Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Target Confirms Hackers Stole 40 Million Credit Cards
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
billmosby
50%
50%
billmosby,
User Rank: Apprentice
12/19/2013 | 3:53:53 PM
Credit card theft is getting to be pretty normal.
Thank goodness I have never actually found anything I was looking for at Target in recent years. lol.
cbabcock
50%
50%
cbabcock,
User Rank: Apprentice
12/19/2013 | 3:28:58 PM
Yes, bring the miscreants to justice
This just plain hurts Target, and confidence in credit card use at retailers everywhere. Target's line about bringing the miscreants to justice was a brave one. If they and law enforcement can do that, maybe there's hope this won't become a commonplace. On the other hand, if they can't, that's a clue to why they couldn't prevent this break-in in the first place.
midmachine
0%
100%
midmachine,
User Rank: Apprentice
12/19/2013 | 1:51:46 PM
Re: Must have been Microsoft servers that got hacked
That is today's most idiotic comment so far...sheesh...
pmoore520
50%
50%
pmoore520,
User Rank: Apprentice
12/19/2013 | 1:40:38 PM
Re: Nice Holiday Present
A recent article I read clued me in to another scam where the cashier (could be any store) will indicate a 'cash back' was included in the transaction when in fact, the buyer did not want any cash back.  The cashier then pockets the extra money.  Check your receipts anytime you use plastic before walking away from the register.  It only takes a moment....
Somedude8
50%
50%
Somedude8,
User Rank: Apprentice
12/19/2013 | 1:39:51 PM
Re: Yikes.
The PCI spec is far from 100% secure. Its really just a minimal starting point.
Exit to Shell
50%
50%
Exit to Shell,
User Rank: Apprentice
12/19/2013 | 1:31:53 PM
Re: Yikes.
I don't think Target should be commended for anything. Coming clean in a hurry without offering any type of free credit monitoring service for the affected guests seems like an inauthentic apology. They are basicllay saying... Hey everyone - we're sorry, I'd keep an eye on my credit card statements if I were you. We'll see if they do something more credible as time passes.

Also, with the rate at which cards are being stolen... 40 million here, 160 million there, there has to be a better way to protect consumers. Hopefully these breaches will drive the credit card/security industry to come up with better system.
jagibbons
50%
50%
jagibbons,
User Rank: Strategist
12/19/2013 | 1:25:40 PM
Re: Nice Holiday Present
The Rec Card is the way to go. Not only do you save 5% on purchases, but in this case Target could very easily cancel and re-issue all of them affected by this breach.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
12/19/2013 | 12:48:05 PM
Re: Yikes.
Thanks for the comment. Being compliant with a standard and reducing the risk of a breach to zero are two entirely different things. Being compliant with PCI means that an organization has followed a specific set of instructions for a specific set of controls and practices, like vulnerability scanning and encryption. But this doesn't mean an organization has eliminated all risk. The card brands (Visa, MasterCard, etc.) would like to conflate PCI compliance with invulnerability, but any security practitioner will tell you that invulnerability is an impossible standard.

Think of the PCI system as kind of like a driver's license. You pass a written exam and a driving exam and you get your license from the state. Then you get in an accident. The state comes along and levies extra fines against you for not having a license--because if you got in an accident, then you must not have really passed the test.
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
12/19/2013 | 12:21:45 PM
Re: Nice Holiday Present
What good does a retroactive noncompliant finding do? Thanks for pointing out this important part of the story. We'll have follow up coverage.
IT-security-gladiator
20%
80%
IT-security-gladiator,
User Rank: Apprentice
12/19/2013 | 12:17:05 PM
Must have been Microsoft servers that got hacked
If Target were running Linux Apache servers this would not have happened. Wise up Target and dump your MicroKlunk Junk MS DOS iis servers asap!
<<   <   Page 2 / 3   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-33336
PUBLISHED: 2021-08-04
Cross-site scripting (XSS) vulnerability in the Journal module's add article menu in Liferay Portal 7.3.0 through 7.3.3, and Liferay DXP 7.1 fix pack 18, and 7.2 fix pack 5 through 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_journal_web_portlet_JournalPortl...
CVE-2021-33339
PUBLISHED: 2021-08-04
Cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_admin_web_portlet_SiteAdminPortlet_name parameter.
CVE-2021-3680
PUBLISHED: 2021-08-04
showdoc is vulnerable to Missing Cryptographic Step
CVE-2021-35397
PUBLISHED: 2021-08-04
A path traversal vulnerability in the static router for Drogon from 1.0.0-beta14 to 1.6.0 could allow an unauthenticated, remote attacker to arbitrarily read files. The vulnerability is due to lack of proper input validation for requested path. An attacker could exploit this vulnerability by sending...
CVE-2021-36483
PUBLISHED: 2021-08-04
DevExpress.XtraReports.UI through v21.1 allows attackers to execute arbitrary code via insecure deserialization.