Target says 110 million accounts accessed, not just 40 million.

Started by jimmy olsen, December 19, 2013, 06:58:11 AM

DGuller

I feel like it's only a matter of time before we realize that information security is serious business, and individual actors cannot be relied on to consistently provide it, either out of incompetence or out of greed.  This is a problem that requires centralization and standardization to solve.  It also requires people to not have a fucked up attitude about the government, so of course it won't fly, and all sorts of organized and unorganized hackers will continue accessing private information as if it were publicly available.

DontSayBanana

Quote from: KRonn on January 21, 2014, 09:25:16 AM
US credit card issuers need to catch up with the newer technology. Yeah it's expensive but how much is the Target theft, plus the many others that occur daily, cost the credit card companies and retailers?
Quote

http://abcnews.go.com/blogs/business/2014/01/new-demands-for-smart-chip-credit-cards/
Will the massive security breach at Target lead to new chip technology and pin numbers for U.S. credit cards? Target CEO Gregg Steinhafel wants banks and retailers to approve changes.
In Europe and Canada cards already have smart chips installed and readers are used at retailers and restaurants, making it harder for thieves to profit from the sort of massive data breach that hit Target during the holiday shopping season.

The attack led to the theft of tens of millions of credit card numbers. Hackers appear to have stolen many phone numbers and e-mail addresses.

Despite previous calls to update U.S. cards, retailers and banks have feuded for years over card-swipe fees and the cost of making security upgrades.

"Computer networks are vital to American capitalism and society, but they remain surprisingly vulnerable to thieves and hijackers," says an editorial in today's Washington Post. The newspaper, owned by Amazon CEO Jeff Bezos, says "Congress must now get serious about cybersecurity. The private sector has much at stake but may not be able to cope on its own."

A South Texas police chief says two Mexican citizens who were arrested at the border used account information stolen during the Target security breach to buy tens of thousands of dollars' worth of merchandise. But a federal official said later there currently was no connection between the arrests and the retailer's credit card data theft.
Asked about the arrests, a Target spokeswoman said the investigation was active and ongoing. McAllen Police Chief Victor Rodriguez says the pair had used fraudulent cards containing the account information of South Texas residents to make purchases at Best Buy, Wal-Mart and Toys R Us. McAllen police began working with the Secret Service after a number of area retailers were hit with fraudulent purchases last week.

Yahoo is still America's most visited website, according to numbers from comscore.com. The report comes as Yahoo struggles to increase advertising growth. Google's search engine, AOL and Facebook all lagged behind Yahoo.
It's back to work for traders on Wall Street after the long holiday weekend. There are a slew of earnings reports due out today. Stock futures rose this morning after overnight gains on Asian markets. China's central bank pumped more credit into the system after concerns about slowing growth in the world's second largest economy.

Business is bad for Sochi games. With less than three weeks to go until the opening ceremony at the Winter Olympics, hundreds of thousands of tickets remain unsold, raising the prospect of empty seats. There are signs that many foreign fans are staying away, turned off by terrorist threats, expensive flights and hotels, long travel distances, a shortage of tourist attractions in the area, and the hassle of obtaining visas and spectator passes.
"Some people are scared it costs too much and other people are scared because of security," senior International Olympic Committee member Gerhard Heiberg of Norway told The Associated Press. Sochi organizers announced last week that 70 percent of tickets have been sold for the games, which run from February 7-23. But it's not clear whether the remaining 30 percent of seats will be filled.


Er, chipped cards are not exactly new.  In fact, the major convenience store chain around here, Wawa, just got rid of all of their NFC card terminals.  They're actually even more of a security risk because contactless cards could lead to contactless pickpocketing.  Unless you stick your card in a Faraday sleeve, but good luck finding a producer, since the only difference between protecting your card and making a booster bag would be size.
Experience bij!

CountDeMoney

Quote from: KRonn on January 21, 2014, 09:25:16 AM
US credit card issuers need to catch up with the newer technology. Yeah it's expensive but how much is the Target theft, plus the many others that occur daily, cost the credit card companies and retailers?

I doubt it costs them much at all, other than PR value. 

Quote
In Europe and Canada cards already have smart chips installed and readers are used at retailers and restaurants, making it harder for thieves to profit from the sort of massive data breach that hit Target during the holiday shopping season.

Wrong.  RFI technology is just as easy to snatch, if not easier, than from point-of-sale hard swiping. 

Quote
"Computer networks are vital to American capitalism and society, but they remain surprisingly vulnerable to thieves and hijackers," says an editorial in today's Washington Post. The newspaper, owned by Amazon CEO Jeff Bezos, says "Congress must now get serious about cybersecurity. The private sector has much at stake but may not be able to cope on its own."

It isn't that the private sector is unable to cope on its own, it's simply unwilling to do it.
Security is not a revenue-generating aspect of companies, provides no real ROI number for MBA types to fap over during the quarterly spreadsheets, and does not increase shareholder value.

And if Amazon was truly serious about security, they'd have fucking hired me by now.   <_<

CountDeMoney

Quote from: DontSayBanana on January 21, 2014, 10:18:29 AM
They're actually even more of a security risk because contactless cards could lead to contactless pickpocketing.

Yup.  Some cards can project a RF field as far out as 10 feet away.

KRonn

Quote from: CountDeMoney on January 21, 2014, 10:38:52 AM
Quote from: DontSayBanana on January 21, 2014, 10:18:29 AM
They're actually even more of a security risk because contactless cards could lead to contactless pickpocketing.

Yup.  Some cards can project a RF field as far out as 10 feet away.

I wonder why then that technology is being touted as the latest and greatest?  :hmm:  Seems just as many issues with it, and maybe worse since a card can be stolen without hacking into anything.

CountDeMoney

It's being touted as the latest and greatest only because of the convenience of use, s'all.

