Target hacked

More likely they introduced rogue code into the software that was distributed to all of the point-of-sale terminals.
That is a plausible explanation. It would almost have to be an in$ide job for that to happen. Not necessarily inside Target, but inside the software provider at least.

I don't think there is firm evidence that all Target stores are affected. We used our credit card at Target, and it still has not received an unauthorized charge.
 
That is a plausible explanation. It would almost have to be an in$ide job for that to happen. Not necessarily inside Target, but inside the software provider at least.
Yep, there could certainly be an inside element.
I don't think there is firm evidence that all Target stores are affected. We used our credit card at Target, and it still has not received an unauthorized charge.
Same here. But it will take the crooks a while to work through maybe millions of cards.

Also, it's apparently "normal" for there to be a significant delay of weeks or even months from the point at which the card details are stolen to the first fraudulent use.

So you might have a bad transaction 3 months from now. And that may or may not be related to the Target fiasco. One would probably never know with any certainty.

Don't feel sorry for Visa et al either. It's almost always the merchant that carries the can for bad transactions. In fact, the credit card companies will still charge the merchant commission and add a penalty fee as well. Yep, those guys have engineered a way to make a profit out of fraud!
 
If it was bad code sending a copy of the authentication transaction to another server, that would explain how the bad guys got the CVV and PIN numbers too.
There are two CVV numbers, CVV1 and CVV2. CVV1 is used to verify that the card is in the hands of a merchant and is recorded on the card's magnetic stripe. CVV1 is "security by obscurity" - it's not printed on the card so it's supposed to be difficult for scammers to figure out what it is. But of course it's part of the information exchanged in a POS transaction, and magstripe readers are now a dime a dozen anyway - so as a security measure it's basically obsolete.

CVV2 is used for "card not in hand" transactions (i.e., card not in the hands of the merchant, which means phone or online orders). According to this Wikipedia entry, the CVV2 code printed on the card is not encoded in the card's magstripe data, so unless it's entered as part of a transaction (and that's not the case for "card in hand" transactions) I don't see how it could have been harvested as part of a POS terminal attack.
 
There are two CVV numbers, CVV1 and CVV2. CVV1 is used to verify that the card is in the hands of a merchant and is recorded on the card's magnetic stripe. CVV1 is "security by obscurity" - it's not printed on the card so it's supposed to be difficult for scammers to figure out what it is. But of course it's part of the information exchanged in a POS transaction, and magstripe readers are now a dime a dozen anyway - so as a security measure it's basically obsolete.

CVV2 is used for "card not in hand" transactions (i.e., card not in the hands of the merchant, which means phone or online orders). According to this Wikipedia entry, the CVV2 code printed on the card is not encoded in the card's magstripe data, so unless it's entered as part of a transaction (and that's not the case for "card in hand" transactions) I don't see how it could have been harvested as part of a POS terminal attack.
Good point. I assume they got CVV1 but it's unlikely they got the CVV2.

I doubt the lack of CVV2 is much of a problem for the crooks. It seems like they had a very competent planning department. Arguably better than Target's :-)
 
Wow, indeed. Amazingly sloppy security if true. Even my residential neighborhood has no completely unsecured wireless routers visible nowadays.
I doubt it was that kind of a wireless exploit. They hit all ~2000 stores.
Yes, that would be a heckuva large parking-lot conspiracy. I love a conspiracy theory, but the larger they get the less plausible they are. :-D
More likely they introduced rogue code into the software that was distributed to all of the point-of-sale terminals. Pretty elegant getting Target to perform all of those software installations for them, I have to say :-)
Then I wonder if it could be as simple as spear-phishing an IT employee; perhaps at Target, or perhaps the POS software provider...in that case, we can expect to hear about breaches at other companies using the same POS terminals as Target...ouch.
I also read that Target was actually storing the CVV security codes! If so, I understand this is a breach of the agreement with the credit-card companies. Target may have made more enemies here than usual with this blunder.
If it was bad code sending a copy of the authentication transaction to another server, that would explain how the bad guys got the CVV and PIN numbers too.

In any event, something was seriously flawed. Hopefully lessons will be learned but I will not be totally shocked if the industry just decides to absorb the losses versus re-engineering more secure payment systems.
Maybe a bit of both; fix the specific flaw found at Target and warn others, but not overhaul security practices firmly enough to upset business as usual?
 
Then I wonder if it could be as simple as spear-phishing an IT employee; perhaps at Target, or perhaps the POS software provider...in that case, we can expect to hear about breaches at other companies using the same POS terminals as Target...ouch.
Retail is all about finding a recipe/formula that works and replicating it over and over again.

Crooks operate the same way. So if this is successful, which appears to be the case, you can be sure it will be replicated.
Maybe a bit of both; fix the specific flaw found at Target and warn others, but not overhaul security practices firmly enough to upset business as usual?
Yep, I think you probably nailed it.
 
CVV2 is used for "card not in hand" transactions (i.e., card not in the hands of the merchant, which means phone or online orders). According to this Wikipedia entry, the CVV2 code printed on the card is not encoded in the card's magstripe data, so unless it's entered as part of a transaction (and that's not the case for "card in hand" transactions) I don't see how it could have been harvested as part of a POS terminal attack.
Interesting article on the apparent fencing of the stolen cards which also makes the same point about CVV2 data not being harvested:

 
it involved the theft of PIN numbers.
There are no PIN numbers associated with credit cards...
Whilst it certainly isn't foolproof - many European countries have been using 'EMV' (in the UK it's called 'chip and PIN') for very nearly a decade already.

So it appears that the (so-called) richest/most advanced country on the planet is almost ten years behind as regards credit card security.

http://en.wikipedia.org/wiki/EMV#EMV_Implementation
 
it involved the theft of PIN numbers.
There are no PIN numbers associated with credit cards...
Whilst it certainly isn't foolproof - many European countries have been using 'EMV' (in the UK it's called 'chip and PIN') for very nearly a decade already.
http://en.wikipedia.org/wiki/EMV#EMV_Implementation
That's a very interesting Wikipedia article. The information about Point-of-Sale equipment that had been electronically altered during or just after manufacture in China and then used to steal millions of dollars in Europe shows that chip-and-PIN is still vulnerable to POS terminal attacks, which is the kind of attack that was apparently used in the Target case.

The other very interesting thing in that article was that the "stick" that the card vendors use to get the merchants to upgrade to chip-and-pin capable POS terminals is a "liability shift" - they dump the liability for fraudulent transactions onto the merchants for transactions done with older, non-chip-capable equipment.

I'm not sure why this hasn't been implemented in the US yet, but it looks like it's coming in the next few years.
 
News update last night said no PINs stolen; she got a letter from Target.

At this point, we feel that all impacted numbers have been notified to companies and they have taken action.
 
At this point, we feel that all impacted numbers have been notified to companies and they have taken action.
Seems like a Russian hacker operating a website registered in Laos. At this point you are supposed to say:

"I don't want to be one of those 'I told you so' people, but I told you so."
 
Target have confirmed that the theft was executed via point-of-sale terminal malware.


"Target confirmed on Monday that the company is partnering with Secret Service to investigate the breach, and said its point-of-sale terminals in U.S. stores were infected by malware, or malicious software."

I have little doubt that there will be other attempts. How successful those will be remains to be seen. I suspect that more than a few stores and makers of PoS terminals are scrambling right now.
 
Weeks before the security breach, the cashier demanded to swipe my driver's license for a six-pack of beer. I showed him the card with a firm grip but refused. He had no option to override. (By the way, no one looking at me thinks I am within decades of age 21.) The procedure was coded into the checkout program.

I walked out. All the information on your driver's license is on the magnetic stripe.
 
Target Corp. now says that the hackers got the cardholder's address, email address, and phone number in addition to card info - of 70 million people, not the originally announced 40 million.

 
Not sure of what vector the hackers used in this case, but I've worked a lot on POS (point of sale) security.

Most communications between data acquisition devices, such as card readers etc., and the client software are not encrypted. Aka, if the terminals are running Windows, which most are, zipping a credit card through most readers with notepad open is enough to hijack the card. If this makes you shudder, it should.

Most retailers don't use very aggressive security measures or lockdowns of the OS. At a minimum they should be sandboxed with all executables white listed.

Visa's merchant policies do not require a merchant to ask you for an additional ID, and in some states it's illegal. I refuse to show my driver's license with Visa sales for any reason because the merchant really doesn't care about identity fraud. They are merely trying to protect themselves from chargeback disputes. Refuse to provide your ID, and/or threaten to call the police.
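
Added example (not part of any post in this thread): a defender's check for magnetic-stripe Track 2 data left in plaintext in terminal logs, which also shows what the stripe carries, as discussed in the CVV1/CVV2 posts above: PAN, expiry, service code and issuer discretionary data (where CVV1 lives), with no CVV2 field. The log lines are constructed and use public test card numbers; the function names are illustrative.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM SSS <discretionary data>?
# CVV1 sits inside the issuer-defined discretionary data; no field holds CVV2.
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(pan):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(text):
    """Return one masked finding per Luhn-valid Track 2 record in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TRACK2.finditer(line):
            pan, expiry, service, disc = m.groups()
            if not luhn_ok(pan):
                continue  # looks like track data but is not a valid PAN
            findings.append({
                "line": lineno,
                "pan_masked": mask(pan),
                "expiry_yymm": expiry,
                "service_code": service,
                # Service codes starting with 2 or 6 mark a chip (EMV) card.
                "chip_card": service[0] in "26",
                "discretionary_len": len(disc),
            })
    return findings

# Constructed sample log; PANs are public test numbers, not real cards.
SAMPLE_LOG = """\
2013-12-01 10:02:11 reader: swipe ok
2013-12-01 10:02:11 debug raw=;4111111111111111=25121010000012300000?
2013-12-01 10:02:15 debug raw=;1234567890123456=25121010000000000000?
2013-12-01 10:03:40 debug raw=;5555555555554444=26032010000045600000?
"""

if __name__ == "__main__":
    for finding in find_track2(SAMPLE_LOG):
        print(finding)
```

Any hit from a scan like this on a terminal or log server means sensitive authentication data is being written to disk in the clear.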
 
Most communications between data acquisition devices, such as card readers etc., and the client software are not encrypted. Aka, if the terminals are running Windows, which most are, zipping a credit card through most readers with notepad open is enough to hijack the card. If this makes you shudder, it should.
That's why VISA is switching over to chip-and-PIN, and using retailer liability as the stick to force them to buy the new POS equipment. It looks like the US is going to be at the very tail end of this conversion. I've been using a chip-and-PIN card here in Canada for a couple of years now.
 
