# Target confirms leak of 40mil CC data



## wlanboy (Dec 19, 2013)

Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores.



> Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores. Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue.
> 
> Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013.
> 
> Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts.  Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.


A phone call from my sister just raised my attention to this.

Why does no company care about PCI DSS?


----------



## MannDude (Dec 19, 2013)

Yikes! Shows that even the big boys can be *target*ed (har). At least they're working with law enforcement and their financial institutions to get it resolved.

I really like Target, I wish I had one around here.

So did your sister get her CC# stolen or..?


----------



## SkylarM (Dec 19, 2013)

At least Target notifies their customers. Unlike some VPS companies I shall not name....


----------



## nunim (Dec 19, 2013)

wlanboy said:


> Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores.
> 
> A phone call from my sister just raised my attention to this.
> 
> Why does no company care about PCI DSS?


For once I'm glad to live in Canada, we just got Target, and I've been doing quite a bit of holiday shopping there.


----------



## wlanboy (Dec 19, 2013)

MannDude said:


> So did your sister get her CC# stolen or..?


Maybe. She was informed that the bank will send her a new card for security reasons.

After some small talk and asking, the name Target was dropped.


----------



## Damian (Dec 19, 2013)

My bank cancelled and issued me a new card today because of this.


----------



## WebSearchingPro (Dec 19, 2013)

wlanboy said:


> Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores.
> 
> A phone call from my sister just raised my attention to this.
> 
> Why does no company care about PCI DSS?


PCI DSS compliance does not mean hacker proof.


----------



## drmike (Dec 19, 2013)

SkylarM said:


> At least Target notifies their customers. Unlike some VPS companies I shall not name....


Give me some downtime and I'll notify the customers of said VPS companies. Right at Christmas time too.

Ho ho ho!


----------



## drmike (Dec 19, 2013)

They figure it out after exposing 40 million accounts?  Too little and too late.

Unsure why they were storing the motherlode in one big pile to be picked at like that. 

Glad I don't partake in Target.  Looks like they just made a huge percentage of the US population potential victims.


----------



## SrsX (Dec 19, 2013)

I suspect that the database is floating around somewhere, I'll see if I can dig it up.


----------



## tchen (Dec 19, 2013)

wlanboy said:


> Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores.
> 
> A phone call from my sister just raised my attention to this.
> 
> Why does no company care about PCI DSS?


PCI DSS compliance only covers best-practices, but won't stop stupidity.

It seems track data was stolen over the course of a few weeks, suggesting a snooper was installed on the point of sale network.


----------



## tchen (Dec 19, 2013)

SrsX said:


> I suspect that the database is floating around somewhere, I'll see if I can dig it up.


Please don't post it here.  This isn't HF.


----------



## vRozenSch00n (Dec 19, 2013)

tchen said:


> PCI DSS compliance only covers best-practices, but won't stop stupidity.
> 
> It seems track data was stolen over the course of a few weeks, suggesting a snooper was installed on the point of sale network.


In my country a skimmer and blank magnetic cards can be easily bought in computer spare parts shops.


----------



## wlanboy (Dec 19, 2013)

tchen said:


> PCI DSS compliance only covers best-practices, but won't stop stupidity.
> 
> It seems track data was stolen over the course of a few weeks, suggesting a snooper was installed on the point of sale network.


But it would help a lot:



Short snippet from the link:



> There are no indications at this time that the breach affected customers who shopped at Target’s online stores.
> 
> The type of *data stolen* — also known as “*track data*” — *allows crooks to create counterfeit cards* by encoding the information onto any card with a magnetic stripe.
> 
> If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.


----------



## trewq (Dec 20, 2013)

"I thought we told you not to use these servers for torrents."


But seriously it's a shame this has happened.


----------



## peterw (Dec 20, 2013)

tchen said:


> It seems track data was stolen over the course of a few weeks, suggesting a snooper was installed on the point of sale network.


All around the states?



drmike said:


> Unsure why they were storing the motherlode in one big pile to be picked at like that.


Me too.


----------



## drmike (Dec 20, 2013)

SrsX said:


> I suspect that the database is floating around somewhere, I'll see if I can dig it up.



Yeah no posting it here... it won't fit in the post form


----------



## tchen (Dec 20, 2013)

wlanboy said:


> But it would help alot:


The PCI-DSS requirements don't address POS equipment other than the cursory 'change the default passwords' and some generic network security/filtering requirements 1-2 meant to contain any breaches on the system level.  Requirement 3 (which the screenshot refers to) controls only the long term storage of partial track data - either in a database or log.

P.S. Target has to be third-party DSS audited yearly given they're a Level 1 merchant.



peterw said:


> All around the states?


Reports so far say yes.  Or at the very least it's regional.


----------



## wlanboy (Jan 12, 2014)

Next one:



> Responding to inquiries about a possible data breach involving
> customer credit and debit card information, upscale retailer
> *Neiman Marcus* acknowledged today that it is working with
> the *U.S. Secret Service* to investigate a hacker break-in that
> has exposed an unknown number of customer cards.





> Neiman Marcus spokesperson *Ginger Reeder* said the company
> does not yet know the cause, size or duration of the breach, noting
> that these are details being sought by a third-party forensics firm
> which has yet to complete its investigation. But she said there is
> ...


----------



## peterw (Jan 27, 2014)

Another retailer:



> Multiple sources in the banking industry say they are tracking a pattern of
> fraud on cards that were all recently used at *Michaels Stores Inc.*, an Irving,
> Texas-based arts-and-crafts retailer that maintains more than 1,250 stores across the United States.


----------



## drmike (Jan 27, 2014)

The Target breach at last check was north of 100 million accounts snagged.

Reason again to move to cash and anonymous prepaid cash and carry style cards.


----------



## tchen (Jan 27, 2014)

Except your prepaid cash card can be drained with no recourse, while the CC is locked and refunded by the issuing bank (at least in instances like this)  

Privacy issues matter of course.  But you of all people know how easy it is to dig up address and name information these days. Nobody is an identity-virgin.


----------



## dano (Jan 27, 2014)

Cash is so much easier to use, and I don't have to worry about anything happening after, as the sale is done, closed. I was taken for about 3k in 2008-2009, and since I hate filling out police reports to get my money back, I decided that cash was the only way to go. Since then, I have not had a single issue, as I only have to watch for a few transactions a month, versus hundreds when auditing a credit/debit card account.


----------



## wlanboy (Jan 27, 2014)

If you order something from another country you have one single option: Credit Card.

It is secure because I am able to get my money back.

So Paypal is not an option for me.

I would use bitcoins if the exchange rate would cool down to the level of $ to €.


----------



## maounique (Jan 27, 2014)

You can still pay to the bank account. Taxes are higher, though, at least outside EU.


----------



## joepie91 (Jan 28, 2014)




----------



## kaniini (Jan 28, 2014)

joepie91 said:


>


Well, that is not 100% true really.  Chip-and-PIN transactions have the capability of being push-based very easily... the transaction can be initiated at the POS terminal.

The problem with magstripe is that there's no proof of authenticity, so it pretty much _has_ to be a pull system.


----------



## peterw (Jan 28, 2014)

That is not true for credit cards in the EU. It is a pain to pay something online.

Everything has to match. Even the telephone number. After the CVV you have to enter an online password on a Visa popup too. If one piece of information does not equal the stored information, the transaction is declined.


----------



## tchen (Jan 28, 2014)

The distinction that matters between bitcoin, cash, cheques, direct deposits, and CC is in how settlement is conducted - not the form of conveyance.


----------



## joepie91 (Jan 28, 2014)

peterw said:


> That is not true for credit cards in the EU. It is a pain to pay something online.
> 
> Everything has to match. Even the telephone number. After the CVV you have to enter a online password on a Visa popup too. One information not equals to stored information and the transaction is declined.


That would be a typical example of making something a pain for users, while barely adding any additional security.


----------



## drmike (Jan 29, 2014)

tchen said:


> Privacy issues matter of course.  But you of all people know how easy it is to dig up address and name information these days


I do?   I need to let my mom know I am good at something (other than being a jerkoff).


----------



## wlanboy (Jan 30, 2014)

kaniini said:


> Well, that is not 100% true really.  Chip-and-PIN transactions have the capability of being push very easily... the transaction can be initiated at the POS terminal.
> 
> The problem with magstripe is that there's no proof of authenticity, so it pretty much _has_ to be a pull system.


Yup, the magnetic stripe of the credit card is outdated and risky.

But paying compensation is cheaper than rebuilding the system in a safe way.


----------



## tchen (Jan 30, 2014)

wlanboy said:


> Yup the magnetic stripe of the credit card is outdated and risky.
> 
> But paying compensations is cheaper than rebuilding the system in a safe way.


Canada's field testing the chip-and-pin. There's a whole slew of liability shifts that are involved from customers to merchants to banks.  But that said, the CVV2 code serves more or less the same purpose.  That code isn't embedded in the magnetic stripe and any authorization that's done against it requires card-in-hand.

It falls on the merchant to use the most appropriate level of authentication.  Your merchant agreement in part also spells out whether you have to do card-in-hand.  The problem is that not all merchants run at that level (and thus take the fraud risks and pay more for their merchant account).  For a card to remain convenient and usable at those merchant levels, chip-and-pin cards still fall back to mag stripe or are allowed to be verified against such things as just address.  The liability shifts to the merchant as expected.  I'm not convinced the pin-and-chip system is any stronger simply because it needs the fallback.

The pin system is only slightly more secure than the CVV2 just because it takes a new level of stupidity to post your PIN than it does your CVV2 in plain-text somewhere insecure.  Granted, lost and physically stolen cards are also easier to deal with.  MITM attacks however are still the same.


----------



## Francisco (Jan 30, 2014)

So what came of this all?

Did they find the attack vector?

I'm assuming this was more to hurt Target than it was to just steal CC's.

I know a family member of one of our staffers had their card cut up because of this.

Francisco


----------



## tchen (Jan 30, 2014)

Francisco said:


> So what came of this all?
> 
> 
> Did they find the attack vector?
> ...


The official investigation's still ongoing.  Although from various accounts they say a vendor credential was compromised, then it went laterally within the network to the point of sale system.  A control/exfiltration server was also installed within the network so it's likely they managed to get some numbers out.

sources: 

http://online.wsj.com/news/articles/SB10001424052702303973704579350722480135220?mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052702303973704579350722480135220.html

http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/


----------



## Francisco (Jan 30, 2014)

That's rough.

Francisco


----------



## tchen (Jan 30, 2014)

I actually missed the bit where there was a dump of 2 million CCs offered for sale*... so um... yes - they were exfiltrated successfully.  Rough indeed.

The sad part was 



> Anyone hoping that this retail breach disclosure madness will end sometime soon should stop holding their breath: In a private industry notification dated January 17 (PDF), the FBI warned that the basic code used in the point-of-sale malware has been seen by the FBI in cases dating back to at least 2011, and that these attacks are likely to continue for some time to come.


* the analysts verified with some banks that those cards were indeed used at Target during those dates.


----------



## joepie91 (Jan 31, 2014)

tchen said:


> The pin system is only slightly more secure than the CVV2 just because it takes a new level of stupidity to post your PIN than it does your CVV2 in plain-text somewhere insecure.  Granted, lost and physically stolen cards are also easier to deal with.  MITM attacks however are still the same.


There are actually a few notable differences (assuming it works the same as the Dutch chip + pin system):


* Your 'secret key' (CVV2 for a credit card, PIN for a chip card) is never transmitted to a third party that is not a bank. You would, for example, never enter your PIN on an e-commerce site (the Dutch system works through a 'random reader' kind of deal; you are redirected to the payment gateway for your bank, use the keyfob-like random reader along with your card and PIN to get a unique session key, and enter that disposable session key instead).
* Your PIN is not printed/embossed on your card. This means that if somebody physically steals your card, they still cannot do anything with it. This also disarms the putty-under-the-counter trick that is (was?) popular with credit cards.
* If you suspect your PIN of being compromised, it can be changed.

Overall, a PIN works much more like a password than a CVV2 does. It retains most of the classic issues with passwords, but gets rid of all the security issues that are unique to CVV2s.


----------



## tchen (Jan 31, 2014)

joepie91 said:


> There are actually a few notable differences (assuming it works the same as the Dutch chip + pin system):
> 
> 
> Your 'secret key' (CVV2 for a credit card, PIN for a chip card) is never transmitted to a third party that is not a bank. You would, for example, never enter your PIN on an e-commerce site (the Dutch system works through a 'random reader' kind of deal; you are redirected to the payment gateway for your bank, use the keyfob-like random reader along with your card and PIN to get a unique session key, and enter that disposable session key instead).
> ...


Regarding PIN on card and resettability it's the same.  The CVV2 for us though falls under the card network guidelines.

* CVV2s can be transmitted to a third party but PCI compliance dictates that it never touches ground and is only used during auth on the card network. PINs are only direct hardware POS accessible.  eCommerce falls back to CVV2 or whatever auth level you're prescribed as a merchant.  Consumers typically aren't provided a fob or any 2-factor device for online transactions.

For online, there's a separate voluntary Verified by Visa or Mastercard SecureCode that tackles some of the same issues as the fob - namely replay attacks.  It's still vulnerable to compromised end-user workstations though.
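As an added example (not code from anyone in this thread), the distinction tchen draws twice above, that Requirement 3 permits storing a truncated PAN but track data and CVV2 must never touch ground, can be checked mechanically over POS and gateway logs. The log lines below are constructed, the PAN is the standard 4111... test number, and the `SAMPLE_LOG`, regex and function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample POS/gateway log lines (not real data); the PAN is the standard test number.
SAMPLE_LOG = [
    "2013-12-02 10:41:03 POS-17 auth ok pan=4111111111111111 amount=42.17",
    "2013-12-02 10:41:03 POS-17 debug track2=;4111111111111111=25121015432109876543?",
    "2013-12-02 10:41:04 POS-17 debug track1=%B4111111111111111^DOE/JANE^2512101000000000?",
    "2013-12-02 10:41:05 GW-3 ecom auth pan=4111111111111111 cvv2=123 zip=55403",
    "2013-12-02 10:41:06 POS-17 order=1234567890123 sku=98765 status=ok",
]

TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]*\^[^?]*\?")   # ISO 7813 track 1 layout
TRACK2_RE = re.compile(r";\d{13,19}=\d[^?]*\?")            # ISO 7813 track 2 layout
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)=\d{3,4}")    # card verification value fields
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")             # bare 13-19 digit run

def luhn_ok(digits):
    """Luhn check so that order ids and other long numbers are not mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan):
    """Requirement 3.3-style truncation: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def sanitize_line(line):
    """Return (clean_line, findings): track data and CVV2 are dropped entirely, a bare PAN is truncated."""
    findings = []
    def drop_track(_m):
        findings.append("track-data")
        return "[TRACK-DATA-REMOVED]"
    def drop_cvv(m):
        findings.append("cvv2")
        return m.group(1) + "=[REMOVED]"
    def mask(m):
        if not luhn_ok(m.group(0)):
            return m.group(0)
        findings.append("pan")
        return mask_pan(m.group(0))
    line = TRACK2_RE.sub(drop_track, TRACK1_RE.sub(drop_track, line))  # tracks first: whole record goes
    line = CVV_RE.sub(drop_cvv, line)
    return PAN_RE.sub(mask, line), findings

def audit_log(lines):
    """Count what the sanitizer found across the log, e.g. Counter({'pan': 2, 'track-data': 2, 'cvv2': 1})."""
    return Counter(kind for raw in lines for kind in sanitize_line(raw)[1])
```

Any non-zero "track-data" or "cvv2" count is a Requirement 3 violation on its own, independent of whether the PAN was masked.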


----------

