More Than 1,000 Businesses Affected By Same Attack That Hit Target

H

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
It's nice to know that almost all of the 1,000 business affected by this still haven't notified their customers. You'd think there would be some kind of law that required businesses to notify customers of data breaches. :(

More than 1,000 American businesses have been affected by the cyberattack that hit the in-store cash register systems at Target, Supervalu and most recently UPS Stores. The attacks are much more pervasive than previously reported, and hackers are pilfering the data of millions of payment cards from American consumers without companies knowing about it, according to a new Department of Homeland Security advisory released Friday afternoon.
Click to expand...
 
part of me wishes I could hack all that shit and get away with it. Those hackers probably have millions of dollars worth of loot.
 
In ~2010-2011 these types of massive breaches exploded. The fraud unit at the small company I was at would get a few breach alerts a quarter, with only a few cards each. We then started getting breach alerts multiple times weekly, with hundreds of cards per breach. I can only imagine what the big banks are seeings.

All that being said, debit/credit cards are still massively profitable to the banks with the interchange fees.

dr.kevin said:
part of me wishes I could hack all that shit and get away with it. Those hackers probably have millions of dollars worth of loot.
Click to expand...

It's the best game in town. You can put so many layers of intermediaries, countries, etc, between you, it's hard to even detect who is doing it in the first place, much less track them down. On top of that, there are so many, who do you prioritize? :(
 
TwistedAegis said:
In ~2010-2011 these types of massive breaches exploded. The fraud unit at the small company I was at would get a few breach alerts a quarter, with only a few cards each. We then started getting breach alerts multiple times weekly, with hundreds of cards per breach. I can only imagine what the big banks are seeings.

All that being said, debit/credit cards are still massively profitable to the banks with the interchange fees.



It's the best game in town. You can put so many layers of intermediaries, countries, etc, between you, it's hard to even detect who is doing it in the first place, much less track them down. On top of that, there are so many, who do you prioritize? :(
Click to expand...

It's such an easy attack to prevent though...really boggles my mind that these companies would take so long to invest in preventative measures. Target's hardware was ancient. If you've been in there in the last few months, all the pinpads have been replaced with Verifone MX950s and presumably use hardware encryption now.

I do not work in IT sec, but I manage a point of sale platform for a large company. Our payment terminals / pinpads tokenize credit card numbers at a hardware level (an actual credit card number NEVER touches the register itself), and each pinpad does so in a unique manner. Even with memory scraping, all you can get is a token (we've tried). Even if the pinpad itself were to be compromised (like the Barnes and Noble breach), we are immediately alerted by the credit processor of unencrypted traffic and all credit processing from the device is declined. The barnes and noble breach was easily avoided as well by requiring a specific device initialization process if a new pinpad is introduced on the POS.

This is all standard industry practice...
 
You must log in or register to reply here.
Back
Top