Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Target Confirms Massive Breach Affects 40 Million Customers
Newest First  |  Oldest First  |  Threaded View
gosmartyjones
50%
50%
gosmartyjones,
User Rank: Apprentice
4/14/2014 | 3:18:30 PM
re: Target Confirms Massive Breach Affects 40 Million Customers
As a PCI-QSA, I'm hearing stories that Target I.T. personnel simply were not being proactive, attentive - and worse - were well aware of the issue at hand.  This is unfortunately the same attitude I witness on a daily basis with many technology companies that store, process, and/or transmit cardholder data. It's always about how cheap, quick, and fast can somebody become compliant, just to say they are compliant.  Until companies start taking information security SERIOUSLY, this will continue. The most basic of security protocols, such as well-written security policies, sound patch and vulnerability management, employee security awareness training - often take care of the vast majority of security threats, but companies can't even find the time to undertake these basic elements.  Wake up I.T. world, and get serious about information security.
shjacks55
50%
50%
shjacks55,
User Rank: Apprentice
12/27/2013 | 11:50:01 AM
re: Target Confirms Massive Breach Affects 40 Million Customers
1. Target breach collected PIN numbers and Magnetic strip information, making the breached cards more useful, as well as card info. Some reports have mentioned that hackers also gleaned Target's customer profile information (including SSNs) to make (add on) purchase suggestions at checkout. On card smartchip would still have revealed customer identifiable information for identity theft.
2. Several top 10 retailers instal POS Terminal OS via bootp from store server (server provides updates to this and other equipment as welll) image which receives image updates from corporate IT. As a field tech, I found some corporate IT personnel to be less than professional in addressing "top down" issues.
3. I don't profess to know all financial/POS systems, however many I've encountered run on operating systems or processors on devices, and including "store servers", that have vulnerabilities. (I remember a local hack of Home Depot that lucky for HD the perpetrators had limited ambition.)
4. Corporate security is usually less strict (fewer resources assigned to it) than "loss prevention" implemented at the store level.
macker490
50%
50%
macker490,
User Rank: Ninja
12/21/2013 | 12:22:45 PM
re: Target Confirms Massive Breach Affects 40 Million Customers
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

if the merchant is hacked the card numbers are then sold on the black market. hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high value items -- that can be resold

it's a rough way to scam cash and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems .

The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor, -- with PGP

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI ( Payment Card Industry Card Service Center ) for processing and forward the cipher text to the POST

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.


COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13881
PUBLISHED: 2020-06-06
In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used.
CVE-2020-13883
PUBLISHED: 2020-06-06
In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.
CVE-2020-13871
PUBLISHED: 2020-06-06
SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.
CVE-2020-13864
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
CVE-2020-13865
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.