Crooks target Target: 40 MILLION bank cards imperiled in cyber-heist

Target says 40 million credit and debit card accounts are at risk after crooks infiltrated the US megastore chain's payment systems. It's feared criminals harvested customers' sensitive banking details between November 27 and December 15, right in the middle of America's peak shopping season. The leak leaves shoppers …

COMMENTS

This topic is closed for new posts.
  1. LB45
    Holmes

    Insider Job?

    Since it was a targeted attack (sorry) on the in-store registers/scanners, it sounds like someone had access to a master controller server that updates all the stores' registers. Push down a bit of code, install code, run code. Probably sent a copy of the card info to an offsite storage location as each transaction took place.

    Of course I'm guessing since I'm not a talented security bod, but this doesn't strike me as the sort of casual scammer or anon attack vector. Until proven otherwise I'd say at the very least they were very familiar with the inner workings of the POS systems / software.

    For once I guess being dirt poor and unable to obtain credit / bank accounts pays off.

    1. phil dude
      Meh

      Re: Insider Job?

      That was some of the speculation I saw on /. from contributors who asserted they used to work there and gave a pretty detailed account of how it may be done. There was a suggestion that "inside job" was played down for "outside gang" (and police involvement), so that it doesn't cause a fear wave...

      I guess I should check my Target expenses, since I have definitely used Target in the last few weeks.....;-(

      Surely onetime pad payments can't be far off, without the need for a terminal, or needing card information?

      P.

      1. Destroy All Monsters Silver badge

        Re: Insider Job?

        It's called "cash", though with the "war on cash" by our administrative overlords (not averse to kicking in doors to verify 'provenance' if the sum reaches 4 digits), it has become a bit dangerous.

        1. raving angry loony

          Re: Insider Job?

          It's called "cash"

          Yeah, because those of us who lived/worked in Germany, Japan, or other cash centric cultures where you needed to hit up an ATM (that closed during "non business hours") just to buy a fucking pizza would be so happy to return to a system that requires us to carry large quantities of cash with us all the time.

          Rather than pushing for payment systems to actually implement resilient, reliable, secure payment options instead of the crap "cheap is good" bullshit they keep foisting on us.

          Why don't you just fuck off and die instead?

  2. Anonymous Coward
    Anonymous Coward

    lol, magstripes.

    In this day and age when to buy something online I'm supposed to need to have my card details, a second factor (CVV) from my card, my billing address and usually a completely independent password supplied directly to my bank it is absolutely laughable that US retailers still rely completely on magstripes and signatures for authentication. Magstripes, a fifty year old system designed to alleviate the labour burden of transcribing imprint details into paper banking systems.

    Fantastic demonstration of why this technology needs to be abandoned, and pronto. Even in the rest of the world using EMV chip and pin we're all still sporting extremely vulnerable magstripes to support the legacy. I'm amazed this kind of hack doesn't happen more often. Securing your online payments portal is obvious. Securing your 20+ year old payments terminals? Not so much.

    1. Anonymous Coward
      Anonymous Coward

      Re: lol, magstripes. @ AC Posted Thursday 19th December 2013 20:35 GMT

      Downvoted because you think that chip and pin are made for your protection. Wrong, they are made for protecting the merchant and the bank.

      With swipe and signature, if someone gets your card, not a problem, all transactions are cancelled. The merchants are out of pocket for the merchandise. Tough.

      But if someone somehow gets your card and your pin (spy camera, peek over the shoulder or whatever), you are on the hook. Just try to prove it wasn't you.

      1. Anonymous Coward
        Anonymous Coward

        Re: lol, magstripes. @ AC Posted Thursday 19th December 2013 20:35 GMT

        Actually the burden of proof is on the other foot. Banks are required to pay out as soon as they are able in all cases unless *they* have evidence the "fraud" is the fault of the user. That's why over 98% of such cases are covered in their entirety by the bank.

        But please, continue to downvote me and preach upon how chip and pin is nothing but a conspiracy for a bank to screw people out of money they're insured for anyway! Did I mention I have a tin foil stand over there?

        1. Anonymous Coward
          Anonymous Coward

          Re: lol, magstripes. @ AC Posted Thursday 19th December 2013 20:35 GMT

          The burden of proof may be on the bank by law in England, but not on this side of the pond. If they do the same here, I see no problem with chip and pin.

