Security Vendors Self-Censor Target Breach Details

Posted by samzenpus
from the what-security-breach? dept.
angry tapir writes "At least three security companies have scrubbed information related to Target from the Web, highlighting the ongoing sensitivity around one of the largest-ever data breaches. How hackers broke into Target and installed malware on point-of-sale terminals that harvested up to 40 million payment card details is extremely sensitive. Now, details that give insight into the attack are being hastily removed or redacted by security companies."

  • by Anonymous Coward on Wednesday January 22, 2014 @10:01PM (#46042321)
    is that it was an inside job. Basically, Target offshored the work, and now they are trying to figure out who released this virus. Getting India to cooperate is hard to do.
  • by c0lo (1497653) on Wednesday January 22, 2014 @10:02PM (#46042331)

    Target just couldn't (and can't) handle this FULL-STOP

    My guess: the fix is expensive to apply, it will take some time and Target hopes that not-everybody-and-their-dog will know they are still vulnerable.
    Because otherwise nobody would buy anything from Target on card any more - which would be quite wise for the potential customers but disastrous for Target.
    I think it is understandable; when it comes to survival, the "better your mama mourn you than mine" applies. So hush... "jobs are at risk", "share market may crash" and what-not will keep hax0rs happy for a while.

  • by Anonymous Coward on Wednesday January 22, 2014 @10:54PM (#46042565)

    Well, this seems worse: I did an online order with store pickup at Target yesterday, and their Id "requirement" for pickup included scanning some kind of QR/barcode off the back of my driver's license! I could not figure out at first why the clerk was wanting me to take the card out of my wallet see-through holder when most clerks just glance at it for my birth date for buying booze (keep asking for the senior citizen discount, but it's never the right day...), or just to see that my name matches that on a CC, but before I understood what he was doing, he held the back up to his register screen. So now I need to call the DMV to ask just how much PII I just let Target dump into their leaky DB to hand out to the hackers.

    Although the cat is likely out of the bag, there will be no more of those online/in-store pickup deals with those bozos!

  • by mjwx (966435) on Thursday January 23, 2014 @01:21AM (#46043211)

    Who in hell thought it was a good idea to use a system where a single piece of information, consisting of just a few bytes, gives someone a blank check to my bank account? There are innumerable ways to concoct something more secure than this, especially these days when computing power (to do encryption) is ubiquitous. Such methods are of course not bulletproof, but they're a hell of a lot better than a guy with a pair of binoculars stealing credit card numbers, or what happened at Target.

    That was the old security system; they've made it even worse since adding NFC. They don't even need access to your card to get enough information to use it without your knowledge or permission. There's even an app for it for any Android phone with NFC:
    https://play.google.com/store/apps/details?id=com.samj.CardTest&hl=en

    NFC on phones has no range due to low power, but NFC has a max range of 5 metres, so it's just a matter of building the right antenna. Even though you won't get the max range of 5 metres, even a radius of 1 metre is enough in a crowded shop.

    Also, anyone who believes the bank will simply absorb the cost of the fraud instead of passing it onto you and merchants who'll just pass it back to you (banks are likely to use the merchants, who don't have a choice but to suck up additional fees and look like the bad guy raising prices), well, I have a bridge to sell you.

  • by AlphaWolf_HK (692722) on Thursday January 23, 2014 @05:04AM (#46044023)

    Even if you take every security precaution imaginable, you still remain with a system that can be broken into. I think the idea that you can hold companies criminally liable is a stupid one (and am glad they don't do it) much in the same way that it would be stupid to hold a bank criminally liable in the event of an armed heist.

    That said, I think the problem isn't that our systems aren't secure enough, rather the problem is that the way we identify and authenticate is now inadequate.

    Let's take credit cards for example: All the person needs to obtain is the numbers written on it, and they can buy things in your name. Unfortunately that means each time you make a purchase with that card, you are handing it over to somebody who can abuse it. We have the technology to avoid this, so why don't we? Something like this would be great:

    Make the credit card number be a public key, and the private key is contained ONLY in the card itself using ISO 7816. The bank doesn't even have the private key, only the card itself does. If you want to make a purchase, the merchant generates a random 128-bit number and asks your card to sign it. If it signs it, it has proven its identity, and the merchant can go ahead and bill that card. No internet communication is necessary, so the business can still operate even in the event of a network outage.

    If the card is stolen, it can be reported and the merchant can see that it's stolen so long as they have network connectivity. Keep existing laws so that the consumer is only liable for up to $50 (most banks already waive that to zero.) Require the merchant to retain the original 128-bit number as well as the signed response to verify that the merchant actually saw the real card and can prove that they didn't fraudulently bill a customer. The card itself stores each 128-bit number and doesn't ever sign the same number twice. If the same 128-bit number happens to be generated twice (this borders upon a statistical impossibility, by the way) then the card is to interpret that as a hack attempt and zero out its private key.

    Now if the merchant's database is compromised, all the attacker has gained is the public key. They can't sign messages with that, so the information is useless. If another merchant tries to bill based on having a stolen 128-bit number, signed result, and public key, then they'll be caught as being linked to the conspiracy so fast that it'll make their head spin off of its shoulders.

    There, you've just defeated about 99.99% of the credit card fraud out there; no more posts spammed to your favorite web boards of people offering to sell credit cards because that information is now useless. All that remains is somebody physically stealing your card and buying gas with it, which could be prevented in 90% of the cases with a PIN system.

    Online purchases could easily be done with a $10 USB smart card reader. Add NFC support and your existing smartphone could be the reader.

    Set up a similar scheme with social security numbers (the SSA issues smart cards instead,) and identity theft would only exist in stories you tell to your grandkids.
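The challenge-response scheme sketched in the comment above, as an added example that is not part of the original thread or anyone's product. It models the three parties the commenter describes: a card that holds the only copy of its private key and refuses to sign a nonce twice (zeroing the key on a repeat), a merchant that generates a random 128-bit nonce, checks the signature offline and keeps nonce, signature and public key as its receipt, and a bank that rejects a receipt presented for settlement a second time. Ed25519 from Go's standard library stands in for the ISO 7816 card signature, and the `Card`, `Merchant`-side `Charge`, `Bank` and `Receipt` names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Card models the chip: the private key exists only here, and the card
// remembers every nonce it has ever signed.
type Card struct {
	pub  ed25519.PublicKey  // the "card number" given to merchants
	priv ed25519.PrivateKey // never leaves the card; nil once zeroed
	seen map[[16]byte]bool  // nonces already signed
}

func NewCard() (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{pub: pub, priv: priv, seen: map[[16]byte]bool{}}, nil
}

// Number is the public key the card hands to a merchant.
func (c *Card) Number() ed25519.PublicKey { return c.pub }

// Disabled reports whether the card has zeroed its own key.
func (c *Card) Disabled() bool { return c.priv == nil }

// Sign signs a 128-bit nonce. A nonce seen before is treated as an attack
// (a replay of a stolen receipt), so the key is wiped and the card dies.
func (c *Card) Sign(nonce [16]byte) ([]byte, error) {
	if c.priv == nil {
		return nil, errors.New("card disabled")
	}
	if c.seen[nonce] {
		for i := range c.priv {
			c.priv[i] = 0 // overwrite key material before dropping it
		}
		c.priv = nil
		return nil, errors.New("repeated nonce: private key zeroed")
	}
	c.seen[nonce] = true
	return ed25519.Sign(c.priv, nonce[:]), nil
}

// Receipt is what the merchant retains to prove it saw the real card.
type Receipt struct {
	Nonce [16]byte
	Sig   []byte
	Pub   ed25519.PublicKey
}

// VerifyReceipt is the offline check: only the card's private key could
// have produced Sig over Nonce, so the public key alone is useless to a thief.
func VerifyReceipt(r Receipt) bool {
	return len(r.Pub) == ed25519.PublicKeySize && ed25519.Verify(r.Pub, r.Nonce[:], r.Sig)
}

// Charge is the merchant side: fresh random nonce, ask the card to sign,
// verify with no network access, and keep the receipt.
func Charge(card *Card) (Receipt, error) {
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return Receipt{}, err
	}
	sig, err := card.Sign(nonce)
	if err != nil {
		return Receipt{}, err
	}
	r := Receipt{Nonce: nonce, Sig: sig, Pub: card.Number()}
	if !VerifyReceipt(r) {
		return Receipt{}, errors.New("signature check failed")
	}
	return r, nil
}

// Bank settles receipts and flags the same (card, nonce) pair billed twice,
// which is how a merchant reusing a stolen receipt gets caught.
type Bank struct{ settled map[string]bool }

func NewBank() *Bank { return &Bank{settled: map[string]bool{}} }

func (b *Bank) Settle(r Receipt) error {
	if !VerifyReceipt(r) {
		return errors.New("invalid receipt")
	}
	key := string(r.Pub) + string(r.Nonce[:])
	if b.settled[key] {
		return errors.New("nonce already settled: duplicate billing")
	}
	b.settled[key] = true
	return nil
}

func main() {
	card, _ := NewCard()
	bank := NewBank()
	r, _ := Charge(card)
	fmt.Println("first settlement:", bank.Settle(r))  // <nil>
	fmt.Println("second settlement:", bank.Settle(r)) // duplicate billing
	_, err := card.Sign(r.Nonce)                       // replay against the card
	fmt.Println("replay:", err, "disabled:", card.Disabled())
}
```

Signing only the nonce, as the comment proposes, proves the card was present but says nothing about what was bought; a real design would also bind the amount and merchant identity into the signed message, otherwise the receipt proves presence but not the charge.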
