Target and Trustwave Sued Over Credit Card Breach
jfruh (300774) writes "Security vendors like Trustwave can make big bucks when major companies decide they don't have the internal resources to handle their cybersecurity needs. Unfortunately, when taking on security chores, you also take on security liabilities. In the wake of Target's massive credit card security breach, both Target and Trustwave are now on the receiving end of a class action lawsuit, in part backed by banks that had to issue thousands of new credit cards."
The filing, and a bit more from El Reg: "It's against Target, however, that the most serious allegations are levelled. The class action, led by Trustmark National Bank and Green Bank, says the retailer should not have allowed an outside contractor the access to its network that brought about the breach, and that it violated federal and state laws in storing the credit card data on its network."
Sad to see it takes a lawsuit ... (Score:5, Insightful)
... for companies to get their shit together about their lax security policies.
It is too bad temp credit cards (1-time use, 3-time use) aren't more practical.
Re:Sad to see it takes a lawsuit ... (Score:5, Informative)
AMEX used to provide this for on-line purchases. Alas, they discontinued it about 7 or 8 years ago.
Re: (Score:2)
The context is a little different in that case though. If no one is around, and you can visibly see that, no one gets hurt if you blow through the stop.
In Target's case, vulnerabilities were found, were reported, were ignored, and then thousands of people's personal financial information are open to be abused.
Re: (Score:3)
In Target's case, vulnerabilities were found, were reported, were ignored,
In Target's case the intrusion was found, automatically reported, and ignored, weeks before the actual theft of CC numbers.
This has all the makings of a "gross negligence" tort, which is the criminal justice system for corporations.
Re: (Score:2)
Thanks for the clarification.
Re: (Score:2)
Watch drivers at a stop sign in the middle of nowhere. Way too many will roll the stop sign - if they don't just blow right through it.
Middle of nowhere? I see it in the middle of town all the time. Worse yet, it's pretty frequent to see the cops do it, too (lights/siren off).
Re: (Score:2)
No kidding. I can't count how many times I've been proceeding through a green light on a road and the idiot coming to the red light is half way into the intersection to turn right before he turns to look to see if there's any oncoming traffic.
I can't even begin to understand how "I'll decide if I should stop 20 feet past the stop line when I'm already in the intersection and then look" becomes the way people drive.
They half run the light to tu
Re: Sad to see it takes a lawsuit ... (Score:2)
It is sad but hopefully companies (and others) will realize that compliance with things like PCI doesn't really mean all that much, though I think it will take a few more.
Banks are responsible too (Score:5, Insightful)
Banks hold some of the responsibility too -- why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen? They claim that the merchants don't want to pay to install new credit card readers, yet only the banks have the power to force it on them (through fee penalties for those who still use magstripes, or an outright mandate requiring new scanners). Even merchants that *want* to use safer technology can't do anything to make the banks issue the new cards.
Re:Banks are responsible too (Score:4)
The banks ARE making moves here.
All card terminals in the US need to accept chip & PIN by 2015 because the banks will be mandating it. It's coming like a tidal wave and US retailers are turning a blind eye, hopefully the banks and Visa/MC hold steadfast in the requirement.
It should be embarrassing to the USA that every single other OECD nation on the planet switched to Chip & PIN 5-10 years ago. The USA does not always HAVE to be different. Sometimes going with the flow is the more intelligent choice.
Re:Banks are responsible too (Score:5, Interesting)
Not precisely correct.
Chip & pin is coming. It's not mandatory on merchants (yet), but if fraud is indicated, the merchant failed to have a chip terminal, and the customer has a chipped card, the merchant will lose the chargeback automatically.
Liability shift, will now be on one of two entities.
The merchant, for not having the terminal, or the consumer, for not protecting their pin.
the liability also shifts almost 100% OFF the card issuing bank....
(the real reason)
Re: (Score:3)
.. and all customers will have chipped cards by October.
Re: (Score:2, Interesting)
All this despite the fact that chip+pin is just as vulnerable as swipe+sign, and nobody here wants it except the banks.
Putting the liability on anyone other than the bank is just bullshit, and I, for one, will refuse to support it for as long as I possibly can. Here's why:
The merchant and the buyer don't know each other. The bank knows the buyer. The bank knows the merchant. Thus the bank is the only one qualified to authorize the transaction. If either of the other parties says that the agreement was not u
Re: (Score:2)
All this despite the fact that chip+pin is just as vulnerable as swipe+sign, and nobody here wants it except the banks.
Got a citation for that? I'm not claiming chip+pin is perfect, but it's a HELL of a lot better than a magnetic stripe you can read with a damned tape recorder head.
Re: (Score:2)
What needs to happen is end to end encryption: the card reading device needs to be a self contained device that encrypts the transaction right away and passes that information on to the credit card processing people, instead of the card data being placed on a computer in between the reader and the processing center.
Actually no. The new chip+pin cards are actually smartcards that do their own processing on the card itself. I recommend doing some research before spouting false information about the chips being glorified memory cards.
Re: (Score:2)
You're joking, right? As another poster has said, anyone with an NFC chip can read those cards.
The PayWave system is also being pushed as a single factor payment system. Did you get that? Single. Factor. Wave your card at a cash register and you've paid for your meal. Or your colleagues.
Re: (Score:2)
Chip+pin is NOT tap-to-pay. Chip+pin is the system where you have to physically insert your card into the machine (where metal contacts talk to the chip) and then enter a pin that is verified by the chip.
Tap-to-pay is a whole other system which I personally do not like and am disappointed that it is impossible to get a card without it in Canada (I've checked with multiple places).
Re: (Score:2)
Okay, fair call. My bad - I was targeting the ludicrous tap-to-pay system.
I'm fine with chip+pin, so long as it preserves two-factor authentication.
Re: (Score:2)
This simply isn't true. I just looked at a newly issued card and it doesn't have a chip. Furthermore, the one US card in my wallet that does have a chip is a chip and signature card, not chip and PIN.
Re: (Score:2)
Not precisely correct.
Chip & pin is coming. It's not mandatory on merchants (yet), but if fraud is indicated, the merchant failed to have a chip terminal, and the customer has a chipped card, the merchant will lose the chargeback automatically.
Liability shift, will now be on one of two entities.
The merchant, for not having the terminal, or the consumer, for not protecting their pin.
the liability also shifts almost 100% OFF the card issuing bank....
(the real reason)
I wonder how this will impact online payments - how will chip/pin be supported there?
Given most of my CC activity is online, I fathom this is a huge loophole to the new security structure...
Re: (Score:2, Insightful)
Speaking as a Canadian with chip&pin credit cards that have been used on-line, chip & pin isn't supported.
You key your credit card number in 1 field
You key your 3 digit "security code" (printed on the back of the card) in a different field.
You don't use your personal pin anywhere on-line to purchase things ... and of course the chip doesn't come into play at all.
Re: (Score:2)
I wonder how this will impact online payments - how will chip/pin be supported there? Given most of my CC activity is online, I fathom this is a huge loophole to the new security structure...
The impact will be that the majority of CC fraud will move to online merchants.
Re: (Score:1)
Chip & pin is not the answer. The answer is a new system that has the pin pad on the card itself and only releases an authorization number that is valid for the merchant they are paying, for the amount the customer has agreed to. Such a system should work regardless of whether the merchant is online or off. The responsibility should fall on the purchaser to protect their pin. There is no good reason that stores should have to accept liability for fraudulent purchases when the financial insti
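The scheme sketched in the comment above (PIN checked on the card itself, card releasing an authorization that is only good for this merchant and this amount) is, at a high level, how a chip card's transaction cryptogram works, which is also the point the earlier reply makes about the chip doing its own processing rather than being a glorified memory card. What follows is an added Python sketch of that idea written for this edit; it is not code from the thread, from Trustwave, from Target or from any card scheme. The `Card`/`Issuer` classes, the pipe-separated message layout, the truncated HMAC-SHA256 tag, the three-try PIN counter and the merchant identifiers are all assumptions for illustration, not the EMV specification.

```python
import hashlib
import hmac
import secrets

# Added example, not from the thread: a toy card/issuer flow in which the card
# verifies the PIN on-chip and releases only a one-off cryptogram bound to
# merchant, amount, a per-card counter and the terminal's nonce.  The key,
# message layout and tag length below are simplifying assumptions.

MAC_LEN = 8  # bytes of HMAC kept as the "authorization number" (assumption)


def _pin_digest(pin: str) -> bytes:
    return hashlib.sha256(pin.encode()).digest()


def cryptogram_input(card_ref: str, atc: int, merchant_id: str,
                     amount_cents: int, nonce: str) -> bytes:
    """Canonical byte string both card and issuer MAC over (assumed layout)."""
    return f"{card_ref}|{atc}|{merchant_id}|{amount_cents}|{nonce}".encode()


class Card:
    """Simulated smartcard: the key and the PIN never leave the chip."""

    def __init__(self, card_ref: str, key: bytes, pin: str):
        self.card_ref = card_ref        # issuer-side reference, not the PAN
        self._key = key                 # shared only with the issuer
        self._pin = _pin_digest(pin)
        self.atc = 0                    # application transaction counter
        self.tries_left = 3             # PIN retry counter (assumption)

    def authorize(self, pin: str, merchant_id: str,
                  amount_cents: int, nonce: str) -> dict:
        """Check the PIN on-card, then MAC exactly this transaction."""
        if self.tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(_pin_digest(pin), self._pin):
            self.tries_left -= 1
            raise PermissionError("wrong PIN")
        self.tries_left = 3
        self.atc += 1
        msg = cryptogram_input(self.card_ref, self.atc, merchant_id,
                               amount_cents, nonce)
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()[:MAC_LEN]
        # This is all that leaves the card; it is useless for any other
        # merchant, amount, nonce or counter value.
        return {"card_ref": self.card_ref, "atc": self.atc, "mac": mac.hex()}


class Issuer:
    """Holds per-card keys and the highest counter seen, to reject replays."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue_card(self, pin: str) -> Card:
        card_ref = secrets.token_hex(4)
        key = secrets.token_bytes(32)
        self._keys[card_ref] = key
        self._last_atc[card_ref] = 0
        return Card(card_ref, key, pin)

    def verify(self, auth: dict, merchant_id: str,
               amount_cents: int, nonce: str) -> bool:
        """Recompute the tag over what the merchant claims was agreed."""
        key = self._keys.get(auth["card_ref"])
        if key is None or auth["atc"] <= self._last_atc[auth["card_ref"]]:
            return False  # unknown card, or a replayed counter value
        msg = cryptogram_input(auth["card_ref"], auth["atc"], merchant_id,
                               amount_cents, nonce)
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN].hex()
        if not hmac.compare_digest(expected, auth["mac"]):
            return False  # merchant, amount or nonce differ from what the card signed
        self._last_atc[auth["card_ref"]] = auth["atc"]
        return True


def run_demo() -> dict:
    """Exercise the cases the comment cares about; returns outcome per case."""
    issuer = Issuer()
    card = issuer.issue_card(pin="4921")
    nonce = secrets.token_hex(4)  # terminal's unpredictable number
    auth = card.authorize("4921", "MERCHANT-0042", 1999, nonce)
    results = {
        "genuine": issuer.verify(auth, "MERCHANT-0042", 1999, nonce),
        "replay_same_cryptogram": issuer.verify(auth, "MERCHANT-0042", 1999, nonce),
    }
    auth2 = card.authorize("4921", "MERCHANT-0042", 1999, nonce)
    results["amount_tampered"] = issuer.verify(auth2, "MERCHANT-0042", 9999, nonce)
    results["merchant_swapped"] = issuer.verify(auth2, "MERCHANT-0099", 1999, nonce)
    results["untampered_after_attempts"] = issuer.verify(auth2, "MERCHANT-0042", 1999, nonce)
    try:
        card.authorize("0000", "MERCHANT-0042", 1, nonce)
        results["wrong_pin_rejected"] = False
    except PermissionError:
        results["wrong_pin_rejected"] = True
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:28} -> {outcome}")
```

The property the comment asks for falls out of the MAC input: a merchant who changes the amount after the fact, or who replays a captured cryptogram, gets a decline at the issuer, and a stolen dump of card data is worthless without the chip's key. What this sketch does not cover is the card-not-present case raised later in the thread, where there is no chip in the loop at all.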
Re: (Score:1)
It improves security by preventing card cloning, which is one of the key ways the US card system is defrauded. It is not "broken" in Europe, so your latter question is irrelevant. You are probably thinking of academic papers which did what academics do: probe the system for weaknesses and published their research, which often led to fixes (except when their attacks were so convoluted nobody actually does them in practice). This is common to all security systems everywhere and is one way they get better. How
Re: (Score:2)
The banks ARE making moves here.
All card terminals in the US need to accept chip & PIN by 2015 because the banks will be mandating it.
The banks are not mandating anything. The credit card networks dictate the conditions by which a merchant or a bank can participate in their system.
One issue that hampers the conversion is the replacement of the card accepting terminals. The US has retailers that have more terminals in a single region than most OECD nations. That's a lot of hardware to replace for merchants who have not been held responsible for anything that happens when they don't.
Re: (Score:1)
Unfortunately, the way the credit card companies work, most of the damage is externalized onto the merchants (via reversed charges) and ultimately the consumers -- via higher prices & fees. Of course, this is hardly accidental. Target is certainly guilty of lots of stupidity, but the real players won't change their ways until they really feel the pain -- the whole system is far too easy for the black players to game. So much business is depending on CC transactions, most businesses have little choice
Re: (Score:2)
Banks hold some of the responsibility too...
Ethically, yes, they do. Legally? Well, they made sure the laws didn't work that way. As for merchants not wanting to ditch magstripes, the national retailers have wanted to ditch them for a while (oddly, around the same time PCI came into existence). It's the banks dragging their feet over it. The cards cost more and there are questions about how Chip and PIN transaction costs will work (as a swipe transaction or a PIN transaction) and what networks they will use.
Re: (Score:2)
Target doesn't want to ditch the magstripe. They do incredible amounts of data mining based off of data on the magstripe.
See: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did [forbes.com].
Chip-and-Pin doesn't provide magstripe data to Target. Target can't build its demographic data. That's going to hurt sales.
Re: (Score:3)
Target doesn't want to ditch the magstripe. They do incredible amounts of data mining based off of data on the magstripe.
See: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did [forbes.com].
Chip-and-Pin doesn't provide magstripe data to Target. Target can't build its demographic data. That's going to hurt sales.
If that's the case, they'll just have to do it the old fashioned way -- with affinity cards "Swipe your TargetPoints card and save $$$!".
It's not necessarily the case that chip-and-pin removes the ability for merchants to do customer tracking -- just because the card number is encrypted and protected doesn't mean that no unique identifying information is sent in the clear to let a merchant recognize a returning customer.
Re: (Score:2)
The readers cost $1000 in NZ. Probably $500 in the US. If your small business can't afford that, it probably can't afford the stock to sell either, making the whole point moot.
Re: (Score:2)
Erm, banks are issuing cards with 2010's era paywave right now, and it's a major step backwards in security. We've gone from two-factor (swipe and PIN) to single-factor wave. Nothing safe about it.
Re: (Score:2)
Banks hold some of the responsibility too -- why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen? They claim that the merchants don't want to pay to install new credit card readers, yet only the banks have the power to force it on them (through fee penalties for those still use magstripes, or an outright mandate requiring new scanners). Even merchants that *want* to use safer technology can't do anything to make the banks issue the new cards.
I hate to break it to you, but brand new cards are coming out with NFC technology (Paywave and Paypass) that is even easier to steal your card details from than the magstripe.
Magstripes aren't a huge security flaw because they require physical access to the card (and yes, the card holder should be responsible for the card's physical security), but NFC allows card details to be stolen wirelessly, so even if the user is taking all due care to physically protect the card, the details can still be stolen.
Re: (Score:2)
why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen?
Do you have shares in a card-chipping business?
SSDD (Score:4, Insightful)
Mandatory arbitration? (Score:2)
I would not be surprised if Target's credit card purchasing process mandates that all disputes must be arbitrated.
SCOTUS has consistently ruled that these mandates are legal and binding.
Re: (Score:2)
"We're so sorry we allowed your credit card to be used to facilitate theft. Fortunately the arbitrator has come up with an equitable payment; a Jelly of the Month Club membership. It's the gift that keeps on giving."
Re: (Score:2)
Groan...
Re:Mandatory arbitration? (Score:4, Insightful)
I would have thought a coupon for a free pizza and a drink would have been enough. It's not like Target blew up a town, they just lost some CC#s. On second thought, maybe just a free drink with your next purchase.
Re: (Score:2)
That sounds like something Target's customers might have agreed(*) to. But the banks? If they didn't sign(*) the agreement, then I don't know how they'd be bound to it.
(*) I am trying to use technical jargon versions of "agreed" and "sign," not the layman's, and I might not be up-to-date on the jargon definitions. Yet if it looks like I'm saying the exact opposite of what I appear to be sayin
Re: (Score:2)
Is that even something they could do? When I use a CC in a brick and mortar store, I don't think you can claim there's a click-through agreement in place.
Though, I wouldn't put it past the lawyers to have done something like this.
However, since it's the banks filing the class action suit, and storing that stuff the way they did violated both state and federal laws .... good luck with the EULA/a
Re: (Score:2)
We are going to be seeing (and have been seeing), more and more posts like this the closer we get to midterms. They know it's ludicrous, but the more people read something (in this case the same general theme,) the less crazy it sounds and eventually some people will believe it.
As shown during the last elections, Democrats are very good at social engineering/conditioning. Look at most of the "hot" topics on this site this month and you will see a post like this.
Re: (Score:2)
You do realize, don't you, that Target associates itself more with the left wing, and that lots of their customers got upset when they found Target donated money to Republicans?
Sad that it might take a lawsuit... (Score:2)
I wish there were better ways of reporting broken sites. I just tried to inform quicksilver.com that their SSL was messed up, but they told me to reset my cookies. Lol.
How do you report something like this, if their own "support" is either ignorant or not prepared to deal with these issues? Obviously, someone at Target knew of the problems, but couldn't get upper management to listen.
Re: (Score:2)
If you're a customer, you call up and cancel and tell them that since they seem to be unqualified to do security, you are no longer willing to use them.
If you're not a customer, make sure you can't be brought up on charges of "hacking" their stuff which was secured by chimps and move on.
You don't. (Score:2)
You don't.
And you don't leave ANY trails showing that you knew about it.
It's too easy for them to drag YOU into court on "hacking" charges.
They'll be looking for ways to cover their incompetency later. Do not be their victim.
Re: (Score:2)
I'm assuming your volume is small, and you don't actually get PAN details, right? Because if you did, then you wouldn't be able to get away with SAQ-A and would have to submit to actual audits, which is a whole lot harder. Target, undoubtedly, was subject to the much stricter PCI-DSS requirements, probably at level 2 or above. Major auditing. Theoretically.
Best quote I read about this (Score:2)
"...FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then ...Nothing happened."
Re: (Score:2)
"...FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then ...Nothing happened."
What is missing from this quote is not that Bangalore sent them a flagged alert, but how many alerts had Bangalore sent in the past, and how high of a priority were they? How much did Bangalore cry wolf in the past?
I am with teams from Bangalore that sent me reams and reams of "alerts". Most of these high-priority alerts were garbage. I spent 4 hours the other day tracing down a "critical" alert because a router on the other side of the world from me had not sent logs in the last 8 hours. Turns out that thi
Re: (Score:2)
I've worked for a company that used Trustwave.
I hate them.
They did NOTHING except forward
EVERY
SINGLE
ALERT
FOR
EVERY
SINGLE
SERVICE
ON
EVERY
SINGLE
SERVER
that was in scope.
I understand WHY Trustwave did that. It is so that they cannot be blamed for when YOU miss something. So you are buried in their reports.
But you do get to check off the box labelled "24/7 monitoring of all systems".
Which is why "compliance" is NOT the same thing as "security".
I don't care if it is the same fucking dictionary attack as yesterday. R
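The two complaints above (an upstream team that cries wolf, and a provider that forwards every alert for every service on every in-scope server) are the same triage problem seen from two sides: nothing is suppressed, so the one alert that matters drowns. As an added example, written for this edit and not code from the thread, from Trustwave or from any vendor, here is a small Python pass over a constructed alert feed that pages immediately on high-severity alerts, escalates the first sighting of each (rule, source, destination) fingerprint for an analyst, and rolls repeats of a known fingerprint into one digest line per window instead of a fresh ticket each time. The line format, rule names, sensor names, hosts and addresses are all made up for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample feed (not real data): one noisy SSH brute-force source
# fires every few minutes, a second source appears once, and a single
# high-severity malware callback alert sits in the middle of the noise.
SAMPLE_ALERTS = """\
2013-12-01T03:00:05Z ids01 sev=low rule=SSH_BRUTE src=203.0.113.7 dst=dmz-bastion
2013-12-01T03:05:11Z ids01 sev=low rule=SSH_BRUTE src=203.0.113.7 dst=dmz-bastion
2013-12-01T03:10:42Z ids01 sev=low rule=SSH_BRUTE src=203.0.113.7 dst=dmz-bastion
2013-12-01T03:12:19Z fe01 sev=high rule=MALWARE_CALLBACK src=10.20.30.40 dst=198.51.100.23
2013-12-01T03:15:03Z ids01 sev=low rule=SSH_BRUTE src=203.0.113.7 dst=dmz-bastion
2013-12-01T03:16:48Z ids01 sev=low rule=SSH_BRUTE src=203.0.113.9 dst=dmz-bastion
2013-12-01T04:20:00Z ids01 sev=low rule=SSH_BRUTE src=203.0.113.7 dst=dmz-bastion
2013-12-02T03:01:00Z ids01 sev=low rule=SSH_BRUTE src=203.0.113.7 dst=dmz-bastion
"""

# Assumed line layout: "<ISO timestamp> <sensor> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<kv>.*)$")


def parse_alert(line: str):
    """Return a dict of fields for one alert line, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    fields["sensor"] = m["sensor"]
    fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return fields


def fingerprint(alert: dict) -> tuple:
    """What makes two alerts 'the same attack as yesterday'."""
    return (alert["rule"], alert["src"], alert["dst"])


def triage(lines, window: timedelta = timedelta(hours=1)):
    """Collapse a raw alert stream into what an analyst should actually see.

    Returns (escalated, suppressed_count).  Each escalated entry is a
    (kind, alert) pair where kind is one of:
      PAGE   - high severity, never deduplicated
      NEW    - first sighting of this fingerprint, needs a look
      DIGEST - known fingerprint seen again after a full window; carries
               how many repeats were swallowed in the previous window
    """
    escalated = []
    suppressed = 0
    state = {}  # fingerprint -> {"window_start": ts, "suppressed": n}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        if alert.get("sev") == "high":
            escalated.append(("PAGE", alert))
            continue
        fp = fingerprint(alert)
        s = state.get(fp)
        if s is None:
            state[fp] = {"window_start": alert["ts"], "suppressed": 0}
            escalated.append(("NEW", alert))
        elif alert["ts"] - s["window_start"] >= window:
            digest = dict(alert, suppressed=s["suppressed"])
            escalated.append(("DIGEST", digest))
            state[fp] = {"window_start": alert["ts"], "suppressed": 0}
        else:
            s["suppressed"] += 1
            suppressed += 1
    return escalated, suppressed


if __name__ == "__main__":
    out, dropped = triage(SAMPLE_ALERTS.splitlines())
    for kind, a in out:
        extra = f" (swallowed {a['suppressed']})" if kind == "DIGEST" else ""
        print(f"{a['ts']:%Y-%m-%d %H:%M} {kind:6} {a['rule']} {a['src']} -> {a['dst']}{extra}")
    print(f"{dropped} repeat alerts not forwarded")
```

On the sample feed, eight raw alerts become five lines for the analyst: the first brute-force sighting, the malware page, the new source, and two digests that carry the repeat counts. The important design choice is the severity short-circuit at the top of the loop: deduplication is for noise, and a high-severity alert must never be the one that gets folded away, which is exactly the failure the FireEye quote describes.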
credit cards? (Score:1)
so, only credit cards were affected? not debit cards or American Express cards? Cool.
Wonder if TW techs read marketing's whitepaper? (Score:2)
Retailers a Top Target for Attackers in 2012, Trustwave Says
http://www.securityweek.com/re... [securityweek.com]
Re: (Score:2)
Banks are bound by a very different set of rules - they have to stick to PCI-DSS sure, but since they literally have to store credit card data...
The problem would be that Target failed to comply with PCI-DSS correctly, Trustwave verified that they were in compliance (when they were not), and many states now have laws on the books mandating PCI-DSS compliance.