1.1 MILLION customers' credit card data was swiped in Neiman Marcus breach US luxury retailer Neiman Marcus has confirmed that details from 1.1 million customers' cards were stolen in a recently detected high-profile breach. Card details were lifted after hackers successfully planted malware on payment systems over a period that ran between 18 July and 30 October last year, far earlier than …
It looks like Easy Solutions don't really understand that much about what chip and pin is and what it isn't.
They seem to go with the "the magstripe can still be cloned even with a chip and pin card" shocker as well as misunderstanding the role of the PED and POS device and where data is and isn't encrypted.
Simply hides fraud and allows the bank to claim the user was at fault.
Also the STUPID bank POS doesn't ask Bank if PIN is correct, but asks card! You can make a fake card that simply replies "yes" for ANY PIN.
Also in Chip & PIN countries the criminals are installing fake readers (in one case actually IN a bank!). As the article points out the issue isn't really Chip & PIN but compromised POS systems, vulnerable Web servers (In Ireland & UK, credit card numbers and rear code pinched from a "reward loyalty card" system that should never have had ANY such information). and even Back Office systems (The Remaindered Stock Retailer).
Fraud is endemic and the Banks admit as little as possible. It's mostly due to incompetently designed systems. People Errors. Computer Error? No Rubbish outsourced systems. Management Errors!
What ? You guyz do not have chip & PIN - wow, amazing !
Of course, chip and pin do not alleviate the problem completely, they just make it that little harder for the villans and should have been made compulsory back in the 80's. Every time I am in the US, I always fear for my card details, I know I can only trust ATM's inside banks and even then.... I always hide the keyboard when I type ... my bank does call me when something fishy happens ... somebody tried to use my "card" to buy $800 dollars worth of clothes in Dallas, when I was in the UK at the time ... canceled card etc - nice when you are abroad.
The other problem being wide-spread use of Windows-based POS software. It would help a lot if you had different OS' out there - the guyz would first have to find out which OS ... with Windows they know the barn door is wide open and tools are readily available. They should probably use openBSD or QNX, but hell, what do you think natural born window cleaners know about IT.
All the POS devices are running windows XP and they likely aren't being patched or maintained.
You see the same thing all over the place. I remember doing work for a metal shop who had a virus box somewhere on the network.
Turned out it was the automated C&C machine, which was running XP SP 0 and according to the manufacturer could in no way be patched updated or even have AV loaded on it.
It got put on it's own little isolated DMZ in a very short order.
You are going to see more and more of these hacks, as XP gets older and older and POS providers drag their feet with the replacements.
I wouldn't necessarily tag it to only the POS providers. There's a fair bit of corporate foot dragging that goes with it, and it becomes a viciously re-enforcing process. A buddy of mine did fast food, learned the POS system, then went to work for the POS vendor. They were constantly looking at new systems and deployments, but customers (the actual POS users) only moved so fast.
But yeah, it's gonna keep getting worse.
"Security researchers at Cisco have published a blog on detecting future payment card compromises and shortening the remediation window for such attacks"
The solution is not to use Windows on ATMs. The original software required a visit from two technicians that required entry of two unique serial numbers from a handheld device. Neither of the technicians had access to the numbers and as such hacking the devices was next to impossible.
@AC: "Linux is no panacea, given it's from them we got the term "pwning" and "rooting" as euphemisms for privilege escalation."
I don't think anyone argues that "Linux is a panacea", but you are utterly wrong about its relation to "pwning" and "rooting". The former apparently derives from adjacency of "p" and "o" on English keyboards. The latter is an Android term not related to security at all (you can argue that rooting an Android device is "privilege escalation", but it is not "hostile privilege escalation" that the context implies).
Sad thing is, a large percentage of the idiots who shop at Needless Markups probably don't actually check their bill, line by line. They just mindlessly pay it.
The crack (not hack![1]) that keeps on giving ...
Corporate America really needs to place the corporate dick back into the corporate pants, and get the corporate security in hand instead.
[1] Lack of knowledge of the difference between "hack" and "crack" is a major symptom of the problem, world-wide. I'm eyeballing you, too, ElReg, but thank you for not using either term in the article.
"For example, we used to use "anachronism" to describe something from the past which hangs on despite its obvious lack of purpose."
That word, anachronism, I don't think it means what you think it means. 1950s computer technology still runs most of today's governmental & banking systems ... You do know what COBOL and Fortran are, don't you?
"Today we just use "jake"
Who is "we", kemosabe? Methinks you are seriously confuzled. I'm not that famous. Except maybe in your eyes, perhaps.
The first four digits are used to identify the card industry and issuer. The rest - typically 12 digits - are the card number and checksum digit. So there are somewhere in the region of 99 billion numbers available to each card provider.
Ad because I use it very rarely, it's quite easy to make a shortlist of companies that have the number - and neither Target or N-M are on that list. It's annoying as it's the second time it's happened in less than a year, but I suppose eventually the costs will add up for the banks and the retailers for them to get their heads out of their asses and fast track Chip and Pin in the US so we can catch up with the rest of the world. It will mean I can actually use my card overseas again as fewer and fewer places outside the US even allow pay by swipe any more (even Canada and Mexico have adopted C&P).
As it is, though, most of the cost and annoyance of card swiping and stealing is born by the customer - I had to call and cancel my card, I have to monitor for additional fake charges, I have to update and notify accounts that have my details, etc etc etc.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
