
Target investigating data breach

wes allen Member Posts: 540
Could be in the millions of cards exfiled:

Sources: Target Investigating Data Breach — Krebs on Security

Comments

  • Bokeh Member Posts: 1,636
    This could be ugly.
  • colemic Member Posts: 1,569
    This WILL be ugly - almost all stores nationwide, on Black Friday... pretty sure I (or at least my wife) will be getting new debit cards in the mail.
    Working on: staying alive and staying employed
  • Mrkali Member Posts: 105
    I'm very interested to see how this plays out, yet very annoyed that we need new debit cards.
  • cknapp78 Member Posts: 213
    wes allen wrote: »
    Could be in the millions of cards exfiled:

    Sources: Target Investigating Data Breach — Krebs on Security

    Just heard on CNN News Radio that it is now up to over 40 Million accounts that were hacked. Thankfully I haven't been to Target in quite some time. Agreed with everyone....this is going to get very ugly really fast. Everyone make sure you keep a close eye on your bank and credit card accounts over the next few weeks.

    Corey
  • tpatt100 Member Posts: 2,991
    I saw a lot of banks are just going to reissue debit cards. I went to check Chase and saw a news story that a Chase server was compromised this week.
  • phoeneous Member Posts: 2,333
    Who's the Target now? Zing!
  • YFZblu Member Posts: 1,462
    cknapp78 wrote: »
    Just heard on CNN News Radio that it is now up to over 40 Million accounts that were hacked. Thankfully I haven't been to Target in quite some time. Agreed with everyone....this is going to get very ugly really fast. Everyone make sure you keep a close eye on your bank and credit card accounts over the next few weeks. Corey
    I wouldn't be waiting - If you shopped there in the (ever expanding) timeframe of the compromise, be proactive and get new cards issued.
  • W Stewart Member Posts: 794
    Heard about this a few days ago. Glad I don't shop at Target. The problem that I see that this article points out is that the hackers were able to access the systems storing payment information from a wireless network. I've worked on point-of-sale systems that had to be PCI compliant and you don't ever allow the wireless network to have access to the same network that the credit card information is being processed or transmitted to the merchant service provider on. They should be completely segregated networks for this particular reason.

    Edit: On a side note, I agree with YFZblu. Don't wait around to see if your account actually gets compromised. If you shopped at Target, report your card lost or stolen so it gets cut off immediately and you'll get a new one in the mail.
  • N2IT Inactive Imported Users Posts: 7,483
    It has created awareness, at least in the meantime. Our waitress asked to see my driver's license tonight. That was a first (the back of the card is not signed). :)
  • the_Grinch Member Posts: 4,165
    When will they learn? TJ Maxx all over again and this will probably end up being worse. As a side note, technically they are supposed to refuse to accept a card that is not signed. Visa, Mastercard, etc. have a policy that the card is not valid if it is not signed and "Please See ID" doesn't count either. Obviously, no one enforces this rule (which tells us why these situations of cards being stolen keep arising), but that is technically how it should work. PCI Compliance is important, but the issue is they don't spend any money actively enforcing it. They'll levy fines after the fact, but that doesn't help those 40 million consumers.

    Working in a regulatory position it amazes me what companies will do to skirt regulations. We're actively working to have monitoring in place for exactly situations like this. Someone checks a box, signs their name, and then prays that nothing happens. The burden is on us to make sure what they said they've done and signed is in fact what was done.

    I'd also like to point out that their reporting time for this sucked big time. You report it after you fixed the issue? There was a couple-day lag time which will be very costly to the consumers.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • tpatt100 Member Posts: 2,991
    I heard Target upgraded their POS machines 5 months ago so it might have been an inside job.
  • MSP-IT Member Posts: 752
    Anyone else surprised that Target stock hasn't really been affected? I'm pretty sure there is going to be quite a hefty bill for fines, security contractors, etc.
  • the_Grinch Member Posts: 4,165
    tpatt100 - I literally said that to my dad last night! Anything with the POS screams inside job.

    MSP-IT - It really comes down to the fact that this is a common occurrence now. When we were talking about it at work the general consensus was there really isn't anything you can do about it so why get upset? Besides, any fines and investigative costs won't amount to a whole lot when compared to what they bring in.
  • tpatt100 Member Posts: 2,991
    Well, if anything, stories like this that hit the mainstream media help bring awareness to security. Awareness to security means companies need to pay more attention to detail and actually acknowledge they need to invest some time and money into IT and IT security. Unfortunately from my personal experience it means management listening to sales people and spending money on "magic bullet" solutions rather than employees and having enough people to properly handle the work load needed to properly monitor and review their IT systems.

