... and that's why I stick to the folding stuff.
When ZOMBIES go shopping: 40m Target customer breach? That's NOTHING!
Malware linked to fraud in the retail sector may be a bigger problem than even the recent revelation about the compromise of systems US retailer Target suggests. Shopping giant Target and luxury retailer Neiman Marcus both announced significant data breaches during the 2013 holiday shopping season. The Target breach at least …
Thursday 23rd January 2014 12:43 GMT Irongut
Re: Security through oblivion?
Hell even in a technical business and as an IT person I know that my bosses think I'm some kind of paranoid survivalist whackjob because I point out our many security failures. No one listens because they think it will never happen to them. I look forward to the day it does.
Thursday 23rd January 2014 17:26 GMT BillG
Re: Security through oblivion?
Because anyone who brings up security issues inside a non-technical business is at best branded a "troublemaker", and quite likely to be fired for "hacking" the systems.
Totally, completely, 100% correct. Plus, the IT guy that uncovers the security hole will only be able to talk to, at best, two levels of management above him. And those managers want to stay silent out of fear that they will be blamed by top management for the flaw.
IT Guy: "We have a huge security hole"
Manager: "Have we been hacked? No? Then shut the f**k up"
Fast-forward a year later and they are hacked by the same flaw. IT Guy is asked to submit a WRITTEN analysis of the flaw (he will not be allowed in face-to-face meetings) that will only be seen by his two levels of management, who will take credit for "discovering" the flaw. "We need you to cooperate and only work on the fix, don't tell anyone else" he's told. "We will reward you later", they lie.
Thursday 23rd January 2014 12:38 GMT Pascal Monett
Re: 40 MEELLION? Now that, is incredibly hard to believe
No it isn't. Every family unit needs to shop for food at least once a week. The latest census states that US population has hit 315 million.
Even if only one in ten of those 315 million people go shopping, that's 31.5 million cards right there.
Now, if what you're saying is that you find it hard to believe that 40 million high-rate cards were lifted, I tend to agree with you. But 40 million bank details? That's easy to believe.
What I find difficult to believe is that they didn't get more.
Thursday 23rd January 2014 17:46 GMT Tom 13
Re: How many???
Not misinformation per se and certainly not for the advertisers.
If it is overstated, it is only as much as is necessary to protect them legally. Let's say you think the bad guys only got 70% of the terminals in a store. Do you report only the 70%, or the whole store? If you report only 70% and it turns out they got 72%, you really are on the hook for disseminating misinformation.
And other posters are correct, most people here use multiple credit cards. Right now I have two debit cards, and three credit cards that I can think of in my wallet. Theoretically I have another two at home on accounts I'm working to pay off because I misused them in the past. The accounts are in good standing, but I don't actively use them.
Thursday 23rd January 2014 11:33 GMT frank ly
Have I got this right?
Why do Target (and others, I assume) have to store the card details on their system at all? I thought that the CC transaction was authorised by the CC issuer company, via the POS link, and then given a unique ID that pointed to a record on the CC company's servers. After that, the retailer has no need to keep a record of the customer's CC number, just the authority ID in case of future queries/refunds/etc.
Thursday 23rd January 2014 12:43 GMT phil dude
Re: Have I got this right?
In the same vein, is there a reason we even need a number that can be copied?
Surely a system where you enter the pin on YOUR card to give a code for them is possible? Not unlike those things banks use, but a nice one...
It would certainly make store theft harder, though I would not advocate it for ATMs as it makes you a target...
P.
Thursday 23rd January 2014 22:02 GMT Mark 65
Re: Have I got this right?
"If the POS terminal at the register was hacked, you're hosed no matter what. Card details and PIN, the bad guy has them."
Which is why, in most other countries, the card hardware is separate from the POS terminal and is a closed system. It gets passed the amount and passes back information on verification. If the POS terminal is hosed then who cares?
Thursday 23rd January 2014 17:52 GMT Tom 13
Re: Have I got this right?
I don't think the malware was attacking the data storage. Remember, the reports say they also got people's PINs (needed for debit cards). Retailers might store CC info for the transaction in case the buyer disputes the purchase*, but they'd never have call to store the PIN.
*If the buyer disputes you need to be able to find a signed copy of their receipt or the CC company sides with the buyer. That means you'll want the CC number (probably by last 4 digits), the day of the sale, and the register where the transaction was recorded. Then you find the cashier and the right storage box to pull the receipt. Electronic records aren't usually enough. Online transactions will of course differ.
Thursday 23rd January 2014 23:39 GMT MarkSitkowski
Re: Have I got this right?
The short answer is - they don't. Why would you need to tell the CC company your card details? They already know them. What they actually need to do is prove you are you. If they installed a system to do that, there would be no records worth stealing on the retailer's systems.
Too easy, man..
Friday 24th January 2014 10:11 GMT Anonymous Coward
Re: Have I got this right?
No you haven't.
As I have done PED replacement programs for some of the largest retailers, I actually know how POS systems work.
The PED reader will send to the TILL (which is basically a PC) any information asked of it.
So if the POS terminal is "hosed" it will have your details, inc. card number. In most systems it is the POS software that then encrypts the transfer of information back to the payment system.
In most major retailers the PED/POS do not talk directly to the credit card system. They talk to a payment gateway in the retailers environment.
The basic flow is: PED reads card, sends info to POS, POS creates charge record which contains card number, details and amount, POS sends info to payment gateway, payment gateway sends to correct bank (acquirer). (There can be one acquirer for all cards (Visa, Amex, MasterCard) or multiple acquirers if you get better interchange rates.)
Obviously there are lots of other stages such as authorisation, anti fraud, etc but that is the basic flow.
The only true solution is if the PED device encrypts the card details on itself and only the encrypted information is seen by the POS. Very few systems do this. I only know of one major high street retailer in the UK that does this (because I architected the solution) and, speaking to the PED providers and payment software suppliers, they know of few that do this.
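The two flows this post contrasts, as an added example rather than any poster's or retailer's code: in the legacy flow the PED hands the PAN to the POS in clear and a RAM-scraping process on the till (simulated here as a digit-run regex over the POS's charge record) finds it, while under PED-side encryption the POS only ever holds ciphertext plus the last four digits frank ly and Tom 13 mention for dispute lookup. The cipher (AES-256-GCM), the key being injected into the PED and shared only with the payment gateway, and the PAN value are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"regexp"
)
type Charge struct { // what the POS ("till") builds and forwards to the retailer's payment gateway
	PANField    string // plaintext PAN (legacy flow) or base64 of the PED's ciphertext (P2PE flow)
	Last4       string // in clear in both flows: needed for receipt/dispute lookup
	AmountPence int
}
// pedAEAD stands in for an AES-256-GCM key injected into the PED and shared only with the gateway
// (an assumption of this example; the POS never holds it). A fresh 32-byte key cannot fail setup.
var pedAEAD = func() cipher.AEAD {
	key := make([]byte, 32)
	rand.Read(key)
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}()
// LegacyCharge: the PED hands the PAN to the POS in clear and the POS embeds it in the record.
func LegacyCharge(pan string, amountPence int) Charge {
	return Charge{PANField: pan, Last4: pan[len(pan)-4:], AmountPence: amountPence}
}
// P2PECharge: the PED seals the PAN (nonce prepended) before it leaves the reader; the POS only ever
// handles ciphertext plus the last four digits.
func P2PECharge(pan string, amountPence int) Charge {
	nonce := make([]byte, pedAEAD.NonceSize())
	rand.Read(nonce)
	ct := pedAEAD.Seal(nonce, nonce, []byte(pan), []byte("PAN"))
	return Charge{PANField: base64.StdEncoding.EncodeToString(ct), Last4: pan[len(pan)-4:], AmountPence: amountPence}
}
// GatewayRecoverPAN is the gateway side: only it holds the PED key, so only it can recover the PAN.
func GatewayRecoverPAN(c Charge) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(c.PANField)
	if n := pedAEAD.NonceSize(); err == nil && len(ct) >= n {
		pt, err := pedAEAD.Open(nil, ct[:n], ct[n:], []byte("PAN"))
		return string(pt), err
	}
	return "", fmt.Errorf("malformed ciphertext")
}
// ScrapePOSMemory mimics what RAM-scraping malware on the till hunts for: 13-19 digit runs in
// whatever the POS process holds. Under P2PE the PAN is simply never there to be found.
var panPattern = regexp.MustCompile(`[0-9]{13,19}`)
func ScrapePOSMemory(c Charge) []string {
	return panPattern.FindAllString(fmt.Sprintf("%+v", c), -1)
}
```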
Thursday 23rd January 2014 15:58 GMT steve 124
all ex CCCP countries... hmmm
Has no one noticed that the majority of these attacks are coming from Russia or old Soviet bloc countries? (Of course, China too, but at least they are government sponsored so they aren't looking to run up CC bills.)
I think it's time we, as a planet, agree that if you can't play nice you can't be part of our interwebs. I added all the old Soviet country subnets to my firewall block list (at home and work) several years ago and my life is better because of it. I urge everyone to do the same. Just block everything from those criminal countries and we can just pretend they don't exist!
I can think of a few African countries that need to be included too (yes I'm looking at you Nigeria).
BTW, there is no sarcasm in this post, I really do this and I really believe this. Follow me into a brighter internet experience, block class A subnets. You'll feel better. :)
Friday 24th January 2014 16:35 GMT steve 124
Re: I work for a major retailer.
Wow man that's scary. Sure wish you'd let us know which one. Regardless, I'm planning on using only cash after May 1st at brick and mortar stores. We started migrating to w7 over 2 months ago and will probably just barely make the cut off date.
BTW, jackofshadows, you're right and unfortunately it won't stop botnets controlled by those countries (and p2p traffic). But just imagine if it was implemented at an ISP level. That would be amazing. Our security issues and spam would all but dry up. It'd be easy to just put a loopback DNS entry for those subnets in the internet root DNS servers. A guy can dream, can't he? :)
Sunday 26th January 2014 16:04 GMT Dropper
Re: I work for a major retailer.
"But just imagine if it was implemented on an ISP level."
The movie and recording industries would probably be the place to start.. they seem to have more than their fair share of clout when it comes to deciding all things internet. Shouldn't be too hard of a sell either, after all these are countries where copyright, patents and intellectual property are considered (to paraphrase) guidelines rather than rules.