          In Canada we have had chip and pin since 2008 and I am not aware of any law that would force the bank to pay if someone is stealing my card and pin. I am not aware of any similar law in the States either, where we do most of our business.

          Did I mention some people make fulez out of themselves believing what works for them works for anyone in the world?

    2. kain preacher

      Re: lol, magstripes.

      Pssssssssst. The card readers at target does chip and pin.

      1. Number6

        Re: lol, magstripes.

        That's only useful if your bank has issued you with a chip and pin card.

        I just checked, unfortunately I bought something at Target in the dodgy window so I'll be one of those keeping an eye on things.

      2. Anonymous Coward
        Anonymous Coward

        Re: lol, magstripes.

        "Pssssssssst. The card readers at target does chip and pin."

        That's not really much use when all but a handful of the billion cards in use in the United States are still swipe-and-sign.

        The evidence is damning. Payment card fraud in the United States clocks in at $8.6bn per year. Payment card fraud in the EU clocks in at €1.5bn. Card skimming losses in particular (and this is, at the end of the day, a glorified skimming attack) have fallen about 50% since the rollout of EMV commenced. The vast majority of EU-impacting card fraud now takes place in the United States. European data is swiped and then used in the United States, with its far lower barriers to authenticate a transaction.

        EMV (coupled with "3D Secure" etc. for CNP transactions) is now considered to be so suitably secure by the ECB that their main objective - their most productive action - to reduce card fraud in the EU is to lobby the US to adopt the standard. They're not wrong, either.

  3. Anonymous Coward
    Anonymous Coward

    Please target (no pun) the CORRECT retailer

    Starbucks.

    Yes, please, Starbucks.

    Please target the usually too pompous, overpaying, so chic fashionistas who wantonly whip out their credit cards to pay for a five dollar / 4 Euro item.

    Because they are simply too important to actually have, gasp!, CASH on hand to pay for small items. Everything has to be charged so they get their frequent flyer miles...or, more simply, just be able to whip out that Gold card to that low paid barista.

    If they are willing to give their credit card companies just about every single detail of their lives - where they frequent, what they purchase there, when they visit their favorite lunch bars, what brand of chocolates they prefer - I don't see any reason why they can't share their information with needy others. Because even cybercrooks have to have their Bitcoin accounts topped off in time for Christmas shopping.

    1. Steven Raith

      Re: Please target (no pun) the CORRECT retailer

      I'd rather they use cards than pull out a wallet/purse and fish around for change TBH, for practically any retail situation.

    2. DainB Bronze badge

      Re: Please target (no pun) the CORRECT retailer

      Considering that tax is not advertised in price and added on checkout and the fact that i could not care less to remember state taxes across all states let alone calculate how much will be 6.85% of 3.57 dollars and do not want to deal with useless copper 1 cent coins afterwards paying by card is the only sensible way.

      1. Stevie

        Re: Please target (no pun) the CORRECT retailer

        Please punctuate if you want to be read. It is the only sensible way.

        And if you can't multiply 6.85 by three and a half and add a bit in your head for a quick guesstimate in Mr Head I'm not letting you loose with a hex/ASCII card and a low-level editor near any machines I'll be blamed for. (It comes to 25 cents in round numbers from Mr Brain in about eight seconds - but I haven't had my morning coffee yet).

        I'm ancient, lazy and addled from years of alcohol abuse, but even I can do that sort of arithmetic in the time it takes 'em to make the coffee.

        Fair disclosure: I don't drink at Starbux because I don't think coffee should taste like fermented battery acid. I have no problem with others doing so, and I have waited in line to buy gift cards for them that do.

        Tools used to figure the tax: Three and two times tables and the insight that percentages applied to dollar amounts sort themselves out.

  4. chris lively
    Holmes

    What does "crims had lifted data from the magstripes on victims' cards." even mean?

    You can't pull the data from the mag stripes of 40 million cards across 1800 stores. You pull it from the systems the reader communicates with. In other words the register or the back end systems it connects to.

    Inside job or not they are obfuscating the hell out of this.

  5. Hud Dunlap
    FAIL

    Target pushes debit cards

    The usual x% off if you get one of our debit cards. This probably means the PIN was slurped too. At least with a credit card you can challenge a purchase and don't have to pay until it is resolved. My crystal ball says a lot of people will have empty bank accounts for Christmas. I know too many people that this has happened to even without something like this.

