Target Breach: 8 Facts On Memory-Scraping Malware

Network Computing Dark Reading

Advertise

About Us

Newest First | Oldest First | Threaded View

[close this box]

50%

MarkSitkowski,
User Rank: Moderator
1/16/2014 | 6:28:29 PM

Target Breach

I posted this against another article, but I think it's important enough to repeat here.

Before the hackers damage another retailer, let me suggest a way of preventing this happening again. The benefit of this solution, originall designed for internet purchasing, is that it saves the credit card companies from having to invest in expensive EMV cards and, as a side benefit, a lost or stolen card will be useless to the thief. Also, very little modification needs to be made to the POS terminal. Further, the customer never sends his credit card details to the retailer, and the retailer's transaction records contain no usable information.
1. Remove all data from the credit card and its magnetic stripe, except for a simple User ID and, perhaps, the expiry date.
2. The credit card company installs a fraudproof authentication system, as described in www.designsim.com.au/What_is_SteelPlatez.ppsx, in its data centre.
3. The customer and retailer have accounts on the authentication system.
4. When the customer needs to make a purchase, he logs in to the authentication system belonging to the appropriate credit card company, giving his user ID and the amount of the purchase.
5. The retailer also logs in to the system, giving his merchant number, or User ID, and the customer's User ID (taken from the POS in use)
6. The credit card company knows the user's card number, so if he's been authenticated, it checks for a match with the retailer's submission.
7. If there's a match, it performs the usual checks for limits, expiry etc, issues an approval, pays the retailer etc.
Simple

Reply | Post Message | Messages List | Start a Board

50%

PaulS681,
User Rank: Apprentice
1/15/2014 | 7:30:13 PM

Re: Another reason...

Interesting concept. Paying with cash would make these POS machines obsolete however hackers would probably focus their efforts on financial institutions and hack you that way. I say that in jest as cards are not going away anytime soon but you make a good point.

Reply | Post Message | Messages List | Start a Board

50%

Mathew,
User Rank: Apprentice
1/15/2014 | 7:11:53 AM

Re: Another reason...

Indeed. The convenience factor of using a debit/credit card would also be offset by having to carefully review one's statement online every 24-48 hours for signs of abuse.

Reply | Post Message | Messages List | Start a Board

50%

Thomas Claburn,
User Rank: Ninja
1/14/2014 | 8:18:24 PM

Another reason...

...to pay with cash. I wonder what the relative risk of being robbed is compared to the risk of being hacked.

Reply | Post Message | Messages List | Start a Board

Hot Topics

Editors' Choice

Mobile Banking Malware Up 50% in First Half of 2019

Kelly Sheridan, Staff Editor, Dark Reading, 1/17/2020

7 Tips for Infosec Pros Considering A Lateral Career Move

Kelly Sheridan, Staff Editor, Dark Reading, 1/21/2020

For Mismanaged SOCs, The Price Is Not Right

Kelly Sheridan, Staff Editor, Dark Reading, 1/22/2020

Live Events

Webinars

March 16-19, 2020: Data Center World Registration is open! Join Us

Data Center World: The leading conference & expo for Data Center and IT Infrastructure Professionals. Register Today!

Get Insights: Cisco vs Microsoft & More at EC20 Orlando

More Informa Tech Live Events

White Papers

Using AI to Power AppSec

Simplify Your App Security

NetFlow vs Packet Data

[IT Trend Report] The Future of Cloud

Orchestrate Risk and Vulnerability Management Across the Software Development Life Cycle

More White Papers

Video

All Videos

Cartoon Contest

Write a Caption, Win a Starbucks Card! Click Here

Latest Comment: It's a PEN test of our cloud security.

Cartoon Archive

Current Issue

IT 2020: A Look Ahead

Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

How Enterprises are Attacking the Cybersecurity Problem

Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.

Download Now!

How Data Breaches affect the Enterprise

0 comments

Rethinking Enterprise Data Defense

0 comments

Assessing Cybersecurity Risk in Today's Enterprise

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2020-7245
PUBLISHED: 2020-01-23

Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...

CVE-2019-14885
PUBLISHED: 2020-01-23

A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...

CVE-2019-17570
PUBLISHED: 2020-01-23

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...

CVE-2020-6007
PUBLISHED: 2020-01-23

Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.

CVE-2012-4606
PUBLISHED: 2020-01-23

Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]