Target investigating data breach
Could be in the millions of cards exfiled:
Sources: Target Investigating Data Breach — Krebs on Security
Comments
-
colemic Member Posts: 1,569 ■■■■■■■□□□
This WILL be ugly - almost all stores nationwide, on Black Friday... pretty sure I (or at least my wife) will be getting new debit cards in the mail.
Working on: staying alive and staying employed
-
Mrkali Member Posts: 105
I'm very interested to see how this plays out, yet very annoyed that we need new debit cards.
-
cknapp78 Member Posts: 213 ■■■■□□□□□□
Could be in the millions of cards exfiled:
Sources: Target Investigating Data Breach — Krebs on Security
Just heard on CNN News Radio that it is now up to over 40 Million accounts that were hacked. Thankfully I haven't been to Target in quite some time. Agreed with everyone....this is going to get very ugly really fast. Everyone make sure you keep a close eye on your bank and credit card accounts over the next few weeks.
Corey
-
tpatt100 Member Posts: 2,991 ■■■■■■■■■□
I saw a lot of banks are just going to reissue debit cards. I went to check Chase and saw a news story that a Chase server was compromised this week.
-
YFZblu Member Posts: 1,462 ■■■■■■■■□□
Just heard on CNN News Radio that it is now up to over 40 Million accounts that were hacked. Thankfully I haven't been to Target in quite some time. Agreed with everyone....this is going to get very ugly really fast. Everyone make sure you keep a close eye on your bank and credit card accounts over the next few weeks.
Corey
-
W Stewart Member Posts: 794 ■■■■□□□□□□
Heard about this a few days ago. Glad I don't shop at Target. The problem that I see that this article points out is that the hackers were able to access the systems storing payment information from a wireless network. I've worked on point of sale systems that had to be PCI compliant and you don't ever allow the wireless network to have access to the same network that the credit card information is being processed or transmitted to the merchant service provider on. They should be completely segregated networks for this particular reason.
Edit: On a side note, I agree with YFZblu. Don't wait around to see if your account actually gets compromised. If you shopped at Target, report your card lost or stolen so it gets cut off immediately and you'll get a new one in the mail.
-
N2IT Inactive Imported Users Posts: 7,483 ■■■■■■■■■■
It has created awareness, at least in the meantime. Our waitress asked to see my driver's license tonight. That was a first (the back of the card is not signed).
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■
When will they learn? TJ Maxx all over again and this will probably end up being worse. As a side note, technically they are supposed to refuse to accept a card that is not signed. Visa, Mastercard, etc. have a policy that the card is not valid if it is not signed and "Please See ID" doesn't count either. Obviously, no one enforces this rule (which tells us why these situations of cards being stolen keep arising), but that is technically how it should work. PCI Compliance is important, but the issue is they don't spend any money actively enforcing it. They'll levy fines after the fact, but that doesn't help those 40 million consumers.
Working in a regulatory position it amazes me what companies will do to skirt regulations. We're actively working to have monitoring in place for exactly situations like this. Someone checks a box, signs their name, and then prays that nothing happens. The burden is on us to make sure what they said they've done and signed is in fact what was done.
I'd also like to point out that their reporting time for this sucked big time. You report it after you fixed the issue? There was a couple-day lag time which will be very costly to the consumers.
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff
-
tpatt100 Member Posts: 2,991 ■■■■■■■■■□
I heard Target upgraded their POS machines 5 months ago so it might have been an inside job.
-
MSP-IT Member Posts: 752 ■■■□□□□□□□
Anyone else surprised that Target stock hasn't really been affected? I'm pretty sure there is going to be quite a hefty bill for fines, security contractors, etc.
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■
tpatt100 - I literally said that to my dad last night! Anything with the POS screams inside job.
MSP-IT - It really comes down to the fact that this is a common occurrence now. When we were talking about it at work the general consensus was there really isn't anything you can do about it so why get upset? Besides, any fines and investigative costs won't amount to a whole lot when compared to what they bring in.
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff
-
tpatt100 Member Posts: 2,991 ■■■■■■■■■□
Well if anything stories like this that hit the mainstream media help bring awareness to security. Awareness to security means companies need to pay more attention to detail and actually acknowledge they need to invest some time and money into IT and IT security. Unfortunately from my personal experience it means management listening to sales people and spending money on "magic bullet" solutions rather than employees and having enough people to properly handle the work load needed to properly monitor and review their IT systems.
