
Target and Trustwave Sued Over Credit Card Breach

Posted by Unknown Lamer
from the kill-the-auditor dept.
jfruh (300774) writes "Security vendors like Trustwave can make big bucks when major companies decide they don't have the internal resources to handle their cybersecurity needs. Unfortunately, when taking on security chores, you also take on security liabilities. In the wake of Target's massive credit card security breach, both Target and Trustwave are now on the receiving end of a class action lawsuit, in part backed by banks that had to issue thousands of new credit cards." The filing, and a bit more from El Reg: "It's against Target, however, that the most serious allegations are levelled. The class action, led by Trustmark National Bank and Green Bank, says the retailer should not have allowed an outside contractor the access to its network that brought about the breach, and that it violated federal and state laws in storing the credit card data on its network."

Complaint against Trustwave by tbehme8826

  • by UnknownSoldier (67820) on Wednesday March 26, 2014 @12:46PM (#46585133)

    ... for companies to get their shit together about their lax security policies.

    It is too bad temp credit cards (1-time use, 3-time use) aren't more practical.

    • by sconeu (64226) on Wednesday March 26, 2014 @01:05PM (#46585341) Homepage Journal

AMEX used to provide this for on-line purchases. Alas, they discontinued it about 7 or 8 years ago.

    • It is sad but hopefully companies (and others) will realize that compliance with things like PCI doesn't really mean all that much, though I think it will take a few more.

  • by hawguy (1600213) on Wednesday March 26, 2014 @12:52PM (#46585201)

Banks hold some of the responsibility too -- why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen? They claim that the merchants don't want to pay to install new credit card readers, yet only the banks have the power to force it on them (through fee penalties for those still using magstripes, or an outright mandate requiring new scanners). Even merchants that *want* to use safer technology can't do anything to make the banks issue the new cards.

    • by brunes69 (86786) <slashdot@keirstea d . o rg> on Wednesday March 26, 2014 @01:11PM (#46585429) Homepage

      The banks ARE making moves here.

All card terminals in the US need to accept chip & PIN by 2015 because the banks will be mandating it. It's coming like a tidal wave and US retailers are turning a blind eye; hopefully the banks and Visa/MC hold steadfast in the requirement.

      It should be embarrassing to the USA that every single other OECD nation on the planet switched to Chip & PIN 5-10 years ago. The USA does not always HAVE to be different. Sometimes going with the flow is the more intelligent choice.

      • by way2trivial (601132) on Wednesday March 26, 2014 @01:24PM (#46585571) Homepage Journal

        Not precisely correct.

        Chip & pin is coming, it's not mandatory on merchants (yet) but if fraud is indicated and the merchant failed to have a chip terminal, and the customer has a chipped card the merchant will lose the chargeback automatically.

Liability shift will now be on one of two entities:
the merchant, for not having the terminal, or the consumer, for not protecting their PIN.

        the liability also shifts almost 100% OFF the card issuing bank....
        (the real reason)

        • by brunes69 (86786)

          .. and all customers will have chipped cards by October.

          • Re: (Score:2, Interesting)

            by Anonymous Coward

            All this despite the fact that chip+pin is just as vulnerable as swipe+sign, and nobody here wants it except the banks.

            Putting the liability on anyone other than the bank is just bullshit, and I, for one, will refuse to support it for as long as I possibly can. Here's why:

            The merchant and the buyer don't know each other. The bank knows the buyer. The bank knows the merchant. Thus the bank is the only one qualified to authorize the transaction. If either of the other parties says that the agreement was not u

            • All this despite the fact that chip+pin is just as vulnerable as swipe+sign, and nobody here wants it except the banks.

              Got a citation for that? I'm not claiming chip+pin is perfect, but it's a HELL of a lot better than a magnetic stripe you can read with a damned tape recorder head.

              • by Trogre (513942)

                You're joking, right? As another poster has said, anyone with an NFC chip can read those cards.

                The PayWave system is also being pushed as a single factor payment system. Did you get that? Single. Factor. Wave your card at a cash register and you've paid for your meal. Or your colleagues.

                • Chip+pin is NOT tap-to-pay. Chip+pin is the system where you have to physically insert your card into the machine (where metal contacts talk to the chip) and then enter a pin that is verified by the chip.

Tap-to-pay is a whole other system which I personally do not like and am disappointed that it is impossible to get a card without it in Canada (I've checked with multiple places).

                  • by Trogre (513942)

                    Okay, fair call. My bad - I was targeting the ludicrous tap-to-pay system.

                    I'm fine with chip+pin, so long as it preserves two-factor authentication.

          • by whoever57 (658626)

            .. and all customers will have chipped cards by October.

This simply isn't true. I just looked at a newly issued card and it doesn't have a chip. Furthermore, the one US card in my wallet that does have a chip is a chip and signature card. Not chip and PIN.

        • by rsborg (111459)

          Not precisely correct.

          Chip & pin is coming, it's not mandatory on merchants (yet) but if fraud is indicated and the merchant failed to have a chip terminal, and the customer has a chipped card the merchant will lose the chargeback automatically.

Liability shift will now be on one of two entities:
the merchant, for not having the terminal, or the consumer, for not protecting their PIN.

          the liability also shifts almost 100% OFF the card issuing bank....
          (the real reason)

          I wonder how this will impact online payments - how will chip/pin be supported there?
          Given most of my CC activity is online, I fathom this is a huge loophole to the new security structure...

          • Re: (Score:2, Insightful)

            by Anonymous Coward

            Speaking as a Canadian with chip&pin credit cards that have been used on-line, chip & pin isn't supported.

            You key your credit card number in 1 field
            You key your 3 digit "security code" (printed on the back of the card) in a different field.

            You don't use your personal pin anywhere on-line to purchase things ... and of course the chip doesn't come into play at all.

          • by Fnord666 (889225)

            I wonder how this will impact online payments - how will chip/pin be supported there? Given most of my CC activity is online, I fathom this is a huge loophole to the new security structure...

            The impact will be that the majority of CC fraud will move to online merchants.

        • by Anonymous Coward

Chip & pin is not the answer. The answer is a new system that has the pin pad on the card itself and only releases an authorization number that is valid for the merchant in which they are paying for the amount in which the customer has agreed to. Such a system should work regardless of whether the merchant is online or off. The responsibility should fall on the purchaser to protect their PIN. There is no good reason that stores should have to accept liability for fraudulent purchases when the financial insti
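Added example (not from the thread): a toy Python model of the scheme this comment describes, with the PIN checked on the card itself and an authorization code bound to one merchant, one amount and one transaction counter, so a code captured at one store cannot be replayed elsewhere or for a different amount. The card number, secret, PIN and merchant IDs are constructed values, and the HMAC construction is an assumption for illustration, not any real card network's protocol.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Card:
    pan: str          # constructed sample card number
    secret: bytes     # shared only between this card and its issuer
    pin: str          # checked on the card's own pad, never sent to the merchant
    counter: int = 0  # transaction counter, makes each code single-use

    def authorize(self, merchant_id: str, amount_cents: int, pin_entered: str):
        """Return (pan, counter, code) for exactly this merchant and amount, or None on a bad PIN."""
        if not hmac.compare_digest(pin_entered.encode(), self.pin.encode()):
            return None
        self.counter += 1
        msg = f"{self.pan}|{merchant_id}|{amount_cents}|{self.counter}".encode()
        code = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]
        return (self.pan, self.counter, code)


@dataclass
class Issuer:
    secrets: dict                                    # pan -> card secret
    last_counter: dict = field(default_factory=dict)  # pan -> highest counter accepted

    def verify(self, merchant_id: str, amount_cents: int, auth) -> bool:
        """Accept the code only if it was minted for this merchant, this amount and an unused counter."""
        pan, counter, code = auth
        key = self.secrets.get(pan)
        if key is None or counter <= self.last_counter.get(pan, 0):
            return False  # unknown card, or a code presented a second time
        msg = f"{pan}|{merchant_id}|{amount_cents}|{counter}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, code):
            return False  # code was bound to a different merchant or amount
        self.last_counter[pan] = counter
        return True


def demo():
    """Constructed walk-through; returns (other_merchant, other_amount, genuine, replay, wrong_pin)."""
    card = Card(pan="4000000000000002", secret=b"constructed-card-secret", pin="4242")
    issuer = Issuer(secrets={card.pan: card.secret})
    auth = card.authorize("MERCHANT-A", 2599, "4242")         # cardholder approves $25.99 at A
    other_merchant = issuer.verify("MERCHANT-B", 2599, auth)  # B presents A's code: rejected
    other_amount = issuer.verify("MERCHANT-A", 9999, auth)    # A inflates the amount: rejected
    genuine = issuer.verify("MERCHANT-A", 2599, auth)         # the approved transaction: accepted
    replay = issuer.verify("MERCHANT-A", 2599, auth)          # same code a second time: rejected
    wrong_pin = card.authorize("MERCHANT-A", 2599, "0000")    # card refuses to issue a code
    return other_merchant, other_amount, genuine, replay, wrong_pin
```

Because the merchant only ever sees the code and never the PIN or card secret, a breach of the merchant's systems yields nothing that can be spent again.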

      • by Fnord666 (889225)

        The banks ARE making moves here.

        All card terminals in the US need to accept chip & PIN by 2015 because the banks will be mandating it.

        The banks are not mandating anything. The credit card networks dictate the conditions by which a merchant or a bank can participate in their system.

        One issue that hampers the conversion is the replacement of the card accepting terminals. The US has retailers that have more terminals in a single region than most OECD nations. That's a lot of hardware to replace for merchants who have not been held responsible for anything that happens when they don't.

    • by gewalker (57809)

Unfortunately, the way the credit card companies work, most of the damage is externalized onto the merchants (via reversed charges) and ultimately the consumers -- via higher prices & fees. Of course, this is hardly accidental. Target is certainly guilty of lots of stupidity, but the real players won't change their ways until they really feel the pain -- the whole system is far too easy for the black players to game. So much business is depending on CC transactions, most businesses have little choice

    • by EvilSS (557649)

      Banks hold some of the responsibility too...

Ethically, yes, they do. Legally? Well, they made sure the laws didn't work that way. As for merchants not wanting to ditch magstripes, the national retailers have wanted to ditch them for a while (oddly, around the same time PCI came into existence). It's the banks dragging their feet over it. The cards cost more and there are questions about how Chip and PIN transaction costs will work (as a swipe transaction or a PIN transaction) and what networks they will use.

      • by Misch (158807)

        Target doesn't want to ditch the magstripe. They do incredible amounts of data mining based off of data on the magstripe.

        See: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did [forbes.com].

        Chip-and-Pin doesn't provide magstripe data to Target. Target can't build its demographic data. That's going to hurt sales.

        • by hawguy (1600213)

          Target doesn't want to ditch the magstripe. They do incredible amounts of data mining based off of data on the magstripe.

          See: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did [forbes.com].

          Chip-and-Pin doesn't provide magstripe data to Target. Target can't build its demographic data. That's going to hurt sales.

          If that's the case, they'll just have to do it the old fashioned way -- with affinity cards "Swipe your TargetPoints card and save $$$!".

          It's not necessarily the case that chip-and-pin removes the ability for merchants to do customer tracking -- just because the card number is encrypted and protected doesn't mean that no unique identifying information is sent in the clear to let a merchant recognize a returning customer.

    • by Trogre (513942)

      Erm, banks are issuing cards with 2010's era paywave right now, and it's a major step backwards in security. We've gone from two-factor (swipe and PIN) to single-factor wave. Nothing safe about it.

    • by mjwx (966435)

Banks hold some of the responsibility too -- why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen? They claim that the merchants don't want to pay to install new credit card readers, yet only the banks have the power to force it on them (through fee penalties for those still using magstripes, or an outright mandate requiring new scanners). Even merchants that *want* to use safer technology can't do anything to make the banks issue the new cards.

      I hate to break it to you, but brand new cards are coming out with NFC technology (Paywave and Paypass) that is even easier to steal your card details from than from the magstripe.

Magstripes aren't a huge security flaw because they require physical access to the card (and yes, the card holder should be responsible for the card's physical security), but NFC allows card details to be stolen wirelessly, so even if the user is taking all due care to physically protect the card, the details can still be stolen.

    • by Trogre (513942)

      why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen?

      Do you have shares in a card-chipping business?

  • SSDD (Score:4, Insightful)

    by Wookact (2804191) on Wednesday March 26, 2014 @12:53PM (#46585207)
I am surprised it took this long for the lawyers to get geared up.
  • I would not be surprised if Target's credit card purchasing process mandates that all disputes must be arbitrated.

    SCOTUS has consistently ruled that these mandates are legal and binding.

    • "We're so sorry we allowed your credit card to be used to facilitate theft. Fortunately the arbitrator has come up with an equitable payment; a Jelly of the Month Club membership. It's the gift that keeps on giving."

    • Nah. It's only CONSUMERS who are forced into these binding arbitration contracts, i.e. the card holders. There's zero probability that the card issuing bankers will be forced to put up with what they inflict on the public.
    • by devman (1163205)
      The article indicates that the plaintiffs are card issuing banks, which probably have no direct agreements with Target at all, thus no opportunity to cover ass with a binding arbitration clause.
    • by Sloppy (14984)

      I would not be surprised if Target's credit card purchasing process mandates that all disputes must be arbitrated.

      That sounds like something Target's customers might have agreed(*) to. But the banks? If they didn't sign(*) the agreement, then I don't know how they'd be bound to it.

      (*) I am trying to use technical jargon versions of "agreed" and "sign," not the layman's, and I might not be up-to-date on the jargon definitions. Yet if it looks like I'm saying the exact opposite of what I appear to be sayin

    • by gstoddart (321705)

      I would not be surprised if Target's credit card purchasing process mandates that all disputes must be arbitrated.

      Is that even something they could do? When I use a CC in a brick and mortar store, I don't think you can claim there's a click-through agreement in place.

      Though, I wouldn't put it past the lawyers to have done something like this.

      However, since it's the banks filing the class action suit, and storing that stuff the way they did violated both state and federal laws .... good luck with the EULA/a

I wish there were better ways of reporting broken sites. I just tried to inform quicksilver.com that their SSL was messed up, but they told me to reset my cookies. Lol.

How do you report something like this, if their own "support" is either ignorant or not prepared to deal with these issues? Obviously, someone at Target knew of the problems, but couldn't get upper management to listen.

    • by gstoddart (321705)

How do you report something like this, if their own "support" is either ignorant or not prepared to deal with these issues?

      If you're a customer, you call up and cancel and tell them that since they seem to be unqualified to do security, you are no longer willing to use them.

      If you're not a customer, make sure you can't be brought up on charges of "hacking" their stuff which was secured by chimps and move on.

How do you report something like this, if their own "support" is either ignorant or not prepared to deal with these issues? Obviously, someone at Target knew of the problems, but couldn't get upper management to listen.

      You don't.

      And you don't leave ANY trails showing that you knew about it.

      It's too easy for them to drag YOU into court on "hacking" charges.

      They'll be looking for ways to cover their incompetency later. Do not be their victim.

“…—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …Nothing happened.”

“…—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …Nothing happened.”

What is missing from this quote is not that Bangalore sent them a flagged alert, but how many alerts Bangalore had sent in the past, and how high a priority were they? How much did Bangalore cry wolf in the past?

      I am with teams from Bangalore that sent me reams and reams of "alerts". Most of these high-priority alerts were garbage. I spent 4 hours the other day tracing down a "critical" alert because a router on the other side of the world from me had not sent logs in the last 8 hours. Turns out that thi

    • by khasim (1285)

      I've worked for a company that used Trustwave.

      I hate them.

      They did NOTHING except forward
      EVERY
      SINGLE
      ALERT
      FOR
      EVERY
      SINGLE
      SERVICE
      ON
      EVERY
      SINGLE
      SERVER
      that was in scope.

      I understand WHY Trustwave did that. It is so that they cannot be blamed for when YOU miss something. So you are buried in their reports.

      But you do get to check off the box labelled "24/7 monitoring of all systems".

      Which is why "compliance" is NOT the same thing as "security".

      I don't care if it is the same fucking dictionary attack as yesterday. R
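Added example (not khasim's code): how a feed that forwards every single alert can be collapsed into one summary line per host, rule and source, and split into new versus recurring, so the same dictionary attack as yesterday does not land on the analyst as a fresh page while a genuinely new alert does. The alert lines and their key=value format are constructed for this example.

```python
# Constructed alert lines in a simple "timestamp key=value ..." format.
YESTERDAY = [
    "2014-03-25T03:10:01 host=web01 rule=ssh-dictionary src=203.0.113.9 sev=high",
    "2014-03-25T03:10:07 host=web01 rule=ssh-dictionary src=203.0.113.9 sev=high",
]
TODAY = [
    "2014-03-26T02:41:12 host=web01 rule=ssh-dictionary src=203.0.113.9 sev=high",
    "2014-03-26T02:41:15 host=web01 rule=ssh-dictionary src=203.0.113.9 sev=high",
    "2014-03-26T02:41:19 host=web01 rule=ssh-dictionary src=203.0.113.9 sev=high",
    "2014-03-26T09:02:44 host=pos-17 rule=new-binary-executed src=- sev=critical",
    "2014-03-26T09:30:00 host=rtr-far rule=no-logs-8h src=- sev=critical",
]


def parse(line):
    """Split one alert line into its timestamp and a dict of key=value fields."""
    ts, *kv = line.split()
    return ts, dict(p.split("=", 1) for p in kv)


def summarize(lines):
    """Group alerts by (host, rule, src); keep count, severity, first and last seen."""
    groups = {}
    for ts, f in map(parse, lines):
        key = (f["host"], f["rule"], f["src"])
        g = groups.setdefault(key, {"count": 0, "sev": f["sev"], "first": ts, "last": ts})
        g["count"] += 1
        g["last"] = ts  # lines are in time order, so the latest wins
    return groups


def triage(today, yesterday):
    """Return (new_keys, recurring_keys, groups): recurring means the same
    host/rule/src already fired yesterday and only needs a count update."""
    seen = set(summarize(yesterday))
    groups = summarize(today)
    new = sorted(k for k in groups if k not in seen)
    recurring = sorted(k for k in groups if k in seen)
    return new, recurring, groups


if __name__ == "__main__":
    new, recurring, groups = triage(TODAY, YESTERDAY)
    for key in new:
        print("NEW      ", key, groups[key])
    for key in recurring:
        print("RECURRING", key, groups[key])
```

Five forwarded alerts become three summary lines, of which only two are new; the recurring dictionary attack keeps its count and last-seen time without generating another ticket.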

  • by Anonymous Coward

    so, only credit cards were affected? not debit cards or American Express cards? Cool.

  • Retailers a Top Target for Attackers in 2012, Trustwave Says
    http://www.securityweek.com/re... [securityweek.com]
