Comments
Target Breach Should Spur POS Security, PCI 3.0 Awareness
macker490
User Rank: Ninja
12/26/2013 | 12:26:32 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
It is important to recognize that electronic fraud generally exploits our failure to authenticate transactions and transmittals. We have attempted to "port" our manual, "pen and ink" procedures into a digital network environment.

Public key encryption systems were then created to resolve this issue. Sadly, we have settled for the X.509 SSL certificate and allowed the bIG vENDORS to just sweep the issue under the carpet.

We should be teaching the 7th graders how to verify a PGP key trust model instead of wasting time factoring polynomials.

Hint: if you are going to trust a key you are expected to verify it yourself, and sign for it. Yep, you should have your own PGP key if you are going to do any e-commerce, including downloading/installing software, banking, and credit cards.
macker490
User Rank: Ninja
12/26/2013 | 12:27:28 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

If the merchant is hacked, the card numbers are then sold on the black market. Hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high-value items that can be resold.

It's a rough way to scam cash, and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems.

The POST will need to be redesigned to accept customer "Smart Cards".

The Customer Smart Card will need an on-board processor, with PGP.

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI (Payment Card Industry Card Service Center) for processing and forward the cipher text to the POST.

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.
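The invoice-to-card exchange described in the comment above, modelled end to end as an added example (this is not the commenter's code and not any payment-industry standard). It assumes textbook RSA with tiny hard-coded primes in place of PGP, a SHA-256 keystream plus HMAC tag as the symmetric layer, and the names Card, PciServiceCenter and pos_checkout, all constructed for the demo. It shows the three properties the comment relies on: the POST and the merchant cannot read the authorization, the service centre verifies the card's signature before approving, and a revoked or expired card is declined.

```python
"""Toy model of the invoice-to-card payment flow (constructed for this page).
Textbook RSA with tiny hard-coded primes stands in for PGP; a SHA-256 keystream
plus HMAC tag stands in for the symmetric layer. NOT secure: it only shows who
can read what, and what the service centre checks before approving."""
import hashlib
import hmac
import json
import secrets

E = 65537  # RSA public exponent

def make_keypair(p, q):
    """Textbook RSA from two toy primes; returns ((n, e), (n, d))."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def keystream_xor(key, data):
    """XOR data with a SHA-256 keystream derived from an integer session key."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key.to_bytes(16, "big") + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def encrypt_to(pub, plaintext):
    """PGP-style envelope: random session key wrapped with the recipient's RSA key."""
    n, e = pub
    key = secrets.randbelow(n - 2) + 2
    body = keystream_xor(key, plaintext)
    tag = hmac.new(key.to_bytes(16, "big"), body, "sha256").hexdigest()
    return {"wrapped_key": pow(key, e, n), "body": body.hex(), "tag": tag}

def decrypt_with(priv, blob):
    """Plaintext, or None when this key cannot open the envelope (wrong key
    unwraps a wrong session key, so the HMAC tag fails; tampering fails too)."""
    n, d = priv
    key = pow(blob["wrapped_key"], d, n)
    body = bytes.fromhex(blob["body"])
    tag = hmac.new(key.to_bytes(16, "big"), body, "sha256").hexdigest()
    return keystream_xor(key, body) if hmac.compare_digest(tag, blob["tag"]) else None

def digest_mod(n, message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(priv, message):
    return pow(digest_mod(priv[0], message), priv[1], priv[0])

def verify(pub, message, sig):
    return pow(sig, pub[1], pub[0]) == digest_mod(pub[0], message)

class Card:
    """Customer smart card: own key pair, and no card number ever leaves it."""
    def __init__(self, card_id, p, q):
        self.card_id = card_id
        self.pub, self._priv = make_keypair(p, q)

    def authorize(self, invoice, center_pub):
        # Customer approved: sign the invoice, then seal it for the centre only.
        auth = {"card_id": self.card_id, "invoice": invoice, "approved": True}
        payload = json.dumps(auth, sort_keys=True).encode()
        msg = {"authorization": auth, "signature": sign(self._priv, payload)}
        return encrypt_to(center_pub, json.dumps(msg).encode())

class PciServiceCenter:
    """The commenter's 'PCI service centre': sole holder of the decryption key."""
    def __init__(self, p, q):
        self.pub, self._priv = make_keypair(p, q)
        self.cards = {}       # card_id -> (card public key, expiry year)
        self.revoked = set()  # lost cards

    def issue_card(self, card, expires):
        self.cards[card.card_id] = (card.pub, expires)

    def process(self, blob, year):
        plaintext = decrypt_with(self._priv, blob)
        if plaintext is None:
            return {"status": "DECLINED", "reason": "unreadable"}
        msg = json.loads(plaintext)
        auth = msg["authorization"]
        if auth["card_id"] in self.revoked:
            return {"status": "DECLINED", "reason": "card revoked"}
        card_pub, expires = self.cards.get(auth["card_id"], (None, 0))
        if card_pub is None or year > expires:
            return {"status": "DECLINED", "reason": "card unknown or expired"}
        if not verify(card_pub, json.dumps(auth, sort_keys=True).encode(), msg["signature"]):
            return {"status": "DECLINED", "reason": "bad signature"}
        return {"status": "APPROVED", "invoice_id": auth["invoice"]["invoice_id"],
                "eft_amount": auth["invoice"]["amount"]}

def pos_checkout(invoice, card, center, merchant_priv, year):
    """POS terminal: returns (what the merchant could read, centre reply, cipher text)."""
    blob = card.authorize(invoice, center.pub)
    merchant_view = decrypt_with(merchant_priv, blob)  # expected: None
    return merchant_view, center.process(blob, year), blob

if __name__ == "__main__":
    center = PciServiceCenter(10007, 10009)       # toy primes, constructed
    card = Card("card-4242", 10037, 10039)
    center.issue_card(card, expires=2014)
    _, merchant_priv = make_keypair(10061, 10067)  # merchant's key opens nothing
    invoice = {"merchant": "shop-17", "invoice_id": "INV-1", "amount": 49.99}
    view, reply, _ = pos_checkout(invoice, card, center, merchant_priv, 2013)
    print("merchant reads:", view, "| centre replies:", reply)
```

Running the script prints `None` for what the merchant could recover and an APPROVED reply from the centre; the cipher text handed to the POST carries the invoice and a signature but no card identifier in the clear, which is the PII property the comment is after. The `pow(E, -1, phi)` call needs Python 3.8 or later.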
pgregory98001
User Rank: Apprentice
12/26/2013 | 4:02:24 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
One point I didn't see in this article is that just being PCI compliant is nowhere near enough. One of PCI's greatest shortcomings is that it does not require the encryption of card data on internal networks. I am told that the reason for this is that many companies would have to pay too high a price to implement internal encryption. However, we may yet learn that the Target breach (as others) was a result of card numbers being transmitted in the clear through internal networks.
kenchu
User Rank: Apprentice
12/26/2013 | 11:36:57 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Great discussion for an IT student, who has always been interested in security and hopes to actually branch out in the future. Scary that Target was targeted like this, but I could be wrong in suggesting that an inside man was involved...
kenchu
User Rank: Apprentice
12/26/2013 | 11:39:16 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Most companies don't pay attention to IT departments' suggestions until a tragedy like this happens. IT departments should have a more influential role (CIO) in the day-to-day running of a company!!! The company I work for had a similar situation... they never implemented full disk encryption for more than 45 years until a senior executive's laptop was stolen with patient info.
lancop
User Rank: Apprentice
12/27/2013 | 1:53:02 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
While the article is a good start on the Target breach discussion, it is of necessity highly speculative since the investigation is in progress and insider forensic details are not likely to be forthcoming any time soon. But the real meat & potatoes at this point are to be found in the reader comments by folks like Mike Acker, pgregory and inforiskgroup. How transactions are captured, authenticated and settled is at the core of every credit card breach that we find ourselves dissecting, so informed comments by IT security professionals that illuminate the inherent flaws in the current standards or propose new processes that reduce the attack surface of credit card transaction systems are extremely helpful to all of us who play a role in the Information Technology arena. The Internet has become the public & private communications backbone of modern civilization, but financial transaction processing over this global network is rife with potential vulnerabilities that make fraudsters salivate in anticipation of a successful exploit at any point in the overall system. Given the costs & widespread disruption that POS breaches can cause to every party involved, it is critical to educate all IT professionals in security best practices and vulnerability assessment so that we can all be informed evangelists for continuous improvements to IT security standards. Otherwise, we will find civilization increasingly undermined by those dark forces that sneak around in cyberspace hunting for their next prey.
macker490
User Rank: Ninja
12/27/2013 | 2:17:38 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Remember, it finally came out that the Heartland breach was an inside job, using USB sticks -- AGAIN.

If you are interested in security, get motherboards with PS/2 connectors for keyboard & mouse -- and NO USB connectors. Ideally the connectors should be inside a locked case.
macker490
User Rank: Ninja
12/28/2013 | 1:20:04 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Thanks.
My remarks are not totally original; I would suggest reading this report
http://arstechnica.com/tech-po...
on Whitfield Diffie's testimony as an expert witness for Newegg in their lawsuit v. TQP.

Whitfield explains the realization that network commerce would require security and authentication, and relates that to his participation in the development of public key cryptography.

Managing key trust should be taught in the 7th grade rather than wasting time factoring polynomials.
Bill Frank
User Rank: Apprentice
1/22/2014 | 11:25:08 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
According to Brian Krebs (http://krebsonsecurity.com/201...), who seems to have the best information, the cardholder data was scraped from the memory of the POS terminals themselves. Therefore encrypting the data at rest or in motion would not have prevented the attackers from capturing the cardholder data.

Krebs went on to say that the cardholder data was then moved to a compromised server, most likely in the Target data center. So why didn't Target's firewalls' policies deny this communication between the POS terminals and this server? Also, since this communication happened can we deduce that Target was not in PCI DSS compliance requirement #1 - Install and maintain a firewall configuration to protect cardholder data?

The answer is that you can be completely compliant with the PCI DSS firewall requirements and still not block illicit communications. The reason is that PCI DSS does not specify the type of firewall to be used. Therefore you can use a legacy port-based, stateful inspection firewall, which cannot monitor all applications on all ports, all of the time, and be fully compliant. My point is that attackers can easily bypass a stateful inspection firewall. In fact, there are thousands of legitimate applications being used every day that bypass legacy firewalls. If you don't believe me, contact me, and I will prove it to you.

I am not sure if it's OK to provide a link to a more detailed blog post I wrote about this a couple of days ago at www.riskpundit.com. If not, just delete this paragraph.
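The distinction the comment above draws between a port-based policy and one that identifies the application, shown as an added example on constructed traffic (not the commenter's code, and not any vendor's firewall). The segment prefix, the addresses, the flow records and the two policy functions are all made up for the demo, and the application fingerprints are simplified to the first payload bytes (TLS record header 0x16 0x03, an HTTP request verb, the SMB magic after the NetBIOS session header). It shows which POS-originated flows a "443 and 80 are open" rule accepts that a positive allowlist (POS may only speak TLS to the payment gateway) would deny, which is the kind of policy that would have answered the question of why POS-to-internal-server traffic was not blocked.

```python
"""Constructed comparison of a port-based firewall policy and an
application-aware allowlist over the same flow records. Addresses, segment
names and flows are made up for this example; the classifier is deliberately
minimal and looks only at the first client-to-server payload bytes."""
from dataclasses import dataclass

POS_NET = "10.10."                # constructed POS segment prefix
PAYMENT_GATEWAY = "203.0.113.10"  # constructed external processor address
INTERNAL_SERVER = "10.20.0.5"     # constructed server in another internal segment


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client-to-server payload bytes observed


def identify_app(first_bytes):
    """Tiny protocol classifier: TLS handshake record, HTTP request verb, SMB magic."""
    if first_bytes[:2] == b"\x16\x03":
        return "tls"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD"):
        return "http"
    if first_bytes[4:8] in (b"\xffSMB", b"\xfeSMB"):
        return "smb"
    return "unknown"


def port_policy(flow):
    """Legacy stance: POS hosts may reach any destination on 80/443, nothing else."""
    if flow.src.startswith(POS_NET):
        return "allow" if flow.dport in (80, 443) else "deny"
    return "allow"


def app_policy(flow):
    """Allowlist: POS hosts may only speak TLS to the payment gateway on 443."""
    if not flow.src.startswith(POS_NET):
        return "allow"
    if (flow.dst == PAYMENT_GATEWAY and flow.dport == 443
            and identify_app(flow.first_bytes) == "tls"):
        return "allow"
    return "deny"


def compare(flows):
    """Returns [(flow, port-based verdict, application-aware verdict)]."""
    return [(f, port_policy(f), app_policy(f)) for f in flows]


def missed_by_port_policy(flows):
    """Flows the port-based policy lets through that the allowlist would deny."""
    return [f for f, p, a in compare(flows) if p == "allow" and a == "deny"]


SAMPLE_FLOWS = [  # constructed records
    Flow("10.10.1.7", PAYMENT_GATEWAY, 443, b"\x16\x03\x01\x00\xc8\x01\x00"),
    Flow("10.10.1.7", INTERNAL_SERVER, 443, b"POST /upload HTTP/1.1\r\n"),
    Flow("10.10.1.7", INTERNAL_SERVER, 80, b"PUT /batch HTTP/1.1\r\n"),
    Flow("10.10.1.7", INTERNAL_SERVER, 445, b"\x00\x00\x00\x55\xffSMB"),
    Flow("10.30.2.2", INTERNAL_SERVER, 445, b"\x00\x00\x00\x55\xfeSMB"),
]

if __name__ == "__main__":
    for flow, port_verdict, app_verdict in compare(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} {identify_app(flow.first_bytes):7} "
              f"port-based={port_verdict:5} app-aware={app_verdict}")
```

Of the five constructed flows, the two from the POS segment to the internal server on 443 and 80 pass the port-based rule and fail the allowlist; the allowlist is what a defender would pair with the firewall logs, since any POS flow outside "TLS to the gateway" is then a policy hit rather than noise.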

