back to article Hackers slurp credit card details from US luxury retailer Neiman Marcus

Upmarket US department store Neiman Marcus has been hit by hackers who broke into systems before lifting an as-yet-unspecified number of credit and debit card details. Neiman Marcus confirmed a security breach in a series of updates to its official Twitter account and apologised, without detailing the extent of the problem or …

COMMENTS

This topic is closed for new posts.
Silver badge
Black Helicopters

Okay.

I feel an NSA charm offensive ripening ...

Sources in the information security industry are telling El Reg that the Target breach involved installing malware on point-of-sale systems, a theory that's consistent with media statements by Target chief exec Gregg Steinhafel over the weekend.

Will the quick-to-call-for-the-gallows-crowd tone down this time, please?

0
2
Silver badge

THAT Crowd.

"Upmarket US department store Neiman Marcus has been hit by hackers who broke into systems before lifting an as-yet-unspecified number of credit and debit card details. "

*giggles*

Well at least that crowd can afford it!

Maybe these guys aren't all bad...

1
2

comes with a $7,500 setup fee and $2,500 annual fee

comes with a $7,500 setup fee and $2,500 annual fee

whaaat?

well if i get that invite i think I'll decline

2
0
Silver badge

You think of $7500 and compare it to your revenue per month, and your jaw drops. The people who get this kind of invite see $7500 and think in terms of revenue per day and they don't even blink.

If you get that invite you'll be thinking about it in your mansion by the fire, playing a game of snooker on your own snooker table. You'll finally accept during one of your weekly $1000 dinners.

At that point, the fee is the last item on the list of your worries.

0
0

well yeah , I know Davd Beckham pays about that amount to get his car valeted, but it least he's getting some sort of service.

i guess they chuck other un-credit card like services in with that one:

like blackjack and hookers!

0
0

I felt the same at first

But if you read through the benefits, a lot of the freebies thrown in could probably end up canceling that out. (especially as it's $2500 after the first year).

Still, you know a lot of the desire for this card is simply its exclusivity and bragging rights. That's reason enough to avoid, imo.

0
0
Anonymous Coward

Re: you'll be thinking about it in your mansion by the fire,

Usually, but not necessarily.

I actually received one of those invites about 10 years back. At the time I was handling finances for an NPO and our budget for the year was around $750,000. But we did run most of our bills through Amex including some hefty hotel bills* and international travel. It was cool reading it, but it immediately went through the shredder. I got the impression they though I was worth as much money as the corporation was. I can see where they would be beneficial cards for a company with that sort of cash flow, especially if they traveled internationally.

*First time we used it to pay the hotel bill our card was cutt-off in the middle of the weekend, so never let them tell you there isn't a limit. They just do a constantly rolling evaluation of it, and since it is a charge card instead of a credit card, the limit is a great deal higher than it would be for a credit card. After that we'd pre-pay $100,000 or so before our big event, and let them know the big event was happening so they'd be seeing our typical yearly surge in charges.

1
0
Silver badge

Re: least he's getting some sort of service.

Oh you get service for that kind of cash.

Top of the line concierge service wherever you are.

If you don't know what an appropriate gift for a business meeting is, they'll let you know even if it is meeting an ambassador.

Need an emergency trip to Japan or Russia? No problem, they'll book the flights and the hotel, just tell them what your specific destination and departure locations and times are.

1
0
Anonymous Coward

Posh My Arse

That's a first name, not a surname, did they drop a comma from an entry in a German school roll, or something?

How about they rename themselves "Numan, Gary", and do a suitable style makeover? I hear Electro is fashionable again? ;)

0
1
Bronze badge

Re: Posh My Arse

Interesting. So one or both of 'Neiman' and 'Marcus' aren't surnames, eh? You sure about that? 'cause I'm pretty damn sure that the store was started by a Mr. Marcus, partnering with his sister and her husband, the Neimans. And a quick google says... yep. https://en.wikipedia.org/wiki/Neiman_Marcus.

Hint: pretty much any 'first name' can end up being a 'surname'. Examples include Joseph, John, James, Patrick, William, Steven, Donald, Gregory, Dennis, Jacque, Jean, Erich, Rahman, Ali... further examples available at your local elementary school. An awful lot of 'surnames' _are_ first names, because many of them derived from 'so-and-so son/daughter of name' or 'so-and-so of the family/clan/sept of name'. This kind of thing tends to be really common in Germanic languages, such as, oh, _English_. And _German_. And is also well-known in non-Germainic languages including Arabic and Hebrew and Zulu.

damn, boy, why didn't you just do a quick Google before making an idiot out of yourself?

0
0
Silver badge

Re: Posh My Arse

Ha! Reminds me of a guy named "Bill Paul" who ended up being "the man with two first names" - and his full name was "Bill Andrew Paul"....

1
0
Silver badge

Re: "the man with two first names"

That's ok, I knew his balancer when I was in high school: the man with two last names. I still call him by the name I learned then, but it is quite understandable why he routinely goes by "Jim" these days instead of Gerheart.

0
0

Encryption?

"The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store."

