Target Confirms Point-of-Sale Malware Was Used In Attack
wiredmikey writes "According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country. Steinhafel told CNBC's Becky Quick in an interview that malware was used in attacks that compromised the company's point of sale registers. According to a report from Reuters, Target and Neiman Marcus may not be alone, as other popular U.S. retailers may have been breached during the busy holiday shopping season. According to sources who spoke to Reuters, attackers used RAM scraper, or memory parser, malware to steal sensitive data from Target and other retail victims. Visa issued alerts about attacks utilizing these types of malware in April 2013 and again in August 2013. Memory parser malware targets payment card data being processed 'in the clear' (unencrypted) in a system's random access memory (RAM). 'The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,' Visa explained in a security advisory."
Cheap architecture + short cuts = DOOM (Score:5, Insightful)
There's any number of ways their POS system could have been done securely, but somewhere a decision must have been made on costs, in regard to paring them down, which resulted in something about as secure as an intranet of unprotected Windows XP computers exposed to the internet. No isolated network, no encryption, dependence upon commodity *cough* Windows *cough* operating system, etc.
I'm sure it all looked great, until this happened, then they get 200% more wise.
Seems everywhere I go these cheap systems are in place and the malware may already be chugging along for years without detection.
Re:Cheap architecture + short cuts = DOOM (Score:5, Interesting)
Really, the card companies ought to be black boxing the readers, so that the POS system never has access to unencrypted transaction information to begin with. They really only need to know if the transaction was approved.
They already do this for small retailers (those little card reader/tape dispenser thingies sitting next to the register). They need to start forcing a similar system on the big retailers.
Re: (Score:3)
ATM number keyboards are special: they never let a PIN into the RAM of the ATM, only a salted hash of the PIN. (Most of them are also horribly flawed in that they also have a "normal" mode, allowing a hacked ATM to display a UI to harvest PINs in that mode. Sigh.)
Use this same technique for card readers: the magstripe reader doesn't ever put the raw bits on the wire, only a salted hash of those bits, so that's all that's available to a RAM scraper.
Re: (Score:2, Interesting)
ATM keypads don't generate hashes of your PIN. They hold a cryptographic key that is derived from another key from the network and then use the resulting key to encrypt your PIN entry, but you are correct. Those keys and your PIN number are held in memory on the PIN pad.
Re: (Score:3, Informative)
You might be interested in reading:
ISO 8583 [wikipedia.org]
and also, How pin checking generally works [wikipedia.org]
Re:Cheap architecture + short cuts = DOOM (Score:5, Interesting)
In 2015, EMV becomes required in the US. Those retailers who don't black box their card readers will be 100% liable for fraud at their point-of-sale (including stolen cards).
Re: (Score:2)
Wow, smartcards are finally going to become standard. I had one from 2004 to 2009 and the chip was only used twice, because there were essentially zero POS readers that supported the chips, and the home reader for online banking required IE for an ActiveX control, which I felt probably made it less secure than entering my password with an alternative browser.
Re: (Score:3)
What is it with people and thinking that a smartcard = RFID? And it seems to be mainly Americans, who should know better. Damn it, this is /., not a chan or reddit. But it sure seems to be devolving into both.
Here, let the learning begin.
Smartcard [wikipedia.org]
RFID [wikipedia.org]
Re: (Score:3)
Can we not spread bullshit and FUD on /. please?
The "tap to pay" interface is linked directly to the smart card. There are some protocol differences to handle the faster nature of the transaction, but it's still EMV, it's still just as secure as the chip itself, it's just contactless.
Even if the terminal itself was compromised and you could read the chip directly, you won't get anything useful from it. Sure, you'll get track2 data (i.e. the magstripe information) but it's
Re:Cheap architecture + short cuts = DOOM (Score:5, Interesting)
In 2015, EMV becomes required in the US. Those retailers who don't black box their card readers will be 100% liable for fraud at their point-of-sale (including stolen cards).
Retailers are 100% liable today. And that's the problem!
EMV offers no additional protection whatsoever in a card present scenario unless the customer is required to enter a PIN. Which as you know.. convenience blah blah, speed blah, reasons. And nobody will. Even "einstein" level smart chips are useless without a PIN. What EMV was designed to do is reverse the precedent that banks are responsible for bearing the costs of fraud unless the customer can be proven to have been negligent. All EMV is, is an attempt by the industry to dial things back to the way they were pre-2009 -- which was where they could claim the systems were perfect and infallible, therefore all liability is with the customer. It took an act of Congress, also known as the FSA, to override the courts and provide relief to the customers. It's taken a lot of work on the down-low getting key positions in the Senate filled by sympathetic Republicans, but behold! EMV: Now the courts and Congress can be fully aligned in their desire to screw over the customer. Its motto might as well be Enter your PIN: Assume full liability.
Also... I don't know what you think "black box" means, but merely separating the card swiper from the cashier's hands is not "black box" in IT; and that's all EMV does. In IT, black box means that the entire interface is subsumed into an external device, not networked, and not user-programmable, and it provides a pass/fail signal or similar. Retail will never, ever, go for this. Your name and zip code are embedded in the card; that's valuable marketing data. They're not going to reduce transactions to what would essentially be anonymous... this is just common sense.
So I'm going to have to slap on the cliche "Citation Needed" onto your assertion. EMV has but one purpose -- to deprive consumers of any recourse to fraud in a card-present scenario, and to reduce liability to the banks in a CNP scenario as well. Fraud is a multi-billion dollar industry, and businesses like fixed costs. Everything about card transactions is a fixed cost to the bank, except for fraud. Make the customer responsible, and now everything is nice and orderly.
Re:Cheap architecture + short cuts = DOOM (Score:5, Interesting)
I'm very surprised that Target thinks that every register in every store was infected. Just getting them all running the same malware is a major feat. And how did this POS malware get ahold of the 70 million "guest" records that weren't on the POS devices?
Re:Cheap architecture + short cuts = DOOM (Score:5, Interesting)
This.
For the attack to happen the way Target says, there must be two MAJOR flaws in their network:
- the POS machines must be accepting software updates from the network - to allow the attackers to download their firmware;
- the POS machines must be able to connect to an arbitrary server not on the Target network - to allow the POS machines to transmit the collected data.
There is no valid reason for either of these. Need to update firmware? Have the IT guy at each store do it manually. And, install a decent firewall so that random machines inside your store can't talk to the outside world. (This will both prevent security breaches, *and* stop the employees in the photo department from surfing the web when they're supposed to be working).
Re:Cheap architecture + short cuts = DOOM (Score:5, Informative)
Need to update firmware? Have the IT guy at each store do it manually.
Wait, what? That's exactly the opposite of how a large shop runs their operations. You create an image that you want applied to all machines that match a certain profile, and then let the machines do the updates at a preconfigured time.
Re: (Score:3)
Indeed. But if you read the case study linked from here [slashdot.org], you'll see that a major Target initiative over the past decade has been centralizing all of their internal systems, from inventory to pharmacy to in-store security to point-of-sale, into a single physical server per store running Microsoft Server 2008 and Hyper-V virtualization. Furthermore, the virtualization, OSes (some are AIX) and applications are all maintained and updated centrally, not by anyone physically in each store. (Target employs local c
Re: (Score:2, Interesting)
I build and support retail management systems, supply chain management, CRM, ERP for retailers, for suppliers, for shipping, logistics and such. The simplest way to use a bank terminal is NOT to connect it to a POS in the first place. But this means lack of integration and possible errors by a POS operator, if for example they have to indicate in the POS system whether it was a cash or a card transaction, etc. We provide our own Linux based solutions for all parts of the business management, includin
Re: (Score:2)
I think the problem is that the card terminals the banks issue aren't that great from a UI standpoint, and big businesses want to design that hardware, too. Target actually has a great UI as far as button sizes and ease of use. They should rethink integrating them at that level, but it's much harder to make their own black box. I think they'll have to look into that now.
Re:Cheap architecture + short cuts = DOOM (Score:5, Informative)
You're on the right track. Keep going! Don't stop yet.
How about black boxing the cards?!!!
AKA, Smart Cards. The card itself has a complete computer running Java just like the SIM card in your GSM phone. The computer on the smart card is black boxed. That computer has a private certificate. When transactions are signed by the processor in the card itself, the certificate chain can be verified that the certificate within the smart card is genuine and signed the transaction. Attempting to learn the secret data within the smart card destroys the data, or at least is extremely expensive -- and would only compromise that card making the attack not economically attractive.
Re: (Score:3)
Yes, I'm not sure why the unencrypted card stripe data needs to be anywhere except in the little black box (LBB) that swipes the card and the bank's computer.
The interface between the cash register and LBB could/should be.
What bank? Here is the basic process:
User (swipe)-> Merchant (dial)-> Front-End Processor (T1) -> card issuer.
At least the first 6 digits need to be unencrypted so the transaction attempt can be routed to the correct bank. Of course, with terminals accepting Amex (15 digits), and proprietary cards - it's probably not even that easy.
As it is, (though I've been out of the biz for 5 years), there are no terminals that encrypt the transaction end to end. The front-ends only accept unencrypted d
Re:Cheap architecture + short cuts = DOOM (Score:4, Interesting)
Seriously? Unless they radically alter how these things are built and networked, all it would take is one disgruntled cashier (or one willing to accept a percent of the take) + one register that isn't quite visible from the cameras + one appropriately-loaded USB stick (or similar device).
Re:Cheap architecture + short cuts = DOOM (Score:5, Insightful)
I'm sure it all looked great, until this happened, then they get 200% more wise.
Experience is learning from mistakes you make
Wisdom is learning from the mistakes other people make
Re: (Score:3)
Experience is learning from mistakes you make
I thought experience was something that you get right after you need it.
Re: (Score:2)
Support for XP embedded runs longer than XP, and other than smalltime operations POS systems should be running XPe, though it's still only supported through January 30, 2017. PCI DSS will force the replacement of any XPe systems with Windows Embedded POSReady 2009 which is supported through 2024 or Windows Embedded POSReady 7 which is supported through 2026.
Re: (Score:3)
Windows XP? If only. I haven't seen a Target POS machine reboot, but the ones I've seen in other stores display the Windows 98 splash screen.
Re: (Score:3)
There isn't much we can do until there is end-to-end encryption in the purchasing process. The POS device should never even know your pin or credit card number.
Yes. Inside job without a doubt. (Score:5, Informative)
I worked on POS systems back in the late 90s - so, keep in mind my knowledge is not recent - no really, retailers move at a snail's pace when it comes to technology.
First, this was an inside job. POS systems are too stupid to connect to the Internet.
Second, back in my day, the register was a very dumb PC (DOS with an extender and later moved to Windows - yeah, I know). Network security NEVER entered the picture because it is a closed system: POS->Store server->Local/Main office over leased lines or VPN on the internet. The servers were slow shit. All they need to do is record sales data.
In other words, IF the POS servers were in fact connected to the Internet so that crackers could get at it, then someone really really really screwed up, because there was absolutely no reason to do so. Too slow.
And if these servers WERE connected to the Internet, all the crackers would see is unencrypted transaction data: CC #s, exp dates, amounts, what was bought, names, and all the other data collected by the POS computer. Yeah, wide open - because it was thought that no one outside the store would ever see it.
Retailing, in general, is a VERY competitive business with razor thin margins. Go to your finance website of choice and compare Walmart's, Target's, Sears' or whoever's operating margins with any other industry's company - Pharma is my favorite comparison: try Bristol-Myers Squibb (BMY). So, they take THE cheapest way out every time.
Re:Yes. Inside job without a doubt. (Score:5, Insightful)
It's much, much more likely that hackers penetrated the network by other means, and then, once inside the network, compromised the POS systems -- which could then report back to the intermediary system, which could report out (or be repeatedly accessed from outside).
It's unlikely that the POS systems themselves reached out to the internet. That would have been noticed far, far too easily.
Re:Yes. Inside job without a doubt. (Score:4, Interesting)
It's much, much more likely that hackers penetrated the network by other means, and then, once inside the network, compromised the POS systems -- which could then report back to the intermediary system, which could report out (or be repeatedly accessed from outside).
It's unlikely that the POS systems themselves reached out to the internet. That would have been noticed far, far too easily.
I'm not so sure. I happen to know of a certain well-known vendor of POS systems that is A) sloppy about a lot of things. B) pushing more and more of people's business onto their servers in their cloud. If their customer is also getting Lower Prices Everyday on their IT, so much the easier.
And I do suspect the Cloud. Because infecting store-local systems in enough physical locations to capture 70 million or more accounts would be very labor-intensive. It's far easier to infect the Mothership and let it corrupt the local systems.
Re: (Score:3)
I think your info's a little out of date. Most stores run embedded Windows XP on their Point Of Sale equipment (Although the other meaning of POS is perfectly suitable here). It's trivial to connect them to the internet. But all you really have to do is connect t
Re:Cheap architecture + short cuts = DOOM (Score:5, Interesting)
I'm sure it all looked great, until this happened, then they get 200% more wise.
Seems everywhere I go these cheap systems are in place and the malware may already be chugging along for years without detection.
I worked for a MAJOR retailer that was involved with a credit card crisis. The only reason the registers didn't get raped was the fact they ran Linux. The actual POS servers ran Windows 2000, so that is what got cracked. Management was working hard to get away from these solid state Linux computers for the "cost savings" in administration of the Windows platform. I can tell you that a multipurpose platform is not appropriate for a specialized task.
Re: (Score:2)
I worked for a MAJOR retailer that was involved with a credit card crisis. The only reason the registers didn't get raped was the fact they ran Linux. The actual POS servers ran Windows 2000, so that is what got cracked.
I know this is Slashdot, but that's a bit ridiculous, isn't it? Linux exploits are not exactly impossible to come by, and someone only need acquire one of these devices to start looking for them. The reason the registers didn't get hacked was because the information that they wanted was on the POS system. If there are millions of dollars that can be taken, and someone wants to take them, they're going to find a way, whether it's Linux/Windows/whatever else, so long as the POS network isn't secured.
Or are you
Re: (Score:3)
Or maybe it is because the exploits they were using were made specifically for Windows, and not Linux.
You miss the point entirely. Of course they were exploits made for Windows. They were targeting Windows-based devices. They didn't attack the devices because they ran Windows. They attacked them because they wanted the data. They would have attacked them if they had run Linux, too.
If the entire system was Linux it may have been harder all around to get the data.
Why, because Linux is magic? They would need to find just one exploit that lets them get enough privileges to read the memory. That exploit could be in Linux, that exploit could be in the POS software that runs on Linux.
I'm no W
Re: (Score:3)
DOOM is one of the most ported pieces of software in history, so it's only natural...
http://www.techdigest.tv/2013/10/10_gadgets_that.html [techdigest.tv]
it gets worse. (Score:3, Interesting)
First, Target has NOT wiped and re-installed. As such, there are Trojans waiting to come alive and look for other malware to install.
but it gets better. Everybody is missing the fact that all of the companies having this malware offshore their IT. What is happening is that Indians are paid $8-10k, and are then offered 100-200k to release the malware. Of course they do it. They are set up for life and do not hurt their peers.
this will continue as long as American companies are dumb enough to offshore.
Re: Cheap architecture + short cuts = DOOM (Score:2, Interesting)
Nope. But they all offshored their IT to India.
Somebody should be by soon (Score:3, Insightful)
Somebody should be by soon to defend the l33t crackers involved in this. Can't wait to read it....
"We did you a service, now you know." Of course they won't give up anything they managed to steal.
Brace yourself for new laws.
Re: (Score:2)
IIRC "Lulzsec" did both. Hacktivism publicly and money secretly.
Inside job? (Score:5, Interesting)
"Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target," Reuters reported, citing sources familiar with the attacks. "Those breaches have yet to come to light...
What the hell, why not? I had to cancel one of my family debit cards because of Target, do I now have to cancel my other one from an unnamed store?
After gaining access to a merchant’s network, attackers can install memory-parsing malware on register systems or backend processing servers to extract magnetic-stripe data as it moves through the through the payment process.
How are they gaining access to Target's network? Maybe it's from the ever-famous wireless network that's in all Target stores, and is prone to attacks, based purely on its password policy (changes automatically once a month - or doesn't at all - I hear)
“The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,” Visa explained in a security advisory.
Again, how did they not only get into the system, but how'd they know the executable binary that was running? I mean, this isn't something that was done in one day, it had to be a collective goal for more than one person.
Visa first warned about these types of attacks targeting grocery merchants, but said merchant segment is vulnerable. According to Visa, these types of memory parser malware attacks have been found only targeting Windows-based operating systems.
This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.
In March 2013, new malware was found targeting point-of-sale (POS) systems and ATMs and was behind the theft of payment card information from several US banks. Called "Dump Memory Grabber", the malware scans the memory of point-of-sale systems and ATMs looking for credit card data.
And how the shit does one gain access to an ATM's RAM?
All in all, I feel that this must have been an inside job of some kind. Not just a Target employee, but a Target employee(s) and someone who has access to ATMs inner-workings.
Re:Inside job? (Score:5, Insightful)
This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.
Getting PCI compliance certification is not cheap, and you need it if you want integrated payment. So far, not a lot of open source POS systems are lining up to pay for certification...
Re: (Score:2)
Oh I get it. You run a POS software on a POS operating system on a POS hardware? And that's why the system stinks!!
Re: (Score:2)
This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.
Getting PCI compliance certification is not cheap, and you need it if you want integrated payment. So far, not a lot of open source POS systems are lining up to pay for certification...
Once you've crossed the "root" security boundary, it's just as easy to access the raw memory in Linux as it is in Windows.
And it's not hard to elevate to those rights on either platform. Vulnerabilities exist on everything.
PCI Is Cheap And STUPID! (Score:3, Informative)
Getting PCI compliance certification is not cheap, and you need it if you want integrated payment. So far, not a lot of open source POS systems are lining up to pay for certification...
False! It's dirt cheap, just a couple hundred dollars. You filled out an application, paid a fee, and got an enhanced port scan. How exactly does your shiny new (annually renewed) PCI DSS compliance accreditation protect ANYTHING? PCI compliance testing does nothing beyond proving that you at least installed a consumer grade router/firewall between your card reader, card data storage, and the internet. Literally nothing between your card data and the internet beyond a 10 year old $50 Linksys router.
But, God
Re:PCI Is Cheap And STUPID! (Score:5, Insightful)
False! It's dirt cheap, just a couple hundred dollars. You filled out an application, paid a fee, and got an enhanced port scan.
That is PCI compliance for a network, not an application. If you have an application that allows credit card swipes, and goes to a clearing house, it needs to be certified as well, and that ain't cheap.
How exactly does your shiny new (annually renewed) PCI DSS compliance accreditation protect ANYTHING? PCI compliance testing does nothing beyond proving that you at least installed a consumer grade router/firewall between your card reader, card data storage, and the internet.
It also shows that you exercised due diligence in securing your network, and prevents you from being sued for gross negligence. You don't need real security if you can show that you had some and therefore can't be sued.
Re: (Score:2)
Visa first warned about these types of attacks targeting grocery merchants, but said merchant segment is vulnerable. According to Visa, these types of memory parser malware attacks have been found only targeting Windows-based operating systems.
This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.
Um...everyone uses Windows on POS PCs. Usually a customized WinXP embedded install. Windows devs are cheap, and a lot of the POS app work is outsourced to places it seems are more comfortable with windows.
Retailers aren't tech companies. There is usually a small group of IT people who are part POS engineers, part vendor management. Most retailers rely on vendors or other companies to provide them with complete systems and support/installation services.
Re: (Score:2)
This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.
So you're saying that you're a security by obscurity advocate then.
Not running on an embedded Windows installation might seem like a safe bet, but as TFA mentions, this vector had to do with processing the payments in the clear -- simply running another OS doesn't necessarily give you that for free.
Re: (Score:2)
but how'd they know the executable binary that was running?
It was scanning the RAM. They didn't need to know what binary. They were likely just looking for credit card data using the Luhn algorithm against ALL of the RAM for any string of 15 or 16 digits. With a hit, they can widen the net and grab all of track 1 and track 2 data. RAM is very fast.
To gain access to the RAM, you only need a privilege escalation exploit.
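An added example, not from any poster: the Luhn-filtered digit scan the comment above describes, written the way a defender uses it, as a check over a captured memory dump or log excerpt to confirm whether a payment application leaves cleartext PANs or track 2 data behind. The dump below is constructed; the two card numbers in it are the well-known Visa and Amex test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# A run of exactly 15 or 16 digits with no digit touching either end.
# Longer runs (trace ids, timestamps) are rejected by the lookarounds.
PAN_RUN = re.compile(rb"(?<![0-9])[0-9]{15,16}(?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report only the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(buf: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, masked PAN, kind) for every Luhn-valid 15/16-digit run.

    kind is "track2" when the run is framed like magstripe track 2 data
    (';' start sentinel before the PAN, '=' field separator after it),
    otherwise "pan".
    """
    hits = []
    for m in PAN_RUN.finditer(buf):
        run = m.group().decode("ascii")
        if not luhn_valid(run):
            continue  # a digit run that merely looks like a card number
        framed = (buf[m.start() - 1:m.start()] == b";"
                  and buf[m.end():m.end() + 1] == b"=")
        hits.append((m.start(), mask_pan(run), "track2" if framed else "pan"))
    return hits


# Constructed stand-in for a process memory / log excerpt.
SAMPLE_DUMP = (
    b"POSAPP v3.1 lane=07 order=2014011609300000 total=4299\x00\x00"  # 16-digit order id, fails Luhn
    b"auth_req PAN=4111111111111111 exp=1512 amt=4299\x00"              # cleartext PAN in an auth request
    b";378282246310005=1512101000123?\x00"                              # track 2 style: ;PAN=YYMM...?
    b"trace=12345678901234567 ok\x00"                                   # 17 digits, never a candidate
)


if __name__ == "__main__":
    for offset, masked, kind in find_cleartext_pans(SAMPLE_DUMP):
        print(f"offset {offset:5d}  {kind:6s}  {masked}")
```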
Re: (Score:2)
Get a better bank/credit union.
I've had issues with my Visa debit card several times over the years. I've never once had an issue where funds were not immediately deposited into my account on a provisional basis during the investigation of the transaction(s). It was a hassle while the bank sent out a new card when the old card was deactivated to prevent further transactions, but hardly life ruining.
Testing Methodology vs Cost Effectiveness. (Score:2)
For Retailers and Credit card providers both, it appears their ability to understand the validity of robust security testing and practices revolves around cost. Not having to pay any perceived penalty due to a data breach means these corporate types can assign a relatively low risk to data breaches. Low risk usually means low test efforts as well. And this is what we as consumers appear to be satisfied with. I'm more of the opinion that if you have a data breach, it should cost you as a company X dollar
Re: (Score:2)
and start X somewhere above 5 figures. Each person would get that payout. How serious then would corporations take data security?
What businesses would be left? $10,000 x 70,000,000 puts Target out of business. And overall, I'd rather see them survive than Wal-Mart.
Well, then. (Score:3)
> [...] that malware was used in attacks that compromised the company's point of sale registers.
See?? There is still a market for Windows 98 programmers!
PCI DSS? (Score:2)
Details aren't really that clear, but do we know if Target was in violation of the requirements? Or is this a case of PCI-DSS compliance not guaranteeing security? From what I remember of PCI-DSS, it was a good start but not comprehensive. It seemed more focused on preventing someone from swapping out a legitimate credit card processing device with a compromise
Quick fix for the POS POS machines ... (Score:2)
Assuming these POS POS machines suck when it comes to security ... why not
- Install them on their own VLAN in stores
- Deny the VLAN internet access
Simple, n'est-ce pas?
Re: (Score:2)
... why not
- Install them on their own VLAN in stores
- Deny the VLAN internet access
An insider (private "security" or janitor) could yet attach an infection device to the private network (which is a likely infection vector in any case). The only "simple" solution leveraging XP that I can envision is one where each and every POS is physically isolated from the network via a very locked down BSD or Linux machine (Pi's?).
Re: (Score:2)
you forgot:
3:???
4:profit
where 3 is http://en.wikipedia.org/wiki/VLAN_hopping [wikipedia.org]
Surely they mean "*outgoing* CEO"...? (Score:3)
I must be having some rendering issue in my browser. No matter how many articles I read mentioning "Target Chairman and CEO Gregg Steinhafel", I can never make out the word "outgoing" in front of the title. Not even "embattled". It must be a browser problem. I can imagine some weird bug that would cause such words to be rendered as hidden text; I can't imagine a world where a CEO would emerge unscathed from a screw-up of this magnitude. Right?
Re: (Score:2)
Well, the blink tag has been deprecated for a while...
Re: (Score:2)
Don't worry, Steinhafel is already making speeches about his victimization and firing scapegoa^W^W^W^W^W^W^W^WShowing Leadership and Getting To The Bottom Of This.
You know, like that Christie guy [nbcnews.com].
Re: (Score:2)
CEO doesn't work in IT. No reason to believe he was presented with enough details to even take the blame. Besides, this security failure attacks what was once standard practice. Attacks are getting more sophisticated.
Firing everyone who is even remotely involved is just going to delay the company's recovery.
Got email from Target offering free credit monitor (Score:5, Interesting)
I got an e-mail from Target offering me free credit monitoring.
Yeah, they leaked my name, address, credit card number etc and now they want me to sign up for credit monitoring with them. Just input your social security number and answer a few questions ...
We have been hearing about how Target figures out if you're pregnant before your family does. They have been doing all sorts of data mining on people.
I suspect what is leaked is just not the name, address and credit card info on their subscribers. What if they have a profile on each of their customers that is also leaked? What if they compiled all sorts of data about their customers from various sources, like relationships, employment field, estimated incomes and other bits of info from the credit history? What if all that was leaked?
Re: (Score:3)
I got an e-mail from Target offering me free credit monitoring.
Yeah, they leaked my name, address, credit card number etc and now they want me to sign up for credit monitoring with them. Just input your social security number and answer a few questions ...
Surely, they aren't offering to sign you up with their roll-your-own credit-monitoring system, right? (Because I wouldn't go for that either.) Last time I had a credit card possibly compromised, the retailer at fault gave me a free one year subscription to Equifax's credit monitoring service. I got a coupon code from the retailer, but all the interaction was with the credit bureau.
(For the sake of closure on that anecdote, nothing weird happened over the following year.)
Re: (Score:3)
Surely, they aren't offering to sign you up with their roll-your-own credit-monitoring system, right? (Because I wouldn't go for that either.) Last time I had a credit card possibly compromised, the retailer at fault gave me a free one year subscription to Equifax's credit monitoring service. I got a coupon code from the retailer, but all the interaction was with the credit bureau.
(For the sake of closure on that anecdote, nothing weird happened over the following year.)
Yes, it is through Equifax they say.
The website is here. https://creditmonitoring.target.com/ [target.com]
Why not thin clients using PCoIP or RDP? (Score:3)
Why are they not using thin clients like VMware, Citrix, with PCoIP? I recently visited a Bob's furniture store and all their POS terminals were thin clients using either RDP, Citrix, or bus virtualization protocols like PCoIP. Same with the terminals at all the centers at another firm.
With the current generation thin clients, particularly the nifty PCoIP ones, local performance is very attainable even though it isn't really needed for POS terminals. VMware has offered PCoIP since 2008 and Amazon has just released their implementation.
I think Target deserves what they got for having POS terminals that are allowed to be locally modified in any way.
Re: (Score:2, Interesting)
I'm curious, if you find security so important, why the hell do you have a link in your sig that directs people to pictures of your entire family? As much as I'm sure we're all thrilled to see your daughter's piano recital, I can't imagine I'd ever put pics of my kids on the net like that. I guess that's up to you, but the slashdot crowd is not who I'd want having every intimate detail of my home life. I'm pretty sure your link would let me steal your identity a lot quicker than any data they got from Target.
Re: (Score:2)
It just goes to show you how much you think you know about security, which is quite a tiny bit.
POS (Score:4, Insightful)
Re: (Score:2, Interesting)
It's the only answer to limit exposure to mass fraud.
Yeah, because there was no fraud before electronic transactions... Last report I saw (admittedly around a year ago), old-style "manual" money fraud (counterfeit, impersonating, etc.) was still estimated to exceed electronic fraud by an order of magnitude.
Re: (Score:2)
It's the only answer to limit exposure to mass fraud.
Yeah, because there was no fraud before electronic transactions... Last report I saw (admittedly around a year ago), old-style "manual" money fraud (counterfeit, impersonating, etc.) was still estimated to exceed electronic fraud by an order of magnitude.
The difference is in efficiency. A counterfeiter can only attack a limited number of victims due to the physical requirement to pass the actual cash. A one-off identity thief is likewise limited.
But when you can harvest millions of identities in one operation, it can potentially impact the entire economy and at a minimum put a major hurt on the invaded business.
But dealing with cash can get you on government watchlists.
Re: (Score:2)
Currently, I keep at least $1,000 in cash with me at all times.
Where do you live? ;)
However, no one yet has a method for taking cash over the phone or internet. It could end up being cash and Bitcoin, or cash and something else, but cash does not solve all problems.
Re: (Score:2)
Better not let cops know that you carry that much cash with you or it will get seized.
Re:Cash only economy (Score:4, Interesting)
...then they better start patting down everyone entering or exiting casinos.
As a degenerate gambler and poker player (two different things), I've regularly got plenty of cash on me, and it's never, ever, been a problem. Thousands of people show up to the WSOP every year and pay for buy-ins in cash. Every poker forum gets the same question asked of it every year before the WSOP, "How do I bring 10-20k in cash with me to the WSOP?" ...and the same answer gets given every year. If you don't want to just wire your entry fee to the tournament cage (or your bankroll to a casino host), or you plan on just playing cash games, call your bank, tell them you're going to withdraw a bunch of cash - so they can have a bunch on hand - then take it with you to the event. If someone says, "Hey, what's all this cash," you say, "I'm a poker player." Works for thousands of us every time.
Of course, I don't wander crack alleys with it, so, YMMV.
Re: (Score:3)
Of course cops outside of casinos wouldn't do that as it would destroy the local economy. I'm referring to getting pulled over at a traffic stop.
If you get pulled over and a cop finds out that you are carrying $10-20k, there is a likely chance it will get seized. Just google "cash seized on way to buy car". Boats, planes, homes can be substituted for "car".
Re: (Score:3)
I'm not sure what you mean by "likely a chance."
It's certainly not likely that it'll get seized, but of course there's a chance -- it happens.
I did your Google search, and the first article I read referenced The New Yorker as its source. Reading it, I got:
I'm not a fan of broad asset seizures for drug busts, but it wasn't carrying cash
Re:Cash only economy (Score:5, Insightful)
let's see
In the '80s, when soldiers would get paid in cash or real paper checks, they would get robbed outside the army base gates on their way to the bank. Direct deposit solved that issue.
It used to be that people kept cash at home. But if your home burns down or you are robbed or whatever, you lose all your money. With CCs you dispute charges and don't lose a dime.
Re: (Score:3)
The people who have been pushing gold and silver on us for a while have said the same thing. However, there are a few problems with that:
1: If someone even got an inkling that someone was carrying a large amount of cash for a purchase, they likely would be mugged. Someone nearby seeing someone at McDonalds having a large wad in their wallet might make them a prime target. The reason why muggings are down is because it is a lot harder to make any useful money from a pile of credit cards. It can be done,
Re: (Score:3)
Re: (Score:2)
Right. With credit cards, you're basically getting free insurance paid for by people who keep loads of interest-bearing debt.
Re: (Score:2)
Nothing - they called us (Visa-branded gas card). Sent a new card automatically, called to let us know why our current card wasn't good any more, the fact that someone tried to run a $1500 purchase on it an hour ago, and that a new card was in the mail.
Kinda impressive as far as customer service goes in my opinion.
Re: (Score:2)
..an amazon prime subscription here. What have you [unlucky ones] had to phone the fraud department about?
Damn, that's a seriously stupid thief. You buy actual goods and gift cards with stolen credit cards... Or better, you sell the data to some stupid people.
Why not buy an amazon prime subscription if it saves him money? The card thief likely wants to ship as many packages as possible as quickly as possible to whoever is fencing or forwarding the goods for him, so an Amazon Prime membership might make sense to get the $3.99 one-day shipping.
Re: (Score:2)
Re: (Score:3)
The Card Readers they used should have been encrypted making all sensitive data only decipherable to the processor.
It sounds like it was encrypted, and the malware was on the processor.
There would have been no data "in the clear" even if they were RAM Scraping.
The article claimed it had to be decrypted in memory in order to process it. I think this is a fundamental limitation of the credit system.
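The exchange above turns on what "in the clear in RAM" actually means for a memory parser. Whether the register's disk or network traffic is encrypted is irrelevant if the payment application decrypts track data into its own process memory; a scraper only has to walk that memory looking for the fixed Track 1 / Track 2 layouts. The same pattern scan is what a defender runs over a process dump during incident response. The following is an added example, not code from the thread or from any vendor named in it: it scans a constructed memory buffer for magnetic-stripe track data, uses a Luhn check to drop false positives, and then shows that when the reader encrypts before the data reaches the POS (point-to-point encryption), the identical scan finds nothing. The PAN is the well-known 4111 1111 1111 1111 test number, the cardholder name and expiry are made up, and `toy_p2pe_encrypt` is a throwaway SHA-256 counter-mode stand-in for whatever cipher a real encrypting reader uses; it is only here so the second buffer holds ciphertext.

```python
import hashlib
import re
from dataclasses import dataclass

# Track 1: %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^\^?]{2,26})\^(?P<exp>\d{4})(?P<disc>[^?]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code + discretionary data>?
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<disc>\d*)\?")


def luhn_valid(pan: bytes) -> bool:
    """Luhn mod-10 check; cuts false positives from random digit runs."""
    digits = [int(c) for c in pan.decode("ascii")]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TrackHit:
    track: int
    offset: int
    pan: str
    expiry: str


def scan_memory(buf: bytes) -> list[TrackHit]:
    """Find Luhn-valid Track 1 / Track 2 records anywhere in a memory buffer."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan")
            if luhn_valid(pan):
                hits.append(TrackHit(track, m.start(), pan.decode(), m.group("exp").decode()))
    hits.sort(key=lambda h: h.offset)
    return hits


def mask_pan(pan: str) -> str:
    """First six and last four, as a report or log line should show it."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def toy_p2pe_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream standing in for the reader's cipher.
    Constructed for this demo only; not a real P2PE scheme and not for real use."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed sample records: a public test PAN with made-up name and expiry.
CLEAR_TRACK2 = b";4111111111111111=15121010000000000000?"
CLEAR_TRACK1 = b"%B4111111111111111^DOE/JANE^15121010000000000?"
BAD_TRACK2 = b";4111111111111112=1512101?"  # right shape, fails Luhn
FILLER = b"\x00" * 64 + b"POSApp.exe transaction OK " + b"\xff" * 32


def build_cleartext_dump() -> bytes:
    """Memory of a register whose payment app decrypts track data in process."""
    return FILLER + CLEAR_TRACK2 + FILLER + BAD_TRACK2 + FILLER + CLEAR_TRACK1 + FILLER


def build_p2pe_dump() -> bytes:
    """Memory of a register behind an encrypting reader: only ciphertext is present."""
    key = b"constructed-demo-key"  # assumption: key lives in the reader, never on the POS
    return (
        FILLER + toy_p2pe_encrypt(CLEAR_TRACK2, key)
        + FILLER + toy_p2pe_encrypt(CLEAR_TRACK1, key) + FILLER
    )


if __name__ == "__main__":
    for label, dump in (("cleartext POS memory", build_cleartext_dump()),
                        ("P2PE POS memory", build_p2pe_dump())):
        hits = scan_memory(dump)
        print(f"{label}: {len(hits)} track record(s) found")
        for h in hits:
            print(f"  track {h.track} @0x{h.offset:x} PAN {mask_pan(h.pan)} exp {h.expiry}")
```

The scan does not care how the data arrived in memory or how it is stored elsewhere, which is the commenter's "fundamental limitation": any host that ever holds the decrypted track is a scraping target. Moving the decryption point to the processor (the reader encrypts, the POS forwards ciphertext) is what makes the second buffer yield nothing. When using a scan like this in a forensic sweep, treat Luhn validity as a filter, not proof; test PANs and gift-card numbers pass it too.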
Re: (Score:3)
These Russian hackers know their shit.. almost as good as the NSA.
There's a good case to be made for the NSA to go after them at this point.
Who's against the NSA now??
Ah, er, if it were actually the NSA that engaged in protecting against/pursuing/prosecuting these types of things, then yes not as many people would be "Against" them. Alas, they don't (and make no promises to) do anything of the sort. Continuing to snoop on unsuspecting people around the world? That IS in their wheelhouse.
Re: (Score:2)
These Russian hackers know their shit.. almost as good as the NSA.
There's a good case to be made for the NSA to go after them at this point.
Who's against the NSA now??
Ah, er, if it were actually the NSA that engaged in protecting against/pursuing/prosecuting these types of things, then yes not as many people would be "Against" them. Alas, they don't (and make no promises to) do anything of the sort. Continuing to snoop on unsuspecting people around the world? That IS in their wheelhouse.
I certainly hope they're snooping on unsuspecting people. Otherwise they're not likely to get much useful data.
Say, rather, that they're snooping on far more people than they can reasonably justify as suspects. And on people who are supposed to be completely beyond their jurisdiction.
Re: (Score:2, Offtopic)
They have no idea who to target, so they literally target the whole world.
If the NSA was any good, they would have seen this attack coming.
The utter failure speaks of their competence.
Re: (Score:3)
Re:NSA-level shit (Score:4, Insightful)
This is where the "fusion centers" are supposed to come into play. The NSA is not law enforcement, but the FBI is (was) and so are other Federal and State agencies. As others have pointed out, the NSA should have seen this. They have taps in all of the backbone routers. Surely they have a decent algorithm that highlights data going to (Eastern Europe, China, etc). We know that they are analyzing plain text and decrypting SSL/TLS when plain text is not available.
They should absolutely have a map of legitimate financial networks, payment authorization data flows, etc. Anything outside of that known universe should be flagged and investigated. They are already doing this to combat money laundering, and to enforce the economic sanctions that the State Department and other Federal agencies enact.
The reality is that the NSA is not all about protecting our economy or predicting crime. They are there to uncover and crush any opposition to the government. Sure, they "cannot" catch these massive frauds, or pay attention to intelligence about terrorists planning on blowing up marathons. But trust you me, as soon as any of us start talking about armed insurrection or forcefully removing Senators, we will quickly figure out that the NSA has no problem acting upon what they want to act upon.
Re: (Score:3)
The NSA is an intelligence-gathering agency; they are not law enforcement. They have no jurisdictional boundaries to their operations. As a U.S. government agency they are supposed to have to observe some niceties insofar as operating in the U.S. and targeting U.S. citizens, what with the Constitution and all. Their failure to always do that is where they've gone wrong. And, as you've indicated, they've probably collected so much information that it's getting in the way of useful intelligence analysis. Too much can be worse than not enough. The other fun fact is that they and their allied agencies in other countries seemed to get around some restrictions by letting the "foreigners" do the spying on the domestics for them and then exchanging what they collected.
Some of us don't consider the 4th Amendment to be a "nicety". That's what warrants are for.
Re: (Score:2)
Who's against the NSA now??
ME
use bitcoin (Score:2)
they should have used bitcoin in the stores.
Re:use bitcoin (Score:5, Insightful)
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407
heh, all outsourced at the stores (Score:4, Informative)
the link is interesting reading. click it.
Re:use bitcoin (Score:4, Informative)
They're trying to pull it. Here's the text:
4-page Case Study
Posted: 3/17/2011
Target Corporation Large Retailer Relies on a Virtual Solution to Deliver Optimal Shopping Experience
With its attractive stores offering trendy merchandise at affordable prices, Target changed how consumers think about discount shopping. To help Target deliver on its “Expect More. Pay Less.” brand promise, Target chooses reliable, scalable, and cost-effective technology. That’s why the company is deploying Windows Server 2008 Datacenter and its Hyper-V virtualization technology to retire 8,650 servers and implement a two-servers-per-store policy. By 2012, Target’s entire store server infrastructure will be running on Hyper-V, which will support a total of 15,000 virtual machines running mission-critical applications. Target also deployed Microsoft System Center data center solutions to manage more than 300,000 endpoints across its retail network. With its Microsoft Virtualization solution, the company will save millions of dollars in hardware, electrical, and maintenance costs.
Situation
The first Target store opened in 1962 in the Minneapolis suburb of Roseville, Minnesota, with a focus on convenient shopping at competitive discount prices. Today, Target remains committed to providing guests with the right merchandise mix—from everyday commodities and grocery offerings to trend-right home and apparel lines—at outstanding value. Target continually reinvents its stores, including layout, presentation, and merchandise assortment, to create an engaging shopping experience.
"It's not hyperbole to suggest that most of our guest shopping experiences are affected by our Microsoft Virtualization solution. That's a good thing for Target, and it's a good thing for our guests."
- Brad Thompson, Director, Infrastructure Engineering, Target
To continue offering merchandise at appealing prices, Target looks for ways to control its operating costs. Consequently, the company’s IT department, called Target Technology Services, chooses technology that’s cost-effective and delivers real business value. “Target Technology Services is considered a strategic enabler for just about everything we do in retail strategy,” says Brad Thompson, Director of Infrastructure Engineering at Target. “That said, we are still a cost center, and so we are always looking to drive down costs where possible, as long as we meet the requirements of our guests, our application development teams, and our business partners.“
Amy Reilly, Spokesperson for Target, points out that technology also underlies the customer experience at each Target store: “When our guests come into our stores, they have a certain expectation of their experience. They expect clean, wide aisles and to find what they need and check out quickly because they lead busy lives. So reliability in our technology, including our POS [point-of-sale] and replenishment applications, is very important to helping us deliver on our ‘Expect More. Pay Less.’ brand promise.”
Distributed IT Infrastructure
Target has a highly distributed IT infrastructure with more than 300,000 endpoints, including servers, computers, POS registers, kiosks, and mobile devices dispersed among its 1,755 retail stores. Except for centralized authentication, domain name resolution, and endpoint monitoring services, each retail store functions as an autonomous unit. “Every one of our stores has its own control room, with its own network and compute capacity inside the store,” says Thompson. “So if you think of our infrastructure across all those stores, we have to get very crea
uh, don't use Windows based POS systems? (Score:3)
All the bad boys know the ins and outs of Windows APIs. Read the Visa alert; it's only Windows registers that get fooled and compromised.
This is one of those things where using commodity software of any stripe is probably not advised. Like, for instance, cars. Airplanes. Hope to God not nuclear reactors.
Embedded Windows is a freakin' end of civilization waiting for the right malware...
Re: (Score:2)
Who's against the NSA now??
Me.
Re: (Score:2)
Only shop at $0.99 stores
What do you eat? Canned tuna and generic oreos?