Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Target Confirms Hackers Stole 40 Million Credit Cards
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
billmosby
billmosby,
 User Rank: Apprentice
12/19/2013 | 3:53:53 PM
Credit card theft is getting to be pretty normal.
Thank goodness I have never actually found anything I was looking for at Target in recent years. lol.
cbabcock
cbabcock,
 User Rank: Apprentice
12/19/2013 | 3:28:58 PM
Yes, bring the miscreants to justice
This just plain hurts Target, and confidence in credit card use at retailers everywhere. Target's line about bringing the miscreants to justice was a brave one. If they and law enforcement can do that, maybe there's hope this won't become a commonplace. On the other hand, if they can't, that's a clue to why they couldn't prevent this break-in in the first place.
midmachine
midmachine,
 User Rank: Apprentice
12/19/2013 | 1:51:46 PM
Re: Must have been Microsoft servers that got hacked
That is today's most idiotic comment so far...sheesh...
pmoore520
pmoore520,
 User Rank: Apprentice
12/19/2013 | 1:40:38 PM
Re: Nice Holiday Present
A recent article I read clued me in to another scam where the cashier (could be any store) will indicate a 'cash back' was included in the transaction when in fact, the buyer did not want any cash back.  The cashier then pockets the extra money.  Check your receipts anytime you use plastic before walking away from the register.  It only takes a moment....
Somedude8
Somedude8,
 User Rank: Apprentice
12/19/2013 | 1:39:51 PM
Re: Yikes.
The PCI spec is far from 100% secure. Its really just a minimal starting point.
Exit to Shell
Exit to Shell,
 User Rank: Apprentice
12/19/2013 | 1:31:53 PM
Re: Yikes.
I don't think Target should be commended for anything. Coming clean in a hurry without offering any type of free credit monitoring service for the affected guests seems like an inauthentic apology. They are basicllay saying... Hey everyone - we're sorry, I'd keep an eye on my credit card statements if I were you. We'll see if they do something more credible as time passes.

Also, with the rate at which cards are being stolen... 40 million here, 160 million there, there has to be a better way to protect consumers. Hopefully these breaches will drive the credit card/security industry to come up with better system.
jagibbons
jagibbons,
 User Rank: Strategist
12/19/2013 | 1:25:40 PM
Re: Nice Holiday Present
The Rec Card is the way to go. Not only do you save 5% on purchases, but in this case Target could very easily cancel and re-issue all of them affected by this breach.
Drew Conry-Murray
Drew Conry-Murray,
 User Rank: Ninja
12/19/2013 | 12:48:05 PM
Re: Yikes.
Thanks for the comment. Being compliant with a standard and reducing the risk of a breach to zero are two entirely different things. Being compliant with PCI means that an organization has followed a specific set of instructions for a specific set of controls and practices, like vulnerability scanning and encryption. But this doesn't mean an organization has eliminated all risk. The card brands (Visa, MasterCard, etc.) would like to conflate PCI compliance with invulnerability, but any security practitioner will tell you that invulnerability is an impossible standard.

Think of the PCI system as kind of like a driver's license. You pass a written exam and a driving exam and you get your license from the state. Then you get in an accident. The state comes along and levies extra fines against you for not having a license--because if you got in an accident, then you must not have really passed the test.
Laurianne
Laurianne,
 User Rank: Apprentice
12/19/2013 | 12:21:45 PM
Re: Nice Holiday Present
What good does a retroactive noncompliant finding do? Thanks for pointing out this important part of the story. We'll have follow up coverage.
IT-security-gladiator
IT-security-gladiator,
 User Rank: Apprentice
12/19/2013 | 12:17:05 PM
Must have been Microsoft servers that got hacked
If Target were running Linux Apache servers this would not have happened. Wise up Target and dump your MicroKlunk Junk MS DOS iis servers asap!
<<   <   Page 2 / 3   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-35942
PUBLISHED: 2022-08-12
Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data ...
CVE-2022-35949
PUBLISHED: 2022-08-12
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js con...
CVE-2022-35953
PUBLISHED: 2022-08-12
BookWyrm is a social network for tracking your reading, talking about books, writing reviews, and discovering what to read next. Some links in BookWyrm may be vulnerable to tabnabbing, a form of phishing that gives attackers an opportunity to redirect a user to a malicious site. The issue was patche...
CVE-2022-35956
PUBLISHED: 2022-08-12
This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 `update_by_case` gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgra...
CVE-2022-35943
PUBLISHED: 2022-08-12
Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter ...