• Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
    Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.

Target Investigating Massive Data Breach

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
If you thought Target's Black Friday deals were good, wait until you find out what crooks are charging for your credit card info. :(

Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day the year.
 
CC companies should really reconsider their security systems. If credit cards required a 6 digit PIN which could not be stored (destroyed after encrypted authentication) it'd probably significantly dent the fraud. The fact merchants retain the information is a major issue, so why not add an extra check that can't be stored.
 
CC companies should really reconsider their security systems. If credit cards required a 6 digit PIN which could not be stored (destroyed after encrypted authentication) it'd probably significantly dent the fraud. The fact merchants retain the information is a major issue, so why not add an extra check that can't be stored.

Haven't worked in a large corporate environment have you? The word "Progressive" and "Innovative" tends to not be in their dictionaries.
 
CC companies should really reconsider their security systems. If credit cards required a 6 digit PIN which could not be stored (destroyed after encrypted authentication) it'd probably significantly dent the fraud. The fact merchants retain the information is a major issue, so why not add an extra check that can't be stored.

It doesn't matter if they're permitted to store the information (PIN), someone who has hacked their systems could. It's not hard to think of a pretty bulletproof system, but credit cards are all about convenience, and good security would be inconvenient, and more expensive, so the industry has gone the way of shitty inherent security plus a layer of 'fraud watch' etc. The other thing to think about is there is still some amount of offline transactions. I actually had my card imprinted in the last 3 months... and the charge went through, I was amazed.

(chip and PIN is garbage too, FWIW)
 
I got my Debit card skimmed about 3 months ago, and my wife's about 2 weeks later. Guy at my bank said it was probably Walmart or something. They took care of the $250 or so in charges since they were pretty obviously not mine. One in New York, one in Paris shortly after that the bank did not allow to go through. One of them was an online order with an address attached to it. Totally weird, but altogether, I'd rather have my cc skimmed and get reimbursed than get mugged.

Also weird that my wife had the same experience right after but again her bank took care of it quickly. In both cases the cards were temp. suspended automatically by security settings after the second unauthorized purchase.
 
CC companies should really reconsider their security systems. If credit cards required a 6 digit PIN which could not be stored (destroyed after encrypted authentication) it'd probably significantly dent the fraud. The fact merchants retain the information is a major issue, so why not add an extra check that can't be stored.
These were skimmed in software for the in store readers. Stored data had nothing to do with it.
 
While this is being investigated, are the POS systems still compromised?

The period appears to be Black Friday 11/29-12/15.

Of course I made 3 CC purchases in that timeframe, I'll be on the phone to CC company shortly.
 
Hmm. My CC info was stolen shortly after Black Friday, and I went to Target a little time before and after that.

In Europe they have chips in CCs to verify PINs. Here the companies think it would "slow the transaction." OK, well enjoy ur fraud.
 
Hmm. My CC info was stolen shortly after Black Friday, and I went to Target a little time before and after that.

In Europe they have chips in CCs to verify PINs. Here the companies think it would "slow the transaction." OK, well enjoy ur fraud.
Increase the speed if anything. I can type in a 4 number pin faster than they can print out a receipt, have me sign it and then put it away.

They just don't want to send out new cards to everyone unless they have to.
 
My last Target credit card purchase was November 14th (B2G1 PS4 games), am I more than likely not affected by this? My credit card usage has been normal thus far.
 
Increase the speed if anything. I can type in a 4 number pin faster than they can print out a receipt, have me sign it and then put it away.

They just don't want to send out new cards to everyone unless they have to.

They have to send me a new CC anyway, I wish it came with a chip and a PIN.
 
I got my Debit card skimmed about 3 months ago, and my wife's about 2 weeks later. Guy at my bank said it was probably Walmart or something. They took care of the $250 or so in charges since they were pretty obviously not mine. One in New York, one in Paris shortly after that the bank did not allow to go through. One of them was an online order with an address attached to it. Totally weird, but altogether, I'd rather have my cc skimmed and get reimbursed than get mugged.

Also weird that my wife had the same experience right after but again her bank took care of it quickly. In both cases the cards were temp. suspended automatically by security settings after the second unauthorized purchase.

You should never use a debit card for anything other than withdrawing from an ATM where your bank is located. They are the easiest to skim and can be a huge hassle to get your bank to fix it and make right your funds. People who are anti-credit card are in my opinion incapable of being responsible.
 
Wow, just as well we refuse to get one of their damn discount cards, that requires your bank details for some reason.
 
CC companies should really reconsider their security systems. If credit cards required a 6 digit PIN which could not be stored (destroyed after encrypted authentication) it'd probably significantly dent the fraud. The fact merchants retain the information is a major issue, so why not add an extra check that can't be stored.

Most of the world has already abandoned obsolete magnetic stripe credit cards. However, in the Corporates States of America, corporations are never held accountable when their lax security and negligence hurts people and therefore, there is no motivation to upgrade.

JPMorganPalladiumCard.jpg
 
Good thing I haven't shopped at Target in awhile. But if I did my credit card company is often overzealous in protecting me from fraud that I get legitimate purchases blocked...lol.
 
Hmm. My CC info was stolen shortly after Black Friday, and I went to Target a little time before and after that.

In Europe they have chips in CCs to verify PINs. Here the companies think it would "slow the transaction." OK, well enjoy ur fraud.
In another story I read the period is the day before Thanksgiving to Dec. 15.
 
Who else did the same operation hack that just hasn't come out yet. Only Target? Watch for more revelations from other big retailers, since they all buy the same security stuff and equipment from the same vendors, the exploit is likely common amoung a bunch of retailers.

I throw-up a little in my mouth saying "security" in reference to any of this shit.

Simplest concept is for you to have a "secret word" on record at Visa/MC and whenever someone (including you) tries to open a new account, you are asked to verify yourself with the secret word. It is NOT stored on your card. This is for the specific act of OPENING an account ... for SECURITY you need to close the loop, that you are in fact you, in a way that couldn't be easily compromised.

You don't need a "chip" on board, these breaches occurred downstream POST decryption anyway, so having a chip on the card is irrelevant and wouldn't have stopped this breach.
 
Im guessing lifelock and similar and companies are gonna see increased sales as of this revelation.
 
I'm really curious what will come out as the true cause of this. Contrary to what some are saying here, 'good security' actually saves a lot of money in implementation and maintenance costs on a POS system (dealing with PCI stuff is expensive).

I find it unlikely that a company like Target would not have point to point encryption on their devices. Essentially, in this situation, a POS register will never see raw credit card number as it is encrypted immediately upon swiping. In order to look up a purchase using the card number, the store can query for a tokenized version of your card, but they do not have the card number itself. This is pretty standard in retail these days.
 
Im guessing lifelock and similar and companies are gonna see increased sales as of this revelation.

and who owns the lifelock companies? the same people as the banks...

maybe they were frustrated that the lifelock sales were lackluster so they wanted to get a boost in sales

no better way than to 'have a security breach'

this is what you get when you contract the fox to setup 'security' and guard the hen house
 
I'm really curious what will come out as the true cause of this. Contrary to what some are saying here, 'good security' actually saves a lot of money in implementation and maintenance costs on a POS system (dealing with PCI stuff is expensive).

I find it unlikely that a company like Target would not have point to point encryption on their devices. Essentially, in this situation, a POS register will never see raw credit card number as it is encrypted immediately upon swiping. In order to look up a purchase using the card number, the store can query for a tokenized version of your card, but they do not have the card number itself. This is pretty standard in retail these days.

no matter how encrypted the data is, eventually it has to be decrypted in order to be checked against the issuing company to ensure it's a legit transaction.

anyone remember TJ Max's debacle? 'Secure' pos machine, with unencrypted data flying from the POS to the building's server via WiFi... so lol
 
no matter how encrypted the data is, eventually it has to be decrypted in order to be checked against the issuing company to ensure it's a legit transaction.

anyone remember TJ Max's debacle? 'Secure' pos machine, with unencrypted data flying from the POS to the building's server via WiFi... so lol

This is true, but in such a situation it would mean the credit processor would have been compromised and not necessarily Target.
 
In Europe they have chips in CCs to verify PINs. Here the companies think it would "slow the transaction." OK, well enjoy ur fraud.

It's not that it would slow, but that it would require the upgrade of equipment to support it. Look at most small businesses, they are using systems that were made in the 90s.

In late 2015 banks will require that businesses can support chip and pin or be liable for any fraud that occurs, hopefully that means that starting next year new cards will at least have the chip implemented.
 
no matter how encrypted the data is, eventually it has to be decrypted in order to be checked against the issuing company to ensure it's a legit transaction.

anyone remember TJ Max's debacle? 'Secure' pos machine, with unencrypted data flying from the POS to the building's server via WiFi... so lol

A PRNG-based authentication code should solve that issue. Both the card and the credit card provider generate a code based on a seed and an iterator that increments in unison. Each code is only valid for one transaction and then the next code is needed. Unless you know the seed, you cannot know the next code in the sequence. Since all you would get when reading the credit card is a single use authentication code, and that code would be used up by the merchant (assuming that they are using skimmers), even if you knew the number, you wouldn't be able to clone the card because you wouldn't know the seed.
 
Target should be sued into oblivion over this. It's the only way they will learn.
 
If due to gross negligence yes. Otherwise it's a bit early to make a statement like that.

I agree, give it time before making an overblown statement like that. Let's see what happened. To be fair, I would postulate other big box stores aren't any more secure.
 
A PRNG-based authentication code should solve that issue. Both the card and the credit card provider generate a code based on a seed and an iterator that increments in unison. Each code is only valid for one transaction and then the next code is needed. Unless you know the seed, you cannot know the next code in the sequence. Since all you would get when reading the credit card is a single use authentication code, and that code would be used up by the merchant (assuming that they are using skimmers), even if you knew the number, you wouldn't be able to clone the card because you wouldn't know the seed.

This would give a good guarantee that the card was present (assuming there's no terrible flaw in the PRNG that exposes the seeds), so it's good for the issuers and the merchants, but it offers card holders no protections against sketchy merchants (who could tell you the charge was $x, but charge higher) or lost cards. Not perfect, but probably better than chip and pin as currently deployed.
 
Companies like Target have weak security because they don't feel a need to keep there customer's data secure. Looks like i won't be shopping there anytime soon.
 
If due to gross negligence yes. Otherwise it's a bit early to make a statement like that.

Using obsolete magnetic stripe credit cards constitutes gross negligence. The retail industry has been the primary opposition to switching to EMV.
 
Using obsolete magnetic stripe credit cards constitutes gross negligence. The retail industry has been the primary opposition to switching to EMV.

And it's not the answer to everything. There was a similar heist in the UK a year or two ago. Chip and Pin didn't help. It's not security, it's authentication and there's several ways to fool it on both the card and the terminal side of the system.

If card providers wanted it in the US they could have forced it years ago, just like they are doing to finally get it here in 2015. The reason why they haven't? Because retail would also like them to lower interchange fees to what's similar in the EU. (.2 or .3% instead of the 2-3% it is now) If the card providers are making 45 billion on interchange fees, you can absorb 5 billion in losses for a while.
 
Back
Top