
Target's Christmas Data Breach
User Rank: Moderator
1/9/2014 | 6:28:01 PM
re: Target's Christmas Data Breach
All the criminals got for PIN is the encrypted PIN block. It's encrypted using TDES which is impractical to crack (http://www.voltage.com/blog/cr.... Brute force guessing the PIN to crack it doesn't work. Guessing at the plain text doesn't allow them to compare against the encrypted PIN block and get back a yes/no answer. That would be considered a known plain text attack which TDES isn't vulnerable to last I checked.

The criminals' only hope for decrypting the encrypted PIN blocks would be to get the key from the payment processor Target uses. As you said, there is no reason to believe they breached the payment processor. If that were the case, we'd all be in a world of hurt, similar to the Heartland and Global Payments breaches.
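As an added illustration (not part of this comment thread), here is what the "encrypted PIN block" the comment refers to actually contains before the TDES layer is applied, assuming the common ISO 9564 Format 0 layout; the PAN and PIN are constructed test values, and the TDES step itself is omitted because Python's standard library has no DES, which is precisely the step that requires the processor's key.

```python
"""ISO 9564-1 Format 0 PIN block (added example, assumed layout).

The clear block is PIN field XOR PAN field, so even the clear block is
bound to the card number; the 8-byte result is what TDES encrypts on its
way from the PIN Entry Device to the payment processor. Sample PAN/PIN
values below are constructed, not real.
"""


def pan_field(pan: str) -> bytes:
    """0000 + rightmost 12 PAN digits excluding the check digit."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short for Format 0")
    return bytes.fromhex("0000" + digits[-13:-1])


def pin_field(pin: str) -> bytes:
    """0 + PIN length nibble + PIN digits + F padding to 16 nibbles."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4-12 digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def encode_pin_block(pin: str, pan: str) -> bytes:
    """Clear Format 0 block = PIN field XOR PAN field (8 bytes)."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def decode_pin_block(block: bytes, pan: str) -> str:
    """Processor side, after TDES decryption: undo the XOR and parse.

    A wrong PAN almost always breaks the padding/length checks, which is
    how a processor notices a block that does not belong to this card.
    """
    clear = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    length = int(clear[1], 16)
    if clear[0] != "0" or not 4 <= length <= 12:
        raise ValueError("not a Format 0 block")
    pin = clear[2:2 + length]
    if not pin.isdigit() or clear[2 + length:] != "F" * (14 - length):
        raise ValueError("PIN block failed integrity check")
    return pin


if __name__ == "__main__":
    blk = encode_pin_block("1234", "4111111111111111")  # constructed values
    print(blk.hex().upper(), decode_pin_block(blk, "4111111111111111"))
```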
User Rank: Moderator
1/9/2014 | 6:21:22 PM
re: Target's Christmas Data Breach
The CVV is separate from CVV2/CID printed on the card. The CVV is embedded in track data which is not supposed to be stored post-authorization just like CVV2/CID. There is no proof Target was storing track data or CVV2/CID. Criminals steal this data as it passes through compromised POS networks. They've been doing this for many years. Track data and CVV2/CID can both be stolen this way.

Only the PIN used in debit transactions is actually encrypted from the PIN Entry Device (PED) all the way to the payment processor, where it's decrypted, with US payment processing the way it is today. This is why point-to-point encryption provided through payment processors for magstripe and manually keyed-in cards has been catching on. It reduces the PCI card data environment tremendously for merchants, just like debit PINs are protected.

Even EMV is no magic bullet. The value in EMV is they can't make EMV card clones if they sniff an EMV transaction, thereby eliminating card-present transaction fraud at merchants that only accept EMV (as opposed to also accepting magstripe reads or manually keyed in card data). When a transaction is run using EMV, track equivalent data including the card number and expiration date are handled by the POS systems in plain text. The CVV normally found in real track data is changed to something false meaning criminals wouldn't be able to make working magstripe cards from the sniffed EMV transaction to commit fraud. They'd have to resort to card-not-present fraud such as phone ordering using the card number and expiration date, hoping the cashier doesn't ask for CVV2/CID which the criminals wouldn't have.
User Rank: Apprentice
1/8/2014 | 4:32:56 PM
re: Target's Christmas Data Breach
Who said they are storing the CVV? Not knowing all of the facts about this breach, we are all left to surmise based on what is provided. Given the things that reportedly were accessed, such as CVV number and PINs for debit cards, it certainly leads us to think of either a POS breach or something in the flow of this data from the register to their payment processor (I'm not saying the payment processor itself was breached!). These would be possible points where these highly sensitive attributes could be present.
User Rank: Apprentice
1/3/2014 | 5:56:44 AM
re: Target's Christmas Data Breach
The question you should actually be asking is why Target is storing the CVV number, which is in direct violation of the PCI standard.
User Rank: Apprentice
12/31/2013 | 2:21:14 PM
re: Target's Christmas Data Breach
I agree... enough with the lawsuits, because as you mentioned all that does is focus the company on protecting ITSELF from lawsuits rather than fixing the core problem: security of their systems. Let's hope Target learns lessons and tightens down their systems to avoid this in the future... my trust in them is shaken and I will only spend cash or use their own credit card going forward... no more using my personal credit cards now.
User Rank: Apprentice
12/30/2013 | 3:10:51 PM
re: Target's Christmas Data Breach
The byline of this article ("Why, oh, why would Target be storing debit card PINs?") is misleading. There is nothing to conclude that Target is storing PINs.

The Target intruders may have merely grabbed copies of the magstripe as they passed through the Target network. And perhaps the magstripe was not protected by encryption as it was transmitted through the internal Target network - well, that is not a PCI violation, though I wish it was. In my opinion, card numbers should be encrypted when transmitted through internal networks, but PCI still does not require that practice.
User Rank: Ninja
12/29/2013 | 1:11:15 PM
re: Target's Christmas Data Breach
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

if the merchant is hacked the card numbers are then sold on the black market. hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high value items -- that can be resold

it's a rough way to scam cash and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems.

The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor -- with PGP.

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI (Payment Card Industry Card Service Center) for processing and forward the cipher text to the POST.

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.
User Rank: Ninja
12/29/2013 | 1:08:10 PM
re: Target's Christmas Data Breach
anyone interested in this issue should read this article

related to Whitfield Diffie's testimony in TQP v Newegg, particularly the "Brief history of public key cryptography" which starts under that heading

Mr. Diffie notes that he and others involved in the development of public key cryptography recognized early on that a method of authenticating transactions of all sorts that would work in a digital network environment was going to be an important need.

PCI has done nothing except to port the pen and ink process used with credit card embossers to the network.

it hasn't worked and it isn't going to. i don't know if the Target embarrassment will turn the trick; perhaps it will. if we adopt the European method of using smart-cards with PINs we may be able to correct one major defect -- that being that the card holder should authorize each transaction individually. as things stand -- anyone with your account number can initiate a transaction.

PCI doesn't care -- "it's just part of the cost of doing business". but we the people do care. if you have 900 bucks charged on your card for a new gizzie and you call the bank to get the charge reversed -- you are likely to get the run-around.

it's time for reform.

I've gone back to cash.
User Rank: Strategist
12/28/2013 | 6:33:23 PM
re: Target's Christmas Data Breach
Magnetic stripes are dinosaur-like. They should be abandoned in favor of on-card chips like those found in mass transit smartcards and enhanced drivers licenses. Smartphones with NFC would be better also. BTW: it's the POTUS abusing the Constitution, not Congress.
User Rank: Apprentice
12/27/2013 | 11:46:00 PM
re: Target's Christmas Data Breach
I too would support Sen. Menendez in his efforts to grant authority for the FTC to impose fines.

However, the story I wish more people were made aware of is how payment card fraud could be all but eliminated, if the issuing banks were to embrace technology that's existed for several (7+?) years. Just ONE of the technologies that could be used is 'dynamically' created or changing card numbers that are only valid for one time and by one merchant.

One perceived roadblock to a wider acceptance of "one time use" credit card technology is that merchant Point-of-Sale (POS) systems would need to change significantly. This is simply NOT TRUE.

Check out a company named Dynamics Inc. based in Pennsylvania that has a product that can encode the one-time-use card number onto the magnetic stripe(s) on the back of the card. This enables standard, existing POS card readers to work seamlessly with the newer card technology. A card number that is only good for one transaction at a time, cannot be [re-]sold by criminals.

See Dynamics Inc.'s webpage (/Corporate/Products) + their "Dynamics Inc. - Enabling Payments 2.0-" Dynamic Credit Card via web.archive.org [http://bit.ly/19fbXKb] (last archived Oct. 1st, 2013).

The single most frightening thing anyone could say that _should_ be the catalyst for the card industry to move toward changing the 1950's card technology that we currently endure is: "I'm just going to pay cash and stop using credit cards". Of course that'll never happen and as long as everyone continues to believe the myth that "all we can do" is to cancel compromised cards and pay extra for "account monitoring", "recover" from identity theft best we can, yada, yada, yada.

What consumers should be hearing is the truth, that card skimming fraud could have been eliminated years ago. I believe Target, or any merchant that gets compromised, is simply a victim themselves - a victim of our current card technology that hasn't changed significantly since it was first introduced.

Target is partially to blame, in that its network was compromised, but then being "PCI" compliant these days means about as much as the US Constitution does to Congress right now... close to nothing!

I say SOLVE THE PROBLEM instead of sweeping the problem under the rug (again) by not holding the card issuers responsible for their lack of innovation - or lack of bringing to mass-market the innovation that has existed for years.
