Comments
Target Breach Should Spur POS Security, PCI 3.0 Awareness
Bill Frank,
User Rank: Apprentice
1/22/2014 | 11:25:08 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
According to Brian Krebs (http://krebsonsecurity.com/201...), who seems to have the best information, the cardholder data was scraped from the memory of the POS terminals themselves. Therefore encrypting the data at rest or in motion would not have prevented the attackers from capturing the cardholder data.

Krebs went on to say that the cardholder data was then moved to a compromised server, most likely in the Target data center. So why didn't Target's firewall policies deny this communication between the POS terminals and this server? Also, since this communication happened, can we deduce that Target was not in compliance with PCI DSS requirement #1 - Install and maintain a firewall configuration to protect cardholder data?

The answer is that you can be completely compliant with the PCI DSS firewall requirements and still not block illicit communications. The reason is that PCI DSS does not specify the type of firewall to be used. Therefore you can use a legacy port-based, stateful inspection firewall, which cannot monitor all applications on all ports, all of the time, and be fully compliant. My point is that attackers can easily bypass a stateful inspection firewall. In fact, there are thousands of legitimate applications being used every day that bypass legacy firewalls. If you don't believe me, contact me, and I will prove it to you.

I am not sure if it's OK to provide a link to a more detailed blog post I wrote about this a couple of days ago at www.riskpundit.com. If not, just delete this paragraph.
macker490,
User Rank: Ninja
12/28/2013 | 1:20:04 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Thanks.
My remarks are not totally original; I would suggest reading this report
http://arstechnica.com/tech-po...
on Whitfield Diffie's testimony as an expert witness for Newegg in their lawsuit v. TQP.

Whitfield explains the realization that network commerce would require security and authentication, and relates that to his participation in the development of public key cryptography.

Managing key trust should be taught in the 7th grade rather than wasting time factoring polynomials.
macker490,
User Rank: Ninja
12/27/2013 | 2:17:38 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Remember, it finally came out that the Heartland breach was an inside job, using USB sticks -- AGAIN.

If you are interested in security, get motherboards with PS/2 connectors for keyboard & mouse -- and NO USB connectors. Ideally the connectors should be inside a locked case.
lancop,
User Rank: Apprentice
12/27/2013 | 1:53:02 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
While the article is a good start on the Target Breach discussion, it is of necessity highly speculative since the investigation is in progress and insider forensic details are not likely to be forthcoming any time soon. But the real meat & potatoes at this point are to be found in the reader comments by folks like Mike Acker, pgregory and inforiskgroup. How transactions are captured, authenticated and settled is at the core of every credit card breach that we find ourselves dissecting, so informed comments by IT security professionals that illuminate the inherent flaws in the current standards or propose new processes that reduce the attack surface of credit card transaction systems are extremely helpful to all of us who play a role in the Information Technology arena. The Internet has become the public & private communications backbone of modern civilization, but financial transaction processing over this global network is rife with potential vulnerabilities that make fraudsters salivate in anticipation of a successful exploit at any point in the overall system. Given the costs & widespread disruption that POS breaches can cause to every party involved, it is critical to educate all IT professionals in security best practices and vulnerability assessment so that we can all be informed evangelists for continuous improvements to IT security standards. Otherwise, we will find civilization increasingly undermined by those dark forces that sneak around in cyberspace hunting for their next prey.
kenchu,
User Rank: Apprentice
12/26/2013 | 11:39:16 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Most companies don't pay attention to IT departments' suggestions until a tragedy like this happens. IT departments should have a more influential role (CIO) in the day-to-day running of a company!!! The company I work for had a similar situation... they never implemented full disk encryption for more than 45 years until a senior executive's laptop was stolen with patient info.
kenchu,
User Rank: Apprentice
12/26/2013 | 11:36:57 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Great discussion for an IT student who has always been interested in security and hopes to actually branch out in the future. Scary that Target was targeted like this, but I could be wrong in suggesting that an inside man was involved...
pgregory98001,
User Rank: Apprentice
12/26/2013 | 4:02:24 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
One point I didn't see in this article is that just being PCI compliant is nowhere near enough. One of PCI's greatest shortcomings is that it does not require the encryption of card data on internal networks. I am told that the reason for this is that many companies would have to pay too high a price to implement internal encryption. However, we may yet learn that the Target breach (as others) was a result of card numbers being transmitted in the clear through internal networks.
macker490,
User Rank: Ninja
12/26/2013 | 12:27:28 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card, you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE, UNRESTRICTED access to your account.

If the merchant is hacked, the card numbers are then sold on the black market. Hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high-value items that can be resold.

It's a rough way to scam cash, and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems.

The POST will need to be redesigned to accept customer "Smart Cards".

The Customer Smart Card will need an on-board processor, with PGP.

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI (Payment Card Industry Card Service Center) for processing and forward the cipher text to the POST.

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.
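The exchange proposed in the comment above, worked through as an added example that is not part of the original comment or of any real payment network: a Go program, standard library only, in which the POS terminal submits an Invoice to the card, the card signs it and seals the authorization so that only the processor can open it, the POS relays the opaque envelope without being able to read it, and the processor verifies the card's signature, settles, and refuses revoked cards and replayed invoices. ECDSA P-256 stands in for the card's PGP signature and RSA-3072 OAEP for PGP encryption to the processor; the Invoice fields, the merchant-chosen Nonce, the CardID account reference, and the Processor and Card types are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Invoice is what the POS terminal submits to the card. It carries no customer data.
type Invoice struct {
	MerchantID  string `json:"merchant_id"`
	AmountCents int64  `json:"amount_cents"`
	Nonce       string `json:"nonce"` // merchant-chosen (an assumption here) so the processor can refuse replays
}

// Authorization is the plaintext the card seals for the processor alone; the POS never sees it.
type Authorization struct {
	Invoice Invoice `json:"invoice"`
	CardID  string  `json:"card_id"` // hypothetical processor-side account reference, never a PAN
	Sig     []byte  `json:"sig"`     // card's ECDSA signature over SHA-256(invoice JSON)
}

// Processor stands in for the card service centre: sole holder of the decryption key,
// registry of card signing keys, revocation list, and the (merchant, nonce) pairs already settled.
type Processor struct {
	decKey  *rsa.PrivateKey
	cards   map[string]*ecdsa.PublicKey
	revoked map[string]bool
	seen    map[string]bool
}

// Card is the customer's smart card: its own signing key and the processor's public key.
type Card struct {
	ID      string
	signKey *ecdsa.PrivateKey
	procPub *rsa.PublicKey
}

func NewProcessor() (*Processor, error) {
	k, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil { return nil, err }
	return &Processor{decKey: k, cards: map[string]*ecdsa.PublicKey{}, revoked: map[string]bool{}, seen: map[string]bool{}}, nil
}

// Issue mints a card and registers its public signing key with the processor.
func (p *Processor) Issue(id string) (*Card, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	p.cards[id] = &k.PublicKey
	return &Card{ID: id, signKey: k, procPub: &p.decKey.PublicKey}, nil
}

// Revoke marks a lost card; anything it authorizes from now on is refused.
func (p *Processor) Revoke(id string) { p.revoked[id] = true }

func invoiceDigest(inv Invoice) []byte {
	b, _ := json.Marshal(inv) // flat struct of strings and an int: cannot fail
	h := sha256.Sum256(b)
	return h[:]
}

// Approve is the card's side: sign the invoice, then encrypt (invoice, card id, signature) so
// only the processor can open it. RSA-3072 OAEP/SHA-256 takes at most 318 plaintext bytes and
// this authorization is about 200, so direct encryption stands in for PGP's hybrid scheme.
func (c *Card) Approve(inv Invoice) ([]byte, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, c.signKey, invoiceDigest(inv))
	if err != nil { return nil, err }
	plain, _ := json.Marshal(Authorization{Invoice: inv, CardID: c.ID, Sig: sig})
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, c.procPub, plain, nil)
}

// Settle is the processor's side: open the envelope the POS relayed, check the card is
// known and not revoked, verify its signature over the invoice, and refuse replays.
func (p *Processor) Settle(env []byte) (Invoice, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.decKey, env, nil)
	if err != nil { return Invoice{}, errors.New("envelope tampered or not addressed to this processor") }
	var a Authorization
	if err := json.Unmarshal(plain, &a); err != nil { return Invoice{}, err }
	pub, ok := p.cards[a.CardID]
	if !ok || p.revoked[a.CardID] { return Invoice{}, errors.New("unknown or revoked card") }
	if !ecdsa.VerifyASN1(pub, invoiceDigest(a.Invoice), a.Sig) {
		return Invoice{}, errors.New("card signature does not match invoice")
	}
	key := a.Invoice.MerchantID + "/" + a.Invoice.Nonce
	if p.seen[key] { return Invoice{}, errors.New("replayed authorization") }
	p.seen[key] = true
	return a.Invoice, nil
}

func main() {
	proc, _ := NewProcessor()
	card, _ := proc.Issue("card-0001")
	env, _ := card.Approve(Invoice{MerchantID: "store-123", AmountCents: 4999, Nonce: "inv-0001"})
	fmt.Printf("POS relays %d opaque bytes it cannot read\n", len(env))
	settled, err := proc.Settle(env)
	fmt.Printf("processor settled %+v (err=%v)\n", settled, err)
	_, err = proc.Settle(env) // the same envelope presented twice
	fmt.Println("replay:", err)
}
```

Run with `go run`. The envelope the merchant handles is RSA ciphertext, so neither the card reference nor the invoice contents are recoverable from it by the POS or the merchant's server, which is the property the comment is after. Expiry of the card's key once a year, as the comment describes, is not modelled; revocation is the processor's list, and a replayed envelope is refused because the same (merchant, nonce) pair has already settled.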
macker490,
User Rank: Ninja
12/26/2013 | 12:26:32 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
It is important to recognize that electronic fraud generally exploits our failure to authenticate transactions and transmittals. We have attempted to "port" our manual, "pen and ink" procedures into a digital network environment.

Public key encryption systems were then created to resolve this issue. Sadly, we have settled for the X.509 SSL certificate and allowed the Big Vendors to just sweep the issue under the carpet.

We should be teaching 7th graders how to verify a PGP key trust model instead of wasting time factoring polynomials.

Hint: if you are going to trust a key you are expected to verify it yourself, and sign for it. Yep, you should have your own PGP key if you are going to do any e-commerce, including downloading/installing software, banking, and credit cards.