    1. Anonymous Coward
      Anonymous Coward

      Re: Target pushes debit cards

      You can challenge a debit transaction as well. If you live in NY and transactions from WA start showing up, your bank will believe you, especially if you used your card before and after those suspect transactions. If you made a purchase in NY at 2PM and a crook used it in WA within a few hours, the chance of you hopping on a plane just to make a transaction that you will dispute is far fetched.

  6. MarkSitkowski

    Magstripes? Passwords? You're kidding, right?

    You may think that we, Down Under, wear hats with corks on them, but that kind of scam can't happen here.

    Picture the scene:

    • A skimmer on the ATM records your name and PIN code

    • Your ATM card is stolen, on the back of which you have written your PIN number.

    • Together with this, they stole the piece of paper on which you wrote your online banking User ID and password.

    • To make things worse, a spy camera watched your last access.

    • A keylogger also recorded each keystroke

    • So did a network snooper

    Guess what? The thieves still can't access your cash.

    There's a tolerably good description of a fraudproof authentication system at www.designsim.com.au/What_Is_SteelPlatez.ppsx, which I would recommend to Target, and all of your banks, wringing their little hands each time their ATMs get hacked.

    Get into the 21st Century....

    1. Stevie

      Re: Magstripes? Passwords? You're kidding, right?

      You might have taken a second or two between swigs of Fosters to point out that your link points to a registration required website, you shorts-and-hobnail-boot-wearing boomerang merchant.

      1. MarkSitkowski

        Re: Magstripes? Passwords? You're kidding, right?

        At least, we consider ourselves to be computer-literate.

        Let me explain how copy'n'paste works:

        1. Highlight the link

        2. On a Billyware box, right click and select 'Copy'. On a decent computer, do nothing else.

        3. Point the mouse at the address bar, and right click, then select 'Paste' - or press the middle mouse button

        4. Optionally, hit the Return key.

        Lo! A document is downloaded to you. Ain't high-tech fun...?

        Alternatively, if you go to the website, look at the panel at the left side of the registration page, you'll find a thing saying 'Walkthrough', which gets you a page with another link, which you just need to click (no need for the above complications).

        If you're feeling really brave, try the 'Fraudproof ATM' link.

  7. TheFatMan

    "Guests"

    "Guests" (Customers)

    Seriously.

    How about diverting your attention away from bullshit policies of what to call people and upgrade your security?

    Makes me laugh that some people won't shop on the internet because they are worried about security – been saying for years you're more at risk in over-the-counter transactions

    1. Anonymous Coward
      Anonymous Coward

      Re: "Guests"

      "Makes me laugh ...."

      Does it really make you laugh? Out loud?

  8. Grumpy Fellow
    Headmaster

    Just to clarify

    Please be aware that those of us who shop at Target regularly pronounce the g as a voiced palato-alveolar sibilant.

  9. Mark 85
    WTF?

    Pffftttttt

    The day after this news broke, the checkers were still asking if you'd like to save 5% by having a store debit card (the Red Card). When I pointed out that they had been hacked, all was denial and some BS about how secure everything is. The assistant manager standing there, echoed about how secure everything was even though he admitted to knowing that they had been hacked.

    I know they don't want to scare off custom..er... guests, but this is very scary thinking on their part.

  10. OldWarrior

    Let the banks pay for my Shopping post Target Charge

    Actually in the US, your liability on Credit Cards is limited to $50, and zero after you report it; but on a debit card you are on the hook for your entire bank balance. I never use a Debit Card for anything. If you only used Credit cards, it's up to the issuer to catch fraudulent charges. It would be worth the $50 to me to not report it and let the Hacks hit my bank for all they can on my CC, while I dispute every transaction after my Target charge and make the Bank or Visa prove me wrong. Chances are good that they can't without a thumbprint verifier.

    Sadly, I didn't shop at Tgt.

  11. Rick Giles
    Linux

    It is easy

    for me to laugh at all the suppositions in the comments, but I won't.

    When I first heard about it, I was ready to jump on the "This Is Why You Don't Use Microsoft Windows In a Critical Business Function" bandwagon, but I decided to get the facts and I'm glad I did.

    One of my friends is a former Target corporate employee who still knows people in the organization, and without going into detail let's just say you always need to upgrade your crap. Still having a legacy system built before the internet and wi-fi is a no-no.

    With that being said, I still think "You Don't Use Microsoft Windows In a Critical Business Function" but I know you are all gluttons for punishment.
