Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Target Confirms Massive Breach Affects 40 Million Customers
Threaded  |  Newest First  |  Oldest First
macker490
50%
50%
macker490,
User Rank: Ninja
12/21/2013 | 12:22:45 PM
re: Target Confirms Massive Breach Affects 40 Million Customers
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

if the merchant is hacked the card numbers are then sold on the black market. hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high value items -- that can be resold

it's a rough way to scam cash and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems .

The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor, -- with PGP

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI ( Payment Card Industry Card Service Center ) for processing and forward the cipher text to the POST

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.
gosmartyjones
50%
50%
gosmartyjones,
User Rank: Apprentice
4/14/2014 | 3:18:30 PM
re: Target Confirms Massive Breach Affects 40 Million Customers
As a PCI-QSA, I'm hearing stories that Target I.T. personnel simply were not being proactive, attentive - and worse - were well aware of the issue at hand.  This is unfortunately the same attitude I witness on a daily basis with many technology companies that store, process, and/or transmit cardholder data. It's always about how cheap, quick, and fast can somebody become compliant, just to say they are compliant.  Until companies start taking information security SERIOUSLY, this will continue. The most basic of security protocols, such as well-written security policies, sound patch and vulnerability management, employee security awareness training - often take care of the vast majority of security threats, but companies can't even find the time to undertake these basic elements.  Wake up I.T. world, and get serious about information security.
shjacks55
50%
50%
shjacks55,
User Rank: Apprentice
12/27/2013 | 11:50:01 AM
re: Target Confirms Massive Breach Affects 40 Million Customers
1. Target breach collected PIN numbers and Magnetic strip information, making the breached cards more useful, as well as card info. Some reports have mentioned that hackers also gleaned Target's customer profile information (including SSNs) to make (add on) purchase suggestions at checkout. On card smartchip would still have revealed customer identifiable information for identity theft.
2. Several top 10 retailers instal POS Terminal OS via bootp from store server (server provides updates to this and other equipment as welll) image which receives image updates from corporate IT. As a field tech, I found some corporate IT personnel to be less than professional in addressing "top down" issues.
3. I don't profess to know all financial/POS systems, however many I've encountered run on operating systems or processors on devices, and including "store servers", that have vulnerabilities. (I remember a local hack of Home Depot that lucky for HD the perpetrators had limited ambition.)
4. Corporate security is usually less strict (fewer resources assigned to it) than "loss prevention" implemented at the store level.


COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...