Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Target Confirms Hackers Stole 40 Million Credit Cards
Threaded  |  Newest First  |  Oldest First
Kristin Burnham
Kristin Burnham,
 User Rank: Apprentice
12/19/2013 | 10:56:47 AM
Yikes.
What a nightmare. While Target should be commended for coming clean so quickly, it's unsettling that this type of ordeal could happen to such a large corporation and affect such a large number of people.
kwieting
kwieting,
 User Rank: Apprentice
12/19/2013 | 12:16:21 PM
Re: Yikes.
ACM, Question:  How could a merchant possibly be compliant to any standard if they are breached?  It's ridiculous to think a merchant is compliant after the fact either.
Drew Conry-Murray
Drew Conry-Murray,
 User Rank: Ninja
12/19/2013 | 12:48:05 PM
Re: Yikes.
Thanks for the comment. Being compliant with a standard and reducing the risk of a breach to zero are two entirely different things. Being compliant with PCI means that an organization has followed a specific set of instructions for a specific set of controls and practices, like vulnerability scanning and encryption. But this doesn't mean an organization has eliminated all risk. The card brands (Visa, MasterCard, etc.) would like to conflate PCI compliance with invulnerability, but any security practitioner will tell you that invulnerability is an impossible standard.

Think of the PCI system as kind of like a driver's license. You pass a written exam and a driving exam and you get your license from the state. Then you get in an accident. The state comes along and levies extra fines against you for not having a license--because if you got in an accident, then you must not have really passed the test.
Somedude8
Somedude8,
 User Rank: Apprentice
12/19/2013 | 1:39:51 PM
Re: Yikes.
The PCI spec is far from 100% secure. Its really just a minimal starting point.
IT-security-gladiator
IT-security-gladiator,
 User Rank: Apprentice
12/19/2013 | 12:17:05 PM
Must have been Microsoft servers that got hacked
If Target were running Linux Apache servers this would not have happened. Wise up Target and dump your MicroKlunk Junk MS DOS iis servers asap!
midmachine
midmachine,
 User Rank: Apprentice
12/19/2013 | 1:51:46 PM
Re: Must have been Microsoft servers that got hacked
That is today's most idiotic comment so far...sheesh...
WKash
WKash,
 User Rank: Apprentice
12/19/2013 | 6:19:17 PM
Re: Must have been Microsoft servers that got hacked
I agree, that statement takes the cake for idiotic statements.

What it took to pull this off is a level of sophistication that makes a bank robbery look simple...

I don't know if this is in fact correct, but it paints the picture -- and provides a basis for the next Hollywood Christmas Heist movie:

"To be successful, the adversary would have performed detailed reconnaissance and other activities in preparation for their primary mission objective. This would have required infrastructure compromise, entrenchment, command and control, and privileged access, all of which take time and effort."
samicksha
samicksha,
 User Rank: Apprentice
12/20/2013 | 5:18:47 AM
Re: Must have been Microsoft servers that got hacked
The most common pic we in India see these days is,

 

A new study shows that hackers can secretly transmit and receive data from laptops, mobiles and other devices by using high frequency audio signals inaudible to the human ears.(Source: http://www.mouthshut.com/blog/dgfjrqnqqm/Now-your-PC-can-be-hacked-just-with-a-sound)
midmachine
midmachine,
 User Rank: Apprentice
12/20/2013 | 8:46:24 AM
Re: Must have been Microsoft servers that got hacked
The clue for me, toher than what you quoted, was the reference to gleaning info from the stripe. Definitely agree with the level of sophistication. Most likely comprimising the readers at the checkouts. Inside job/assistance?
IT-security-gladiator
IT-security-gladiator,
 User Rank: Apprentice
12/21/2013 | 10:42:13 AM
Re: Must have been Microsoft servers that got hacked
midmachine,

 

What's idiotic is you work for MicroKlunk and have no clue how pathetic your iis servers are.

Get a grip idiot and learn Linux Apache, then I can welcome you to real technology not 1980's MS DOS servers.
aditshar
aditshar,
 User Rank: Apprentice
12/23/2013 | 7:14:40 AM
Re: Must have been Microsoft servers that got hacked
Sounds like Walmart people on target, i guess target need to target on increasing their security, else they will be exploiting their customers by putting profits over prudence.
catvalencia
catvalencia,
 User Rank: Apprentice
2/15/2014 | 5:52:08 AM
Re: Must have been Microsoft servers that got hacked
One of the biggest arguments for using credit cards over other payment systems is that the cards supposedly provide protection from scams. It is important to know, however, that this protection often comes with limitations.
Exit to Shell
Exit to Shell,
 User Rank: Apprentice
12/19/2013 | 1:31:53 PM
Re: Yikes.
I don't think Target should be commended for anything. Coming clean in a hurry without offering any type of free credit monitoring service for the affected guests seems like an inauthentic apology. They are basicllay saying... Hey everyone - we're sorry, I'd keep an eye on my credit card statements if I were you. We'll see if they do something more credible as time passes.