If this was an inside job then it is a failure in the process and procedures for software/hardware upgrades I guess. I often see projects being outsourced with limited auditing of the contractors involved.
-
colemic Member Posts: 1,569 ■■■■■■■□□□
Cards Stolen in Target Breach Flood Underground Markets — Krebs on Security
Even more good info on this from Krebs.
Working on: staying alive and staying employed
-
MSP-IT Member Posts: 752 ■■■□□□□□□□
My bank is recommending the users do not cancel their cards. That was very surprising.
-
colemic Member Posts: 1,569 ■■■■■■■□□□
Indeed it is - do you have any more information on their rationale for that?
Working on: staying alive and staying employed
-
MSP-IT Member Posts: 752 ■■■□□□□□□□
They said that their systems can detect fraud and will block it immediately. I don't know if they know that the information is being sold by the location of the theft and thus can be used in close proximity to the account holder. I posted a warning on the community forum.
-
tpatt100 Member Posts: 2,991 ■■■■■■■■■□
Anytime my bank detects something they suspect is fraud that means disabling my card until I call to unlock it. So if you see where this is headed that means every single time this happened it happened when I needed to use my card and I was the one who caused the "suspicious activity". One time I was driving to Fort McCoy, Wisconsin and the bank saw two debits for gas in two different states so they disabled my card, they disabled it when I was trying to get gas the second time... Glad they have 24 hour customer service to unlock it...
-
mog27 Member Posts: 302
What if you used the Target "red card"?
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Ben Franklin
"The internet is a great way to get on the net." --Bob Dole
-
YFZblu Member Posts: 1,462 ■■■■■■■■□□
Well if anything stories like this that hit the mainstream media help bring awareness to security. Awareness to security means companies need to pay more attention to detail and actually acknowledge they need to invest some time and money into IT and IT security.
There is no shortage of security awareness. Infosec people are practically screaming from mountaintops. This will continue to happen unfortunately.
-
colemic Member Posts: 1,569 ■■■■■■■□□□
I've had 2 friends affected by this breach so far.
Working on: staying alive and staying employed
-
1vs1n Registered Users Posts: 2 ■□□□□□□□□□
Problem is in the cryptography underlying the EMV technology.
-
phoeneous Member Posts: 2,333 ■■■■■■■□□□
What if you used the Target "red card"?
Well then you're twice as screwed. Might as well move to Syria. Just kidding, don't do that.
-
headshot Member Posts: 77 ■■□□□□□□□□
ummmmm why the hell hasn't the USA switched to cards with chips yet?
that would make it hell of a lot harder for the perps to reproduce their own cards with the stolen ****.
-
Ruminus Member Posts: 56 ■■■□□□□□□□
WGU Classes Finished: GAC1, WFV1, UBC1, EUP1, EUC1, TCP1, COV1, CJC1, CUV1, CQV1, IWT1, TPV1, CTV1, C173, C185, ABV1, C179, C697, C698
Program (BSIT-NA) completion: 80%
-
DoubleNNs Member Posts: 2,015 ■■■■■□□□□□
ummmmm why the hell hasn't the USA switched to cards with chips yet?
that would make it hell of a lot harder for the perps to reproduce their own cards with the stolen ****.
You'd still be able to make online purchases regardless.
Goals for 2018:
Certs: RHCSA, LFCS: Ubuntu, CNCF CKA, CNCF CKAD | AWS Certified DevOps Engineer, AWS Solutions Architect Pro, AWS Certified Security Specialist, GCP Professional Cloud Architect
Learn: Terraform, Kubernetes, Prometheus & Golang | Improve: Docker, Python Programming
To-do | In Progress | Completed
-
JDMurray Admin Posts: 13,093 Admin
My bank is recommending the users do not cancel their cards. That was very surprising.
ummmmm why the hell hasn't the USA switched to cards with chips yet?
-
wes allen Member Posts: 540 ■■■■■□□□□□
Brian Krebs has an update. Some amazing work to dig up some killer info.
Who’s Selling Credit Cards from Target? — Krebs on Security