Target says hackers likely accessed 40 million cards


Guest LilBambi
The statement from the retailer Thursday follows reports that thieves had accessed data stored on the magnetic stripe on the back of credit and debit cards during the Black Friday weekend through card swiping machines that could have been tampered with at the retailer's stores, a practice known as card skimming.

V.T. Eric Layton

Modern technology has its weaknesses, it seems.

 

I didn't do any shopping at Target. Actually, I probably haven't even walked into a Target since sometime around 1998, I think. Not that I have anything against Target. It's just that Kmart, Walmart, Family Dollar, and Dollar General are all more conveniently located to me. :)


Isn't that a simplistic response? Sure there are software holes, but these sites are not being hacked all using the same method. They are exploiting various methods and holes, some known, some unknown.

 

Adam


Guest LilBambi

From the article:

The statement from the retailer Thursday follows reports that thieves had accessed data stored on the magnetic stripe on the back of credit and debit cards during the Black Friday weekend through card swiping machines that could have been tampered with at the retailer's stores, a practice known as card skimming.

The data could have been used to create counterfeit cards that could even be used to withdraw money at an ATM, according to the reports.

The card information that may have been compromised includes the name of the customer, credit or debit card number, the card's expiration date and the three-digit CVV security code, Target said in a note to customers. Shoppers at its online store Target.com or at physical stores outside the U.S. were not affected, it added.

 

Edited by LilBambi

Putting enough skimmers out there to capture 40 million cards? I find that at least improbable.

 

http://www.reuters.com/article/2013/12/19/us-target-breach-idUSBRE9BH1GX20131219

 

Investigators are still trying to understand how the attack was carried out, including whether hackers found a weakness at Target's own computer network or through credit card services vendors. It was not immediately clear what percent of the transactions at its brick and mortar stores had been compromised but the company said its online business had not been affected.

 

http://bits.blogs.nytimes.com/2013/12/18/target-looking-into-security-breach/

 

Point-of-sale systems have become a major target for cybercriminals in recent years. To pull it off, security experts said a company insider could have inserted malware into a company machine, or persuaded an unsuspecting employee to click on a malicious link that downloaded malware that gives cybercriminals a foothold into a company’s point-of-sale systems.

Good that fraudulent charges are covered under the cardholder's agreement... :)

 

It's a hassle to get a new card, but better than having to pay several hundred dollars for something that is not your fault.

 

Adam


Good that fraudulent charges are covered under the cardholder's agreement... :)

 

It's a hassle to get a new card, but better than having to pay several hundred dollars for something that is not your fault.

 

Adam

On Credit Cards, yes you're protected. On Debit Cards, not necessarily in most cases!


  • 2 months later...

Target Missed Alarms in Epic Hack of Credit Card Data - Businessweek

 

It’s a measure of how common these crimes have become, and how conventional the hackers’ approach in this case, that Target was prepared for such an attack. Six months earlier the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye (FEYE), whose customers also include the CIA and the Pentagon. Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.

 

On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route. As they uploaded exfiltration malware to move stolen credit card numbers—first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …

 

Nothing happened.

 

More at the source.


#1: I still find it pathetic that POS attached to the world wide web

#2: no explanation as to why the automatic cut off routines were disabled, i.e.: what was the cost of a false positive?

#3: Who decided not to respond in any way, shape, manner or form to the alerts?


 

#3: Who decided not to respond in any way, shape, manner or form to the alerts?

 

No one knows as they were all asleep at the time. :fish:


I was thinking slow moving bureaucratic wheels in this case. Also, I bet they have many network incidents that have to be dealt with, and the "powers that be" must deliberate on whether it is something they should publicly disclose or not. I bet those discussions/arguments took place a few days after the breach was discovered.

 

Adam


I was thinking slow moving bureaucratic wheels in this case.

Seems the manager of security operations had resigned in Oct and hadn't yet been replaced when this mess occurred. Still, you'd think someone else would have had the authority to take action on those alerts from FireEye.
