Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Target Confirms Massive Breach Affects 40 Million Customers
Newest First  |  Oldest First  |  Threaded View
gosmartyjones
50%
50%
gosmartyjones,
User Rank: Apprentice
4/14/2014 | 3:18:30 PM
re: Target Confirms Massive Breach Affects 40 Million Customers
As a PCI-QSA, I'm hearing stories that Target I.T. personnel simply were not being proactive, attentive - and worse - were well aware of the issue at hand.  This is unfortunately the same attitude I witness on a daily basis with many technology companies that store, process, and/or transmit cardholder data. It's always about how cheap, quick, and fast can somebody become compliant, just to say they are compliant.  Until companies start taking information security SERIOUSLY, this will continue. The most basic of security protocols, such as well-written security policies, sound patch and vulnerability management, employee security awareness training - often take care of the vast majority of security threats, but companies can't even find the time to undertake these basic elements.  Wake up I.T. world, and get serious about information security.
shjacks55
50%
50%
shjacks55,
User Rank: Apprentice
12/27/2013 | 11:50:01 AM
re: Target Confirms Massive Breach Affects 40 Million Customers
1. Target breach collected PIN numbers and Magnetic strip information, making the breached cards more useful, as well as card info. Some reports have mentioned that hackers also gleaned Target's customer profile information (including SSNs) to make (add on) purchase suggestions at checkout. On card smartchip would still have revealed customer identifiable information for identity theft.
2. Several top 10 retailers instal POS Terminal OS via bootp from store server (server provides updates to this and other equipment as welll) image which receives image updates from corporate IT. As a field tech, I found some corporate IT personnel to be less than professional in addressing "top down" issues.
3. I don't profess to know all financial/POS systems, however many I've encountered run on operating systems or processors on devices, and including "store servers", that have vulnerabilities. (I remember a local hack of Home Depot that lucky for HD the perpetrators had limited ambition.)
4. Corporate security is usually less strict (fewer resources assigned to it) than "loss prevention" implemented at the store level.
macker490
50%
50%
macker490,
User Rank: Ninja
12/21/2013 | 12:22:45 PM
re: Target Confirms Massive Breach Affects 40 Million Customers
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

if the merchant is hacked the card numbers are then sold on the black market. hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high value items -- that can be resold

it's a rough way to scam cash and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems .

The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor, -- with PGP

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI ( Payment Card Industry Card Service Center ) for processing and forward the cipher text to the POST

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.


How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10940
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
CVE-2020-10939
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
CVE-2020-6095
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
CVE-2020-10817
PUBLISHED: 2020-03-27
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
CVE-2020-10952
PUBLISHED: 2020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.