
Target Has Major Credit Card Breach

JoeyRox writes "Target experienced a system-wide breach of credit card numbers over the Black Friday holiday shopping season. What's unique about this massive breach is that it didn't involve compromising a centralized data center or website but instead represented a distributed attack at individual Target stores across the country. Investigators believe customer account numbers were lifted via software installed on card readers at checkout." Also at Slash BI.
  • by Anonymous Coward on Thursday December 19, 2013 @12:43AM (#45733265)

    Well with a name like that, I've been avoiding them for years. Can't hurt to play safe.

  • by Nyder ( 754090 ) on Thursday December 19, 2013 @12:44AM (#45733267) Journal

    You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

    Will they ever learn?

    • by Nyder ( 754090 ) on Thursday December 19, 2013 @12:47AM (#45733275) Journal

      You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

      Will they ever learn?

      Guess maybe I'm not thinking. They do need to verify that cards are correct, so they do need some internet access, though they could do it over the phone.

      Well, I guess they will still need to rethink the security of this.

      Seems to me the readers only need to communicate with a computer in the store, then that computer could do the verifying. Might be a little slower, but would probably be a lot more secure.

      • by E-Rock ( 84950 ) on Thursday December 19, 2013 @01:00AM (#45733317) Homepage

        It's a shame that we probably won't get good details about what happened. If they're PCI compliant, those devices need to be on their own network away from the rest of the company machines. If they were actually doing that, I'd think that they could have caught this with some sort of egress filtering that would either block or alert when it saw CC information going out, or outbound connections from the CC system to unauthorized systems.

        Of course, my bet is an inside job. With the right people involved, you can bypass almost anything.

        • by rmdingler ( 1955220 ) on Thursday December 19, 2013 @08:33AM (#45734881) Journal
          "Of course, my bet is an inside job. With the right people involved, you can bypass almost anything."

          Temp holiday hiring season combined with the traditionally busiest time of the year... the perfect storm for a well organized attack.

        • That's why you attach a cellular device to the internal network or pull out the microSD card from the skimmer before it's found.

          • Re: (Score:3, Interesting)

            by operagost ( 62405 )

            PCI compliance says you can't have an open network port available in public areas. That is, if you have a network jack on the floor where people can use it without having their specific MAC authorized, then you're non-compliant.

            If Target is PCI compliant, then this is an internal breach.

            • Of course - but it wouldn't have to have happened out in the open near all the cameras.

              But I doubt they're fully compliant.

            • by tibit ( 1762298 )

              MAC authorization is not even remotely sufficient in my view. 802.1x is the minimum you need.

              • by torkus ( 1133985 )

                MAC ACLs are like the TSA groping grandma. Looks good to those up top but only annoys the people who aren't doing anything wrong...while doing little to stop anyone with ill intent.

                802.1x is a big improvement but still leaves a lot to be desired in most implementations.

            • by torkus ( 1133985 )

              Sure but even that's not 100% secure by any means.

              I wrote a whole long rant about all the holes I've personally seen and then thought better of posting it. Many of them are possible with limited technical knowledge and minimal understanding of the target (ahem).

              Anyone who thinks this was a 100% outsider attack is sadly mistaken. It doesn't even need to be someone in a position of power or great access...just some basic knowledge and perhaps a few others to do some unwitting testing (mind you retail hires

        • It's a shame that we probably won't get good details about what happened.

          Right. And considering Target has a rather unique "red card" of their own, I would at least like to know if THIS was also compromised during the most recent hack. Seems more secure, mainly because it is less portable to other stores.
          • by GTRacer ( 234395 )
            According to Target's press release on their site, REDcard was hit too. My REDcard goes to my debit account, but then again, I used my debit card there in the breach span too. Prolly also my credit card. Considering having all card providers issue new cards which should sort this nicely.
            • My red card goes to nowhere (i.e. It is their credit card version). So unless the thieves shop at my store and fake my signature, I imagine I'm ok.

              I just tried to call Target and got some amusing results. Predictable busy signal on first three tries. Then, for variety, the phone rang two or three times, then dropped into a busy signal. This would not have even been possible in the old analog phone system -- we have progressed indeed. Able to reproduce the ring-becomes-busy on my next few tries.

              Oh w
        • It doesn't have to be an inside job. I have been to countless stores where they have a networked cash register with exposed ports within easy reach of the customer. Someone could connect a small USB device that could be used to capture data, or give that person inside access. I do not understand why these devices are not in locked enclosures. Once your physical security is compromised, there are almost no limits to what an attacker can do.

      • They don't need direct access. Actually, your CC data is supposed to be kept away from the Internet. That's what private circuits are for. In the case of a major retailer like Target, they should be doing all financial transfers over private circuits, with no Internet access.

        Someone may have decided it would be cheaper to share the circuit with Internet access. That was *very* dumb of them.

        • by mysidia ( 191772 )

          Someone may have decided it would be cheaper to share the circuit with Internet access. That was *very* dumb of them.

          There are perfectly safe ways of doing this -- it's called a VPN, and an isolated network behind the firewall whose only WAN is the VPN connection, to access approved systems; and be monitored by approved systems.

          • by sabri ( 584428 )

            There are perfectly safe ways of doing this -- it's called a VPN,

            Not necessarily true. Not all VPNs are the same.

            For example, a simple MPLS-based Layer 3 VPN will separate traffic between network A and network B, but it will not be encrypted. The only relatively safe way of doing it is via a strongly encrypted tunnel.

            • by DarkOx ( 621550 )

              IPSec would not require a tunnel and should be perfectly safe as well. That has the advantage of not requiring any separate routing, vlans, etc.

                Honestly if you are building an IP based CC scanning device why you'd support anything other than IPSec I don't know.

              • by ruir ( 2709173 )
                IPsec is the tunnel creating mechanism and it is very unwise not to isolate sensitive equipment in their own vlans.
                • by DarkOx ( 621550 )

                  IPSec *can* tunnel but does not require a tunnel, I don't disagree isolation would be better but most of the time that isolation ends at the next hop router anyway. It isn't as if a retail box store is going to have a layer2 network back to HQ.

                  If you have some port security in place like 802.1x so you can have some at least low level of assurance that the only things on the network are supposed to be there, there isn't nearly as much value in isolation in this type of situation.

                  Frankly tunneled IPSec is we

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          I've heard from a couple sources, which I'm trying to find citations for again, the breach was due to a pushed update from the POS provider. It isn't mentioned in the majority of the reports, so I don't know if it's because there's no truth in that or the information was not in the official release to prevent potential backlash before coming to a solid finding.

      • No, they can use dedicated links to their processors. Even MPLS is better than SSL.

      • by Charliemopps ( 1157495 ) on Thursday December 19, 2013 @08:50AM (#45734949)

        About 10 years ago I used to work for ATT in their "VPN" section. Basically they had a private VPN on their network that was specifically designed for this sort of situation. The data lines were extremely small, like 8k (they could be bigger if desired) and were used almost exclusively by cash registers. These would connect via the VPN to their primary network. Not only was an attack of the VPN difficult, with an 8k transfer rate it would be pretty difficult to send much up to them anyway. I assumed this was how all stores operated but apparently not Target.

      • by Jawnn ( 445279 )

        You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

        Will they ever learn?

        Guess maybe I'm not thinking. They do need to verify that cards are correct, so they do need some internet access, though they could do it over the phone.

        Well, I guess they will still need to rethink the security of this.

        Seems to me the readers only need to communicate with a computer in the store, then that computer could do the verifying. Might be a little slower, but would probably be a lot more secure.

        First of all, to GP, what makes you think that the PoS terminals are attached to the Internet? Nothing in TFA even hints at such a thing. To parent, GP is right. The Internet is not required for the things we're talking about. Private networks, including VPNs (running through the Internet) are a much better choice. That said, if properly secured, credit card transactions can be safely processed across the Internet. An entire industry has been built around just that.

        No. I think we're going to find that th

      • by noc007 ( 633443 )

        They do need to verify that cards are correct, so they do need some internet access, though they could do it over the phone.

        Well, I guess they will still need to rethink the security of this.

        Seems to me the readers only need to communicate with a computer in the store, then that computer could do the verifying. Might be a little slower, but would probably be a lot more secure.

        Target's communication with CC Networks (Visa, MC, Disc, Amex) doesn't need to go over the internet. They either connect to a Front End Processor (FEP) via a private network, function as their own FEP with direct links to the Networks, or own their own FEP as a subsidiary company. As big as they are, I'd expect it to be one of the latter two. While working for a Merchant Acquirer/Gateway that wanted to become a FEP, our expensive ($10k/mo) test connection with MC was a direct private link and obviously encryp

    • Comment removed based on user account deletion
      • by girlintraining ( 1395911 ) on Thursday December 19, 2013 @02:36AM (#45733709)

        I thought PCI Compliance was supposed to take care of that per defining the standards in network security for POS (Point of Sales) systems?

        It did. The article's scenario is a lie. Let me ask you how likely it is that, during the busiest day of the year for this retailer, with thousands of people jammed into long lines, in the one place where there are at least two high resolution cameras pointed at each terminal, a single person or group of persons, could plant multiple devices at multiple stores, within a short period of time, and then remove them after, without leaving any photographic or forensic evidence.

        Because guys, that's the story that law enforcement, in collusion with the company, has released to the general public. So yes, this is bona fide conspiracy theory. But it's credible because 1. It only takes a small number of people to keep the secret: Target's senior management and information security, and select law enforcement offices. 2. They all have motivations for doing so -- law enforcement is doubtless aware that releasing true details of the crime would (a) expose a weakness in a Fortune 100 company that, besides processing credit card payments, also maintains personal health data at these locations (Pharmacy). The damage to the company, and indeed the country's economy, would be far in excess of the damage to individual creditors accounts. It makes sense to lie about it. And this story doesn't have to hold forever -- in a few months, when everyone has forgotten about it, the truth will emerge in a court filing when they bring the people responsible up on charges.

        Now, all that said -- here's the more likely scenario, which is based on my short employment with this corporation: They hacked their wifi. Unfortunately, Target has repeatedly opted to silence, or even fire, people who object to their security policy, so I do not feel bad about making this public. Target is run by morons -- big surprise, it's a large corporation. Anyone who's worked in IT will have similar experiences -- it's hardly just Target. In this case, they allow full access to any server within their corporate network at each retail location, isolated only by primitive subnet routing to delineate what is and isn't allowed through the choke router. And that's it. Once you're logged into the network anywhere, it's a flat network topology and you can easily make contact with any other node on the network. Every store has multiple wifi routers, and while they do change the keys on a regular basis, it's not all the keys, and not on all the routers -- specifically, they use an inventory-management system within the stores (Those bulky "guns" you see the red shirts carrying) which depends on wifi.

        There have been breaches to the network in the past through its wireless access points. These are not generally known to the public, but they have happened, and it has resulted in a number of security problems. Besides the customer's credit card data being stored on POS systems which are booted off DHCP to embedded windows, there's also the IP-based cameras. There are an average of 20 or so at each store, and they use an embedded webserver in each of them, which stream to a central source. The password for the approximately 42,000 devices is the same on each, and is not changed often, if ever, because the firmware lacks the ability to change the password programmatically; there's no admin console. Besides the fact that many of these cameras have zoom and rotate features, and some have been known to be installed in positions where rotating the view can show the customers in the changing rooms... they're of sufficiently high quality that you can see the PINs people enter at the POS systems. The cash room, where the money is counted down at the end of every shift, is secured, but also has a camera in it. It's not hard to imagine someone with access to the cameras spying on the managers to acquire their passwords. And that's not even the creepy part: Target has installed ANPR-capable cameras i

        • by ruir ( 2709173 )
          You are spot on sir. And this is why at my bank, I always have refused their multiple suggestions to do Internet banking. I tell them flatly I work in the field, and know how weak the process is.
        • @girlintraining:

          Very, very interesting. My only observation would be that the police would be likely to accept what Target told them; I wouldn't think there is active collusion between them.

          But if we accept the premise that this is a coverup, I have a rather pertinent question.

          I don't shop at Target stores. I don't like them. But sometimes, my wife and I *do* use their online site. During the dates in question, we may have sent a Target gift card (via said Website) to a family member.

          If this is a coverup, i

          • by torkus ( 1133985 )

            FBI will do the actual investigating here. The po-po are just the unwitting hacks who get face time.

            Protip: your information is always at risk. Social engineering, datamining, and a myriad of other techniques make it all out in the open. What you can do is try to *limit* that risk. Credit protection or locking your credit checks is one. Unique passwords is another. A really helpful thing is watching how you answer security questions - never use REAL information. I hope everyone realizes how easy it

        • here's the more likely scenario: They hacked their wifi

          Let's say they did hack or otherwise gain access to the wifi. Shouldn't a credit card transaction be encrypted over SSL/TLS?

        • Because guys, that's the story that law enforcement, in collusion with the company, has released to the general public.

          Where, exactly, was this story released to the public? I've read two articles on the subject, neither of them say that anyone has made any such claims whatsoever. Target's press release [target.com] certainly makes no such claims. All they've said is that they've fixed the immediate problem and they're hiring a forensics company to figure out how it happened.

        • by Nethead ( 1563 )

          I can verify that GIT is correct. I've done POS refreshes, Pharm terminal installs and general field tech work at Targets. Their helpdesk is Compucare and trouble tickets come through Telaid.

        • by Havokmon ( 89874 )
          Those protocols are there to protect the vendors, not you.

          Of course they are, they're meant to protect the Card Issuers. Having implemented PCI at a credit card processor, I'm not even sure it applies to debit transactions - and it surely doesn't apply to private label cards.

          If you want to be protected as a card holder, use CREDIT not DEBIT. Credit card transactions are protected by Visa/MC regulations - you as the user are not liable for ANY loss. If you use debit, you are subject to your banks regul

          • by torkus ( 1133985 )

            Retail and almost any large scale enterprise are going to have many things in common. At the end of the day it's large-scale, lowest-cost that affords security. Add in senior management having 'great ideas' or a vendor selling some 'amazing product' ... you get the idea. The store manager insists on using an XYZ tablet instead of his company-issued 'portable desktop' so he gets an exclusion from half the security measures. And of course forgets the tablet almost every time he walks through the store...e

      • NBC report [nbcnews.com] that, according to Target, the data includes CVV information. Is this even stored on the magnetic strip? I thought it was kept separate for this very reason.

        • by Anonymous Coward on Thursday December 19, 2013 @11:14AM (#45736185)

          CVV is on the magnetic strip.

          CVV2 is only printed on the card.

          Do not confuse them. One of them is used to validate a swiped transaction, one is used to validate a keyed transaction. Any transaction that has both is invalid. A transaction that has neither is ripe for an audit.

          • Thank you for that reminder. It's been a while since I worked with this stuff, and your answer makes the statement from Target clearer.
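Worked example for two points raised above: E-Rock's suggestion that egress filtering should block or alert when card data leaves the payment segment, and the CVV/CVV2 exchange just above (CVV/CVC1 rides in the discretionary data of the magnetic stripe, CVV2 is only printed on the card). This is added code, not from the thread, from Target or from any PCI tool; it parses ISO 7813-style Track 1/Track 2 strings, validates PANs with the Luhn check, and classifies constructed outbound payloads the way an egress monitor would. Every sample payload is constructed, and 4111 1111 1111 1111 is a well-known test PAN that passes Luhn but belongs to no account.

```python
"""Magstripe track parsing, Luhn validation and an egress scan for card data.

Added example for this thread, not code from the original page, from Target,
or from any PCI tooling. Every input below is constructed; the card number
4111 1111 1111 1111 is a well-known test PAN that is Luhn-valid but unissued.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Track 2: ;PAN=YYMM SSS <discretionary data>?   (ISO/IEC 7813 layout)
# Track 1: %B PAN ^ NAME ^ YYMM SSS <discretionary data>?
# On a real card the CVV/CVC1 sits inside the discretionary data, which is
# why a swipe capture yields it, while CVV2 is only printed on the plastic.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})([^?]*)\?")
TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Bare PAN candidates: 13..19 digits, optional single space/dash separators.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: filters most random digit runs out of PAN scans."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str    # e.g. 101 = international, no restrictions
    discretionary: str   # issuer-defined; CVV/CVC1 lives here on real cards


def parse_track2(raw: str) -> Optional[Track2]:
    """Parse a Track 2 string; None if malformed or the PAN fails Luhn."""
    m = TRACK2_RE.fullmatch(raw)
    if m is None:
        return None
    pan, exp, svc, disc = m.groups()
    if not luhn_ok(pan):
        return None
    return Track2(pan, exp, svc, disc)


def mask(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    d = "".join(c for c in pan if c.isdigit())
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


@dataclass
class Finding:
    kind: str    # "track1", "track2" or "pan"
    masked: str


def scan_egress(payload: str) -> List[Finding]:
    """Inspect one outbound payload for raw track data or bare PANs.

    Track data is reported first and blanked out, so the bare-PAN pass does
    not double-count the PAN or mis-report the discretionary digits.
    """
    findings: List[Finding] = []
    redacted = payload
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(payload):
            findings.append(Finding(kind, mask(m.group(1))))
            redacted = redacted.replace(m.group(0), "#" * len(m.group(0)))
    for m in PAN_RE.finditer(redacted):
        if luhn_ok(m.group(0)):
            findings.append(Finding("pan", mask(m.group(0))))
    return findings


def verdict(payload: str) -> str:
    """'block' on raw track data, 'alert' on bare PANs, else 'allow'."""
    found = scan_egress(payload)
    if any(f.kind.startswith("track") for f in found):
        return "block"
    return "alert" if found else "allow"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "dump": "POST /up HTTP/1.1\r\n\r\n%B4111111111111111^DOE/JOHN^25121011234567?"
            ";4111111111111111=2512101123456789?",
    "keyed": "card=4111-1111-1111-1111&exp=1225&cvv2=123",
    "clean": "order_id=2013121900042&total=49.99",
}

if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(name, verdict(p), [(f.kind, f.masked) for f in scan_egress(p)])
```

The "clean" sample shows why the Luhn pass matters: a 13-digit order number matches the bare-PAN pattern but fails mod-10, so it does not raise an alert; the "dump" sample shows that track sentinels (`%B`, `;`, `=`, `?`) are a far stronger signal than any digit run and deserve a block rather than a mere alert.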

    • by AK Marc ( 707885 )
      They do direct-authorization. The two common ways of doing that are having an analogue line per terminal and every terminal dial in. You remember hearing the dial in sounds for cards, right? That takes 20 seconds per card, and more if it has trouble (and is prone to trouble). Or, you have it connect to the same database, but over a VPN or private network. VPNs are cheaper, so more common. sub-5 second authorization. More reliable. The Internet wins. But that doesn't excuse lax physical security of
      • by Cramer ( 69040 )

        It almost always takes more than 20sec. And it requires a real (circuit switched) phone line. For small retailers, this works. For a big chain store, with dozens of lanes, individually processing each CC transaction would be complete murder; no one is going to wait even 30s for a CC authorization these days. How long did your last CC purchase take? Under 5s? Now imagine standing there for 45s.

    • by blincoln ( 592401 ) on Thursday December 19, 2013 @01:41AM (#45733477) Homepage Journal

      Who said anything about these devices being compromised by an attack from the internet? There are all sorts of ways to attack them indirectly:

      - Compromise the system that manages them, then use that management system to push out compromised firmware or OS updates (depending on the device type - the newer payment terminals are often little Linux machines).
      - Compromise the POS registers and capture the data there instead of directly on the terminals.
      - Compromise the centralized back-end systems that Target uses for payment authorization. PCI-compliant retailers aren't supposed to capture full track data from the cards, but it might be possible to enable some sort of legacy mode that does just that.
      - Compromise the network devices (routers, etc.) that the data is transmitted over. PCI only requires network-level encryption for transmission over untrusted networks, not internal corporate networks.

      Etc. etc. Magnetic-stripe cards are a security nightmare, and everything that retailers do related to them is just a band-aid. We (the US) need to move to systems that use one-time codes - like chip-and-PIN - like the entire rest of the world is either in the process of doing or has done already.

      • EMV Chip cards are being issued in the US now. The major processors are pushing to move liability of charges to the retailer starting in 2015 for mag stripe transactions. The only problem is that US based processors aren't going for the full "chip and PIN", but "chip and signature". The EMV terminals will have a PIN pad, so hopefully card issuers will give the option of PIN security to those that want it.
    • by wiredog ( 43288 )

      Apparently you don't realize that not every network is part of the public internet.

    • by Havokmon ( 89874 )

      You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

      Will they ever learn?

      So you think they were able to access card readers, and NOT plant a 3g device on the same network?

    • by mcgrew ( 92797 ) *

      Not connecting them to the internet wouldn't have helped. From what I heard on TV, the card readers themselves were physically compromised. It looks to me like a large criminal organization has infiltrated Target's employee ranks.

  • Chip and Pin (Score:5, Interesting)

    by the eric conspiracy ( 20178 ) on Thursday December 19, 2013 @12:51AM (#45733291)

    You would think that these breaches would get the US to update its security practices.

    1. Chip and Pin credit cards.
    2. Separate authentication and authorization in the SS system.

    • Re:Chip and Pin (Score:5, Insightful)

      by Tanktalus ( 794810 ) on Thursday December 19, 2013 @01:02AM (#45733329) Journal

      Why do you think chip and pin would be an update to security practices? We've had that discussion before. Multiple times. [slashdot.org] It's more security theatre, and I doubt that this attack would have been much more difficult to co-ordinate with chip/pin cards.

      • And my other link got squashed. Another time chip-and-pin was discussed here. [slashdot.org]

      • Re:Chip and Pin (Score:5, Informative)

        by Mashiki ( 184564 ) <mashiki&gmail,com> on Thursday December 19, 2013 @01:51AM (#45733517) Homepage

        Considering you need the PIN for it to work, it becomes a bit more difficult. And it's either going to be 4 or 6 numbers long, so unless at every terminal they're recording the PIN, you're talking about brute forcing all known PINs against the card. Most cards lock after 5 failed attempts, plus at least with the Interac system here in Canada, if the other side doesn't authorize the PIN, the chip doesn't authorize the PIN you get squat.

        It's massively cut down on the bank card, and CC fraud we've been dealing with up here. I'm sure it'll be an arms race again in a few years, but right now it is an improvement in security albeit a small one.

        • by mcgrew ( 92797 ) *

          Considering that (TFA didn't mention but GMA did) the readers themselves were what was compromised, a PIN wouldn't have helped at all.

      • Re:Chip and Pin (Score:5, Informative)

        by blincoln ( 592401 ) on Thursday December 19, 2013 @01:56AM (#45733537) Homepage Journal

        Chip-and-PIN isn't perfect, but it's about a thousand times better than the archaic mag-stripe cards that are still in use in the US.

        Mag-stripe cards are a relic of 30-40 years or more ago - similar to social security numbers - where your identification is the same as your authentication. It's a "secret name"-type system where as soon as you tell someone what your account number is, they can do whatever they want with it.

        Mag-stripe cards can be cloned easily with a ~$100 reader/encoder that you can order from China on eBay (I have one - it's pretty neat). All you need to do is swipe the card through it once (or through a cheap reader, which you save the data from and then write to a card using the bulkier encoder later). AFAIK with Chip-and-PIN, you would need a lot more time with the card, some expensive hardware, and some reverse-engineering skills instead of just click-the-copy-button skills.

        Also, AFAIK, with Chip-and-PIN, you can't clone the card solely by intercepting network or device-to-device traffic. You have to compromise the reader itself. If you can intercept unencrypted network traffic from a mag-stripe transaction, then at a minimum you've got everything you need to use that card fraudulently online, and depending on how bad the system is that's involved, you probably have everything you need to create a full clone of the card.
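To make the distinction in the comment above concrete (swiped data is a reusable credential; a chip cryptogram is bound to one transaction), here is an added toy model. It is not code from the thread and it is not EMV's actual mechanism: EMV derives 3DES/AES session keys and computes a CBC-MAC over a defined list of fields, whereas HMAC-SHA256 stands in for that here. The issuer master key, PAN, amounts and terminal nonces are all constructed.

```python
"""Static (magstripe) vs dynamic (chip) card authentication, as a toy model.

Added example for this thread. It is NOT EMV's real key derivation or
cryptogram algorithm (EMV derives 3DES/AES session keys and computes a
CBC-MAC over a defined list of transaction fields); HMAC-SHA256 stands in
for that here. The master key, PAN, amounts and terminal nonces are all
constructed values.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

ISSUER_MASTER_KEY = b"constructed-issuer-master-key-do-not-reuse"


def derive_card_key(pan: str, seq: str) -> bytes:
    """Card-unique key diversified from the issuer master key (toy scheme)."""
    return hmac.new(ISSUER_MASTER_KEY, f"{pan}:{seq}".encode(),
                    hashlib.sha256).digest()


def tx_bytes(pan: str, atc: int, amount_cents: int, un: str) -> bytes:
    """Fields the cryptogram binds: card, transaction counter, amount and
    the terminal's unpredictable number (UN)."""
    return f"{pan}|{atc}|{amount_cents}|{un}".encode()


@dataclass
class ChipCard:
    pan: str
    seq: str = "01"
    atc: int = 0  # application transaction counter, increments every use

    def cryptogram(self, amount_cents: int, un: str) -> Tuple[int, str]:
        """Return (atc, mac) for one transaction; the mac is single-use."""
        self.atc += 1
        key = derive_card_key(self.pan, self.seq)
        mac = hmac.new(key, tx_bytes(self.pan, self.atc, amount_cents, un),
                       hashlib.sha256).hexdigest()[:16]
        return self.atc, mac


@dataclass
class Issuer:
    known_pans: Set[str] = field(default_factory=set)
    last_atc: Dict[str, int] = field(default_factory=dict)

    def authorize_static(self, pan: str) -> bool:
        """Magstripe model: the swiped data *is* the credential, so anything
        that captured it once can present it again."""
        return pan in self.known_pans

    def authorize_chip(self, pan: str, seq: str, atc: int,
                       amount_cents: int, un: str, mac: str) -> bool:
        """Dynamic model: recompute the mac under the card's key and refuse
        any counter value already seen for this PAN."""
        if pan not in self.known_pans:
            return False
        expected = hmac.new(derive_card_key(pan, seq),
                            tx_bytes(pan, atc, amount_cents, un),
                            hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, mac):
            return False
        if atc <= self.last_atc.get(pan, 0):
            return False  # exact replay of an earlier cryptogram
        self.last_atc[pan] = atc
        return True


def demo() -> Dict[str, bool]:
    """Run the same interception against both models; returns the outcomes."""
    pan = "4111111111111111"  # well-known test PAN, not a real account
    issuer = Issuer(known_pans={pan})
    card = ChipCard(pan)

    # 1. Magstripe: a tap on the wire captures the PAN; replay is accepted.
    captured_pan = pan
    magstripe_replay = issuer.authorize_static(captured_pan)

    # 2. Chip: genuine purchase at terminal 1 with its own UN.
    un1, amt1 = "A1B2C3D4", 4999
    atc1, mac1 = card.cryptogram(amt1, un1)
    chip_genuine = issuer.authorize_chip(pan, "01", atc1, amt1, un1, mac1)

    # 3. Attacker replays the captured cryptogram verbatim: ATC already used.
    chip_replay = issuer.authorize_chip(pan, "01", atc1, amt1, un1, mac1)

    # 4. Attacker reuses the captured mac at another terminal: UN and
    #    amount differ, so the mac does not verify.
    chip_reuse = issuer.authorize_chip(pan, "01", atc1 + 1, 12000,
                                       "9F8E7D6C", mac1)

    return {
        "magstripe_replay": magstripe_replay,  # True: the weakness
        "chip_genuine": chip_genuine,          # True
        "chip_replay": chip_replay,            # False
        "chip_reuse_other_tx": chip_reuse,     # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The two checks in `authorize_chip` correspond to the two reasons a sniffed chip transaction is not reusable: the MAC is keyed with a secret that never leaves the card, so it cannot be recomputed for a new amount or terminal nonce, and the monotonically increasing counter lets the issuer refuse the one cryptogram the attacker did see. The model deliberately leaves out offline data authentication, PIN verification and issuer scripts.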

        • Re:Chip and Pin (Score:5, Interesting)

          by IamTheRealMike ( 537420 ) on Thursday December 19, 2013 @04:26AM (#45734051)

          AFAIK with Chip-and-PIN, you would need a lot more time with the card, some expensive hardware, and some reverse-engineering skills instead of just click-the-copy-button skills.

          Actually it's better than that. Nobody knows how hard it is to clone an EMV card because I'm pretty sure it's never been done (by the non-banking industry). All the attacks on EMV that have been mounted are things like obscure protocol attacks that could be detected by the bank, attacks on very old first generation cards that didn't have CPUs inside them, attacks on weak random number generators inside ATMs and the other sorts of attacks you'd expect to see on an enormous and widely deployed cryptographic system. There have been a few amusingly convoluted social engineering schemes as well.

          Some say EMV is the largest crypto system in history, larger even than SSL, and that would not surprise me. But what nobody has reported so far is cloned cards (at least not cloned DDA cards which is what most of the industry is using now for some time already).

          The idea that EMV is broken or security theater is an idea pushed by exactly one group, AFAIK, the research group at Cambridge. They've done great work researching flaws in the system and ensuring public sector bug research keeps up with the criminal worlds research, but they also love making dramatic press releases and getting their names on TV, so every time they discover a new (invariably patchable) weakness, they declare it's game over and the entire system is worthless. Not so.

          • by makomk ( 752139 )

            In practice, those obscure protocol attacks that could be detected by the bank weren't detected by the bank - they didn't bother looking for them and deleted the logs which would indicate if they were used. Some people in the UK had fraudulent transactions that were likely caused by this attack being used in the wild (in fact that's why researchers went looking for it in the first place), but the customers ended up liable for them because they couldn't prove it since the bank had deleted the logs.

            • If you're thinking of the RNG thing, actually some banks did still have the logs which is why they were able to identify the problem in the first place. But yes not all banks are so careful.

              Don't get me wrong. It's good that people research EMV, and the task isn't easy. I respect the Cambridge team for that reason. But when they talk to the media or about their work in general, they act as if friendly fraud doesn't exist and EMV is just one giant scam by banks. That's ridiculous. "Friendly fraud" (that's th

      • by gl4ss ( 559668 )

        it's harder to copy the chip.

        certainly harder to do it whilst maintaining a normal transaction happening.

        but in usa, all you need is the magstripe. then you can buy shit with it. just go to a pharmacy and load up on whatever and use the self-checkout counter and scribble something on the touchscreen joke signature area...

        • by jedidiah ( 1196 )

          In an attack of this kind, the mag stripe is likely entirely irrelevant. So it doesn't matter what security features are embedded in the card. Sooner or later, the card is going to have to be verified against a remote system and everything you need is going to be pure information past that point.

          Same goes for those stupid electronic signatures.

          Perhaps the greatest aid to counterfeiting ever.

  • Inside job (Score:5, Insightful)

    by Spy Handler ( 822350 ) on Thursday December 19, 2013 @12:52AM (#45733293) Homepage Journal

    Extremely unlikely that something of this scale and magnitude could've been done without inside help. This is not like the guys who put a card skimmer on the gas pump at the corner gas station.

    IT admins at Target are probably getting grilled by FBI as we speak.

    • I disagree. It's certainly possible that there was inside help, but I think it's a lot more likely someone compromised a system in Target's corporate offices and used it to pivot to capturing the data in question.

    • by ruir ( 2709173 )
      You are assuming they are not such misers as to maintain and pay proper IT admins...
      • Target appears to be a massive H1B user, at least based on the people I see streaming in and out of their office buildings. So I'm not sure that paying for proper IT admins is part of their business plan.

        • by cdrudge ( 68377 )

          Target appears to be a massive H1B user

          Please state which Fortune 100 (or even 500) doesn't hire a significant number of H1B workers. Or for that matter, why it needs to be an incompetent H1B worker and not an incompetent US citizen if it even was incompetency.

          • by swb ( 14022 )

            Please explain how a desire to suppress wages and import cheap workers leads you to the conclusion that competency is the principal value of Target hiring and IT systems.

  • by sandytaru ( 1158959 ) on Thursday December 19, 2013 @01:04AM (#45733339) Journal
    I only paid cash because it was such a trivial amount - under ten dollars - but I should make a point of doing it more often. I've been a victim of this before, when they targeted Office Max several years ago. Wiped out $1300 from my checking account. Thankfully, Wachovia's fraud department paid back every penny, including overdraft fees, but it was just awful for that month it took to get resolved to have to borrow money to pay bills since I didn't have a credit card.
    • That's why prepaid credit cards are better than debit cards if you have no regular credit card. They reduce potential damage by not being linked to your bank account. My regular card isn't paid by automatic draft either, and my PayPal account links to a small, separate bank account I keep for that purpose.

    • Wiped out $1300 from my checking account. Thankfully, Wachovia's fraud department paid back every penny, including overdraft fees, but it was just awful for that month it took to get resolved to have to borrow money to pay bills since I didn't have a credit card.

      Which is exactly why you should get and use a credit card if you can. I have had credit card fraud on my card of over $3k. Impact to me: nothing (well, I did have to fill in a form stating that the items on the statement were fraudulent).

      • I do now - just one, a Delta AmEx that I'm using at every opportunity to get crazy amounts of frequent flier miles.
    • You should have switched to a better bank, or rather a decent credit union. When this happened to me, Navy Federal Credit Union returned all the funds to my account within four hours.

      • Well, Wachovia was eventually eaten by Wells Fargo. They did return my money after about two weeks - it just took going through their fraud investigation stuff.
    • by McKing ( 1017 )
      This is why I have 2 checking accounts: one for paying bills and one for daily spending. I direct deposit my paycheck in the billpay account, pay all of my month's bills at the beginning of the month, and then as I need to spend money I transfer the amount from billpay to spending and use my debit card. This way there is only like $20 in the spending account (for emergencies like gas or something) and if someone gets my card then they can't spend up my entire paycheck at once.
  • so has Walmart, etc. no cash-register software is secure.
    • by ruir ( 2709173 )
      The problem is not the software per se, but that everyone and his dog "glues together" a network. I have seen as a consultant unbelievable things, and unfortunately, I'm not talking about pa & mom shops.
  • by cervesaebraciator ( 2352888 ) on Thursday December 19, 2013 @01:11AM (#45733357)
    the inconvenience of getting a new credit card is karma from making Target employees work on Thanksgiving and Black Friday.
  • by NixieBunny ( 859050 ) on Thursday December 19, 2013 @01:11AM (#45733367) Homepage
    The last time I went there, last week, the credit card reader machine was new. I don't know when it went in, as I hadn't been there for a month or two before that.

    This must mean something, or not.

  • by Anonymous Coward

    I went into a Target a couple years ago to buy a copy of GTA IV, and they insisted on scanning the barcode off the back of my driver's license. I refused to allow them to scan my driver's license, and they refused to sell me the game. (I'm 50 years old and with a grey beard, so it wasn't to be sure that I was old enough.) I haven't been into a Target since, so this story is no problem for me! :)

    • Re: (Score:2, Funny)

      by ruir ( 2709173 )
      You were buying a terrorist training kit, what do you expect? Glad you told them to sod off, we need more people like you.
    • by tlhIngan ( 30335 )

      I went into a Target a couple years ago to buy a copy of GTA IV, and they insisted on scanning the barcode off the back of my driver's license. I refused to allow them to scan my driver's license, and they refused to sell me the game. (I'm 50 years old and with a grey beard, so it wasn't to be sure that I was old enough.) I haven't been into a Target since, so this story is no problem for me! :)

      It doesn't matter these days - a lot of stores end up with policies of "we card everyone" even if you're definitel

  • I don't believe you could resist the headline:

    Target Hit by Credit Card Breach

  • National Public Radio (http://www.npr.org/blogs/thetwo-way/2013/12/19/255415230/breach-at-target-stores-may-affect-40-million-card-accounts) says that the story was first reported by Brian Krebs, who writes the "Krebs on Security" blog. (http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/)

    NPR and other news outlets are only reporting the story because Target put out a press release (http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-sto

  • of private industry doing it better than the government.

  • If the story does have the details correct, meaning their POS terminals were somehow compromised, then Target must have some type of central server that the terminals call into to see if there are software updates, because I don't see any physical way so many terminals could be compromised. With that, the terminals could be reprogrammed to first send the authorization request, but then send a second message out with all the needed information, which indicates an inside job.
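The update channel this comment describes (terminals polling a central server for software) is exactly the path a signed-release check is meant to close. The following is an added example, not code from Target or from any commenter: the release pipeline signs a small manifest with an Ed25519 key kept offline, the distribution server stores manifest, signature and image as opaque bytes and holds no key, and each terminal verifies against a public key pinned at provisioning before it parses anything. The manifest layout, the field names, the version rule and the sample image bytes are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the document the release pipeline signs (assumed layout). The
// distribution server the terminals poll stores it and the image as opaque
// bytes; it holds no key, so a compromise there cannot mint an installable update.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the image
}

// SignedUpdate is the bundle a terminal downloads.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Image        []byte
}

// Terminal pins the release public key at provisioning and tracks its version.
type Terminal struct {
	ReleaseKey ed25519.PublicKey
	Installed  int
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrDigest       = errors.New("image digest does not match manifest")
	ErrRollback     = errors.New("update is not newer than the installed version")
)

// NewReleaseKeys generates the pipeline's signing key pair (the private half
// stays offline) and the public half that gets baked into terminals.
func NewReleaseKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildUpdate is the release pipeline side: hash the image, sign the manifest.
func BuildUpdate(priv ed25519.PrivateKey, version int, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	mj, err := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Image: image}, nil
}

// Apply checks signature, then image digest, then version before the terminal
// commits anything; the manifest is only parsed once its signature is good.
func (t *Terminal) Apply(u SignedUpdate) error {
	if !ed25519.Verify(t.ReleaseKey, u.ManifestJSON, u.Signature) {
		return ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return err
	}
	sum := sha256.Sum256(u.Image)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigest
	}
	if m.Version <= t.Installed {
		return ErrRollback
	}
	t.Installed = m.Version // only now would the image be written to flash
	return nil
}

func main() {
	pub, priv, _ := NewReleaseKeys()
	term := &Terminal{ReleaseKey: pub, Installed: 1}
	good, _ := BuildUpdate(priv, 2, []byte("constructed register image v2"))
	fmt.Println("genuine v2:", term.Apply(good))

	// Same signed manifest, but the server hands out a different image.
	swapped := good
	swapped.Image = []byte("some other image")
	fmt.Println("swapped image:", term.Apply(swapped))

	// A valid but older bundle re-served after the terminal moved on.
	fmt.Println("replayed v2:", term.Apply(good))

	// A bundle signed by a key the terminal does not trust.
	_, otherPriv, _ := NewReleaseKeys()
	foreign, _ := BuildUpdate(otherPriv, 3, []byte("v3"))
	fmt.Println("foreign key:", term.Apply(foreign))
}
```

The ordering in Apply matters: the signature is checked over the raw manifest bytes before any JSON parsing, so an attacker who controls the server gets no parser surface, and the version comparison stops a still-validly-signed older build from being pushed back out after a fix ships.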

  • by ai4px ( 1244212 ) on Thursday December 19, 2013 @11:39AM (#45736539)
    I see in many of the comments that the probable method of attack was sniffing the outbound traffic... but what if the hack was embedded in a firmware update on all the cash registers? The cash register gets the CC number from the POS keypad, right?
    • by ediron2 ( 246908 )

      From what I understand (IANA PCI Expert) POS gets the card number less and less.

      Some POS magnetic heads now come with encryption literally built into the head elements. The cardswipe heads encrypt card data, then send the encrypted chunk to the card processor. The card processor sends back confirmation data. Newer systems are capable of making it so that the closest that Target gets to your data is a token that is not the card data: it can be reused by the business (adjustments, additional charges if you'
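The head-level encryption and tokenization this comment describes, and jedidiah's point earlier in the thread that everything past the card is "pure information", modelled end to end as an added example (not code from Target, any processor or any commenter). The swipe head encrypts track data before it leaves the head, the register only ever forwards ciphertext and receives a token, and the processor is the only other party with the key. `headKey` is a constructed stand-in for a factory-injected key, AES-256-GCM stands in for the per-swipe DUKPT key derivation real heads use, and the track-2 layout, token format and test PAN are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// headKey is a constructed stand-in for the key injected into the swipe head at
// manufacture and shared only with the processor. The register never holds it.
var headKey = sha256.Sum256([]byte("demo-head-key"))

func gcmFor(key [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptTrack runs inside the head: AES-256-GCM, output = nonce || ciphertext || tag.
func encryptTrack(key [32]byte, track []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, track, nil), nil
}

// decryptTrack runs at the processor; any modified byte fails the GCM tag check.
func decryptTrack(key [32]byte, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Processor is the only party besides the head that holds headKey. Its vault
// (token -> PAN) lives outside the store network.
type Processor struct{ vault map[string]string }

func NewProcessor() *Processor { return &Processor{vault: map[string]string{}} }

// Authorize decrypts the head's blob and hands back a token the merchant can
// reuse for refunds or adjustments without ever seeing the PAN.
func (p *Processor) Authorize(blob []byte) (string, error) {
	track, err := decryptTrack(headKey, blob)
	if err != nil {
		return "", err
	}
	pan := string(bytes.SplitN(track, []byte("="), 2)[0]) // track 2 layout: PAN=YYMM...
	raw := make([]byte, 8)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw)
	p.vault[token] = pan
	return token, nil
}

// ChargeToken is a later merchant-initiated charge against a stored token.
func (p *Processor) ChargeToken(token string) bool { _, ok := p.vault[token]; return ok }

// Register is the store POS. Observed records every byte that passed through
// it, which is the most any software running on the register could capture.
type Register struct {
	proc     *Processor
	Observed [][]byte
}

func (r *Register) Sale(blobFromHead []byte) (string, error) {
	r.Observed = append(r.Observed, blobFromHead)
	token, err := r.proc.Authorize(blobFromHead)
	if err != nil {
		return "", err
	}
	r.Observed = append(r.Observed, []byte(token))
	return token, nil
}

// RegisterSawPAN reports whether the PAN appears in anything the register handled.
func RegisterSawPAN(r *Register, pan string) bool {
	for _, item := range r.Observed {
		if bytes.Contains(item, []byte(pan)) {
			return true
		}
	}
	return false
}
```

To exercise it, call `encryptTrack(headKey, ...)` for the head, pass the blob to `Register.Sale`, and then check `RegisterSawPAN`: the register's entire view of the transaction is the opaque blob and the token, and a blob altered anywhere on the store network is rejected by the processor's tag check rather than decrypted.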

  • Naughty, naughty, Amazon