Also, with the rate at which cards are being stolen... 40 million here, 160 million there, there has to be a better way to protect consumers. Hopefully these breaches will drive the credit card/security industry to come up with better system.
Drew Conry-Murray
Drew Conry-Murray,
 User Rank: Ninja
12/19/2013 | 11:00:27 AM
Nice Holiday Present
As someone who shopped at Target during the breach period, I'll be spending the holidays taking a closer look at my card statements.
David F. Carr
David F. Carr,
 User Rank: Strategist
12/19/2013 | 11:05:01 AM
Re: Nice Holiday Present
We've used the Target store credit card (Red Card) for our recent purchases there. Wondering if Target is better able to protect customers in that instance. If the crooks have that card #, at least they couldn't use it anywhere other than Target.
jagibbons
jagibbons,
 User Rank: Strategist
12/19/2013 | 1:25:40 PM
Re: Nice Holiday Present
The Rec Card is the way to go. Not only do you save 5% on purchases, but in this case Target could very easily cancel and re-issue all of them affected by this breach.
MarciaNWC
MarciaNWC,
 User Rank: Apprentice
12/19/2013 | 11:29:13 AM
Re: Nice Holiday Present
I also shopped at Target during the affected period, and am really frustrated. This breach underscores the broken nature of the payment card system. Gartner's Avivah Litan wrote a good analysis: http://blogs.gartner.com/avivah-litan/2013/12/19/what-can-we-learn-from-the-target-breach/.

 
Drew Conry-Murray
Drew Conry-Murray,
 User Rank: Ninja
12/19/2013 | 11:49:16 AM
Re: Nice Holiday Present
Thanks for link from Avivah. She calls out something that has always frustrated me about PCI: that a certified compliant company can be retroactively found non-compliant if there's a breach. The card brands seem to want to promote the ridiculous fantasy that PCI is a perfect system, and if a compliant company gets breached, then it must have been because weren't really compliant. It's bizarre logic.

 
Laurianne
Laurianne,
 User Rank: Apprentice
12/19/2013 | 12:21:45 PM
Re: Nice Holiday Present
What good does a retroactive noncompliant finding do? Thanks for pointing out this important part of the story. We'll have follow up coverage.
anon4768076153
anon4768076153,
 User Rank: Apprentice
12/19/2013 | 11:48:23 AM
Re: Nice Holiday Present
After hearing the news about Target hackings,  I checked my statement and lo and behold,  (I just shopped the Target store in Kearny Mesa San Diego (Othello) and my $81.00 bill turned into $101.00, I think the store manager might want to check one of their employees ... at around 2:45pm 12/19/13 description of cashier: heavy set Black (sorry not a racist ! just a description)  Unfortunately I threw out my receipt after unloading the items.  Managers only have to remember one of their other employee, named Teresa who did the same thing !
pmoore520
pmoore520,
 User Rank: Apprentice
12/19/2013 | 1:40:38 PM
Re: Nice Holiday Present
A recent article I read clued me in to another scam where the cashier (could be any store) will indicate a 'cash back' was included in the transaction when in fact, the buyer did not want any cash back.  The cashier then pockets the extra money.  Check your receipts anytime you use plastic before walking away from the register.  It only takes a moment....
cbabcock
cbabcock,
 User Rank: Apprentice
12/19/2013 | 3:28:58 PM
Yes, bring the miscreants to justice
This just plain hurts Target, and confidence in credit card use at retailers everywhere. Target's line about bringing the miscreants to justice was a brave one. If they and law enforcement can do that, maybe there's hope this won't become a commonplace. On the other hand, if they can't, that's a clue to why they couldn't prevent this break-in in the first place.
billmosby
billmosby,
 User Rank: Apprentice
12/19/2013 | 3:53:53 PM
Credit card theft is getting to be pretty normal.
Thank goodness I have never actually found anything I was looking for at Target in recent years. lol.
Susan Fourtané
Susan Fourtané,
 User Rank: Apprentice
12/21/2013 | 2:16:20 AM
Re: Credit card theft is getting to be pretty normal.
Bill, 

You can consider yourself very lucky.

-Susan
anon1187403560
anon1187403560,
 User Rank: Apprentice
12/20/2013 | 9:57:14 AM
Was It Really That Complicated?
Does anyone have any hard evidence regarding exactly what happened?  It's great to bloviate about how this must have been a Windows computer being compromised or that this was planned for months but why do we assume such complexity is required?  Someone on the inside could have access to encryption keys and simply copied a transaction log to a thumb drive.

Forest for the trees folks.  Forest for the trees.
ANON1236681627026
ANON1236681627026,
 User Rank: Apprentice
12/20/2013 | 8:50:53 PM
Target Breach
"But the retailer is to be commended for coming clean about the breach relatively quickly". Not so true; this breach happened November 27th, as a Target customer, I was informed YESTERDAY. Target expects their customers to do all the legwork to protect their identity and credit, EG:contact all the credit bureaus, place a freeze on their credit, etc. Not impressed, actually disgusted with their expectations and they lost me as a customer.

 
Alison Diana
Alison Diana,
 User Rank: Apprentice
12/24/2013 | 12:00:27 PM
Lack of Education in Banks too
I used my debit card once during that period in Target, instead of my usual Target Red Card. So first thing, I called my large, national bank to cancel it, then went to the local branch to pick up a temporary card until the replacement arrived in "10-15 business days." The local branch manager said I would be fine and she couldn't understand why the bank was allowing customers to cancel their cards since customers had zero liability. I explained it was my DEBIT card, not credit card and I was concerned my entire paycheck could be wiped out and payments would bounce all over creation. "But you're not liable," she said, not once comprehending my concerns. 

Obviously, there is still a major disconnect - at least with one employee at one bank - about the full scope these breaches can have.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1172
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
CVE-2023-1469
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
CVE-2023-1466
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
CVE-2023-1467
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
CVE-2023-1468
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...