amuck-landowner

Target confirms leak of 40mil CC data

drmike

100% Tier-1 Gogent
The Target breach at last check was north of 100 million accounts snagged.

Reason again to move to cash and anonymous prepaid cash-and-carry style cards.
 

tchen

New Member
Except your prepaid cash card can be drained with no recourse, while the CC is locked and refunded by the issuing bank (at least in instances like this).

Privacy issues matter of course.  But you of all people know how easy it is to dig up address and name information these days :)  Nobody is an identity-virgin.
 

dano

New Member
Cash is so much easier to use, and I don't have to worry about anything happening after, as the sale is done, closed. I was taken for about 3k in 2008-2009, and since I hate filling out police reports to get my money back, I decided that cash was the only way to go. Since then, I have not had a single issue, as I only have to watch for a few transactions a month, versus hundreds when auditing a credit/debit card account.
 

wlanboy

Content Contributer
If you order something from another country you have one single option: Credit Card.

It is secure because I am able to get my money back.

So Paypal is not an option for me.

I would use bitcoins if the exchange rate would cool down to a level like $ to €.
 

kaniini

Beware the bunny-rabbit!
Verified Provider
Well, that is not 100% true really.  Chip-and-PIN transactions have the capability of being a push system very easily... the transaction can be initiated at the POS terminal.

The problem with magstripe is that there's no proof of authenticity, so it pretty much has to be a pull system.
 

peterw

New Member
That is not true for credit cards in the EU. It is a pain to pay something online.

Everything has to match. Even the telephone number. After the CVV you have to enter an online password on a Visa popup too. If one piece of information does not equal the stored information, the transaction is declined.
 

tchen

New Member
The distinction that matters between bitcoin, cash, cheques, direct deposits, and CC is in how settlement is conducted - not the form of conveyance.
 

joepie91

New Member
> That is not true for credit cards in the EU. It is a pain to pay something online.
>
> Everything has to match. Even the telephone number. After the CVV you have to enter a online password on a Visa popup too. One information not equals to stored information and the transaction is declined.
That would be a typical example of making something a pain for users, while barely adding any additional security.
 

drmike

100% Tier-1 Gogent
> Privacy issues matter of course.  But you of all people know how easy it is to dig up address and name information these days  :)
I do?   I need to let my mom know I am good at something (other than being a jerkoff).
 

wlanboy

Content Contributer
> Well, that is not 100% true really.  Chip-and-PIN transactions have the capability of being push very easily... the transaction can be initiated at the POS terminal.
>
> The problem with magstripe is that there's no proof of authenticity, so it pretty much has to be a pull system.

Yup, the magnetic stripe of the credit card is outdated and risky.

But paying compensation is cheaper than rebuilding the system in a safe way.
 

tchen

New Member
> Yup the magnetic stripe of the credit card is outdated and risky.
>
> But paying compensations is cheaper than rebuilding the system in a safe way.

Canada's field testing the chip-and-pin :)  There's a whole slew of liability shifts that are involved from customers to merchants to banks.  But that said, the CVV2 code serves more or less the same purpose.  That code isn't embedded in the magnetic stripe and any authorization that's done against it requires card-in-hand.

It falls on the merchant to use the most appropriate level of authentication.  Your merchant agreement in part also spells out whether you have to do card-in-hand.  The problem is that not all merchants run at that level (and thus take the fraud risks and pay more for their merchant account).  For a card to remain convenient and usable at those merchant levels, chip-and-pin cards still fall back to mag stripe or are allowed to be verified against such things as just address.  The liability shifts to the merchant as expected.  I'm not convinced the pin-and-chip system is any stronger simply because it needs the fallback.

The pin system is only slightly more secure than the CVV2 just because it takes a new level of stupidity to post your PIN than it does your CVV2 in plain-text somewhere insecure.  Granted, lost and physically stolen cards are also easier to deal with.  MITM attacks however are still the same.
 

Francisco

Company Lube
Verified Provider
So what came of this all?

Did they find the attack vector?

I'm assuming this was more to hurt Target than it was to just steal CC's.

I know a family member of one of our staffers had their card cut up because of this.

Francisco
 

tchen

New Member
> So what came of this all?
>
> Did they find the attack vector?
>
> I'm assuming this was more to hurt Target than it was to just steal CC's.
>
> I know a family member of one of our staffers had their card cut up because of this.
>
> Francisco

The official investigation's still ongoing.  Although from various accounts they say a vendor credential was compromised, then it went laterally within the network to the point of sale system.  A control/exfiltration server was also installed within the network so it's likely they managed to get some numbers out.

sources: 

http://online.wsj.com/news/articles/SB10001424052702303973704579350722480135220?mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052702303973704579350722480135220.html

http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/
 

tchen

New Member
I actually missed the bit where there was a dump of 2million CCs offered for sale*... so um... yes - they were exfiltrated successfully.  Rough indeed.

The sad part was:

> Anyone hoping that this retail breach disclosure madness will end sometime soon should stop holding their breath: In a private industry notification dated January 17 (PDF), the FBI warned that the basic code used in the point-of-sale malware has been seen by the FBI in cases dating back to at least 2011, and that these attacks are likely to continue for some time to come.

* the analysts verified with some banks that those cards were indeed used at Target during those dates.
 

joepie91

New Member
> The pin system is only slightly more secure than the CVV2 just because it takes a new level of stupidity to post your PIN than it does your CVV2 in plain-text somewhere insecure.  Granted, lost and physically stolen cards are also easier to deal with.  MITM attacks however are still the same.

There are actually a few notable differences (assuming it works the same as the Dutch chip + pin system):

  • Your 'secret key' (CVV2 for a credit card, PIN for a chip card) is never transmitted to a third party that is not a bank. You would, for example, never enter your PIN on an e-commerce site (the Dutch system works through a 'random reader' kind of deal; you are redirected to the payment gateway for your bank, use the keyfob-like random reader along with your card and PIN to get a unique session key, and enter that disposable session key instead).
  • Your PIN is not printed/embossed on your card. This means that if somebody physically steals your card, they still cannot do anything with it. This also disarms the putty-under-the-counter trick that is (was?) popular with credit cards.
  • If you suspect your PIN of being compromised, it can be changed.
Overall, a PIN works much more like a password than a CVV2 does. It retains most of the classic issues with passwords, but gets rid of all the security issues that are unique to CVV2s.
 

tchen

New Member
> There are actually a few notable differences (assuming it works the same as the Dutch chip + pin system):
>
>   • Your 'secret key' (CVV2 for a credit card, PIN for a chip card) is never transmitted to a third party that is not a bank. You would, for example, never enter your PIN on an e-commerce site (the Dutch system works through a 'random reader' kind of deal; you are redirected to the payment gateway for your bank, use the keyfob-like random reader along with your card and PIN to get a unique session key, and enter that disposable session key instead).
>   • Your PIN is not printed/embossed on your card. This means that if somebody physically steals your card, they still cannot do anything with it. This also disarms the putty-under-the-counter trick that is (was?) popular with credit cards.
>   • If you suspect your PIN of being compromised, it can be changed.
>
> Overall, a PIN works much more like a password than a CVV2 does. It retains most of the classic issues with passwords, but gets rid of all the security issues that are unique to CVV2s.

Regarding PIN on card and resettability it's the same.  The CVV2 for us though falls under the card network guidelines. 

* CVV2s can be transmitted to a third party but PCI compliance dictates that it never touches ground and is only used during auth on the card network. PINs are only direct hardware POS accessible.  eCommerce falls back to CVV2 or whatever auth level you're prescribed as a merchant.  Consumers typically aren't provided a fob or any 2-factor device for online transactions.

For online, there's a separate voluntary Verified by Visa or Mastercard SecureCode that tackles some of the same issues as the fob - namely replay attacks.  It's still vulnerable to compromised end-user workstations though.
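The contrast the thread keeps circling back to (joepie91's description of the Dutch "random reader" giving a disposable session key, and tchen's point that the fob-style schemes mainly address replay) comes down to one-time challenge-response versus a static value. The following is an added example, not code from this thread or from any bank's actual protocol: it is a deliberately simplified model, not the real EMV CAP scheme the Dutch readers use. The names `Bank`, `Card`, `reader_response` and the 8-digit code format are assumptions for the simulation. It shows why a captured one-time code is useless on a second attempt while a captured CVV2 is good every time.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Card:
    """Simulated chip card (hypothetical model, not a real EMV card)."""
    card_id: str
    chip_key: bytes   # secret inside the chip; only the chip and the bank know it
    pin_hash: bytes   # the chip checks the PIN locally before it will sign anything
    cvv2: str         # static value printed on the back, reusable by anyone who sees it


def _hash_pin(pin: str) -> bytes:
    # Plain SHA-256 is enough for the simulation; a real chip stores the PIN in
    # tamper-resistant hardware rather than as a hash.
    return hashlib.sha256(pin.encode()).digest()


def _one_time_code(chip_key: bytes, challenge: str) -> str:
    # The chip MACs the bank's challenge; the first 4 bytes are shown as 8 digits
    # so a person can type them into a web form.
    mac = hmac.new(chip_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def reader_response(card: Card, pin: str, challenge: str):
    """Simulated hand-held reader: wrong PIN means the chip never produces a code."""
    if not hmac.compare_digest(card.pin_hash, _hash_pin(pin)):
        return None
    return _one_time_code(card.chip_key, challenge)


class Bank:
    """Simulated issuer: holds a copy of each chip key and tracks open challenges."""

    def __init__(self):
        self._cards = {}
        self._open_challenges = {}   # card_id -> set of not-yet-consumed challenges

    def issue_card(self, card_id: str, pin: str) -> Card:
        card = Card(card_id, secrets.token_bytes(32), _hash_pin(pin),
                    cvv2=f"{secrets.randbelow(1000):03d}")
        self._cards[card_id] = card       # bank keeps the key material it personalised
        self._open_challenges[card_id] = set()
        return card

    def new_challenge(self, card_id: str) -> str:
        """Fresh 8-digit challenge the payment gateway displays to the customer."""
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._open_challenges[card_id].add(challenge)
        return challenge

    def verify_response(self, card_id: str, challenge: str, code: str) -> bool:
        """Accept a code once; an unknown or already-used challenge is a replay."""
        open_set = self._open_challenges.get(card_id)
        if open_set is None or challenge not in open_set:
            return False
        open_set.discard(challenge)       # consumed on first use, pass or fail
        expected = _one_time_code(self._cards[card_id].chip_key, challenge)
        return hmac.compare_digest(expected, code)

    def verify_cvv2(self, card_id: str, cvv2: str) -> bool:
        """Static check: nothing here can tell a replay from the legitimate first use."""
        return hmac.compare_digest(self._cards[card_id].cvv2, cvv2)


def demo() -> dict:
    """Run both flows once and report which attempts the bank accepted."""
    bank = Bank()
    card = bank.issue_card("card-1", pin="1234")
    challenge = bank.new_challenge("card-1")
    code = reader_response(card, "1234", challenge)   # what the customer types in
    return {
        "wrong_pin_gives_code": reader_response(card, "0000", challenge) is not None,
        "one_time_first_use": bank.verify_response("card-1", challenge, code),
        "one_time_replay": bank.verify_response("card-1", challenge, code),
        "cvv2_first_use": bank.verify_cvv2("card-1", card.cvv2),
        "cvv2_replay": bank.verify_cvv2("card-1", card.cvv2),
    }


if __name__ == "__main__":
    for outcome, accepted in demo().items():
        print(f"{outcome:22s} accepted={accepted}")
```

The two `verify_*` methods are the whole point: the challenge set makes the bank stateful, so a code seen once by a compromised workstation or a phishing page is worthless afterwards, whereas the CVV2 path has no state to consult and accepts the same three digits indefinitely, which is exactly the property the thread complains about.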
 