Target Breach: 8 Facts On Memory-Scraping Malware

Network Computing Dark Reading

Advertise

About Us

Newest First | Oldest First | Threaded View

[close this box]

50%

MarkSitkowski,
User Rank: Moderator
1/16/2014 | 6:28:29 PM

Target Breach

I posted this against another article, but I think it's important enough to repeat here.

Before the hackers damage another retailer, let me suggest a way of preventing this happening again. The benefit of this solution, originall designed for internet purchasing, is that it saves the credit card companies from having to invest in expensive EMV cards and, as a side benefit, a lost or stolen card will be useless to the thief. Also, very little modification needs to be made to the POS terminal. Further, the customer never sends his credit card details to the retailer, and the retailer's transaction records contain no usable information.
1. Remove all data from the credit card and its magnetic stripe, except for a simple User ID and, perhaps, the expiry date.
2. The credit card company installs a fraudproof authentication system, as described in www.designsim.com.au/What_is_SteelPlatez.ppsx, in its data centre.
3. The customer and retailer have accounts on the authentication system.
4. When the customer needs to make a purchase, he logs in to the authentication system belonging to the appropriate credit card company, giving his user ID and the amount of the purchase.
5. The retailer also logs in to the system, giving his merchant number, or User ID, and the customer's User ID (taken from the POS in use)
6. The credit card company knows the user's card number, so if he's been authenticated, it checks for a match with the retailer's submission.
7. If there's a match, it performs the usual checks for limits, expiry etc, issues an approval, pays the retailer etc.
Simple

Reply | Post Message | Messages List | Start a Board

50%

PaulS681,
User Rank: Apprentice
1/15/2014 | 7:30:13 PM

Re: Another reason...

Interesting concept. Paying with cash would make these POS machines obsolete however hackers would probably focus their efforts on financial institutions and hack you that way. I say that in jest as cards are not going away anytime soon but you make a good point.

Reply | Post Message | Messages List | Start a Board

50%

Mathew,
User Rank: Apprentice
1/15/2014 | 7:11:53 AM

Re: Another reason...

Indeed. The convenience factor of using a debit/credit card would also be offset by having to carefully review one's statement online every 24-48 hours for signs of abuse.

Reply | Post Message | Messages List | Start a Board

50%

Thomas Claburn,
User Rank: Ninja
1/14/2014 | 8:18:24 PM

Another reason...

...to pay with cash. I wonder what the relative risk of being robbed is compared to the risk of being hacked.

Reply | Post Message | Messages List | Start a Board

Hot Topics

Editors' Choice

How to Better Secure Your Microsoft 365 Environment

Kelly Sheridan, Staff Editor, Dark Reading, 1/25/2021

Attackers Leave Stolen Credentials Searchable on Google

Kelly Sheridan, Staff Editor, Dark Reading, 1/21/2021

Webinars

Strategies for Success with Digital Transformation

Building the SOC of the Future: Next-Generation Security Operations

ROI and Beyond for the Cloud

Webinar Archives

White Papers

A Technical Deep Dive on Software Exploits

Improving Your Enterprise's Protection With Cyber Resilience

What To Consider Before Renewing Your SD-WAN

The Essential Guide to Securing Remote Access

Top Threats to Cloud Computing: The Egregious 11

More White Papers

Cartoon Contest

Write a Caption, Win an Amazon Gift Card! Click Here

Latest Comment: Hey! Just a kind advice, we have hidden agents in your endpoint that allow us to know that you are not doing the report for your manager and you ...

Cartoon Archive

Current Issue

2020: The Year in Security

Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

Assessing Cybersecurity Risk in Today's Enterprises

COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.

Download Now!

The Malware Threat Landscape

0 comments

How Data Breaches Affect the Enterprise (2020)

0 comments

Building an Effective Cybersecurity Incident Response Team

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2021-3318
PUBLISHED: 2021-01-27

attach/ajax.php in DzzOffice through 2.02.1 allows XSS via the editorid parameter.

CVE-2020-5427
PUBLISHED: 2021-01-27

In Spring Cloud Data Flow, versions 2.6.x prior to 2.6.5, versions 2.5.x prior 2.5.4, an application is vulnerable to SQL injection when requesting task execution.

CVE-2020-5428
PUBLISHED: 2021-01-27

In applications using Spring Cloud Task 2.2.4.RELEASE and below, may be vulnerable to SQL injection when exercising certain lookup queries in the TaskExplorer.

CVE-2021-20357
PUBLISHED: 2021-01-27

IBM Jazz Foundation products is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194963.

CVE-2020-4865
PUBLISHED: 2021-01-27

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]