
Target and Trustwave Sued Over Credit Card Breach

Unknown Lamer posted about 6 months ago | from the kill-the-auditor dept.

Security 87

jfruh (300774) writes "Security vendors like Trustwave can make big bucks when major companies decide they don't have the internal resources to handle their cybersecurity needs. Unfortunately, when taking on security chores, you also take on security liabilities. In the wake of Target's massive credit card security breach, both Target and Trustwave are now on the receiving end of a class action lawsuit, in part backed by banks that had to issue thousands of new credit cards." The filing, and a bit more from El Reg: "It's against Target, however, that the most serious allegations are levelled. The class action led by Trustmark National Bank and Green Bank, say the retailer should not have allowed an outside contractor the access to its network that brought about the breach, and that it violated federal and state laws in storing the credit card data on its network."

87 comments

Sad to see it takes a lawsuit ... (4, Insightful)

UnknownSoldier (67820) | about 6 months ago | (#46585133)

... for companies to get their shit together about their lax security policies.

It is too bad temp credit cards (1-time use, 3-time use) aren't more practical.

Re:Sad to see it takes a lawsuit ... (4, Informative)

sconeu (64226) | about 6 months ago | (#46585341)

AMEX used to provide this for on-line purchases. Alas, they discontinued about 7 or 8 years ago.

Re:Sad to see it takes a lawsuit ... (0)

Anonymous Coward | about 6 months ago | (#46585573)

That's reality - human nature.

Get away with what you can. It ain't limited to "doze evul korporashuns".

Watch drivers at a stop sign in the middle of nowhere. Way too many will roll the stop sign - if they don't just blow right through it.

Re:Sad to see it takes a lawsuit ... (1)

UnknownSoldier (67820) | about 6 months ago | (#46585893)

The context is a little different in that case though. If no one is around, and you can visibly see that, no one gets hurt if you blow through the stop.

In Target's case, vulnerabilities were found, were reported, were ignored, and then thousands of people's personal financial information is open to be abused.

Re:Sad to see it takes a lawsuit ... (2)

lgw (121541) | about 6 months ago | (#46585931)

In Target's case, vulnerabilities were found, were reported, were ignored,

In Target's case the intrusion was found, automatically reported, and ignored, weeks before the actual theft of CC numbers.

This has all the makings of a "gross negligence" tort, which is the criminal justice system for corporations.

Re:Sad to see it takes a lawsuit ... (1)

UnknownSoldier (67820) | about 6 months ago | (#46594529)

Thanks for the clarification.

Running red lights in the middle of nowhere where (0)

Anonymous Coward | about 6 months ago | (#46630879)

Then.. not paying attention one day, because you've done it over and over again, and a car plows into you.. is pretty much EXACTLY what happened to Target.

Re:Sad to see it takes a lawsuit ... (1)

hermitdev (2792385) | about 6 months ago | (#46585941)

Watch drivers at a stop sign in the middle of nowhere. Way too many will roll the stop sign - if they don't just blow right through it.

Middle of nowhere? I see it in the middle of town all the time. Worse yet, it's pretty frequent to see the cops do it, too (lights/siren off).

Re:Sad to see it takes a lawsuit ... (1)

gstoddart (321705) | about 6 months ago | (#46586153)

Middle of nowhere? I see it in the middle of town all the time.

No kidding. I can't count how many times I've been proceeding through a green light on a road and the idiot coming to the red light is half way into the intersection to turn right before he turns to look to see if there's any oncoming traffic.

I can't even begin to understand how "I'll decide if I should stop 20 feet past the stop line when I'm already in the intersection and then look" becomes the way people drive.

They half run the light to turn right on red before they have any idea if there isn't already a bus in the lane they're entering.

Re: Sad to see it takes a lawsuit ... (1)

valdezjuan (83925) | about 6 months ago | (#46590551)

It is sad but hopefully companies (and others) will realize that compliance with things like PCI doesn't really mean all that much, though I think it will take a few more.

Banks are responsible too (4, Insightful)

hawguy (1600213) | about 6 months ago | (#46585201)

Banks hold some of the responsibility too -- why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen? They claim that the merchants don't want to pay to install new credit card readers, yet only the banks have the power to force it on them (through fee penalties for those who still use magstripes, or an outright mandate requiring new scanners). Even merchants that *want* to use safer technology can't do anything to make the banks issue the new cards.

Re:Banks are responsible too (3)

brunes69 (86786) | about 6 months ago | (#46585429)

The banks ARE making moves here.

All card terminals in the US need to accept chip & PIN by 2015 because the banks will be mandating it. It's coming like a tidal wave and US retailers are turning a blind eye, hopefully the banks and Visa/MC hold steadfast in the requirement.

It should be embarrassing to the USA that every single other OECD nation on the planet switched to Chip & PIN 5-10 years ago. The USA does not always HAVE to be different. Sometimes going with the flow is the more intelligent choice.

Re:Banks are responsible too (4, Interesting)

way2trivial (601132) | about 6 months ago | (#46585571)

Not precisely correct.

Chip & pin is coming, it's not mandatory on merchants (yet) but if fraud is indicated and the merchant failed to have a chip terminal, and the customer has a chipped card the merchant will lose the chargeback automatically.

Liability shift, will now be on one of two entities.
The merchant, for not having the terminal, or the consumer, for not protecting their pin.

the liability also shifts almost 100% OFF the card issuing bank....
(the real reason)

Re:Banks are responsible too (2)

brunes69 (86786) | about 6 months ago | (#46585673)

.. and all customers will have chipped cards by October.

Re:Banks are responsible too (2, Interesting)

Anonymous Coward | about 6 months ago | (#46586329)

All this despite the fact that chip+pin is just as vulnerable as swipe+sign, and nobody here wants it except the banks.

Putting the liability on anyone other than the bank is just bullshit, and I, for one, will refuse to support it for as long as I possibly can. Here's why:

The merchant and the buyer don't know each other. The bank knows the buyer. The bank knows the merchant. Thus the bank is the only one qualified to authorize the transaction. If either of the other parties says that the agreement was not upheld to their satisfaction, it's the bank's job to arbitrate, judge, and carry out a decision about the transaction. Thus all onus must be on the bank. And if the bank made a bad call by doing business with a crook (either by issuing them a card or by allowing a fraudulent transaction to pass as valid), then the bank must be on the hook for the transaction. Chip+pin is the banks' way of dodging their responsibility. I refuse to let them off with that free pass without as much of a fight as I can muster.

Re:Banks are responsible too (1)

DarwinSurvivor (1752106) | about 6 months ago | (#46590767)

All this despite the fact that chip+pin is just as vulnerable as swipe+sign, and nobody here wants it except the banks.

Got a citation for that? I'm not claiming chip+pin is perfect, but it's a HELL of a lot better than a magnetic stripe you can read with a damned tape recorder head.

Re:Banks are responsible too (0)

Anonymous Coward | about 6 months ago | (#46595027)

All this despite the fact that chip+pin is just as vulnerable as swipe+sign, and nobody here wants it except the banks.

Got a citation for that? I'm not claiming chip+pin is perfect, but it's a HELL of a lot better than a magnetic stripe you can read with a damned tape recorder head.

Who cares how you can read it, it will be read by the cash register ... so in this case for example how would it help at all to have a chip + pin, both pieces of data are in the cash register at the same time and could have been read from memory just as easy.

What needs to happen is end to end encryption, the card reading device needs to be a self contained device that encrypts the transaction right away and pass that information on to the credit card processing people, instead of the card data being placed on a computer in between the reader and the processing center

Re:Banks are responsible too (1)

DarwinSurvivor (1752106) | about 6 months ago | (#46595443)

What needs to happen is end to end encryption, the card reading device needs to be a self contained device that encrypts the transaction right away and pass that information on to the credit card processing people, instead of the card data being placed on a computer in between the reader and the processing center

Actually no. The new chip+pin cards are actually smartcards that do their own processing on the card itself. I recommend doing some research before spouting false information about the chips being glorified memory cards.

Re:Banks are responsible too (1)

Trogre (513942) | about 6 months ago | (#46598421)

You're joking, right? As another poster has said, anyone with an NFC chip can read those cards.

The PayWave system is also being pushed as a single factor payment system. Did you get that? Single. Factor. Wave your card at a cash register and you've paid for your meal. Or your colleagues.

Re:Banks are responsible too (1)

DarwinSurvivor (1752106) | about 6 months ago | (#46600283)

Chip+pin is NOT tap-to-pay. Chip+pin is the system where you have to physically insert your card into the machine (where metal contacts talk to the chip) and then enter a pin that is verified by the chip.

Tap-to-pay is a whole other system which I personally do not like and am disappointed that it is impossible to get a card without it in Canada (I've checked with multiple places).

Re:Banks are responsible too (1)

Trogre (513942) | about 5 months ago | (#46626699)

Okay, fair call. My bad - I was targeting the ludicrous tap-to-pay system.

I'm fine with chip+pin, so long as it preserves two-factor authentication.

Re:Banks are responsible too (1)

whoever57 (658626) | about 6 months ago | (#46588611)

.. and all customers will have chipped cards by October.

This simply isn't true. I just looked at a newly issued card and it doesn't have a chip. Furthermore, the one US card in my wallet that does have a chip is a chip and signature card. Not chip and PIN.

Re:Banks are responsible too (0)

Anonymous Coward | about 6 months ago | (#46585903)

In the United States, the customer will still be protected against liability as mandated by law, having a chipped card does not shift the liability onto them.

Re:Banks are responsible too (2)

rsborg (111459) | about 6 months ago | (#46586177)

Not precisely correct.

Chip & pin is coming, it's not mandatory on merchants (yet) but if fraud is indicated and the merchant failed to have a chip terminal, and the customer has a chipped card the merchant will lose the chargeback automatically.

Liability shift, will now be on one of two entities.
The merchant, for not having the terminal, or the consumer, for not protecting their pin.

the liability also shifts almost 100% OFF the card issuing bank....
(the real reason)

I wonder how this will impact online payments - how will chip/pin be supported there?
Given most of my CC activity is online, I fathom this is a huge loophole to the new security structure...

Re:Banks are responsible too (2, Insightful)

Anonymous Coward | about 6 months ago | (#46586431)

Speaking as a Canadian with chip&pin credit cards that have been used on-line, chip & pin isn't supported.

You key your credit card number in 1 field
You key your 3 digit "security code" (printed on the back of the card) in a different field.

You don't use your personal pin anywhere on-line to purchase things ... and of course the chip doesn't come into play at all.

Re:Banks are responsible too (1)

Fnord666 (889225) | about 6 months ago | (#46589019)

I wonder how this will impact online payments - how will chip/pin be supported there? Given most of my CC activity is online, I fathom this is a huge loophole to the new security structure...

The impact will be that the majority of CC fraud will move to online merchants.

Re:Banks are responsible too (1)

Anonymous Coward | about 6 months ago | (#46586307)

Chip & pin is not the answer. The answer is a new system that has the pin pad on the card itself and only releases an authorization number that is valid for the merchant in which they are paying for the amount in which the customer has agreed to. Such a system should work regardless of if the merchant is online or off. The responsibility should fall on the purchaser to protect their pin. There is no good reason that stores should have to accept liability for fraudulent purchases when the financial institutions haven't built a system that allows for merchants to protect themselves.

Re:Banks are responsible too (0)

Anonymous Coward | about 6 months ago | (#46585873)

The banks ARE making moves here.

All card terminals in the US need to accept chip & PIN by 2015 because the banks will be mandating it.

We've had chip and PIN since at least 2011 in Canada. Why is the US waiting until 2015? Do the "too big to fail" investment banks need more time to figure out how to profit?

Re:Banks are responsible too (0)

Anonymous Coward | about 6 months ago | (#46587379)

I'm sorry, I must have missed something here: how does Chip & PIN improve security again? It (and Paywave) has been broken in Europe for how long now?

Re:Banks are responsible too (0)

IamTheRealMike (537420) | about 6 months ago | (#46587669)

It improves security by preventing card cloning, which is one of the key ways the US card system is defrauded. It is not "broken" in Europe, so your latter question is irrelevant. You are probably thinking of academic papers which did what academics do: probe the system for weaknesses and published their research, which often led to fixes (except when their attacks were so convoluted nobody actually does them in practice). This is common to all security systems everywhere and is one way they get better. However magstripe cards don't incrementally improve this way because they're so fundamentally broken there's no point researching them.

If you need further encouragement, consider that America has 5% of the world's population, 25% of the world's credit cards and over 50% of the world's credit card fraud.

Re:Banks are responsible too (1)

Fnord666 (889225) | about 6 months ago | (#46589067)

The banks ARE making moves here.

All card terminals in the US need to accept chip & PIN by 2015 because the banks will be mandating it.

The banks are not mandating anything. The credit card networks dictate the conditions by which a merchant or a bank can participate in their system.

One issue that hampers the conversion is the replacement of the card accepting terminals. The US has retailers that have more terminals in a single region than most OECD nations. That's a lot of hardware to replace for merchants who have not been held responsible for anything that happens when they don't.

Irritated (0)

Anonymous Coward | about 6 months ago | (#46618181)

What do you expect? Credit card companies use insecure methods for consumers to use their products, charge the consumers and the merchants for accepting their cards, and then fine everyone when data is stolen.

It's a win win win win win win winwinwiwinwinwinwnw situation for them.

PCI puts the burden on the merchant, so a store that sells a $1.25 sandwich needs to put in thousands of dollars in security to protect the Credit Card Company's insecurities, with the reality that they'll be liable for the insecurity. Visa/MC/Discover/Amex need to own up at some point instead of making the consumer ultimately pay the price for a) their own insecure product and b) making the consumer the risk for using their product and c) driving up the cost at a retailer because of the per-location security needed to secure an unsecure method of payment

In short, the credit card companies have found a great way of extracting huge sums from merchants who aren't compliant, using the CC's crap technology.

"Here's a Yugo and a NASCAR race track. If you can't get around the track in 45 seconds, we're going to fine you and the spectators for failing....and you owe us per lap, the car, and we want a piece of the admission from spectators. You have no other option to conduct your business either, other than cash and lol to that (or bit coins and good luck with that)"

Re:Banks are responsible too (1)

gewalker (57809) | about 6 months ago | (#46585443)

Unfortunately, the way the credit card companies work, most of the damage is externalized onto the merchants (via reversed charges) and ultimately the consumers -- via higher prices & fees. Of course, this is hardly accidental. Target is certainly guilty of lots of stupidity, but the real players won't change their ways until they really feel the pain -- the whole system is far too easy for the black players to game. So much business is depending on CC transactions, most businesses have little choice but to play the game.

This pain could be regulatory, financial losses, etc. But, no pain, no improvement.

Re:Banks are responsible too (1)

EvilSS (557649) | about 6 months ago | (#46585455)

Banks hold some of the responsibility too...

Ethically, yes, they do. Legally? Well, they made sure the laws didn't work that way. As for merchants not wanting to ditch magstripes, the national retailers have wanted to ditch them for a while (oddly, around the same time PCI came into existence). It's the banks dragging their feet over it. The cards cost more and there are questions about how Chip and PIN transaction costs will work (as a swipe transaction or a PIN transaction) and what networks they will use.

Re:Banks are responsible too (1)

Misch (158807) | about 6 months ago | (#46585843)

Target doesn't want to ditch the magstripe. They do incredible amounts of data mining based off of data on the magstripe.

See: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did [forbes.com] .

Chip-and-Pin doesn't provide magstripe data to Target. Target can't build its demographic data. That's going to hurt sales.

Re:Banks are responsible too (2)

hawguy (1600213) | about 6 months ago | (#46585957)

Target doesn't want to ditch the magstripe. They do incredible amounts of data mining based off of data on the magstripe.

See: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did [forbes.com] .

Chip-and-Pin doesn't provide magstripe data to Target. Target can't build its demographic data. That's going to hurt sales.

If that's the case, they'll just have to do it the old fashioned way -- with affinity cards "Swipe your TargetPoints card and save $$$!".

It's not necessarily the case that chip-and-pin removes the ability for merchants to do customer tracking -- just because the card number is encrypted and protected doesn't mean that no unique identifying information is sent in the clear to let a merchant recognize a returning customer.

So are Consumers (0)

Anonymous Coward | about 6 months ago | (#46585575)

Find me a consumer who wants to deal with more than swiping a mag stripe to protect themselves. Seems they only give a shit about security when it's convenient.

The onus isn't all on the banks.

Re:Banks are responsible too (0)

Anonymous Coward | about 6 months ago | (#46586601)

1970's era magstripe technology

Wow, you Republicans are always trying to fuck us over by throwing-up smoke screens. The mag stripes were not what was attacked in this case. It was the right-wing IT department at that right-wing corporation that decided to fuck the poor and minorities over by giving-out the numbers. No amount of trying to put small businesses out of business by not allowing them to accept credit cards by making the readers cost more than they can afford will help with what they did. Please stop being so anti-small business. You Republicans are disgusting.

Re:Banks are responsible too (0)

Anonymous Coward | about 6 months ago | (#46586887)

Wow, you Democrats are always trying to fuck us over by throwing-up smoke screens. The mag stripes were not what was attacked in this case. It was the left-wing IT department at that left-wing corporation that decided to fuck the poor and minorities over by giving-out the numbers. No amount of trying to put small businesses out of business by not allowing them to accept credit cards by making the readers cost more than they can afford will help with what they did. Please stop being so anti-small business. You Democrats are disgusting.

Re:Banks are responsible too (1)

Kalriath (849904) | about 6 months ago | (#46598601)

The readers cost $1000 in NZ. Probably $500 in the US. If your small business can't afford that, it probably can't afford the stock to sell either, making the whole point moot.

Re:Banks are responsible too (0)

melting_clock (659274) | about 6 months ago | (#46587909)

I realise that this is a US based issue but I've spent a lot of time in the US in recent years. I first needed chip and pin for trips to Europe where it was rapidly becoming the only option available. Australia (home) shifted to chip and pin being preferred a few years ago. Now my bank is saying that only my PIN can be used for in store purchases. A signature will not work... On my last trip to the US, there were still many stores asking for signatures with credit cards so my next trip might be really painful.

Re:Banks are responsible too (1)

Trogre (513942) | about 6 months ago | (#46589331)

Erm, banks are issuing cards with 2010's era paywave right now, and it's a major step backwards in security. We've gone from two-factor (swipe and PIN) to single-factor wave. Nothing safe about it.

Re:Banks are responsible too (1)

mjwx (966435) | about 6 months ago | (#46589973)

Banks hold some of the responsibility too -- why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen? They claim that the merchants don't want to pay to install new credit card readers, yet only the banks have the power to force it on them (through fee penalties for those who still use magstripes, or an outright mandate requiring new scanners). Even merchants that *want* to use safer technology can't do anything to make the banks issue the new cards.

I hate to break it to you, but brand new cards are coming out with NFC technology (Paywave and Paypass) that is even easier to steal your card details from than from the magstripe.

Magstripes aren't a huge security flaw because they require physical access to the card (and yes, the card holder should be responsible for the card's physical security), but NFC allows card details to be stolen wirelessly so even if the user is taking all due care to physically protect the card, the details can still be stolen without the user's knowledge.

And yes, Paywave/Pass gives out your card number, name and expiry date (everything on the front of the card) to any NFC transmitter asking for it. Even an Android phone with an NFC chip.

Magstripes on the other hand are still on cards because they are practically guaranteed to work and are considerably less vulnerable to damage.

Things that make you go Hmmmmmmmmm (0)

Anonymous Coward | about 6 months ago | (#46590777)

The irony, the banking industry is responsible for just about every economic collapse since the great depression. And yet no one bothered to go thru this much trouble in hopes of finally getting the industry to change.

That doesn't excuse Target, or the idiot security firm that apparently lacks common sense when it comes to security.

Credit Cards are on the list of 'next bubble' waiting to burst, it will be interesting to see how the bank get off the hook when that happens, while Jane/John public get f***d. The security issues you bring up should've been in place years ago, and what a shock here we are talking about another security issue in this country. No one learns their lessons, as long as the big wigs make out, while everyone who is responsible for making them their easy lifestyle suffers.

Re:Banks are responsible too (1)

Trogre (513942) | about 6 months ago | (#46598369)

why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen?

Do you have shares in a card-chipping business?

SSDD (3, Insightful)

Wookact (2804191) | about 6 months ago | (#46585207)

I am surprised it took this long for the lawyers to get geared up

Re:SSDD (0)

Anonymous Coward | about 6 months ago | (#46586267)

Hey, Morgan & Morgan, the ex/next-governor of Florida [wikipedia.org] works for them.

Mandatory arbitration? (1)

schwit1 (797399) | about 6 months ago | (#46585211)

I would not be surprised if Target's credit card purchasing process mandates that all disputes must be arbitrated.

SCOTUS has consistently ruled that these mandates are legal and binding.

Re:Mandatory arbitration? (1)

MightyMartian (840721) | about 6 months ago | (#46585313)

"We're so sorry we allowed your credit card to be used to facilitate theft. Fortunately the arbitrator has come up with an equitable payment; a Jelly of the Month Club membership. It's the gift that keeps on giving."

Re:Mandatory arbitration? (1)

Doug Otto (2821601) | about 6 months ago | (#46585403)

Don't spread that around....

Re:Mandatory arbitration? (1)

the_skywise (189793) | about 6 months ago | (#46586661)

Groan...

Re:Mandatory arbitration? (3, Insightful)

Overzeetop (214511) | about 6 months ago | (#46585527)

I would have thought a coupon for a free pizza a drink would have been enough. It's not like Target blew up a town, they just lost some CC#s. On second thought, maybe just a free drink with your next purchase.

Re:Mandatory arbitration? (0)

Anonymous Coward | about 6 months ago | (#46585699)

Then they would get sued by all the sugar addicts who drank their sugary soda and got diabetes

Re:Mandatory arbitration? (1)

NoNonAlphaCharsHere (2201864) | about 6 months ago | (#46585421)

Nah. It's only CONSUMERS who are forced into these binding arbitration contracts, i.e. the card holders. There's zero probability that the card issuing bankers will be forced to put up with what they inflict on the public.

Re:Mandatory arbitration? (1)

devman (1163205) | about 6 months ago | (#46585795)

The article indicates that the plaintiffs are card issuing banks, which probably have no direct agreements with Target at all, thus no opportunity to cover ass with a binding arbitration clause.

Re:Mandatory arbitration? (1)

Sloppy (14984) | about 6 months ago | (#46585821)

I would not be surprised if Target's credit card purchasing process mandates that all disputes must be arbitrated.

That sounds like something Target's customers might have agreed(*) to. But the banks? If they didn't sign(*) the agreement, then I don't know how they'd be bound to it.

(*) I am trying to use technical jargon versions of "agreed" and "sign," not the layman's, and I might not be up-to-date on the jargon definitions. Yet if it looks like I'm saying the exact opposite of what I appear to be saying, then I think that means I used the words correctly(**) so I hope that's the case.

(**) Oh no, not again. I'd explain what I meant by "correctly" but whenever I try, I get some kind of error message about a stack. What, a stack of credit cards? I don't understand.

Re:Mandatory arbitration? (1)

gstoddart (321705) | about 6 months ago | (#46585835)

I would not be surprised if Target's credit card purchasing process mandates that all disputes must be arbitrated.

Is that even something they could do? When I use a CC in a brick and mortar store, I don't think you can claim there's a click-through agreement in place.

Though, I wouldn't put it past the lawyers to have done something like this.

However, since it's the banks filing the class action suit, and storing that stuff the way they did violated both state and federal laws .... good luck with the EULA/arbitration method.

This is just wholesale incompetence, allowing widespread malfeasance.

With who? (0)

Anonymous Coward | about 6 months ago | (#46585949)

I would not be surprised if Target's credit card purchasing process mandates that all disputes must be arbitrated.

SCOTUS has consistently ruled that these mandates are legal and binding.

With who? The customer?

The customer (you or I who shop at Target) have a $50 maximum liability. Meaning, we don't owe anything after $50 in cases of lost or stolen cards. [ftc.gov]

In this case, it is 100% Target's fault and your bank will back you up on this - those Russian crooks max out your cards, you owe nothing.

The Republicans will never allow this to happen (-1)

Anonymous Coward | about 6 months ago | (#46585213)

They always protect their own. The right-wing ruled Target will be protected because they always do what they're told. Just look at how few minorities they employ. Also, they try to hurt the poor by offering products more suitable for only the middle class. Because of this, they are Republican heroes. The Republicans will never allow Target to be hurt by this. Besides, they know when Republicans have data breaches like this, it is the poor with their debit cards that gets hurt worse than the Republicans with their real credit cards. The law protects credit card holders much better than it does the poor with their debit cards. Of course the Democrats have done nothing to stop this.

Re:The Republicans will never allow this to happen (0)

Anonymous Coward | about 6 months ago | (#46585801)

Weak troll.

Re:The Republicans will never allow this to happen (1)

JackieBrown (987087) | about 6 months ago | (#46586973)

We are going to be seeing (and have been seeing), more and more posts like this the closer we get to midterms. They know it's ludicrous, but the more people read something (in this case the same general theme,) the less crazy it sounds and eventually some people will believe it.

As shown during the last elections, Democrats are very good at social engineering/conditioning. Look at most of the "hot" topics on this site this month and you will see a post like this.

Re:The Republicans will never allow this to happen (0)

Anonymous Coward | about 6 months ago | (#46585973)

Get back on your meds, troll.

Re:The Republicans will never allow this to happen (0)

Anonymous Coward | about 6 months ago | (#46586533)

Learn to troll ya wanker! Target is full of gun hating democrats!

Re:The Republicans will never allow this to happen (1)

david_thornley (598059) | about 6 months ago | (#46594757)

You do realize, don't you, that Target associates itself more with the left wing, and that lots of their customers got upset when they found Target donated money to Republicans?

RIP Target. (0)

Anonymous Coward | about 6 months ago | (#46585307)

Only McJobs and WallyJobs to be had.

It's about damn time (0)

Anonymous Coward | about 6 months ago | (#46585357)

I had to get two new cards last year while the Bank grilled me on my browsing habits etc., thinking it's always the customer's fault. Finally they are going to the source!

Sad that it might take a lawsuit... (1)

thestudio_bob (894258) | about 6 months ago | (#46585445)

I wish there were better ways of reporting broken sites. I just tried to inform quicksilver.com that their SSL was messed up, but they told me to reset my cookies. Lol.

How do you report something like this, if their own "support" is either ignorant or not prepared to deal with these issues? Obviously, someone at Target knew of the problems, but couldn't get upper management to listen.

Re:Sad that it might take a lawsuit... (1)

gstoddart (321705) | about 6 months ago | (#46586063)

How do you report something like this, if their own "support" is either ignorant or not prepared to deal with these issues?

If you're a customer, you call up and cancel and tell them that since they seem to be unqualified to do security, you are no longer willing to use them.

If you're not a customer, make sure you can't be brought up on charges of "hacking" their stuff which was secured by chimps and move on.

You don't. (1)

khasim (1285) | about 6 months ago | (#46586951)

How do you report something like this, if their own "support" is either ignorant or not prepared to deal with these issues? Obviously, someone at Target knew of the problems, but couldn't get upper management to listen.

You don't.

And you don't leave ANY trails showing that you knew about it.

It's too easy for them to drag YOU into court on "hacking" charges.

They'll be looking for ways to cover their incompetency later. Do not be their victim.

Trustwave monthly scans of my ecommerce site (0)

Anonymous Coward | about 6 months ago | (#46585517)

Every month, Trustwave runs an automatic scan of my tiny e-commerce site. Wells-Fargo Bank, which handles my skimpy credit card collection, pays them to check that my Debian & Apache server is up to date and look for obvious PHP errors. Each month, I receive a report saying that everything is OK, and a comment that my PCI Self-Assessment Questionnaire will soon expire. (The online questionnaire/class essentially says not to store credit card information in a computer.) It's pretty simple stuff; I expected a more rigorous analysis.

As a (very small) online merchant, I really don't want to see anyone's credit card information, nor do I wish to waste time on security issues. Still, I've put in several honeypots and tripwires...

Re:Trustwave monthly scans of my ecommerce site (1)

Kalriath (849904) | about 6 months ago | (#46598653)

I'm assuming your volume is small, and you don't actually get PAN details, right? Because if you did, then you wouldn't be able to get away with SAQ-A and would have to submit to actual audits, which is a whole lot harder. Target, undoubtedly, was the much stricter PCI-DSS probably at level 2 or above. Major auditing. Theoretically.

Best quote I read about this (1)

Gothmolly (148874) | about 6 months ago | (#46585653)

“… FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then … Nothing happened.”

Re:Best quote I read about this (1)

Mr. Flibble (12943) | about 6 months ago | (#46586113)

“… FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then … Nothing happened.”

What is missing from this quote is not that Bangalore sent them a flagged alert, but how many alerts had Bangalore sent in the past, and how high of a priority were they? How much did Bangalore cry wolf in the past?

I am with teams from Bangalore that sent me reams and reams of "alerts". Most of these high-priority alerts were garbage. I spent 4 hours the other day tracing down a "critical" alert because a router on the other side of the world from me had not sent logs in the last 8 hours. Turns out that this router is on a section of dark fiber, and it is not supposed to log unless it comes online during a system failover.

Bangalore has repeatedly created critical alerts on this for the past 3 days like clockwork.

Most of the stuff they send us is noise. What we need to be sent is real actionable data, not a billion "alerts" that are actually systems-normal.

Re:Best quote I read about this (1)

khasim (1285) | about 6 months ago | (#46587037)

I've worked for a company that used Trustwave.

I hate them.

They did NOTHING except forward
EVERY
SINGLE
ALERT
FOR
EVERY
SINGLE
SERVICE
ON
EVERY
SINGLE
SERVER
that was in scope.

I understand WHY Trustwave did that. It is so that they cannot be blamed for when YOU miss something. So you are buried in their reports.

But you do get to check off the box labelled "24/7 monitoring of all systems".

Which is why "compliance" is NOT the same thing as "security".

I don't care if it is the same fucking dictionary attack as yesterday. Root and Admin are NOT valid names. They can throw 10,000 attempts and they will still not get in. But Trustwave will send you 10,000 notifications AGAIN. Just like yesterday.

Per service. Per server.
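The flood described in this comment is what a triage stage in front of the analyst is meant to absorb. The following is an added example, not code from the thread or from any vendor's tooling: failed logins against names that cannot log in are collapsed into one digest per server and service, and only attempts on real accounts, or successes from a source that was also failing, are escalated. The event fields, host names and the `VALID_ACCOUNTS` set are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Assumption: the only accounts allowed to log in remotely on in-scope servers.
VALID_ACCOUNTS = {"deploy", "svc_backup"}

def constructed_events():
    """Constructed sample: 10,000 failed guesses at root/admin across two
    servers and two services, plus one failed attempt on a real account."""
    events = []
    for server in ("web01", "web02"):
        for service in ("ssh", "ftp"):
            for i in range(2500):
                events.append({"server": server, "service": service,
                               "src": "198.51.100.7", "ok": False,
                               "user": "root" if i % 2 == 0 else "admin"})
    events.append({"server": "web01", "service": "ssh", "src": "198.51.100.7",
                   "user": "deploy", "ok": False})
    return events

def triage(events, valid_accounts=VALID_ACCOUNTS):
    """Split events into (digests, escalations).

    digests: one counter per (server, service) for failed logins against
        names that cannot log in; reported as a summary, not paged.
    escalations: failed attempts against a real account, and successful
        logins from any source that also produced failures.
    """
    failing_sources = {e["src"] for e in events if not e["ok"]}
    digests = defaultdict(lambda: {"count": 0, "users": set(), "sources": set()})
    escalations = []
    for e in events:
        if e["ok"]:
            if e["src"] in failing_sources:
                escalations.append(e)
        elif e["user"] in valid_accounts:
            escalations.append(e)
        else:
            d = digests[(e["server"], e["service"])]
            d["count"] += 1
            d["users"].add(e["user"])
            d["sources"].add(e["src"])
    return dict(digests), escalations

if __name__ == "__main__":
    digests, escalations = triage(constructed_events())
    for (server, service), d in sorted(digests.items()):
        print(f"{server}/{service}: {d['count']} failed logins, users={sorted(d['users'])}")
    print(f"{len(escalations)} event(s) escalated:", escalations)
```

On the constructed input, 10,001 events become four digest lines and one escalation.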

Re:Best quote I read about this (0)

Anonymous Coward | about 6 months ago | (#46587703)

It's because TrustWave is a JOKE. Ever wondered why TrustWave is one of the most expensive PCI auditors, but why they seem to be one of the worst, and why so many huge retailers use them??? I'll give you a hint, it's because that price isn't for quality, it's buying compliance when you aren't compliant.

But one might wonder, just how the heck does TrustWave get away with this?? Doesn't the PCI Council see this happening and intervene? Well that's where it gets interesting boys and girls. TrustWave and The Council have an interesting relationship....they happen to share a very important person, making money on both sides of the deal....look into TrustWave ownership and The Council leadership.

I happen to work for a retailer in security and handle PCI Compliance, and TrustWave is a well known joke of an auditor in the industry....

credit cards? (1)

Anonymous Coward | about 6 months ago | (#46585777)

so, only credit cards were affected? not debit cards or American Express cards? Cool.

Wonder if TW techs read marketing's whitepaper? (1)

xxxJonBoyxxx (565205) | about 6 months ago | (#46586111)

Retailers a Top Target for Attackers in 2012, Trustwave Says
http://www.securityweek.com/re... [securityweek.com]

This is such a bizarre case... (1)

buttfuckinpimpnugget (662332) | about 6 months ago | (#46586229)

Target has one of if not the most diligent loss prevention programs in place of any retailer. They even have their own forensics lab and sometimes donate time/expertise to high profile investigations for the police, FBI, etc. You would think that mindset would be throughout.

Re:This is such a bizarre case... (1)

Ziggitz (2637281) | about 6 months ago | (#46586837)

Most organizations see PCI compliance as a huge annoyance. It's generally too technical for an executive to have eyes on so it falls to a technical person to enforce it. Once you get big enough merchants tend to go easier on you because it's a huge cost to be PCI compliant and they really want your business. Then shit like this happens.

Wondering why it took so long... (1)

marcgvky (949079) | about 6 months ago | (#46586361)

Did anyone question that this was going to happen? My surprise is that it took so long to compile and file the complaint LOL. This one should send the lead counsel (firm) skyrocketing i.e. houses in the Hamptons, helicopters, yachts, the whole nine!

usual & customary. (0)

Anonymous Coward | about 6 months ago | (#46586869)

all major retailers archive bank card data.

it's usual & customary.

Just goes to show (0)

Anonymous Coward | about 6 months ago | (#46587027)

These Credit Cards aren't ready for mainstream adoption. Criminals can just hack into any server and take the money, and the cost is just pushed onto everyone else! The dollars they represent are good for nothing but SPECULATING that you might be able to buy goods with them in the future, and aren't even backed by anything. Your 1950's libertarian fantasy of high-speed digital commerce conflicts with reality - this hack proves that Credit Cards would be safer with much more regulation.

I'll stick with tried-and-true barter, thank you.

Amount of involvement from Trustwave (0)

Anonymous Coward | about 6 months ago | (#46587169)

I'm not sure if I'm misreading TFA but it seems like Trustwave's involvement was solely that they did an automated vulnerability scan for Target. Can anyone confirm?

If that is all that Trustwave had done then I imagine the amount of companies offering vulnerability scans (i.e. pointing Nessus or OpenVAS at your site and charging you for the report it produces) is about to drop sharply...

Banks Suing Corporations (0)

Anonymous Coward | about 6 months ago | (#46587337)

*grabs popcorn*

And anyone personally affected by this? Maybe a $10.00 Target gift card?

Apparently the banks need to sue the banks (0)

Anonymous Coward | about 6 months ago | (#46587417)

...it violated federal and state laws in storing the credit card data on its network.

Can you show me a single bank that doesn't store credit card data on its network?

Re:Apparently the banks need to sue the banks (1)

Kalriath (849904) | about 6 months ago | (#46598693)

Banks are bound by a very different set of rules - they have to stick to PCI-DSS sure, but since they literally have to store credit card data...

The problem would be that Target failed to comply with PCI-DSS correctly, Trustwave verified that they were in compliance (when they were not), and many states now have laws on the books mandating PCI-DSS compliance.

Tort Reform (0)

Anonymous Coward | about 6 months ago | (#46589313)

The one-sided in favor of the corporation tort reform should be reformed so we can get down and funky again with these monsters.