    If this was an inside job then it is a failure in the process and procedures for software/hardware upgrades I guess. I often see projects being outsourced with limited auditing of the contractors involved.
  • MSP-IT Member Posts: 752
    My bank is recommending the users do not cancel their cards. That was very surprising.
  • colemic Member Posts: 1,569
    Indeed it is - do you have any more information on their rationale for that?
  • MSP-IT Member Posts: 752
    They said that their systems can detect fraud and will block it immediately. I don't know if they know that the information is being sold by the location of the theft and thus can be used in close proximity to the account holder. I posted a warning on the community forum.
  • tpatt100 Member Posts: 2,991
    Anytime my bank detects something they suspect is fraud that means disabling my card until I call to unlock it. So if you see where this is headed that means every single time this happened it happened when I needed to use my card and I was the one who caused the "suspicious activity". One time I was driving to Fort McCoy Wisconsin and the bank saw two debits for gas in two different states so they disabled my card, they disabled it when I was trying to get gas the second time.... Glad they have 24 hour customer service to unlock it.....
  • mog27 Member Posts: 302
    What if you used the Target "red card"?
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Ben Franklin

    "The internet is a great way to get on the net." --Bob Dole
  • lsud00d Member Posts: 1,571
    I've had 2 friends affected by this breach so far.
  • YFZblu Member Posts: 1,462
    tpatt100 wrote: »
    Well, if anything, stories like this that hit the mainstream media help bring awareness to security. Awareness to security means companies need to pay more attention to detail and actually acknowledge they need to invest some time and money into IT and IT security.

    There is no shortage of security awareness. Infosec people are practically screaming from mountaintops. This will continue to happen unfortunately.
  • colemic Member Posts: 1,569
    lsud00d wrote: »
    I've had 2 friends affected by this breach so far.
    Not affected yet but I have confirmed that we used a card at Target during the time frame... USAA's mobile app has a statement to the effect that they are monitoring the situation, no need to call, and they will reissue cards as necessary. Thankfully not enough personal info compromised for identity theft, this is just good ol' fashioned monetary theft/fraud. :)
  • 1vs1n Registered Users Posts: 2
    Problem is in the cryptography underlying the EMV technology.
  • phoeneous Member Posts: 2,333
    mog27 wrote: »
    What if you used the Target "red card"?

    Well then you're twice as screwed. Might as well move to Syria. Just kidding, don't do that.
  • headshot Member Posts: 77
    ummmmm why the hell hasn't the USA switched to cards with chips yet?

    that would make it hell of a lot harder for the perps to reproduce their own cards with the stolen ****.
  • Ruminus Member Posts: 56
    phoeneous wrote: »
    Who's the Target now? Zing!
    BOO!!! lol
    WGU Classes Finished: GAC1, WFV1, UBC1, EUP1, EUC1, TCP1, COV1, CJC1, CUV1, CQV1, IWT1, TPV1, CTV1, C173, C185, ABV1, C179, C697, C698
    Program (BSIT-NA) completion: 80%
  • DoubleNNs Member Posts: 2,015
    headshot wrote: »
    ummmmm why the hell hasn't the USA switched to cards with chips yet?

    that would make it hell of a lot harder for the perps to reproduce their own cards with the stolen ****.

    You'd still be able to make online purchases regardless.
    Goals for 2018:
    Certs: RHCSA, LFCS: Ubuntu, CNCF CKA, CNCF CKAD | AWS Certified DevOps Engineer, AWS Solutions Architect Pro, AWS Certified Security Specialist, GCP Professional Cloud Architect
    Learn: Terraform, Kubernetes, Prometheus & Golang | Improve: Docker, Python Programming
    To-do | In Progress | Completed
  • JDMurray Admin Posts: 13,034
    MSP-IT wrote: »
    My bank is recommending the users do not cancel their cards. That was very surprising.
    Each payment card costs the financial institution $3-5 to re-issue. When a bank is looking at a possible million+ of its customers being immediately affected by fraud, slowing the stampede of "Cancel my card!" is a cost control for it.
    headshot wrote: »
    ummmmm why the hell hasn't the USA switched to cards with chips yet?
    There is too much revenue being made by credit card protection and insurance services to allow that to happen. There is much more money being spent on payment card protection services than there is being lost to fraud (realize that Target, TJX, and Heartland incidents happen only once in a blue moon). If you introduce a cheap, simple security solution that makes it almost impossible to defraud a payment card then you would be killing a few "golden geese" of revenue streams for the financial and insurance industries.
  • wes allen Member Posts: 540
    Brian Krebs has an update. Some amazing work to dig up some killer info.

    Who’s Selling Credit Cards from Target? — Krebs on Security