
A few security Lessons from the Target breach



Guest LilBambi

A few security lessons from the Target Breach by Susan Bradley, WindowsSecrets.com

 

"The Target breach points out some facts of life on the Web: We’re all targets (pun intended) of cyber thieves.

 

Fortunately, there are steps we can take to protect ourselves. Here’s how to protect yourself from the next big breach.

 

I am a target. I shop online, I shop in large department stores, and I regularly use credit and debit cards. Shopping at large stores that process thousands of sales daily makes me even more of a target, because my transaction information (name, account number, etc.) gets combined with that of all other shoppers. And I became a potential victim when I shopped at Target this past Christmas shopping season.

 

These days, every time I swipe my credit card on a point-of-sale system, I think to myself: “Is this vendor doing all they can to keep me safe?” Retail companies believe they are; claiming that by following the Payment Card Industry (PCI) standards, they’re doing all they can to keep customer credit-card information safe. But I’m not convinced — especially in the U.S. European credit cards are considered more difficult to hack because they use an onboard security chip rather than the magnetic stripe common on U.S. cards."

 

This is so true! The article covers some great topics regarding malware designed to attack retail point-of-sale systems: "When fishing, go for the biggest catch" and "Ways to help protect yourself from POS attacks."

 

I thought it was a must read. I also thought this article from Wired.com was also a must read:

 

Target Got Hacked Hard in 2005. Here’s Why They Let It Happen Again by Kim Zetter – Wired Threat Level


"A gang of shadowy hackers tears through the systems of big-box retailers, making off with millions of credit and debit card numbers in a matter of weeks and generating headlines around the country.

Target and Neiman Marcus last week? Nope. This oh-so-familiar attack occurred in 2005.

That’s when Albert Gonzalez and cohorts – including two Russian accomplices — launched a three-year digital rampage through the networks of Target, TJ Maxx, and about half a dozen other companies, absconding with data for more than 120 million credit and debit card accounts. Gonzalez and other members of his team eventually were caught; he’s serving two concurrent sentences for his role, amounting to 20 years and a day in prison, but the big-box breaches go on.

The latest string of hacks attacking Target, Neiman Marcus, and others raise an obvious question: How is it that nearly a decade after the Gonzalez gang pulled off its heists, little has changed in the protection of bank card data?"

 

Oh, and just in case you have forgotten them all (I did!), here is a list of all the others:


"Target got off easy in the first breach: A spokeswoman told Reuters an “extremely limited” number of payment card numbers were stolen from the company by Gonzalez and his gang.
The other companies weren’t as lucky: TJX, Hannaford Brothers grocery chain, the Dave & Busters restaurant chain, Office Max, 7-Eleven, BJ’s Wholesale Club, Barnes & Noble, JC Penney, and, most severely, Heartland Payment Systems, were hit hard."

 

BOLD emphasis mine.

 

Again, much more in the article, including the sections "What the Target Thieves Got," "Inherent Flaws In the System," and the most telling section, "Retailers Oppose Tougher Standards."

And as if that wasn’t bad enough, on January 25th, Michaels too:

 

Sources: Card Breach at Michaels Stores by Brian Krebs – KrebsOnSecurity.com


"Multiple sources in the banking industry say they are tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc., an Irving, Texas-based arts-and-crafts retailer that maintains more than 1,250 stores across the United States.

Update 1:34 p.m. ET: The U.S. Secret Service confirmed that it is investigating a potential data breach at Michaels. Also, Michaels has just issued a statement stating that it “recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.”"

 

I think Gartner’s analyst Avivah Litan’s quote in the January 17 2014 Wired Threat Level article noted above was spot on:


“It’s a big failure of the whole industry,” says Gartner analyst Avivah Litan. “This is going to keep getting worse, and this was totally predictable a few years ago and no one did anything. Everyone got worked up, and no one did anything.”

 

Often these days, I will get cash from the bank and use that instead of the card if I plan on visiting any retailers that have been a part of a security breach, which sadly leaves few you can actually feel comfortable using your credit/debit cards online and off.

 

I wonder how many others will do the same rather than chance the annoyance, the fear of loss of your hard earned money, the frustration of being without a card while it’s replaced when they disable the current one that’s compromised in a security breach or is used in a fraudulent transaction after a breach (even if it’s limited to $50 or whatever, that’s really not much help for the anxiety it puts people through), and finally of course dealing with the aftermath of your information being at large and the potential of someone using that information to impersonate you…believe me, a 6 month or 12 month credit monitoring does not help that much, or help you sleep at night knowing all that information being out there could be used to do as more and more of your information is made available through these breaches.

 

If retailers and credit/debit card companies want our ‘faith’ in them, and have us get the warm fuzzies regarding them being responsible enough to be trusted with other people’s money, they need to do what’s needed to get that faith back. Period.

 

And skimping on it like they did in 2005 won’t cut it, nor will the PCI compliance standards and the blame game. Something really needs to be done about this. People need to feel comfortable using credit/debit cards or they (credit/debit cards) will go the way of the dodo.

 

Fix the problem, not the blame.*

 

* Thanks to the movie, Rising Sun for the quote.

 

BTW: Might want to check out the Privacy Rights Clearinghouse and their page on data breaches since 2005. There have been quite a few more than just those noted in this posting!

 

EDIT 1-26-2014 8:508PM: @SecurityGarden posted the following and linked to this article; Exclusive: FBI warns retailers to expect more credit card breaches – Reuters:


@SecurityGarden Status regarding expanding on this posting on the security breaches

 

===

 

How are you dealing with these issues? Does this stuff bother you? Are you concerned someone will steal your credit or debit cards, or even your identity?

 

We have talked about some of this in other topics but wanted to pull some of this together in one place. I have this topic on Fran's Computer Services Blog.

 

I saw another article up on Reddit that deals with that a bit: How I lost my $50,000 Twitter Account - TheNextWeb:


"PayPal and GoDaddy Facilitated The Attack

 

I asked the attacker how my GoDaddy account was compromised and received this response:

 

From: SOCIAL MEDIA KING

To: Naoki Hiroshima

Date: Mon, 20 Jan 2014 19:53:52 -0800

Subject: RE: …hello

 

- I called paypal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling paypal and asking the agent to add a note to your account to not release any details via phone)

 

- I called godaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case) I have not found a way to heighten godaddy account security, however if you’d like me to recommend a more secure registrar i recommend: NameCheap or eNom (not network solutions but enom.com)

 

It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification."


The entire article is very scary.

Edited by LilBambi

V.T. Eric Layton

Well, in all honesty, I don't worry too much about fraudulent activities on my credit cards because my liability is /dev/null with all of them. By Federal law, I'm only liable for at most $50 from any fraudulent use of my cards. Furthermore, these days, most card providers (all of mine, actually) are ZERO liability accounts. Meaning that fraudulent usage of my credit card numbers would never cost me anything monetarily.

 

Debit cards are another story, though. I have a debit card, but NEVER use it to make purchases anywhere. I've only ever used it at my credit union's ATM machine; and then very rarely.

 

Also, as far as Internet shopping goes; while I do have numerous credit cards, I only expose ONE of them to the Internet... my PayPal Mastercard. That's it. None of my other VISA, MC, Discover or other cards have ever been used to purchase anything online.

 

I also have email alerts and phone alerts set up with all my card providers. If any unusual charges occur at any time, the card company's fraud departments contact me immediately. As a matter of fact, this became a funny annoyance when I used to ride my motorcycle. If I would go on a long day trip across the state or into neighboring GA or AL, I might have to stop two or three times for gas in a short time span. This is always a RED FLAG for credit card companies: the use of a credit card to buy small amounts of gasoline, cigs, sodas, etc. at convenience stores over a period of a few hours. By the third or fourth stop, my credit card was usually locked. It required me calling the fraud dept. from wherever I was to release the card for use again by identifying myself and giving them my password. Oh, all my credit card accounts are locked by password. No information is given out or changes made without that password.

 

Don't forget to pull your credit reports once a year, too. It's free to do so. You can check to see that all is well.

 

So, that's how I handle my credit cards. I don't shop at Target, either. ;) I do shop at a Hannaford Bros owned grocery chain (SweetBay) here in Tampa. I received notice from them that there had been a breach in their system a few months back. I've used numerous of my credit cards there over the years, so quite a few may have been exposed. I haven't had any issues with this yet, though. :)

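Eric's road-trip story above describes an issuer-side velocity rule: several small fuel or convenience-store purchases on one card within a few hours trip a fraud alert and the card is locked until the cardholder calls in. The block below is an added example written for this thread, not code from the forum or from any card issuer, showing one such rule run over constructed authorization records. The card tokens, merchant categories, and the six-hour window and three-purchase threshold are assumed values; the travel-notice allowlist is one way an issuer can avoid the false positive Eric ran into.

```python
"""Velocity check over card authorizations (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorizations: (card token, ISO timestamp, merchant category, amount in USD).
# tok_A is a cardholder refuelling along a day trip; tok_B shops normally; tok_C buys fuel daily.
SAMPLE_AUTHS = [
    ("tok_A", "2014-01-25T08:05:00", "FUEL", 12.40),
    ("tok_A", "2014-01-25T10:20:00", "CONVENIENCE", 6.75),
    ("tok_A", "2014-01-25T12:10:00", "FUEL", 11.90),
    ("tok_A", "2014-01-25T13:30:00", "FUEL", 13.10),
    ("tok_B", "2014-01-25T09:00:00", "GROCERY", 84.20),
    ("tok_B", "2014-01-25T18:45:00", "FUEL", 40.00),
    ("tok_C", "2014-01-25T07:00:00", "FUEL", 9.00),
    ("tok_C", "2014-01-26T07:00:00", "FUEL", 9.50),
    ("tok_C", "2014-01-27T07:00:00", "FUEL", 8.75),
]

SMALL_TICKET = 25.00                 # assumed "small purchase" ceiling in USD
WATCHED = {"FUEL", "CONVENIENCE"}    # assumed merchant categories the rule watches


def velocity_alerts(auths, window=timedelta(hours=6), threshold=3, travel_notice=frozenset()):
    """Return {card: timestamp of the authorization that tripped the rule}.

    A card trips the rule when `threshold` or more small-ticket purchases in
    watched categories fall inside any sliding window of length `window`.
    Cards in `travel_notice` (cardholder told the issuer they are travelling)
    are skipped, which is the mitigation for the road-trip false positive.
    """
    by_card = defaultdict(list)
    for card, ts, category, amount in auths:
        if card in travel_notice:
            continue
        if category in WATCHED and amount <= SMALL_TICKET:
            by_card[card].append(datetime.fromisoformat(ts))

    alerts = {}
    for card, times in by_card.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for i, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if i - start + 1 >= threshold:
                alerts[card] = t.isoformat()
                break
    return alerts


if __name__ == "__main__":
    for card, when in velocity_alerts(SAMPLE_AUTHS).items():
        print(f"ALERT card={card} tripped at {when}")
    print("with travel notice for tok_A:", velocity_alerts(SAMPLE_AUTHS, travel_notice={"tok_A"}))
```

On the constructed data only tok_A trips the rule (at its third small purchase inside six hours); tok_B's purchases are either outside the watched categories or above the small-ticket ceiling, and tok_C's daily fuel stops never share a window. Registering a travel notice for tok_A clears the alert, which is the same outcome as the phone call Eric describes, just without the locked card.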

And all the stuff Eric has set up can be done by any person.

 

In the end, it falls to the cardholder to keep an eye on the account. Online access makes that a simple thing to do.

 

Adam


Guest LilBambi

None of that helps when something like the Target breaches happens, or other breaches mentioned happen, and your data, including but not limited to your card number, etc., gets out there and can make stealing someone's identity so much easier.

 

I understand what you both are saying. I fully understand that and I watch my cards like everyone else with half a brain, but that will not prevent someone from using the data gotten in one or more data breaches.

 

They are building databases out there; from all these breaches. More and more data gets compiled on users as time goes on and more and more breaches happen.

 

Just something to be aware of. And even credit monitoring will not prevent identity theft using data that is out there to get new cards, buy a house or car, etc. etc.


How do we stop the breaches? I don't think we can at this point.

 

Identity theft is something that is becoming more mainstream. As such, the authorities are taking it much more seriously than they had in the past. Having your card number stolen is not a big deal anymore. Many times, the bank calls you and lets you know it happened. When it happens (not if), the old card gets shut down, and you get a new card right away.

 

Sure, that guy who had his @N twitter handle stolen is an extreme case. It was not caused by hacking, but social engineering.

 

What can we do at this point? Good, strong passwords are a must, and not using the same password on different sites is important. I like Eric's suggestion to use one card for online only. That might be smart for many folks.

 

Other than that, http://www.annualcreditreport.com is an important place to look to get a glance at your credit history and make sure nothing is there that shouldn't be. You get one free report from each of the big three bureaus each year.

 

In the end, I try not to stress about these breaches. They are inevitable, and the best thing I could do would be to take reasonable steps to protect myself. :)

 

Adam


Guest LilBambi

Much true there, as in Eric's posting. It may not be good to stress over it, but it is extremely important to know it is a possibility and mitigate it as much as you can, however that might be for you, so as not to have to stress about it. Each person is different and has to handle these things as they see fit, of course. And my answer may not be yours, and yours may not be Eric's, and Eric's may not be someone else's, but we do all need to be aware and deal with it as best we can.

 

We can't afford to not be aware, regardless.


I was not particularly shocked by the Target breach. It was more of a "Huh... I wonder if I will get some credit monitoring out of it?" kind of response. I could probably go for quite a while with little interruption from the credit monitoring offered as a result of these breaches. In most cases, it is credit cards or user/password breaches. I don't have the stats, but that's the way it feels to me.

 

When stuff like this comes up, the folks I interact with on a daily basis may ask about it. I usually tell them the same thing- keep up on monitoring your accounts, check your credit at AnnualCreditReport.com, and change the password, if affected.

 

Adam


V.T. Eric Layton

Once we get that mark-of-the-beast on our palms or foreheads, we won't need plastic cards, cash, or checks. We can purchase anything anywhere by just waving our hand or forehead over the scanner. No one can steal your mark unless they have your head or hand. ;)

 

“He causes all, both small and great, rich and poor, free and slave, to receive a mark on their right hand or on their foreheads, and that no one may buy or sell except one who has the mark or the name of the beast, or the number of his name.” Revelation 13:16-17 :ohmy:

 

Be the first on your block to get the GOOGLE Debit Chip Implant. :yes:

 

Don't laugh... http://www.creditcards.com/credit-card-news/rfid-chips-convenient-but-creepy-1273.php


I am shuddering to think of the security implications. What if your tag is skimmed somehow? Replacement is easy- just implant a new one!

 

Adam


V.T. Eric Layton

Not me. My financial situation was much better at the time I was born. There were no worries about diapers or milk or a warm crib back then. Nowadays, those are constant worries. :(


Guest LilBambi

Awesome, Liz! I have that link near the bottom of my blog posting (first posting in this thread) .. I have been watching Privacy Clearinghouse since they started. Great site! And that list is something else.


Can anyone say, "It's about darn time we caught up with the rest of the world!"

 

October 2015: The End of the Swipe-and-Sign Credit Card - Corporate Intelligence - WSJ

 

Beginning later next year, you will stop signing those credit card receipts. Instead, you will insert your card into a slot and enter a PIN number, just like people do in much of the rest of the world. The U.S. is the last major market to still use the old-fashioned signature system, and it’s a big reason why almost half the world’s credit card fraud happens in America, despite the country being home to about a quarter of all credit card transactions.

V.T. Eric Layton

But... But... I can easily remember my signature. I'd have a hard time remembering the PINs for all my VISA, MC, Discover, dept store cards, and gas cards. :(
