
Comments
Target Breach Should Spur POS Security, PCI 3.0 Awareness
Bill Frank,
User Rank: Apprentice
1/22/2014 | 11:25:08 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
According to Brian Krebs (http://krebsonsecurity.com/201..., who seems to have the best information, the cardholder data was scraped from the memory of the POS terminals themselves. Therefore encrypting the data at rest or in-motion would not have prevented the attackers from capturing the cardholder data.

Krebs went on to say that the cardholder data was then moved to a compromised server, most likely in the Target data center. So why didn't Target's firewalls' policies deny this communication between the POS terminals and this server? Also, since this communication happened can we deduce that Target was not in PCI DSS compliance requirement #1 - Install and maintain a firewall configuration to protect cardholder data?

The answer is that you can be completely compliant with the PCI DSS firewall requirements and still not block illicit communications. The reason is that PCI DSS does not specify the type of firewall to be used. Therefore you can use a legacy port-based, stateful inspection firewall, which cannot monitor all applications on all ports, all of the time, and be fully compliant. My point is that attackers can easily bypass a stateful inspection firewall. In fact, there are thousands of legitimate applications being used every day that bypass legacy firewalls. If you don't believe me, contact me, and I will prove it to you.

I am not sure if it's OK to provide a link to a more detailed blog post I wrote about this a couple of days ago at www.riskpundit.com. If not, just delete this paragraph.
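The firewall point in the comment above, as an added example that is not part of the comment or the article: a short Go audit that reads constructed POS-segment flow records and compares a legacy port-only rule (allow TCP/443 to anywhere) with a destination allowlist that only permits the payment gateway. The addresses, the log line format and the gateway allowlist are hypothetical values made up for this example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Flow is one connection record from the POS segment's firewall log.
type Flow struct {
	Src, Dst string // IPv4 addresses (hypothetical lab values in SampleLog)
	DstPort  int
}

// ParseFlow reads one line in the constructed format
// "<time> <src>:<sport> -> <dst>:<dport> <proto>".
func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) < 4 || f[2] != "->" {
		return Flow{}, fmt.Errorf("malformed flow line: %q", line)
	}
	src, _, err := net.SplitHostPort(f[1])
	if err != nil {
		return Flow{}, err
	}
	dst, dport, err := net.SplitHostPort(f[3])
	if err != nil {
		return Flow{}, err
	}
	port, err := strconv.Atoi(dport)
	if err != nil {
		return Flow{}, err
	}
	return Flow{Src: src, Dst: dst, DstPort: port}, nil
}

// ParseLog parses every line, stopping at the first malformed one.
func ParseLog(lines []string) ([]Flow, error) {
	flows := make([]Flow, 0, len(lines))
	for _, l := range lines {
		f, err := ParseFlow(l)
		if err != nil {
			return nil, err
		}
		flows = append(flows, f)
	}
	return flows, nil
}

// PortOnlyAllowed models a legacy stateful rule that meets the letter of
// PCI DSS requirement 1: terminals may open TCP/443 to any destination.
// The rule never asks who the peer is or what protocol rides on the port.
func PortOnlyAllowed(f Flow) bool {
	return f.DstPort == 443
}

// AllowlistAllowed models a destination-aware egress policy: terminals may
// reach only the named payment gateway, and only on its expected port.
func AllowlistAllowed(f Flow, allowed map[string]int) bool {
	port, ok := allowed[f.Dst]
	return ok && port == f.DstPort
}

// PolicyGap returns the flows the port-only rule permits but the allowlist
// denies: traffic a port-based firewall passes without ever flagging it.
func PolicyGap(flows []Flow, allowed map[string]int) []Flow {
	var gap []Flow
	for _, f := range flows {
		if PortOnlyAllowed(f) && !AllowlistAllowed(f, allowed) {
			gap = append(gap, f)
		}
	}
	return gap
}

// SampleLog is constructed input. The third line is a terminal opening HTTPS
// to an internal server that is not the payment gateway.
var SampleLog = []string{
	"2013-12-15T10:02:11Z 10.50.1.21:51234 -> 203.0.113.10:443 TCP",
	"2013-12-15T10:02:14Z 10.50.1.22:51987 -> 203.0.113.10:443 TCP",
	"2013-12-15T10:03:02Z 10.50.1.21:52001 -> 10.20.30.40:443 TCP",
	"2013-12-15T10:03:09Z 10.50.1.23:52110 -> 10.20.30.40:8080 TCP",
}

// GatewayAllowlist is the constructed egress allowlist for the POS segment.
var GatewayAllowlist = map[string]int{"203.0.113.10": 443}

func main() {
	flows, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range PolicyGap(flows, GatewayAllowlist) {
		fmt.Printf("port-only rule passed, allowlist denies: %s -> %s:%d\n", f.Src, f.Dst, f.DstPort)
	}
}
```

Run against the sample, only the terminal-to-internal-server connection on 443 lands in the gap: the port-only rule treats it exactly like a connection to the gateway, while the allowlist refuses it because the destination is not one the POS segment has any business reaching. The same comparison can be run over a real export of firewall logs by replacing SampleLog and the allowlist.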
macker490,
User Rank: Ninja
12/28/2013 | 1:20:04 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
thanks
my remarks are not totally original -- I would suggest reading this report
http://arstechnica.com/tech-po...
on Whitfield Diffie's testimony as an expert witness for Newegg in their lawsuit v TQP

Whitfield explains the realization that network commerce would require security and authentication -- and relates that to his participation in the development of public key cryptography

managing key trust should be taught in the 7th grade rather than wasting time factoring polynomials.
macker490,
User Rank: Ninja
12/27/2013 | 2:17:38 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
remember -- it finally came out that the Heartland breach was an inside job -- using USB sticks -- AGAIN

if you are interested in security get motherboards with PS/2 connectors for keyboard & mouse -- and NO USB connectors. ideally the connectors should be inside a locked case.
lancop,
User Rank: Moderator
12/27/2013 | 1:53:02 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
While the article is a good start on the Target Breach discussion, it is of necessity highly speculative since the investigation is in progress and insider forensic details are not likely to be forthcoming any time soon. But the real meat & potatoes at this point are to be found in the reader comments by folks like Mike Acker, pgregory and inforiskgroup. How transactions are captured, authenticated and settled is at the core of every credit card breach that we find ourselves dissecting, so informed comments by IT security professionals that illuminate the inherent flaws in the current standards or propose new processes that reduce the attack surface of credit card transaction systems are extremely helpful to all of us who play a role in the Information Technology arena. The Internet has become the public & private communications backbone of modern civilization, but financial transaction processing over this global network is rife with potential vulnerabilities that make fraudsters salivate in anticipation of a successful exploit at any point in the overall system. Given the costs & widespread disruption that POS breaches can cause to every party involved, it is critical to educate all IT professionals in security best practices and vulnerability assessment so that we can all be informed evangelists for continuous improvements to IT security standards. Otherwise, we will find civilization increasingly undermined by those dark forces that sneak around in cyberspace hunting for their next prey.
kenchu,
User Rank: Apprentice
12/26/2013 | 11:39:16 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Most companies don't pay attention to IT departments' suggestions until a tragedy like this happens. IT departments should have a more influential role (CIO) in the day-to-day running of a company!!! The company I work for had a similar situation... they never implemented full disk encryption for more than 45 years until a senior executive's laptop was stolen with patient info.
kenchu,
User Rank: Apprentice
12/26/2013 | 11:36:57 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Great discussion for an IT student who has always been interested in security and hopes to actually branch out in the future. Scary that Target was targeted like this, but I could be wrong in suggesting that an inside man was involved...
pgregory98001,
User Rank: Apprentice
12/26/2013 | 4:02:24 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
One point I didn't see in this article is that just being PCI compliant is nowhere near enough. One of PCI's greatest shortcomings is that it does not require the encryption of card data on internal networks. I am told that the reason for this is that many companies would have to pay too high a price to implement internal encryption. However, we may yet learn that the Target breach (as others) was a result of card numbers being transmitted in the clear through internal networks.
macker490,
User Rank: Ninja
12/26/2013 | 12:27:28 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

if the merchant is hacked, the card numbers are then sold on the black market. hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high value items -- that can be resold

it's a rough way to scam cash and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems.

The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor -- with PGP

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI (Payment Card Industry Card Service Center) for processing and forward the cipher text to the POST

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.
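The POST redesign sketched in the comment above, as an added example that is not the commenter's code: a Go model of the exchange between all three parties. The card seals the invoice plus its authorization for the service center's public key and signs the plaintext; the POST relays an envelope it cannot open and learns only approved or declined; the center refuses revoked and expired cards before it decrypts and verifies. Stand-ins and assumptions: RSA-OAEP plus ECDSA over P-256 from Go's standard library replace the PGP the comment names, the opaque card ID, merchant name and one-year lifetime are constructed values, and direct OAEP encryption is used only because the authorization is short (a real card would wrap a symmetric key).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Invoice is what the POST hands to the card: merchant and amount, no customer data.
type Invoice struct {
	Merchant string
	Cents    int64
}

// Authorization is the plaintext only the service center can read; CardID is an
// opaque handle the center maps to an account, so no card number appears anywhere.
type Authorization struct {
	Invoice Invoice
	CardID  string
}

// Envelope is what the card returns to the POST: ciphertext it can relay but not open.
type Envelope struct {
	CardID     string // which registered card key the center should verify with
	Ciphertext []byte // RSA-OAEP to the center (a real card would use hybrid encryption)
	Signature  []byte // card's ECDSA signature over the plaintext
}

// Card is the customer's disposable smart card: an ID plus its signing key.
type Card struct {
	ID  string
	Key *ecdsa.PrivateKey
}

// ServiceCenter holds the decryption key, registered card keys with their expiry
// dates, and the revocation list used when a card is reported lost.
type ServiceCenter struct {
	Key     *rsa.PrivateKey
	Cards   map[string]*ecdsa.PublicKey
	Expires map[string]time.Time
	Revoked map[string]bool
}

// Approve is the card side: seal the invoice plus authorization for the center and sign it.
func (c *Card) Approve(inv Invoice, center *rsa.PublicKey) (*Envelope, error) {
	plain, _ := json.Marshal(Authorization{Invoice: inv, CardID: c.ID}) // cannot fail for these field types
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, center, plain, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(plain)
	sig, err := ecdsa.SignASN1(rand.Reader, c.Key, digest[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{CardID: c.ID, Ciphertext: ct, Signature: sig}, nil
}

// Settle is the center side: refuse unknown, revoked or expired cards, decrypt,
// verify the card's signature, and confirm the plaintext names that same card.
func (s *ServiceCenter) Settle(env *Envelope, now time.Time) (*Authorization, error) {
	pub, ok := s.Cards[env.CardID]
	switch {
	case !ok || s.Revoked[env.CardID]:
		return nil, errors.New("unknown or revoked card")
	case now.After(s.Expires[env.CardID]):
		return nil, errors.New("card expired")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, s.Key, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("envelope unreadable or tampered")
	}
	digest := sha256.Sum256(plain)
	if !ecdsa.VerifyASN1(pub, digest[:], env.Signature) {
		return nil, errors.New("bad card signature")
	}
	var auth Authorization
	if err := json.Unmarshal(plain, &auth); err != nil || auth.CardID != env.CardID {
		return nil, errors.New("authorization does not match card")
	}
	return &auth, nil
}

// Checkout is the POST: build the invoice, hand it to the card, relay the opaque
// envelope to the center, and learn only whether the payment was approved.
func Checkout(card *Card, center *ServiceCenter, cents int64, now time.Time) (bool, error) {
	env, err := card.Approve(Invoice{"Example Store", cents}, &center.Key.PublicKey)
	if err != nil {
		return false, err
	}
	auth, err := center.Settle(env, now)
	return err == nil && auth.Invoice.Cents == cents, err
}

// Setup issues one constructed card, valid for a year, and registers it with a fresh center.
func Setup(issued time.Time) (*Card, *ServiceCenter, error) {
	centerKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	cardKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("key generation failed")
	}
	center := &ServiceCenter{centerKey, map[string]*ecdsa.PublicKey{}, map[string]time.Time{}, map[string]bool{}}
	center.Cards["card-0001"], center.Expires["card-0001"] = &cardKey.PublicKey, issued.AddDate(1, 0, 0)
	return &Card{ID: "card-0001", Key: cardKey}, center, nil
}
```

Nothing the POST touches (the Invoice it builds, the Envelope it relays, the boolean it gets back) contains the account identifier in the clear, which is the property the comment is after: memory scraped from the terminal yields only ciphertext addressed to the center. Expiry and revocation are enforced at the center, so a lost card is dead as soon as its ID is added to Revoked, with no update to the card itself.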
macker490,
User Rank: Ninja
12/26/2013 | 12:26:32 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
it is important to recognize that electronic fraud generally exploits our failure to authenticate transactions and transmittals. we have attempted to "port" our manual, "pen and ink" procedures into a digital network environment

public key encryption systems were then created to resolve this issue. sadly we have settled for the x.509 SSL certificate and allowed the big vendors to just sweep the issue under the carpet.

we should be teaching the 7th graders how to verify a PGP key trust model instead of wasting time factoring polynomials.

hint: if you are going to trust a key you are expected to verify it yourself -- and sign for it. Yep, you should have your own PGP key if you are going to do any e-commerce, including downloading/installing software, banking -- and -- credit cards.