Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Target Confirms Massive Breach Affects 40 Million Customers
Newest First  |  Oldest First  |  Threaded View
gosmartyjones
50%
50%
gosmartyjones,
User Rank: Apprentice
4/14/2014 | 3:18:30 PM
re: Target Confirms Massive Breach Affects 40 Million Customers
As a PCI-QSA, I'm hearing stories that Target I.T. personnel simply were not being proactive, attentive - and worse - were well aware of the issue at hand.  This is unfortunately the same attitude I witness on a daily basis with many technology companies that store, process, and/or transmit cardholder data. It's always about how cheap, quick, and fast can somebody become compliant, just to say they are compliant.  Until companies start taking information security SERIOUSLY, this will continue. The most basic of security protocols, such as well-written security policies, sound patch and vulnerability management, employee security awareness training - often take care of the vast majority of security threats, but companies can't even find the time to undertake these basic elements.  Wake up I.T. world, and get serious about information security.
shjacks55
50%
50%
shjacks55,
User Rank: Apprentice
12/27/2013 | 11:50:01 AM
re: Target Confirms Massive Breach Affects 40 Million Customers
1. Target breach collected PIN numbers and Magnetic strip information, making the breached cards more useful, as well as card info. Some reports have mentioned that hackers also gleaned Target's customer profile information (including SSNs) to make (add on) purchase suggestions at checkout. On card smartchip would still have revealed customer identifiable information for identity theft.
2. Several top 10 retailers instal POS Terminal OS via bootp from store server (server provides updates to this and other equipment as welll) image which receives image updates from corporate IT. As a field tech, I found some corporate IT personnel to be less than professional in addressing "top down" issues.
3. I don't profess to know all financial/POS systems, however many I've encountered run on operating systems or processors on devices, and including "store servers", that have vulnerabilities. (I remember a local hack of Home Depot that lucky for HD the perpetrators had limited ambition.)
4. Corporate security is usually less strict (fewer resources assigned to it) than "loss prevention" implemented at the store level.
macker490
50%
50%
macker490,
User Rank: Ninja
12/21/2013 | 12:22:45 PM
re: Target Confirms Massive Breach Affects 40 Million Customers
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

if the merchant is hacked the card numbers are then sold on the black market. hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high value items -- that can be resold

it's a rough way to scam cash and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems .

The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor, -- with PGP

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI ( Payment Card Industry Card Service Center ) for processing and forward the cipher text to the POST

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.


7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5226
PUBLISHED: 2020-01-24
Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapp...
CVE-2019-1517
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1518
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1519
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1520
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.