CountDeMoney

Quote
Target Knew About Credit Card Hack For 12 Days Before Reacting
Posted 7 hours ago by John Biggs @ TechCrunch

In a scathing bit of reportage from Bloomberg Businessweek we discover that retailer Target had received word that its security system had been compromised nearly two weeks before it moved to act on the information.

In fact, last year Target hired FireEye, a security firm, to watch their servers for malware. The firm, which has a Bangalore-based response team, informed Target HQ in Minneapolis that someone had hacked the company on November 30. And no one did anything about it.

In short, according to Bloomberg, "for some reason, Minneapolis didn't react to the sirens."

The piece, as a whole, is delightfully detailed. It describes Target's security system as well as FireEye's "honeypot" servers that fooled attackers into thinking they had dropped into running servers but instead let them fool around in a sandboxed environment while FireEye watched. Then things got a little hairy.
The breach could have been stopped there without human intervention. The system has an option to automatically delete malware as it's detected. But according to two people who audited FireEye's performance after the breach, Target's security team turned that function off. Edward Kiledjian, chief information security officer for Bombardier Aerospace, an aircraft maker that has used FireEye for more than a year, says that's not unusual. "Typically, as a security team, you want to have that last decision point of 'what do I do,' " he says. But, he warns, that puts pressure on a team to quickly find and neutralize the infected computers.

What this points to, in the end, is inaction on the part of Target and a clear effort by FireEye to shore up its reputation. If Target couldn't be bothered to delete the malware, this piece suggests it's not FireEye's fault. While it never devolves into throwing anyone under the bus, it's clear Target's CIO Beth Jacob, who resigned last week, bore the brunt of the blame.

It just goes to show you that the best laid plans of mice and men gang aft agley.

CountDeMoney

Quote
Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It
By Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack March 13, 2014

The biggest retail hack in U.S. history wasn't particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in Target's (TGT) security and payments system designed to steal every credit card used at the company's 1,797 U.S. stores. At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper's credit card number, and store it on a Target server commandeered by the hackers.

It's a measure of how common these crimes have become, and how conventional the hackers' approach in this case, that Target was prepared for such an attack. Six months earlier the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye (FEYE), whose customers also include the CIA and the Pentagon. Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target's security operations center in Minneapolis would be notified.

On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data's escape route. As they uploaded exfiltration malware to move stolen credit card numbers—first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then ...

Nothing happened.

http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data#p1

derspiess

Quote from: CountDeMoney on January 21, 2014, 10:36:11 AM
Quote from: KRonn on January 21, 2014, 09:25:16 AM
US credit card issuers need to catch up with the newer technology. Yeah it's expensive but how much is the Target theft, plus the many others that occur daily, cost the credit card companies and retailers?

I doubt it costs them much at all, other than PR value. 

:lol:  I know many banks that took a beating in fraud related to the breach, not to mention the cost of reissuing all those cards. 
"If you can play a guitar and harmonica at the same time, like Bob Dylan or Neil Young, you're a genius. But make that extra bit of effort and strap some cymbals to your knees, suddenly people want to get the hell away from you."  --Rich Hall

CountDeMoney

Quote from: derspiess on March 13, 2014, 08:49:10 PM
Quote from: CountDeMoney on January 21, 2014, 10:36:11 AM
Quote from: KRonn on January 21, 2014, 09:25:16 AM
US credit card issuers need to catch up with the newer technology. Yeah it's expensive but how much is the Target theft, plus the many others that occur daily, cost the credit card companies and retailers?

I doubt it costs them much at all, other than PR value. 

:lol:  I know many banks that took a beating in fraud related to the breach, not to mention the cost of reissuing all those cards.

That's why they charge those nifty little service fees, and the minimum account balance fees that make Yi cream his shorts over.  They're not sweating it.

Caliga

0 Ed Anger Disapproval Points

derspiess

Quote from: CountDeMoney on March 13, 2014, 08:50:54 PM
That's why they charge those nifty little service fees, and the minimum account balance fees that make Yi cream his shorts over.  They're not sweating it.

No.  They're charging those fees because of that amazing Frank-Dodd legislation limited their interchange revenue.  They're losing money on this breach, big time.  But hey, you're the industry insider here.

CountDeMoney

Quote from: derspiess on March 13, 2014, 08:54:01 PM
No.  They're charging those fees because of that amazing Frank-Dodd legislation limited their interchange revenue.  They're losing money on this breach, big time.  But hey, you're the industry insider here.

Oh, I'm pretty sure we were getting charged those fees long before Frank-Dodd threatened the financial fabric of America.

derspiess

Quote from: CountDeMoney on March 13, 2014, 09:06:16 PM
Quote from: derspiess on March 13, 2014, 08:54:01 PM
No.  They're charging those fees because of that amazing Frank-Dodd legislation limited their interchange revenue.  They're losing money on this breach, big time.  But hey, you're the industry insider here.

Oh, I'm pretty sure we were getting charged those fees long before Frank-Dodd threatened the financial fabric of America.

Not me.  But if it happened to you, then you chose the wrong bank.

CountDeMoney

Quote from: derspiess on March 13, 2014, 09:09:57 PM
Quote from: CountDeMoney on March 13, 2014, 09:06:16 PM
Quote from: derspiess on March 13, 2014, 08:54:01 PM
No.  They're charging those fees because of that amazing Frank-Dodd legislation limited their interchange revenue.  They're losing money on this breach, big time.  But hey, you're the industry insider here.

Oh, I'm pretty sure we were getting charged those fees long before Frank-Dodd threatened the financial fabric of America.

Not me.  But if it happened to you, then you chose the wrong bank.

Don't let ideology get in the way of the history of banking fees dating to the 1970s or anything, dersurcharge.