied, the chip was used at the ATM.

And being able to know that and prevent use of a cloned card IS in the customer's interest. You're making it sound like those two things are mutually exclusive.

Re:Just wait (1)

Solandri (704621) | about 8 months ago | (#46071377)

As soon as the cost of chip and pin is less than the cost of security breaches they will switch.

That's just it. The credit card companies have shifted the cost of fraud to the merchants, so chip and pin will probably never be cheaper than the cost of a security breach to them.

That's the real fundamental problem here. The credit card companies have made the merchants pay for fraud, and the merchants have no leverage to improve the security of credit card machines or networks. Heck, most merchants don't even know how the machines work, they're a magic black box to them.

Any time you decouple profit from costs, you're just asking for trouble. Market solutions fail in these cases because there is no cost incentive for the person creating the problem to fix it. The classic example is pollution - the polluter reaps the profits from an activity while society bears the cost. Same thing is going on with credit cards. The credit card issuers create the card system, its network, and its (lack of) security, and reap the per-transaction profit; but the merchants pay for fraud. Consequently there is no economic incentive for the credit card issuers to improve the security of the system - doing so just increases their costs.

Re:Just wait (1)

Dunbal (464142) | about 8 months ago | (#46071901)

Cost of breaches? My dear sir, haven't you noticed that banks are now too big to fail? There is no cost to anything for a bank. If there is a cash flow problem simply go talk to uncle Ben and he'll hand you another few interest free billions - much easier than actually having to work (gasp) for your money. Consequences are for the little guy. When he gets in trouble we buy him up cheap. But seriously do you know how HARD it would be to actually secure the network? It's not like the card holder is responsible anyway - at least not directly. We'll just destroy the value of his currency and the solvency of his government and pretend to fix the problems while doing nothing at all. It's better for everyone trust me.

Re:Chip & Pin (0)

Bite The Pillow (3087109) | about 8 months ago | (#46070439)

If Chip & Pin were the answer, the financial incentives of having it in place would make it the obvious choice.

Clearly externalizing loss to the merchants and consumers is financially more attractive. And there's your answer to "Why?" No need for useless rhetoric because there is a simple answer.

If you want a more complicated answer, the merchants basically have no say and the consumers don't care, so the issue rarely gets pushed.

Re-wiring all of the point-of-sale machines would be a major expense, even if it were just software updates and testing. Even if only .01% of the POS machines have issues, that's downtime and labor expense that is far outweighed by not changing.

Sounds like you're not really aware of how credit and debit card transactions that are declared fraudulent affect the parties involved, compared to the cost of upgrading. Because that's the magic number.

Re: Chip & Pin (0)

Anonymous Coward | about 8 months ago | (#46070495)

"Re-wiring all of the point-of-sale machines would be a major expense ..." I hate the whiny "Doing it better would be expensive" argument. Eg, "We can't make cars more fuel efficient, it would make them cost more." What has happened to risk taking in America? We could have Hyperloop, instead we get "high speed rail" that is slower than slow speed rail in other countries. Etc, etc. America has become soft.

Re: Chip & Pin (0)

Anonymous Coward | about 8 months ago | (#46076097)

I correct myself. America has become _too conservarive_.

Re: Chip & Pin (0)

Anonymous Coward | about 8 months ago | (#46076135)

I correct myself again: _conservative_. Danged non-keyboard.

Re:Chip & Pin (1)

Mashiki (184564) | about 8 months ago | (#46070993)

The US banks have waffled on it for nearly 6 years and getting terminals upgraded. We've been fully chip & pin in Canada for that long now, and if you're wondering why it hasn't been done it's because the cost of upgrading millions of terminals is expensive.

Re:Chip & Pin (1)

Dunbal (464142) | about 8 months ago | (#46071937)

Yeah those poor banks, only earning an up to 3% "cut" of every single transaction, billing most of their customers for regular "transaction" fees, hardly paying out interest at all to savers, getting money for free from the government (because you know, they're too big to fail) and charging their debtors usurious interest. Poor, poor banks. Changing the terminals is so EXPENSIVE.

Seriously, they pass a regulation saying all terminals must be changed by x date and surprise, you the merchant are going to have to pay for it - didn't you read your contract? But it's ok we'll deduct the cost of the new equipment and installation directly from your account so you don't have to worry... This is how the real world works. Me big bank. You small business. Me screw you.

Would Chip and Pin Have Prevented This? (1)

raftpeople (844215) | about 8 months ago | (#46070811)

The data was stolen from the POS device's ram during the brief amount of time it was there. Would Chip and Pin prevent using any of that data later on? Seems like the pin would have to be in mem at some point also, but I don't really know.

Re:Would Chip and Pin Have Prevented This? (1)

beelsebob (529313) | about 8 months ago | (#46071379)

Yes, it would. The pin is given to the chip without it ever interacting with firmware or RAM (it's transmitted from keypad to chip).

Even if that weren't so though, the terminal never knows what account is processing the transaction. It simply sends the transaction details to the chip, which produces a signed transaction (with the pin, and some secured data stored on it). The signed transaction is sent to the bank, who can then use it to extract money from the correct account.

Re:Chip & Pin (1)

EvilSS (557649) | about 8 months ago | (#46071259)

October 2015. At least the Chip part. The PIN part will be optional (unfortunately). The national retailer association wants it to be mandatory but MasterCard and Visa don't for some reason.

Re:Chip & Pin (0)

Anonymous Coward | about 8 months ago | (#46071485)

Seriously... Why have the US banks not rolled Chip & Pin out yet? This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a roll out would have.

Because, in the 1980's, when the chip system was created and successfully implemented in Europe, the American banks (mistakenly) invested in the telcos. Reinventing the technology to alter the profits made by the telcos on every card transaction would have been a financial disaster in the minds of the bankers.(Pure capitalism, ftw.)

Re:Chip & Pin (1)

pcr_teacher (1977472) | about 8 months ago | (#46071607)

Chip and Pin has already been compromised in the wild:

http://www.telegraph.co.uk/new... [telegraph.co.uk]

Re:Chip & Pin (1)

rfunches (800928) | about 8 months ago | (#46073017)

Chip and Pin has already been compromised in the wild:

http://www.telegraph.co.uk/new... [telegraph.co.uk]

Nothing in the article states that the fraudulent charges were run as Chip+[Sig/PIN] transactions, though. They were processed in a way that bypass the chip:

1) Card not present transactions (mail/phone/internet)
2) Cloned magstripe-only card on a non-chip terminal (I had a chipped Visa fraudulently used in the US with this method)
3) Same as #2 but with a PIN at a merchant terminal for cash back or at an ATM for cash withdrawal or advance

I've yet to hear of a case where a fraudulent chip transaction came from a cloned card.

Forcing everything in the card present transaction chain -- cards, POS devices and ATMs, card processor networks, banks -- to require the chip, eliminating the use of the magstripe, should (at least in theory) eliminate methods 2 and 3. But there's still the issue of card not present transactions. Until you find a viable solution for that, the scammers will always have an avenue for fraud.

Re:Chip & Pin (1)

plover (150551) | about 8 months ago | (#46080015)

The Vasco DIGIPASS device is a small smart-card reader that resembles a pocket calculator. It allows the cardholder to insert their card, enter the transaction details, and produce a one-time authorization code that can be entered into a web page (like a CVV2 code, but cryptographically secure.) It's a sealed device that is electrically air-gapped from everything apart from the batteries and the card, so it is unhackable from on-line threats. Such devices are used to secure on-line banking transactions. The only thing it can't protect against is users being duped by fraudulent web sites: "paypa1.com" type threats, phishing, etc.

They're cheap and simple devices that some European banks give out to their customers.

Re:Chip & Pin (1)

badzilla (50355) | about 8 months ago | (#46071633)

Chip and PIN has seen widespread use for years now and would probably stop this kind of attack. Remember you have hardware-based encryption happening not only in the card reader but also in the card itself. An amazing amount of crypto happens at step one just so that the card can satisfy itself that it is indeed inside a valid reader. Then some more so that the reader can be confident it has a real card. Once all the authorisation and monetary amounts are complete then the reader finally dumps out an encrypted blob. Malware that had got root in the POS terminal could deny the transaction from happening but could not change the amount or snarf any of the card information. The only time I have heard of any cracks in this scheme was a murky story of collusion with employees at the card reader manufacturing facility, which is a lot less of a risk than poorly-configured POS.
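Several posts in this sub-thread (the AC's "the card signs that specific transaction with a card-specific key", beelsebob's "it can't be read, it can only be queried", and the point just above that malware on the terminal can block a transaction but not reuse the data) make the same argument, and it is easiest to see in code. The following is an added toy model, not code from any commenter or from any payment network: real EMV derives 3DES/AES session keys from an issuer master key and signs a much richer data set, whereas here an HMAC-SHA256 over (amount, transaction counter, terminal nonce) stands in for the cryptogram and all names are invented. The point it demonstrates is that the data a RAM scraper can capture from a chip transaction is authorization-specific and worthless for a second purchase, while a copied magstripe is reusable by construction.

```python
"""Toy model of an EMV-style application cryptogram versus static magstripe
data. Added example; HMAC stands in for the real cryptogram algorithm."""
import hashlib
import hmac
import secrets


class Card:
    """The chip: holds a per-card key it never exports; the outside world can only
    ask it to sign a transaction (a deliberately simplified stand-in for EMV)."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key       # no accessor: the terminal never sees this
        self.atc = 0          # application transaction counter

    @staticmethod
    def _message(amount: int, atc: int, un: bytes) -> bytes:
        return b"%d|%d|" % (amount, atc) + un

    def generate_ac(self, amount: int, un: bytes) -> dict:
        """Return a cryptogram over (amount, ATC, terminal 'unpredictable number')."""
        self.atc += 1
        ac = hmac.new(self._key, self._message(amount, self.atc, un),
                      hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount, "atc": self.atc, "un": un, "ac": ac}


class Issuer:
    """The bank: the only other party that knows each card's key."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue(self, pan: str) -> Card:
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return Card(pan, key)

    def authorize(self, req: dict) -> bool:
        key = self._keys.get(req["pan"])
        if key is None:
            return False
        if req["atc"] <= self._last_atc[req["pan"]]:
            return False                       # counter not advanced: replayed cryptogram
        expected = hmac.new(key, Card._message(req["amount"], req["atc"], req["un"]),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, req["ac"]):
            return False                       # amount or nonce changed, or no key
        self._last_atc[req["pan"]] = req["atc"]
        return True


def chip_purchase(card: Card, issuer: Issuer, amount: int) -> tuple:
    """What the POS does: pick a nonce, ask the chip to sign, forward the result."""
    un = secrets.token_bytes(4)
    req = card.generate_ac(amount, un)
    return req, issuer.authorize(req)


def magstripe_purchase(track2: str, issuer_db: set, amount: int) -> bool:
    """Magstripe for comparison: the credential is static data the issuer merely
    recognises, so whoever copies it can spend it for any amount."""
    return track2 in issuer_db


def demo() -> dict:
    issuer = Issuer()
    card = issuer.issue("4111111111111111")          # test PAN, not a real account

    # 1. Legitimate chip purchase; a scraper on the POS captures `captured`.
    captured, ok_first = chip_purchase(card, issuer, 4250)
    # 2. Attacker replays the captured cryptogram verbatim.
    ok_replay = issuer.authorize(captured)
    # 3. Attacker keeps the cryptogram but edits the amount and bumps the counter.
    ok_tampered = issuer.authorize(dict(captured, amount=99999, atc=captured["atc"] + 1))
    # 4. Attacker forges a fresh cryptogram without the card key.
    forged = dict(captured, atc=captured["atc"] + 1, un=secrets.token_bytes(4),
                  ac=hmac.new(b"guess", b"x", hashlib.sha256).digest()[:8])
    ok_forged = issuer.authorize(forged)
    # 5. Same capture against a magstripe: the copied track works every time.
    track2 = ";4111111111111111=2512101?"
    ok_stripe_first = magstripe_purchase(track2, {track2}, 4250)
    ok_stripe_replay = magstripe_purchase(track2, {track2}, 99999)

    return {"chip_first": ok_first, "chip_replay": ok_replay,
            "chip_tampered": ok_tampered, "chip_forged": ok_forged,
            "stripe_first": ok_stripe_first, "stripe_replay": ok_stripe_replay}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'AUTHORIZED' if ok else 'declined'}")
```

Note what the model does not cover, which is exactly rfunches's caveat above: the PAN still travels in the clear, so a scraper on a chip terminal can still harvest numbers for card-not-present fraud or for magstripe fallback on terminals that accept it.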

No Chip & Pin? Carry Cash. (1)

!-!appy_!!arnian (666023) | about 8 months ago | (#46076567)

Until chip and pin, I guess I'll have to carry cash. That waitress at the restaurant taking my card and coming back with it a few minutes later - has always unnerved me.

Re:Chip & Pin (1)

elistan (578864) | about 8 months ago | (#46077075)

Seriously... Why have the US banks not rolled Chip & Pin out yet? This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a roll out would have.

It's not costing the banks anything - the costs of the refunded transactions are the responsibility of the merchants. I don't see any financial incentive for banks to do anything different. It'll have to be either a legal regulation or a consumer backlash, and I don't see either happening right away.

thank god (-1)

Anonymous Coward | about 8 months ago | (#46070147)

Thank god these are all stores i don't shop at.

Re: thank god (-1)

Anonymous Coward | about 8 months ago | (#46070241)

Thank God no one here gives a fuck

Re:thank god (2)

pspahn (1175617) | about 8 months ago | (#46071111)

You might not, but the rest of us have mothers, aunts, sisters-in-law, girlfriends, wives, daughters (and all their male counterparts in some cases) that require us to shop at Michael's at least once a year. Typically around either the first week or two of May, or in the few days running up to Dec. 25.

There was a time, though, that Michael's was a fun place to shop. If you didn't have a Hobby Lobby or the like, it was the best place to buy model rockets and the like.

Point of Sale Network Access (2)

Luthair (847766) | about 8 months ago | (#46070215)

There is an easy solution to this problem - don't put point of sale systems on a network with external access. At the minimum one should limit the network addresses these systems are allowed to access.
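The "limit the network addresses these systems are allowed to access" point is also the cheapest detection you can get: if registers have a short egress allowlist, any flow from the register VLAN to anything else is worth an alert. Here is an added example (not from this thread or from any retailer) of that check run over firewall or NetFlow records. The register subnet, the allowlist and the flow lines are all constructed; in a real deployment they would come from the firewall policy and its logs.

```python
"""Flag flows from the POS subnet that are not on the egress allowlist.
Added example; subnets, allowlist and flow records are constructed."""
import ipaddress

# Hypothetical register VLAN and the only destinations it should ever reach.
POS_SUBNET = ipaddress.ip_network("10.50.0.0/16")
ALLOWED_EGRESS = [
    (ipaddress.ip_network("10.10.5.0/24"), {443}),   # payment gateway / store controller
    (ipaddress.ip_network("10.10.9.10/32"), {53}),   # internal DNS resolver
]


def egress_allowed(dst: str, dport: int) -> bool:
    """True if (dst, dport) matches an allowlist entry."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and dport in ports for net, ports in ALLOWED_EGRESS)


def parse_flow(line: str) -> tuple:
    """Parse a 'key=value' flow record into (src, dst, dport, proto)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"]), fields["proto"]


def find_violations(lines) -> list:
    """Return (src, dst, dport) for every POS-originated flow outside the allowlist."""
    violations = []
    for line in lines:
        src, dst, dport, _proto = parse_flow(line)
        if ipaddress.ip_address(src) in POS_SUBNET and not egress_allowed(dst, dport):
            violations.append((src, dst, dport))
    return violations


# Constructed flow records (198.51.100.0/24 is a documentation range, not a real host).
SAMPLE_FLOWS = [
    "src=10.50.3.21 dst=10.10.5.4 dport=443 proto=tcp",      # register -> gateway: allowed
    "src=10.50.3.21 dst=10.10.9.10 dport=53 proto=udp",      # register -> DNS: allowed
    "src=10.50.3.21 dst=198.51.100.23 dport=443 proto=tcp",  # register -> outside host: alert
    "src=10.50.7.8 dst=10.10.5.4 dport=22 proto=tcp",        # register -> gateway on SSH: alert
    "src=10.20.1.5 dst=198.51.100.23 dport=443 proto=tcp",   # office workstation: not POS
]

if __name__ == "__main__":
    for src, dst, dport in find_violations(SAMPLE_FLOWS):
        print(f"ALERT: POS host {src} reached {dst}:{dport}, not on egress allowlist")
```

The same allowlist is what the firewall in front of the register VLAN should enforce by default-deny; the scan above is for catching flows that got through anyway (a misconfigured rule, a register that was moved to the wrong VLAN) and for reviewing historic logs after an incident.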

Re:Point of Sale Network Access (1)

beelsebob (529313) | about 8 months ago | (#46070239)

Who says external access was required?

Re:Point of Sale Network Access (1)

Luthair (847766) | about 8 months ago | (#46070283)

If network access isn't required then all of these PoS attacks are either inside jobs or involve break-ins which hasn't been indicated for any of them.

Or.... (0)

Anonymous Coward | about 8 months ago | (#46073167)

You could put a frequency broadcaster in the loop, a physical hack. The NSA does.

Re:Point of Sale Network Access (0)

Anonymous Coward | about 8 months ago | (#46084685)

If network access isn't required then all of these PoS attacks are either inside jobs or involve break-ins which hasn't been indicated for any of them.

You forget social engineering as a third option. "I'm here from PoS maintenance. Need to make sure the flux capacitor is capacitating and that the streams are not crossed." It's not the most talked about attack vector for no reason.

Re:Point of Sale Network Access (0, Insightful)

Anonymous Coward | about 8 months ago | (#46070279)

There's an even easier solution: don't store cardholder information in a database

There is no need to save credit card numbers, expiration dates, CVV2 codes, and personally identifiable information once the authorization of charge has been obtained. None whatsoever.

Getting an auth code means you're getting your money. You don't need to store my entire credit card number.

Re:Point of Sale Network Access (0)

Anonymous Coward | about 8 months ago | (#46070297)

easy returns?

Re:Point of Sale Network Access (0)

Anonymous Coward | about 8 months ago | (#46070731)

easy returns?

The credit card number is not required for that. All you need is the transaction confirmation number issued by the payment processor and they will issue the refund to the card. Scanning the barcode on the issued receipt should be enough to pull up the entire transaction + transaction confirmation number.

It is literally brain-dead stupid to store card information. All integration documents from payment processors that I've worked with have had "no card information needs to be stored" stamped on them in big bold letters everywhere around the documentation and illustrative examples for processing credit card payments over the Internet.
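As an added illustration of the point in this post (example code, not the commenter's and not any processor's real API): a register that keeps only the processor's transaction confirmation number, the auth code and the last four digits, refunds by the receipt's transaction id, and runs a Luhn-based hygiene check so a full card number can never be written into a stored record. The processor class, the receipt barcode format and the card values are constructed stand-ins.

```python
"""Added example: data minimization at the register.
FakeProcessor, the RCPT:<txn id> barcode and the card values are hypothetical
stand-ins; a real processor's authorize/refund calls will differ."""
import re
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Luhn checksum that every payment card number (PAN) satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pan_like(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs found in text.  This is the hygiene
    check: a stored record or a log line that contains one has leaked a PAN."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


@dataclass(frozen=True)
class StoredSale:
    txn_id: str        # processor's transaction confirmation number
    auth_code: str     # proof the charge was approved
    last4: str         # enough for a cashier to match the card at the counter
    amount_cents: int


class FakeProcessor:
    """Hypothetical processor: authorizes against a full card, refunds by txn id."""

    def __init__(self):
        self._txns = {}
        self._n = 0

    def authorize(self, pan: str, exp: str, cvv2: str, amount_cents: int):
        if not luhn_valid(pan):
            raise ValueError("declined: bad PAN")
        self._n += 1
        txn_id = f"TXN{self._n:08d}"
        auth_code = f"A{self._n:05d}"
        self._txns[txn_id] = amount_cents
        return txn_id, auth_code

    def refund(self, txn_id: str, amount_cents: int) -> bool:
        # refunds are keyed by the original transaction, never by card number
        if self._txns.get(txn_id, 0) < amount_cents:
            return False
        self._txns[txn_id] -= amount_cents
        return True


class Register:
    def __init__(self, processor):
        self.processor = processor
        self.sales = {}    # txn_id -> StoredSale; the only thing persisted

    def sell(self, pan, exp, cvv2, amount_cents) -> str:
        txn_id, auth_code = self.processor.authorize(pan, exp, cvv2, amount_cents)
        rec = StoredSale(txn_id, auth_code, pan[-4:], amount_cents)
        if find_pan_like(repr(rec)):
            raise RuntimeError("refusing to persist a full card number")
        self.sales[txn_id] = rec
        # the receipt barcode carries the txn id, which is all a refund needs
        return f"RCPT:{txn_id}"

    def refund_by_receipt(self, barcode: str, amount_cents: int) -> bool:
        txn_id = barcode.split(":", 1)[1]
        rec = self.sales[txn_id]
        return self.processor.refund(rec.txn_id, amount_cents)
```

The same `find_pan_like` check is what a log or database scan would use to find card numbers that should not be there; the register calls it on its own record before saving so the policy is enforced at write time rather than audited after the fact.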

Re:Point of Sale Network Access (0)

Anonymous Coward | about 8 months ago | (#46070333)

That's it, really. They are careless with *your* private information. They collect it, not because they need it, but because they want it. Are they held responsible for any problems and costs associated with their carelessness?

Re:Point of Sale Network Access (2)

penix1 (722987) | about 8 months ago | (#46070445)

Are they held responsible for any problems and costs with their carelessness?

They sure are... Have you been in a Target since their breach? It is a ghost town in the one here.

Re:Point of Sale Network Access (0)

Anonymous Coward | about 8 months ago | (#46070851)

On Dec 23rd I drove to a mall containing a Target store.

It was 10pm, and dozens of people were entering the store, and many were leaving with shopping carts filled to the brim ... /anecdote

Re:Point of Sale Network Access (1)

Jah-Wren Ryel (80510) | about 8 months ago | (#46070937)

They sure are... Have you been in a Target since their breach? It is a ghost town in the one here.

Sounds like it was a ghost town before the breach too. In my case, I've been to the nearest store about a dozen times and it has been no different than before the news broke. I always use cash so it made no difference to me.

Re:Point of Sale Network Access (1)

NonSequor (230139) | about 8 months ago | (#46070437)

Target has a system where you can return anything without a receipt if you can show the credit card the item was purchased with. Plus Target makes heavy use of data to track customers. Not that that's a good thing.

I would have to guess that Target views these things as strategic advantages over their competitors and they may have a culture which views IT infrastructure only as a means to further develop these advantages. In that kind of environment, "what we can do if we hold onto this data" is going to trump security concerns.

It's kind of interesting that a concept of user data being innately dangerous to hold onto hasn't taken hold in the same way that the concept of raw chicken being innately dangerous to hold onto has. Most industries where users can get hurt have some sort of "hygiene" practices that ensure segregation of dangerous materials if followed rigorously. Continuing on the raw chicken metaphor, the current state of things seems to be as if the health inspector had to analyze the design of every machine and process in the meat packing plant to determine whether it's safe.

PCI seems to be intended to tackle this, but it doesn't seem to be stringent enough to do the job.

Re:Point of Sale Network Access (1)

TheGratefulNet (143330) | about 8 months ago | (#46070473)

I've had the receipt for the few times I've had to return things at target.

I was amazed how fast it can be done. From when you get to the counter with your item to the time you leave, it's often less than 1 minute, sometimes as short as 10 seconds. I kid you not! I've never seen anything like that before. Walk in, 10 seconds and you're out.

Gotta give them credit for how fast they can process returns, assuming you have the receipt and your credit card or license (the magstripe does speed things along).

Re:Point of Sale Network Access (0)

Anonymous Coward | about 8 months ago | (#46070573)

The easy answer is hardware encryption on the swipers. The technology has existed for years. That way sensitive information is isolated all the way to the processor, where extraordinary security measures can be focused. Take a look at Magtek, IDTech and Cashier Live. Go ahead and scrape RAM and get nothing but tough-to-crack hardware encryption.

Re: Point of Sale Network Access (0)

Anonymous Coward | about 8 months ago | (#46070585)

But how else are we going to track our customers so we know who to send coupons to?? :(

Re:Point of Sale Network Access (1)

TwoBit (515585) | about 8 months ago | (#46070755)

That's not how the hack worked. The hackers had software on the POS machines that read the RAM of the machines and when the card info was briefly in RAM during the transaction the hackers grabbed it.

A better question is why these POS machines don't have a more locked-down OS that allows only signed processes to run. Xbox, PlayStation, and iPhone have been doing this successfully for years, so surely commercial POS machines could.

Re:Point of Sale Network Access (1)

cusco (717999) | about 8 months ago | (#46071135)

It's a RAM scraper attack on the POS machines, not a database dump off the mainframe. It's hard to believe that people don't know the difference. Oh, you're too dumb/lazy to actually figure out how to log in with an account, I guess that explains it.

Re:Point of Sale Network Access (0)

Anonymous Coward | about 8 months ago | (#46071233)

But... but... how will they track your purchases and sell your information to advertisers if they only keep the auth code?

Obviously you haven't thought this through enough.

Re:Point of Sale Network Access (1)

plover (150551) | about 8 months ago | (#46080075)

There's an even easier solution: don't store cardholder information in a database

There is no need to save credit card numbers, expiration dates, CVV2 codes, and personally identifiable information once the authorization of charge has been obtained. None whatsoever.

Getting an auth code means you're getting your money. You don't need to store my entire credit card number.

Go read the analysis of the BlackPOS malware at Krebs. He says that the attack that hit Target was done with a RAM scraper. It wouldn't matter if Target stored the data or not, or if they used SSL or not, the malware read the card data as soon as it was in the memory of the register.

Re:SCADA is next (0)

Billly Gates (198444) | about 8 months ago | (#46070355)

Sadly, until breaches like this occur, the more MBAs will listen to those annoying cost centers and view them with value and listen. The reason they are on the internet is because the suits said so and the accountants whined about having real-time access.

Maybe if Congress is involved they can make regulation requiring secure operating systems with ASLR which scramble RAM. Windows 7 and Mac OS X have it and I think Linux can support it via a patch with 3.0 or higher. Crosses fingers for Red Hat 7. Also, POS equipment is SUPPOSED to be upgraded every 2 to 3 years, just like browsers. Guess who says NO? The MBAs who feel if it ain't broke, don't fix it. Hear, hear for insurance companies forcing them to follow manufacturer requirements.

Time for TECH / IT UNIONS (2)

Joe_Dragon (2206452) | about 8 months ago | (#46071205)

So the tech workers have the power to get stuff done and the MBAs take the blame for their mess-ups.

Re:Point of Sale Network Access (0)

Anonymous Coward | about 8 months ago | (#46070579)

There is an easy solution to this problem - don't put point of sale systems on a network with external access.

Doesn't do a single thing to keep someone from putting a skimmer on a card reader somewhere

Re:Point of Sale Network Access (0)

Anonymous Coward | about 8 months ago | (#46070845)

I've always wondered why Target is able to do state of the art data analytics (e.g., determining that a 16-year old customer was pregnant) without relying on either a store-branded credit card (although they have started pushing one just in the past few months) or a free 'rewards' card. What do they know that other stores don't? It turns out their 'data hygiene' is not so customer friendly. Maybe this sort of thing needs to be subject to legislation.

Re: Point of Sale Network Access (1)

Anonymous Coward | about 8 months ago | (#46070897)

As someone who worked in one of Target's data centers, I can assure you those cash registers did not have direct internet access.

From what I read, the hackers gained access to a server which they then set up an FTP server on. A NetBIOS share was activated at a certain time of the day and information was then sent to that FTP server.

Easy one to catch (4, Funny)

formfeed (703859) | about 8 months ago | (#46070385)

Put a block on your card to issue a warning as soon as someone buys anything with your credit card other than scrap-booking supplies or boxed wine.

Re:Easy one to catch (1)

rueger (210566) | about 8 months ago | (#46071185)

Damn. You had me right up to "boxed."

nsa (0)

issicus (2031176) | about 8 months ago | (#46070467)

Too bad all those NSA snooping computers can't find a hacker...

Re:nsa (-1)

Anonymous Coward | about 8 months ago | (#46070553)

Or these activities are a part of its black budget.

Re:nsa (0)

Anonymous Coward | about 8 months ago | (#46073375)

hard to do when it is an inside job and you are looking for SPIES and terrorism, and spying only on a small number of the population.
What I find interesting is that so many think that NSA SHOULD be looking for this, when in fact, it would require spying on EVERYBODY. Yet, so many will then scream about the spying.

Only the US? (0)

Anonymous Coward | about 8 months ago | (#46070833)

Because they have a few stores in Canada as well, so I'm worried.

watch, going to be much worse (0)

Anonymous Coward | about 8 months ago | (#46070977)

This so-called card skim game is going to be a few billion more ... I just reported a half dozen fraud charges, made at stores near my home, with my PIN. No, I did not share or write down my PIN; this is scary. I have not used the card at any of these admitted breached companies.

Submitter (-1)

Anonymous Coward | about 8 months ago | (#46071555)

Meet Asiana Airline pilots: Captain Sum Ting Wong, Wi Tu Lo, Ho Lee Fuk and Bang Ding Ow?

Re:Submitter (0)

Anonymous Coward | about 8 months ago | (#46077661)

Whoosh-o-rama! Off topic? Maybe. If any one was a troll, it would be the submitter with a pseudonym phonetically misspelling his pseudonym to look like a Vietnamese name sounding like pseudonym.

Chip/PIN (1)

Gigadafud (413848) | about 8 months ago | (#46072101)

Are there any credit cards in the US that actually offer the "newer" CHIP/PIN cards? I am also assuming that the readers have to recognize these cards as well.....

Re:Chip/PIN (1)

WindBourne (631190) | about 8 months ago | (#46073341)

nope. BUT, in light of the money lost on Target, I am guessing that is about to change.

Re:Chip/PIN (1)

wkk2 (808881) | about 8 months ago | (#46075225)

I asked Chase and they didn't seem to know what I was talking about. Citi was able to replace my card with a chip/PIN card. Get one before you travel or you might need to leave your stuff at a restaurant while going to an ATM.

Re:Chip/PIN (1)

Muad'Dave (255648) | about 8 months ago | (#46081391)

Bank of America is doing Chip & Signature [bankofamerica.com] .

Another inside job (0)

Anonymous Coward | about 8 months ago | (#46073329)

Michael's outsourced their IT. Interestingly, this is NOT their first time for being cracked. You would think that they would learn.
Anybody a victim of Michael's, Neiman Marcus, or Target? Sue them LARGE.

Not the story... (0)

Anonymous Coward | about 8 months ago | (#46076607)

The theft of passwords is not the story.

It's the theft of real names, addresses, and such, along with user names and those questions we use to reset our passwords. That can reset your password elsewhere after you change it.