So the lifted detail was not encrypted in any way? Anyone? El Reg?, a little detail that is so important to this story and its possible repercussions.

1
0
Bronze badge

Re: Encryption?

Apparently they sold their credit card business to HSBC.

No more need be said.

Yes, i used to (please note the past tense) have accounts with HSBC.

1
0
Silver badge

Re: Encryption?

I'm wondering about this, too, since IIRC PCI-DSS standards require end-to-end encryption using the clearinghouse's Triple-DES key, which not even the store is supposed to be able to decrypt.

1
0
Silver badge

Re: Encryption?

Wish I could remember where I read the details, but the point of attack was the interface between two sets of exchanges. Both individual links were secure end to end, and they thought the transfer between the two was good as well. It sounded like the breach was both novel and clever. Although this is the first article I've seen confirming it was the POS system and not the back end db that was cracked. I was suspicious about that because of the too careful wording they were using to describe the breach and the ranged time period.

1
0
Silver badge

Re: Encryption?

Found it:

Target ran into a problem, Eric Chiu, president and co-founder of cloud control company HyTrust said, where point-of-sale and customer database systems connect to networks. Chiu said hackers can access that point and sneak undetected inside a corporate network. Ominously, he also added because of the density of information available on today’s networks, hackers don’t just get some data, they get a lot of it.

http://www.foxbusiness.com/industries/2014/01/10/target-guest-info-also-stolen-in-black-friday-breach/

1
0
Silver badge

Re: Encryption?

"Wish I could remember where I read the details, but the point of attack was the interface between two sets of exchanges. Both individual links were secure end to end, and they thought the transfer between the two was good as well. It sounded like the breach was both novel and clever. Although this is the first article I've seen confirming it was the POS system and not the back end db that was cracked. I was suspicious about that because of the too careful wording they were using to describe the breach and the ranged time period."

If the exploit was made in the POS system, then that smacks of an inside job of some sophistication. Based on what I know of modern retail POS systems, they're (a) trade secrets with tons of secret sauce, (b) rolled out in very controlled and restricted ways to minimize disruptions, and (c) deployed on a closed intranet.

Therefore, to get an exploit onto a modern POS system would involve (a) Tampering with a very secret program code (How many people have code access for the POS system?) (b) Slipping the exploit into a scheduled software rollout, passing any testing that would've occurred before then, and (c) Either bridge the intranet with the Internet or extract the siphoned details locally in some other manner.

I don't think any outsider could achieve a feat of the scale we're talking about.

I suspect PCI will have to look into reducing the trust level of the POS system as a result of this. Based on what I've read, the standards as they are mean the POS can obtain the card data unencrypted, and that may have to change. Newer equipment may mandate the use of encrypting magstripe readers and the use of PKI where not even the store knows the decryption key (IOW, only the payment processor would be able to receive the magstripe data). This may also be considered as Chip-and-PIN is considered for American rollout (because despite its increased security, it has been shown to have holes that can be exploited at the POS level as well).

0
0
Silver badge

HSBC Credit card processing?

Don't know what's left of it, but in the US, HSBC sold off the Credit Card biz a while back to Capital One.

As to security and such... when you hire under-qualified staff and off shore your IT development, you get what you paid for.

2
1
Silver badge
Facepalm

Apparently I'm going to have to stop thinking those snide comments to myself.

I saw the headline on the main page and immediately thought "wonder if they used the same people as Target" only to get to the last paragraph.

Not that my cc info is at risk from either store.

0
0
Anonymous Coward

Target relies on a Virtual Solution ..

"In 2004, Target joined the Microsoft Technology Adoption Program (TAP) for virtualization and found the solution it was looking for. During the TAP, the Microsoft team worked closely with Target Technology Services team members to virtualize the Linux-based pharmacy solution and run it successfully in a Microsoft Virtual Server 2005 environment"

http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407

0
0
Bronze badge

Re: Target relies on a Virtual Solution ..

Relevance, nil. One does not virtualize POS systems. The majority of store POS systems are *not* the pharmacy systems.

1
0

Why are we talking about 'people'? This isn't going to cost any one 'person' a penny. Credit Card companies need to sort their POS. Fast, I would suggest,

0
0
Bronze badge

Erm, the POS systems belong to the store, not the credit card company.

Now, how did the POS systems, aka cash registers, manage to have a path out, which is required for that information to leave the system and land in someone outside's computer?

POS systems should not be able to route traffic to each other, especially not offsite in another store. They should also not have the ability to route traffic to the internet at all. To and from the transaction servers only.

0
0
Silver badge

What normally happens is that the POS units link to a back-office server for that store, which in turn is connected to the company headquarters or some midway point, depending on the scales involved. And it's headquarters that also tells the back-office machines who to contact on the corporate net in regards to credit card transactions and so on (if they don't route the transactions themselves, another possibility).

AFAIK, these all run on closed networks (most of the ones I've seen use Class 1 10.x.x.x private net addresses).

0
0
Silver badge
Devil

Missed it by that much

"The security of our customers' information is always a priority..." the retailer said,

Just not on that day...

1
0
This topic is closed for new posts.

Forums