Dec 18, 2013

Sources: Target Investigating Data Breach

Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day of the year.


Update, Dec. 19: 8:20 a.m. ET: Target released a statement this morning confirming a breach, saying that 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013.

Original story:

According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.

Minneapolis, Minn.-based Target Brands Inc. has not responded to multiple requests for comment. Representatives from MasterCard and Visa also could not be immediately reached for comment.

Both sources said the breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company’s bricks-and-mortar stores during that timeframe.

“The breach window is definitely expanding,” said one anti-fraud analyst at a top ten U.S. bank card issuer who asked to remain anonymous. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”

There are no indications at this time that the breach affected customers who shopped at Target’s online stores. The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.
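To make concrete what "track data" is and why it is enough to clone a card, here is an added example (not part of the original post, and not Target's or any issuer's code) that parses ISO/IEC 7813 Track 1 and Track 2 strings of the kind a magnetic-stripe reader returns. The two sample track strings are constructed for this example and do not belong to a real card; the function names are my own; and the service-code meanings (first digit 2 or 6 signals a chip card, third digit 0, 3 or 5 requires a PIN) follow ISO/IEC 7813. Note what the parser finds: PAN, name, expiry, service code and the issuer-defined discretionary field (which is where the magstripe CVV1/CVC1 value lives), and what it cannot find: the CVV2 printed on the back of the card is never encoded on the stripe.

```python
"""Parse ISO/IEC 7813 magnetic-stripe track data (the "track data" stolen in
POS breaches) to show exactly which fields a counterfeiter obtains.
The sample track strings below are constructed for this example, not real cards."""
import re
from dataclasses import dataclass

# Track 1: %B<PAN>^<LAST/FIRST>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


@dataclass
class TrackData:
    track: int
    pan: str
    expiry: str          # MM/YY
    service_code: str
    discretionary: str   # issuer-defined; CVV1/CVC1 is encoded somewhere in here
    name: str = ""       # Track 1 only


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; a cloned card with a bad PAN is rejected offline."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track(raw: str) -> TrackData:
    """Parse one track string; raises ValueError on a malformed track or bad PAN."""
    raw = raw.strip()
    if raw.startswith("%"):
        m, track = TRACK1_RE.match(raw), 1
    elif raw.startswith(";"):
        m, track = TRACK2_RE.match(raw), 2
    else:
        raise ValueError("unknown start sentinel")
    if not m:
        raise ValueError(f"malformed track {track} data")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    yy, mm = m["exp"][:2], m["exp"][2:]
    return TrackData(track=track, pan=m["pan"], expiry=f"{mm}/{yy}",
                     service_code=m["svc"], discretionary=m["disc"],
                     name=m["name"] if track == 1 else "")


def describe_service_code(svc: str) -> dict:
    """Decode the three service-code digits (ISO/IEC 7813) that tell a terminal how
    the card may be used. Digit 1 of 2 or 6: an IC (chip) is present and should be
    used; digit 3 of 0, 3 or 5: a PIN is required; digit 3 of 3: ATM use only."""
    return {
        "chip": svc[0] in "26",
        "international": svc[0] in "12",
        "pin_required": svc[2] in "035",
        "atm_only": svc[2] == "3",
    }


def mask_pan(pan: str) -> str:
    """PCI DSS-style masking (first six, last four) for anything written to logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tracks_match(t1: TrackData, t2: TrackData) -> bool:
    """Both tracks describe the same card when PAN, expiry and service code agree."""
    return (t1.pan, t1.expiry, t1.service_code) == (t2.pan, t2.expiry, t2.service_code)


# Constructed sample: the same (fictitious) card as read from both tracks.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^15121011234567890123?"
SAMPLE_TRACK2 = ";4111111111111111=15121011234567890123?"

if __name__ == "__main__":
    t1 = parse_track(SAMPLE_TRACK1)
    t2 = parse_track(SAMPLE_TRACK2)
    print(mask_pan(t1.pan), t1.name, t1.expiry, describe_service_code(t1.service_code))
    print("discretionary data (holds CVV1, never CVV2):", t1.discretionary)
    print("tracks agree:", tracks_match(t1, t2))
```

Every field the parser returns is enough to write a working stripe onto a blank card, which is why a magstripe-only terminal cannot tell the clone from the original; the service code is also the field a thief would rewrite (first digit 1 instead of 2) to make a chip card's clone look like a stripe-only card to a terminal that honors it.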


It’s not clear how many cards thieves may have stolen in the breach. But the sources I spoke with from two major card issuers said they have so far been notified by one of the credit card associations regarding more than one million cards in total, from both issuers, that were thought to have been compromised in the breach. A third source at a data breach investigation firm said it appears that “when all is said and done, this one will put its mark up there with some of the largest retail breaches to date.”

Some of the largest retailer breaches to date may help explain what happened in this case. In 2007, retailer TJX announced that its systems had been breached by hackers. The company later learned that thieves had used the store’s wireless networks to access systems at its Massachusetts headquarters that were used to store data related to payment card, check and return transactions at stores across the country, and that crooks had made off with data from more than 45 million customer credit and debit cards.

In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into its internal card processing network and installed malicious software that allowed them to steal track data on more than 130 million cards.

This is likely to be a fast-moving story. Stay tuned for updates as they become available.


Have you seen:

“Cards Stolen in Target Breach Flood Underground Markets” … Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.



620 comments

  1. This makes a case in point for all of you out there whose financial institution has the “alert” feature available to your accounts, but you do not use them. Many banks have a large selection of alerts you can tie to an account, to send alerts to a cellphone number or email address, such as individual transactions totalling $xxx, a day’s worth of transactions totalling $xxx, a balance falling below $xxx, etc. Time is of the essence when dealing with these types of things: thieves grab and go, and the sooner you know, the better for your own finances, as well as for reporting purposes.

  2. Brian, this is going to be a bit embarrassing if this so-called breach is not as big as you reported. As another poster stated, she was informed that the “media have blown this out of proportion”.

    • Perhaps in your desire to try and troll Brian you failed to read the update posted almost 12 hours before, from the retailer.

      Feeling embarrassed yet, Mover?

    • 40mm bad credit cards in the market today
      40k pos systems infected during peak sales

      Totally blowing it out of proportion

    • Target themselves said “40 million cards”.

      Furthermore, Brian only wrote “more than a million”. He could’ve said tens of millions and still be accurate. If anything, he’s guilty of understating, not exaggerating.

  3. I’ve been trying all day to get through to the Target REDcard phone number on the back of my card, the number they gave at the store to call for service, and the website to kill my credit card, and guess what, I can’t get through to any of them. I take any breach of credit card security very seriously even if it is “blown out of proportion”. I’ve had at least half a dozen fraudulent charges on my accounts over the years and have turned them in as such when I reviewed my statements and discovered them. Then killed each of those cards immediately and had new ones issued. It is prudent that action is warranted by all.

    • I was able to cancel my REDcard using the customer service number on the Target website: It took 25 minutes on hold to get through to the first rep, who tried to tell me that I should not be worried, yadda yadda ya, then he transferred me to another department to cancel the card, which meant another 30 minutes on hold.

      So in addition to getting hacked, Target’s customer dis-service is in no way prepared to deal with the fallout. A two-stage process to cancel? What an awful management decision to set it up that way.

    • I have also been trying to call the number on the back of my REDcard all day today to cancel the card. It appears that the number is disconnected. Unbelievable.

  4. It was an NSA breach, they have broken security encryption. Perfect opportunity to investigate your own fraudulent activities and take advantage of the moment. It is always easier to point the finger at someone else, especially if you hold all the CARDS.

    • Only the MOST extreme of extremists would pin this on NSA. First, even assuming NSA can hack every type of encryption there is, THIS hack appears to involve malware, *NOT* hacked encryption. Secondly, it’s very doubtful *any* government agency — even NSA — would be SO rogue that it steals money from ordinary citizens’ bank accounts thru hacking; even the IRS must act within the law. (NSA’s activities, at most, are a form of espionage — NOT petty theft.)

      • I guess you didn’t see the NSA report that was delivered to Congress this week. The NSA has been actively hacking foreign banks and foreign accounts. While I don’t think the NSA was involved in this mess, the NSA has most certainly been involved in these activities with foreign entities. If you don’t think the NSA’s actions will have blowback, you’re not living in reality. The NSA mess is just a further extension of the war on terror debacle that’s only created more terrorists and turned one-time allies away from the U.S. So, for many people, it’s very easy to see how the NSA can be the boogieman in every situation – it’s a position the NSA has earned.

      • Dude, please lay off on the caps and use of the asterisks. It is very annoying and makes you look like an idiot.

    • Susie Summersville

      A quote from Keith Wagstaff, NBC News internet article:

      “That is what is kind of mystifying at this point,” Wester said. “It seems like from a security standpoint, Target was doing all of the right things, and somehow this code was put on the POS system, which isn’t a normal access point for hackers.”

      Imagine that: “Somehow” this happened just when the negative press coverage of NSA activities increased. Think it comes under the broad umbrella of “counter intelligence” to distract from current violations of the Constitutional Right to Privacy! Just a guess! Maybe we should ask old Snowden what he thinks! Could a “contractor” with a bad attitude put “this code…on the POS system.”

    • What you’re missing is it doesn’t take an entity as skilled as the NSA to pull off what was done to Target…

      It’s very clear that these skills are possessed by the Carder community, and many insiders are saying they aren’t all that surprised that this happened to a major retailer.

  5. Great article. On the bank side, it seems to be a slow pickup by the fraudsters. We have only had one card compromised so far. Am guessing the bad guys will be waiting for the weekend. Will keep you updated.

    Have heard of cards being used in Florida and over in Europe so far.

    • We have fraudulent charges. I won’t ever shop at Target again.

      • Fred, etc: From now on just use cash at Target like I do at TJMaxx, who also had a breach six years back. Once that trust is gone, it’s gone forever. I urge everyone to cancel their Target cr. cards too. Best not to shop there overall. They refuse to list their stores breached in every state or answer their phones. They should be sued for lack of security and fined heavily by the gov. for incompetency.

        • Target needs to be more upfront on which states and stores were affected. I have tried ALL the numbers provided, can’t get through to any of them, very frustrated. Will not use my Target debit card ever again, and I buy my food there and used to work there. They are NOT handling this situation well. Do not trust them anymore.

        • While I understand convenience, etc, don’t you think people SHOULD be using cash in the first place? It’s one thing to use a card for large purchases, but card use these days is staggering and unnecessary — and it grossly contributes to overspending and poor budgeting anyway. People are in over their heads precisely because they have lost the idea of what money actually is; the act of using cash or some other form of currency automatically provides a protective instinct that just swiping a card will never do. Let’s also not forget that it also makes you a target (get it) of corporate data collection and spending habits.

          • Given the choice of having a debit card skimmer steal my banking credentials when I withdraw cash from an ATM in order to make purchases at Target or having my credit card credentials stolen when I make a purchase at Target, I’d much rather have the credit card data stolen.

            There are fewer credit card companies and credit card liability law is much better for US cards than the equivalent debit card liability laws.

            This ignores any risk of losing actual cash if you lose your wallet (generally not replaceable) or of having your wallet stolen.

            I don’t know how many credit cards the average American has, but I’d bet it’s more than the number of debit cards they have. So while it’s certainly annoying to have one canceled, it’s still better than losing the only one of a type.

            • The odds of you coming across a skimmer *inside of a bank branch* are actually quite small, especially if you are careful to do a once-over of the machine and maybe give it a little tug or two before using it. Having cards should not be an excuse for being lazy or shirking responsibility and offloading the risk. Do you need to use a card to make hundreds or thousands of $10 purchases a month at maybe hundreds of establishments, each time of which you run the risk of coming across a low-paid dishonest employee? No. Nor is there any really good reason for why one should be used at a restaurant etc. (where the bulk of these local (and in my opinion more insidious because they tend to take far longer to discover and affect average people in heavier ways) skimming operations take place). Or do you regularly go around buying items that cost thousands of dollars every day? Find trusted establishments and set lower bounds for your purchases and your risks diminish greatly.

  6. Brian,
    Thanks for an excellent article and speed at which you presented it.
    Forgive me if you’ve answered this already (I very quickly scanned the 400 posts) but were any Canadian Targets involved, not Canadian buyers in the US but physical Canadian stores?

    Cheers

  7. Does it do any good to cancel your card?

    • If it is a debit card I would close it immediately, you could lose money!

      If it is a regular credit card you need to weigh inconvenience of closing the card versus risk that the card will be used fraudulently and you need to clean up later. Usually you won’t lose money.

      If it is a RedCard I would close the whole account. If many people do that Target will lose money, which I think is what they deserve! (They knew on Sunday and revealed on Thursday only AFTER this blog broke the story)

      • Well, just to keep things in perspective, we normally don’t find out about big corporate “jobs” like this till months (normally many months) afterwards – it’s quite unusual for Target (as a big multinational being exploited) to fess up to the rumor immediately. I wouldn’t beat them up too bad.

        While it would be better for them to announce it the moment they knew about it – that never happens.

        • Well, I compare the performance of a company not against a low standard some might have gotten used to, but against best practice.
          As consumer data was breached, and Target is not really in a position to protect consumers, the consumers should have been informed ASAP.

          To me it looks more like Target was forced to come out after this blog broke the story and Target was not able anymore to keep the information about the breach under the rug.

          Don’t forget that Target’s primary advice to consumers is to check their accounts and statements vigorously. This only works if the consumer is aware of the breach.

          • Target risks big fines from PCI SSC if they 1) did not report it to SSC members, and 2) didn’t do public disclosure. Krebs seems to indicate that he had info about the Secret Service working with Target on an issue.

            • PCI SSC does not fine anybody. The card brands fine the acquirers and then it gets passed on to the merchant. For something like this it will likely be one very large “settlement” negotiated with card brands.

  8. My credit card was breached at a Target purchase on 11/14 and was used on 11/16 half-way across the country at 3 different Target stores in one day. My credit card company picked it up and closed the account. If it’s not part of this breach, then it means they had another breach.

    • How do you know the BREACH was at Target? The perp could have obtained your data ANYWHERE you used the card, even *before* 11/14. Just because the perp went to Target on 11/16 does *NOT* automatically mean he got the data on your 11/14 Target visit.

      • Very true, but the same question could be said the other way.

        How do you know that his card wasn’t exploited by the countrywide action that was actively going on when he used his card at Target during the “harvesting” window?

        I’d make an argument its far more likely that’s what happened with his card than not, since we know he put his card number at risk inside Target’s network, which was being exploited, during the time period. No guarantee, of course, but greatly increasing the chances his card interception occurred there. JMHO…

        • That’s conflating locational correlation with temporal. The very dates given put it outside, not within, the timeframe of the currently reported compromise. If the card was indeed compromised through use at Target, then it was done before this current breach.

          On top of that, the illicit use of a card normally happens on the order of days to weeks after the card harvesting. If the poster saw activity in mid November, chances are the actual breach compromising his card happened early November or earlier, in late October. That’s holding true here; the current Target breach was back near the end of November, yet there are only reports of it appearing on the card “black” market now, and so far few reports of actual use of those cards.

          And then there’s this: Criminal **use** of the card at Target doesn’t automatically mean it was compromised there.

          Last, there’s no indication Target was the *only* location that card was used at, which leaves open the possibility it was exposed elsewhere. Merely pointing out its use at Target is insufficient correlation to conclude it was compromised there, especially given the dates. That poster has given far too little reason for anyone to believe it’s a given that his card was compromised at Target.

  9. Misinformation, Target states in their FAQs
    ===
    Is the CVV code the same as the three-digit code on the back of my card?

    No, the CVV code is not the same as the security code on the back of your card. As of now, we have no indication that the three-digit code on the back of the card has been impacted.
    ===
    Not true of my VISA card. Check out the CVV definition at http://www.cvvnumber.com

    So why does Target say that it is not?

    • http://en.wikipedia.org/wiki/Card_security_code

      Bottom line: The number you read on the back is the CVV2. What was stolen was the CVV1 (also known as the CVC1) that is encoded on the magnetic stripe.

      The Target breach was of magnetic stripe data, therefore it’s the CVV1s that have been compromised. The CVV2s – the number you can actually read that’s printed on the back of your card – were not stolen in this event. They couldn’t have been; the CVV2 is not part of the mag stripe data.

      Yes, the nomenclature can be a little confusing. But we’re stuck with it.

    • The reason Target added that to their notice was their ORIGINAL version described “CVV” as CVV2, even though posters here had already pointed out *only* CVV1 is on the magstripe. That clarification actually CONFIRMS it was a magstripe hack; CVV1 appears *only* in the magstripe, while CVV2 appears *only* on the physical card (Amex’s CID on the front, everyone else on the back). Even REDcard debit has a CVV2 on the back, and I assume a CVV1 as well.

  10. I agree, Mr. Krebs is very good at finding and reporting what the fraudsters are up to.

    Brian has taken great pains as always to report the facts.

    Several points need to be clarified relative to this compromise.

    1. No “PIN” data was harvested. PIN data is encrypted at the point of purchase. Many news reporters have stated Debit Cards could be used at ATMs, which is not correct, as w/o the PIN the debit card is useless.

    2. The 3 digit security code stated as stolen by Target is a code that is embedded in the mag stripe on the card. The code is NOT the same as the 3 digit code on the back of the card. Most consumers do not know this.

    3. The only personal information on the mag stripe is the holder’s First and Last Name as shown on the front of the card. NO other PII is on that mag stripe. Your name is on the front. Cards are handed to clerks all day with your name and that does not mean you are victims of ID Theft. To steal your identity at a minimum you need to have your Name, Date of Birth, SSN and address. NONE are on a card.

    I applaud Target for bringing this forward, but their message exaggerates the threat of ID Theft, does not state that PINs were not stolen and leaves the consumer with the impression their security code used for Online Purchases was breached.

    Consumers need to understand several things.

    1. All Banks have a Zero Liability Policy. Any unauthorized purchases on their cards will be reimbursed by the banks and if they are fraud, new cards will be issued and many banks will expedite the new cards to you if asked.

    2. There is no need to place an ID theft alert on your bureaus. You should remain vigilant and always monitor your accounts not just for fraud, but to ensure you are not being charged for things you did not authorize, erroneous fees, etc.

    3. To the extent you can, be wary of whom you give your card information to. Many thieves have numerous means, from skimmers to phishing emails, to try and capture your card data.

    In the end, the U.S. will need to migrate off of Mag Stripe and move to other more secure means of electronic payments. Chip Cards are the best next bet and we will see more of these in 2014. Before they can be used both Banks and Retailers need to upgrade their infrastructure. That is occurring now and will continue through 2017. You can help by asking for this technology.

    Unfortunately the U.S. has not migrated to “Chip Card”, which has stopped this activity cold in every Country in the world but the U.S.

    In the interim, expect the number of these compromises to increase as the U.S. currently is the last bastion of resort for card thieves and their capabilities to infiltrate a 40 year technology continues to improve.

    • I appreciate the measured and sensible response. I am wondering (and I mean no disrespect) what your credentials are, though?

      • I cannot reply for him, but I will state that I agree with most of what he said, in case a second opinion matters to you.

        • I say almost partially because this part, perhaps, could be considered misleading: “Unfortunately the U.S. has not migrated to “Chip Card”, which has stopped this activity cold in every Country in the world but the U.S.” — while indeed chip and PIN is available in much of the world, it is not required, and indeed the ability to run a card through a magstripe reader is standard in every country, as is in line with card standards to date. This is why you can use a North American card overseas, and a card from overseas in North America. Regardless of this, chip and PIN is also not infallible; there are difficult but academically known attacks on it and some have even been attempted. All of that said, though, his reply was sober and reasonably good advice given the amount of FUD I have seen about this already.

          • I already knew “chip and PIN” isn’t 100% secure, but it *is* more secure than magstripe alone — especially for credit & U.S.-style signature debit, which doesn’t require a PIN *at all*. Of course, that could mean the U.S. is waiting for a successor to “chip and PIN” before making the expensive migration away from magstripe.

          • I agree, there has been a lot of FUD about this. And the basics of the situation are bad enough, without a lot of extra hype and fear mongering being thrown in there. I thought Rick’s post was good and I’m hoping he is correct, which is why I wanted to know his ‘creds’, so to speak. I do wish Target would be more forthcoming. For example, I would like to see a list of exactly which stores were affected or if they ALL were, then *say so*. I would also like some assurance about when exactly this started. Exact day. I think if people were given complete disclosure, there would be a lot less panic going on and all of the affected shoppers would at least know what had to be done.

            • Sparrow,

              I will only say that it is my job to monitor card transactions on both the credit and debit sides of a sizeable portfolio (millions of accounts). I am quite familiar with the counterfeit trends for the past several years.

              But you are warranted and correct to ask, as there is so much information that is being shared that is not accurate, not intentionally, only from lack of being or wanting to be informed. The media’s job, of course, is to drive ratings and make its sponsors happy. The more sensational the story, the more listeners, the more ad time they sell. In an age where information travels in milliseconds, it’s hard to stop and get it right, when 5 or 10 of your competitors are already releasing information.

              I will leave you with the knowledge that all banks are watching this and all fraud activity very closely and are very passionate about stopping the fraudsters.

              I am very supportive of Brian’s steadfast resolve to not only get the facts straight but to get information out to the public quickly.

              One small point, many keep referencing CVV. Just as Visa issues a CVV1 and a CVV2, MasterCard issues a CVC1 and a CVC2. They serve the same validation purpose, but if someone says CVV they are referencing a Visa Card, if they say CVC they are referencing a MasterCard. CID for AMEX, which is a 4-digit value, but that’s a separate conversation.

              Bottom line again, is the industry needs to migrate as quickly as possible to Chip.

              • While I will agree with 99% of your statement (BTW the most valuable reply that has been posted is yours) I do have to wonder what the integrity of the PIN transactions is. While absolutely Target (and everyone else) is encrypting that PIN at the PIN device, without having knowledge of the Target POS implementation, I don’t know that we can say that in fact PINs are not compromised. Depending on the POS implementation, that data may NOT be encrypted end to end; ours is not (I work for a mid-size national retailer as the Security Architect who oversees our PCI compliance and CC data protection.)

                This is PURE speculation, but based on the full track data being compromised, that says to me 1 of 3 things happened: the PIN devices were compromised (in which case PIN entry could also be compromised), the POS itself (either hardware / software, either at the client or server level) was compromised, in which case depending on the POS and the level of compromise, PIN data could be affected, or the circuit(s) from Target to their acquirer was in someway compromised, in which case, again it depends on how their POS transmits to the acquirer, many transmit unencrypted to the acquirer over a closed link.

                That said, to me this stinks of PIN device or overall POS compromise, which given the size of this, HOLY CRAP. Unless Target’s POS implementation is using a small number of servers to process / relay payments across all stores, the magnitude of the devices compromised is massive here, and leads me to think either inside job, or a serious long-term hack, or REALLY shoddy security inside Target, the latter of which I doubt. Unless they are transmitting track data over the wire for authorizations, I think we are going to find that the size of this hack is massive. That, or they are storing full track data for every transaction, in which case, oh my….

                In any case, the fact is, for consumers, that while there may be inconvenience if your card was one that was affected, and then subsequently used, you are not going to be liable for charges, and you are protected. While this absolutely should be a VERY public story, the story here, IMO, is more about the who and how of this breach, rather than the consumer impact. The number of consumers impacted is huge, but the impact per consumer really is not……

                Just my inside $0.02

                • I checked out Target’s corp structure. They outsource POS app development to India. I think your long-term hack theory is likely correct. When you’re writing the code – how easy is it to embed security holes….

                  • From what I’ve seen they use TSS India….just glad we use TCS (Tata). Regardless, if you outsource dev, you HAVE to have good code review, which is a PCI requirement, but application and requirement aren’t the same. If it’s a long-term hack I have to believe it’s isolated, and not corporate sponsored. But I have to believe it would be easy to buy a few devs in India if you’re mob or China…time will tell. This is going to be a VERY interesting case.

                    • I hate to cast aspersions, but it has always seemed that the oriental mind hates to admit even a smidgen of trouble. So consequently, outsourced services to India always end up in a mess, because they absolutely abhor to address problems!!! It isn’t that they are not superb problem solvers, but that their mind set prevents any improvement on their system! They refuse to admit error! Or at least what they conceive as error; actually they just need to do a policy review, but good luck instituting that!!

                      Any large corporation interested in solving true problems, better quit outsourcing – especially for security. I’ve seen at least one good company almost lose their entire business to cracked or compromised operations with online credit handling. I could see it happening right in front of my eyes; and consulting the help staff at the company did no good at all. These retailers need to WAKE UP AND SMELL THE COFFEE, and LISTEN TO THEIR CUSTOMERS!!! HEAR ME??? AWWWww to heck with it! :/

                    • JCitizen: We are in agreement. It is a cultural issue, made the more problematic by the fact that it is directly money-related and most offshore companies cannot afford or will not tolerate the loss that comes with making such a mistake. While some other Asian countries tend towards humbleness and overapology, some countries tend more towards pride (note most other Asian countries will revert to pride on some level eventually if the accepted means of conflict resolution is not carried out; shame is a large influencer of *any* Asian culture). This is not better or worse than your way or our way or anybody else’s way — it is different, though, and in cases where money is involved it winds up being harder to square things — the negotiating skills are not there because the cultural understanding is not there (a dance).

                      Why would money processing ever be offshored and outsourced anyway? I know it happens because I see it all of the time, but so far from my experience (and I have quite a bit of it) the best excuse I have found isn’t a lack of local talent — it is offloading risk and saving money while providing an ample opportunity to force blame upon somebody else should something go wrong.

            • They cannot answer something they do not yet know the answer to. People pushing for answers is often what leads to the bulk of misinformation. And really the answers don’t matter as much as you might think — except for the public’s clamoring to know and journalists’ desire to fill in the blanks (not saying Brian, but I have seen speculation everywhere — this sort of occasion always brings out the overblown imaginations and doomsday predictions).

              The logical approach would be to deal with the problem if you are affected, for the banks to reissue cards (regardless of immediate cost, it’d likely be better for consumers, but not all banks choose to do this… my argument is if you are a consumer and this sort of thing is this publicly talked about and you yourself do not request a new card, you are at least partially to blame for not acting). From a consumer perspective speculation isn’t going to soothe your anxiety — it’ll just make you more anxious.

              • True, they cannot tell us what they don’t know yet. That said, I disagree that it isn’t important to release the how. It may not be relevant to the consumer, but it is VERY relevant to people like myself, who’s job is to prevent these attacks. I would much rather see a requirement in the PCI DSS that all major compromises are released, at least to the retail industry, for review. I don’t care as a consumer how MY card was compromised, but I absolutely care as someone who’s primary job is CC data security. I’m well aware that the news reports are aimed at consumers, but this absolutely causes me to lose sleep as the lead security architect for a mid sized retailer. It may not be relevant to small mom and pop stores, but as someone that has to protect 350 stores in multiple states this scares the crap out of me. I hope we find out that it was a total inside job or that it was related to a vulnerability in their home grown pos, but if not, that means that if they can hit every target store, they can hit every one of mine. Sadly we likely won’t see a public answer. Likely finding out the how will involve talking to industry sources that may or may not know the full story. While I don’t want target to be forced to face public shame, or put other retailers at risk by revealing how this happened, it absolutely is important that people like myself DO know how it went down. Lets just say they compromised the verifone pin devices…that’s EXTREMELY relevant to companies like mine, who use verifone devices.

                I just have a very strong feeling about this stuff. I feel that the PCI Council would be best served by requiring a white paper from the forensic firm doing the investigation, to be released to the other PCI participating organizations. We spend a great deal of money to be part of the PCI process, and there is just as much value in knowing how another retailer was compromised as there is in making sure we’re compliant with the DSS.

                It’s only going to cost me $50 max if my card is sold, cloned, and used before I cancel it, but it will directly cost me and my employer far more than that if the Target hack is repeatable and we’re hit. It takes less than 2 hours of overtime I don’t get paid to surpass that $50, and being a medium retailer with razor-thin margins, a similar hack like this would cost me the ability to feed my family because we couldn’t sustain the hit like Target can… so it very much matters how to me.

                • Also, I think it’s important that we know who issued their ROC. IF, in any way, they let security slip, then it’s very relevant and important to know who has been conducting their PCI audits. Not because if they used the same firm as us it matters, but rather because I believe the responsibility falls just as much on the audit firm as on Target, IF the compromise is due to poor implementation of security controls.

                  Until shown otherwise, I give Target the benefit of the doubt that realistically they couldn’t have foreseen this, but should it be shown otherwise, then I want to know who said they were compliant.

                  My biggest issue with PCI compliance is that it’s not public, and there’s been ZERO attempt to educate consumers on PCI. I think it should be public who is compliant and who is not. Likewise I think who audits retailers should be public. If multiple retailers are compromised in a year or two, and they’re all audited by XYZ Auditors, that matters, and I want to know who else XYZ audited.

                  Personally I’d like to see PCI compliance be as visible as SSL is to online shopping. It may not stop me from shopping at ABC Store if they were audited by XYZ, but I should get to make that choice as a consumer.

                • I was in no way saying they should not release the how — ONCE THEY KNOW the how (and the when, and maybe eventually the why). My objection is to the FUD and pointless speculation which just makes people more frantic and anxious.

                  The fact that journalists aren’t saying ‘do this if you are concerned’ when it really is as easy as calling your bank and getting a new card within a couple of days or so is absurd. Report when there is news. Don’t blow things out of proportion. And most of all tell people what they can do instead of drumming up the psychotic fear and fantastical anxiety because none of it helps.

                  There is no need to call Target unless you have a REDcard (if that’s what they’re called) and frankly if you do I am sure they already know you do, since that is their systems, so that’s probably a waste of time and energy anyway. Again, you should be calling your bank and detaching your bank account from it until the issue has been resolved and a card has been reissued (although I’d have a hard time imagining they can access your bank account this way if they haven’t already, given that Target is well aware of what is going on; they have their own fraud detection systems, too).

                  I will reply to your PCI statements separately in a bit.

                  • Incidentally if people do not know if they have used their card at Target in the past month then that is a problem in and of itself that speaks to a greater issue: WHY NOT?

      • For what it’s worth, I work on the acquiring side of the credit card industry, and all of Rick’s numbered facts are accurate.

    • I want to emphasize that I’m not trying to be snarky. I think what you’re saying sounds reasonable and sensible, I just want to know where the information is coming from. :)

  11. The breadth of the breach (all US Stores) seems to rule out Payment Terminal hardware as the compromised element. I don’t know how easy/hard it is to do a widespread hack of Payment Terminal software, but it certainly doesn’t sound like the path of least resistance. Some sources online say that most of Target’s payment terminals are VeriFone (roughly 80%), with the rest Equinox/Hypercom. Target issued a blanket advisory that if you shopped in their stores during the breach window you should check your accounts. They did not indicate that there were any stores distinctly unaffected (such as stores with Equinox terminals), so that seems to imply Payment Terminals were not the point of failure.

    Which leaves the POS code…developed by Target, with most stores already running the version containing the exploit before it was exploited. The exploit must have been either discovered by someone a while ago (to allow time for planning the execution), or specifically coded by someone even longer ago (to allow enough time for distribution to all the stores). A third option is one of newly developed POS Malware variants (Dexter, BlackPOS, vSkimmer, etc)…most of these are Windows-specific, but this case study indicates that Target Technology Services is a Microsoft Shop, including the POS: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407

    Perhaps I’m drawing too many conclusions, but this seems like the exploit couldn’t have been executed to this scale without someone helping from the inside. POS Malware looks like the path of least resistance to me. It’s prepackaged and can be bought online, doesn’t require specialized knowledge in POS/payment code, and just needs a means of install…in the wild, it is often installed with help from inside.

    Furthermore, the major point in the Microsoft case study is that Target did a ton of virtualization in the last few years, to the point where every system in a given store (including every POS) is virtualized down to two servers. So if code needed to be specifically installed for the exploit, and you wanted to hit every POS in every store, Target had an infrastructure that makes that relatively easy.

    • Bingo. I’ve known even as a consumer that Target uses different PIN-pad equipment at different stores (even though *none* of my local stores use the latest Verifone model), *and* have noticed their registers run on Windows. Thus, I wouldn’t be surprised if the exploit was running on the REGISTERS instead of the PIN pad. The lack of credible PIN-hack reports also suggests the hack was *NOT* at PIN-pad level.

      However, a register-level hack suggests yet ANOTHER possible vulnerability: Even CHECKS could have been compromised. Target uses an “e-check” system where the register scans your check to convert it to an ACH debit; if THAT data was captured, check-writing consumers will likely have to close their checking accounts. (Even REDcard debit is more secure in that respect; except for new accounts, the data needed to generate ACH debits is kept in a Target corporate server, *not* at register or store level. Thus, compromised REDcard debit magstripes can *only* be used for Target purchases, even with a PIN.)

      • The card reader is not the POS terminal. And yes, if the network is all tied together then Dexter is very possible. The POS terminal itself has an OS; perhaps a common flaw due to a “60 day” patch cycle is to blame.

    • Actually it would be quite easy to infect all POS devices. All you have to do is crack the update server, and then push a package containing the malware to the POS devices.

      I don’t know what technology they use (CCM, BigFix, SCCM) but they certainly would need something like that just to manage updates. How it got by their AML and FIM is entirely another matter.

      • This is exactly correct. All VeriFone devices have custom firmware builds on them, based on the customer, POS, and other details. When you use a VeriFone device at Target and the screen shows the Target logo, that is part of the custom firmware for those devices. Given that Target has an enormous number of PIN devices, it would be logical to assume that they also have an automated method for updating those PIN devices; however, even if they don’t, most VF PIN devices can be updated remotely, and if you were able to gain access to the network the PIN devices are on, had the proper credentials, and knew how to craft trojan firmware, it would take all of a night to deploy it to every VF device in their infrastructure.
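The thread above (comment 11 and its replies) turns on two controls the commenters name but do not show: an update channel that can push a package to every register, and the file integrity monitoring (FIM) that is supposed to notice when the contents of a POS install change. The following is an added example, not code from the original thread or from Target, of the basic FIM check: hash every file under a POS directory into a baseline, then diff a later snapshot against it. The directory layout, file names and the "update" that tampers with a payment module and drops an extra binary are all invented for illustration.

```python
"""Minimal file-integrity baseline for a POS install directory.

Added example; paths and file names are hypothetical. The check is the
one PCI DSS-style FIM performs: record a SHA-256 per file, compare later,
and report added / removed / modified files.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Set


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Diff two snapshots. A rewritten file with identical content is NOT flagged."""
    common = baseline.keys() & current.keys()
    return {
        "added": set(current) - set(baseline),
        "removed": set(baseline) - set(current),
        "modified": {k for k in common if baseline[k] != current[k]},
    }


def demo() -> Dict[str, Set[str]]:
    """Simulate a trusted install, then a hypothetical malicious 'update'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"legit register binary v1")
        (root / "bin" / "payment.dll").write_bytes(b"legit payment module v1")
        (root / "config.ini").write_text("store=1234\n")
        baseline = build_baseline(root)  # taken right after the known-good install

        # Constructed tampering: payment module swapped, extra binary dropped,
        # config rewritten with the same bytes (should not be reported).
        (root / "bin" / "payment.dll").write_bytes(b"trojaned payment module")
        (root / "bin" / "svchost.exe").write_bytes(b"memory scraper")
        (root / "config.ini").write_text("store=1234\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {sorted(files)}")
```

In practice the baseline must be stored and signed somewhere the register cannot write to, and a legitimate update has to be accompanied by a new approved baseline; an update server that can both push files and silently refresh the baseline gives an attacker who controls it exactly the blind spot described above.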

  12. Several weeks ago a group of grocery stores in Eastern WA, Northern ID and OR suffered a similar breach. Card accounts from credit unions seemed to be favored by the crooks who produced physical cards to use for purchases around the world. It took URM stores over a week to repair the breach. In the meantime they limited credit card use to a single dial-up terminal at the customer service counter. Was this a test run of the hack? The story did not get much national attention.

    http://www.spokesman.com/stories/2013/nov/25/yokes-fresh-markets-have-stopped-taking-credit-deb/

    • They’re similar only in that they’re apparently hacks at the store (or in your case, possibly wholesaler) level. Target obviously has a different store system, reportedly developed in-house, which is likely to have different weaknesses than the one this small grocery wholesaler offered to its store customers. (However, that does *NOT* rule out the same perps being involved.)

      • In light of what the post before yours pointed out, I’d add that *IF* the grocers used a Windows-based system (like Target), they *COULD* have been hit by the same malware. If so, as I just pointed out above, CHECKS may have been compromised if the grocery registers capture routing- & account-number data (whether the stores use “e-check” or not).

  13. I am from India. I was under the impression that debit cardholders MUST enter their debit card PINs at retail stores when they pay for their purchases by a card present swipe at a POS terminal. Whereas, credit cardholders just have to sign the charge slip. If this was the practice at Target, then debit cardholders should not worry as POS terminals use secure EPP and the PIN could not have been compromised. Our Central Bank (RBI in India) has mandated PIN for debit cards at retail POS.

    • There are TWO forms of debit in the U.S., commonly known as “signature debit” and “PIN debit”. Signature debit is processed thru the regular Visa & MasterCard credit-card networks (even at stores & websites outside the U.S.), and does *NOT* require a PIN; as the term implies, usually only a signature is required, though not always. (As others have noted, “chip and PIN” is *NOT* used here.) PIN debit is processed thru ATM or ATM-like networks, and normally requires a PIN for purchases — but *NOT* always (Amazon in the U.S. is the biggest offender). ATMs require a PIN for both debit & credit.

      Most U.S. debit cards have Visa logos, with MasterCard the closest competitor; those cards are capable of signature debit. All indications are the hack involved magstripe data (as the CVV1 clarification confirms) captured via store-level hacks (whether at PIN pads or registers); that can be used to make duplicate cards for in-store purchases *without* a PIN, *or* online purchases at stores that do *NOT* require a CVV2 or PIN (like Amazon), worldwide. That is why I’ve suggested replacing ALL such cards that were used at Target between 11/27 & 12/15, even if NO fraudulent transactions have been seen yet.

      Target’s in-house “REDcard” debit cards are a different animal altogether. Like most non-U.S. debit networks (and most but NOT all uses of U.S. PIN debit networks), PINs are mandatory; but unlike usual debit networks, the transaction goes thru a central Target server with bank account numbers that converts it to an ordinary U.S. ACH debit transaction (a process that normally takes 2-3 days, longer if weekends & holidays are involved). Though it’s not 100% certain (U.S. retailers are *NOT* assured of using PIN encryption at store level, though most reports say Target did), so far there are *NO* reliable reports that the attack included any PINs *or* bank account numbers; there are anecdotal reports of fraudulent REDcard debit purchases, but those likely result from bad self-select PIN choices by the users themselves. (It doesn’t appear that the central REDcard ACH database was hacked; *IF* it was, the damage will grow substantially.)

      *IF* the breach is as limited as they say it is, REDcard debit cards with reasonable PINs are as safe as PIN debit in India, but *ONLY* those cards; but that COULD change if either keyed PINs or the ACH database were hacked. (REDcard also has CREDIT cards; like Visa & MasterCard here, those do NOT require a PIN and IMO should be replaced ASAP.)

      • Just to clarify: REDcard debit’s magstripes were compromised just like all other debit & credit cards. *Unlike* all other debit & credit cards used at Target, however, REDcard debit *always* requires a PIN; its magstripe is *NOT* enough to use with illegal duplicate cards without a PIN. Thus, if *both* your PIN *and* the ACH database are secure, those cards are safe even with stolen magstripes. (A PIN breach or guess would open REDcard debit to fraud at Target; only an ACH-database breach would lead to non-Target fraud with those cards.)

  14. Two quick points:

    First, for consumers: Always avoid using your PIN for debit card transactions when you can use it as a credit card. That way the worst case will be having to dispute the transaction with the CC issuer and/or the merchant. Maximum liability is $50 for fraudulent CC transactions. If your PIN is compromised, then it’s possible hackers can create a counterfeit debit card and use your PIN code to withdraw funds from your account in a number of ways. If this happens, you’re at the mercy of your bank to credit the funds back to your account which will likely be more difficult and time consuming than disputing a charge.

    Second, for security geeks: In my opinion, there is a flaw in the Payment Card Industry (PCI) Data Security Standards (DSS). These are the rules that apply to merchants and service providers who process, store, or transmit cardholder data. On the whole the standard is an excellent collection of data security requirements. The flaw I’m referencing is that merchants and service providers are NOT required to encrypt cardholder data transmitted on the “internal network.” Problems can arise if the internal network is compromised and intruders can intercept internal network traffic. I think it’s time the PCI SSC revisit this requirement, especially if we learn this was the attack vector.

    My $.02

    • I won’t address #2 because I’m not an industry insider, but IMO #1 is *NOT* always good advice. First, using debit cards as “credit” (i.e., signature debit) does *NOT* invoke the “$50 rule” for credit cards; it only assures the transaction goes thru Visa or MasterCard and is subject to THEIR “zero liability” policies. (The higher legal limits for delayed reports of debit-card fraud — $500 or, in some cases, unlimited — apply EVEN IF you choose “credit”; those are usually OUTSIDE the “zero liability” policies.)

      Second, though using “credit” protects your PIN at gas pumps (PIN sniffing is common there), so far it does *NOT* appear there was *ANY* PIN sniffing or hacks at Target. Even if the magstripes were hacked at PIN-pad level, so far there are *NO* reports of PIN encryption breaches; gas-station-style PIN sniffing is highly unlikely at Target (where all but the newest card readers use the touch-screen for PINs).

      Most importantly, magstripe-only theft (as occurred at Target) *STILL* leaves Visa & MasterCard debit open to PIN-less fraud using fake cards encoded with the stolen magstripe; though those will likely be eaten by the bank under “zero liability” policies, that STILL depends entirely on the BANK’s graces. That’s why I suggest those cards should be replaced ASAP if used at Target between 11/27 & 12/15. (REDcard debit, though NOT covered by bank “zero liability” policies, is *NOT* open to PIN-less fraud; it’s also easier for Target to eat those transactions without bank involvement.)

  15. Two quick points regarding the payment system breach at Target:

    The first point is for consumers: Always avoid using your PIN code for debit card transactions; use your debit card as a credit card when making purchases. If your PIN is compromised, it’s possible for hackers to create a counterfeit debit card and use your PIN code to withdraw funds from your account in a number of ways. If this happens, you’re at the mercy of your bank to credit the funds back to your account which will likely be more difficult and time consuming than disputing a credit card transaction.

    The second point (or suggestion) is for security geeks: In my opinion, there is a flaw in the Payment Card Industry (PCI) Data Security Standards (DSS). These are the rules that apply to merchants and service providers who process, store, or transmit cardholder data. On the whole the standard is an excellent collection of data security requirements. The flaw I’m referencing is that merchants and service providers are NOT required to encrypt cardholder data transmitted on the “internal network.” Problems can arise if the internal network is compromised and intruders can intercept internal network traffic. I think it’s time the PCI SSC revisit this requirement, especially if we learn this was the attack vector.

    My $.02
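Comments 14 and 15 argue that cleartext cardholder data on the internal network is the exposure, and comment 11 raised memory-scraping POS malware (Dexter, BlackPOS, vSkimmer) as the likely tool. Both scenarios come down to the same fact: magnetic-stripe track data has a rigid, easily recognisable format, so anyone who can read a network segment or a register's process memory can pull it out with a regular expression and a Luhn check. The block below is an added example, not code from the thread or from any of the malware named in it, of that recognition logic used defensively: scan a buffer for ISO 7813 track 1 and track 2 records, keep only PANs that pass Luhn, and report them masked. The "capture" is constructed; the PAN 4111111111111111 is a standard test number, and the second digit string is there to show that a Luhn failure is discarded.

```python
"""Find magnetic-stripe track data in a cleartext buffer (capture or memory dump).

Added example with a constructed sample. Track 1 (format code B) looks like
%B<PAN>^<NAME>^<YYMM><service code><discretionary>? and track 2 like
;<PAN>=<YYMM><service code><discretionary>? ; CVV1 lives in the
discretionary data, which is why a raw dump is enough to clone a card.
"""
import re
from typing import Dict, List

TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """ISO 7812 Luhn check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the usual display rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(data: bytes) -> List[Dict[str, str]]:
    """Return every track 1/2 record whose PAN passes Luhn, with the PAN masked."""
    text = data.decode("latin-1")  # byte-preserving; track data is ASCII
    hits: List[Dict[str, str]] = []
    for track, rx in (("1", TRACK1_RE), ("2", TRACK2_RE)):
        for m in rx.finditer(text):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue  # random digit runs rarely pass Luhn; cuts false positives
            hits.append({
                "track": track,
                "pan": pan,
                "masked": mask_pan(pan),
                "exp": m.group("exp"),
                "svc": m.group("svc"),
                "offset": str(m.start()),
            })
    return hits


# Constructed sample: one cleartext auth message with a valid test PAN on both
# tracks, plus a track-2-shaped string whose PAN fails Luhn and must be ignored.
SAMPLE_CAPTURE = (
    b"POST /auth HTTP/1.1\r\nHost: store-server.example\r\n\r\n"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?"
    b";4111111111111111=251210112345678?"
    b";1234567812345678=251210112345678?"
)


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_CAPTURE):
        print(f"track {hit['track']} @ {hit['offset']}: {hit['masked']} exp {hit['exp']} svc {hit['svc']}")
```

The same few lines of matching are all a memory scraper needs, which is the point of the PCI criticism above: if the data crosses the store LAN or sits in a register's memory unencrypted, the difficulty of stealing it is the difficulty of getting code onto the segment, not of finding the cards. Running this over mirrored traffic or a process dump of a register is also a cheap check of whether your own environment is actually encrypting at the PIN pad.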

  16. Hackers will try to sell this information in bulk on the black market and try to convert it by buying gifts online. This could be a point the investigating agencies will keep in mind, and it can be helpful to catch thieves.

    • According to earlier comments here, the numbers are ALREADY on the black market.

    • Most of the retailers that accept cards without the CVV2/CVC will only ship to the address on the card; of the ones that are a bit more flexible, the majority will only ship within the USA. Which means they’d need people to deal with reshipping and a rather large, pre-prepared and well-recruited ‘workforce’ of dupes at that. There are not THAT many of these that could handle this amount of volume (though sure, there are a lot of people who are willing to be dupes).

      This leaves in-store carding, which also requires a well-prepared ‘workforce’ of trusted people (though gang members and drug users have been quite busy expanding in this arena and reselling on places like eBay, etc), or, preferably probably for many carders, insiders at stores. This is how people often wind up with $1000 USD charged to a card at a gas station or a small shop.

      Large purchases tend to stir up speculation and even though it goes against card issuer policy a lot of stores will request to see ID (eg for electronics), which means someone would also need to have a very good fake ID maker, not just someone capable of pressing very authentic-looking cards (these are not easy in the US — in Asia, perhaps). While looks would not matter if PIN numbers had been captured, and often plain white plastic is used at ATMs (or other cards are rewritten again and again), they would matter if you were in-storing.

      Long story short, most of these dumps (no PINs) will wind up being encoded and used for in-storing, and likely in countries willing to look the other way, if the cards are even accepted in those countries in the first place.

      As for the criminals, they probably had the right idea, from a criminal standpoint, in attempting to offload the dumps via forums and cardershops, because there’s no way they’d be able to use as many cards as were potentially taken — and neither will the people who probably buy them. Their payoff likely is a combination of maybe a few hundred cards and the money they make via selling dumps in bulk.

      If PINs had been taken this would have been an entirely different post and my words of caution would be considerably scaled back. To understand the risk here, you need to understand actual capabilities, not imagined ones. And that’s ignoring issues of economics and supply/demand.

  17. What POS does Target use? Are they using a proprietary solution? Are they integrated with a payment gateway?

    The same code infecting Target could easily be affecting other retailers that haven’t realized it or come forward yet. If it is in fact at the POS level where the breach occurred – and not further downstream at potentially either a data center housing a DEX or third party gateway solution – then other store brands using the same POS systems are also potentially, even likely depending on how the mal-code evaded the outbound firewall rules, compromised.

    • Google answered my own question if the source is to be trusted:

      http://www.expertmarket.us/What-Point-Of-Sale-System-Does-Target-Use

      “Target utilizes its own in-house point of sale system that has been developed by its IT department, Target Technology Services. Each store has its own servers capable of running about 30 registers and these are supported by a third party IT services provider who have technicians trained in Target store procedures.”

      Who wants to bet that Target outsources much of the development of their proprietary POS system overseas?

      • Company likely worst hit by the breach outside of Target the store:

        http://www.targetegysoft.com

        They not only need to update their website out of the 90’s, they need to change their name QUICK!

      • Info about Target Technology services:
        https://corporate.target.com/discover/article/meet-Target-s-Silicon-Valley-team

        “The new office opened last fall. Today, the 15 team members who work there—including commerce technologists, data scientists and product managers—share their findings with teams in Minnesota in order to help to bring new ideas and technologies to life for Target. They’re currently investigating the latest developments in areas such as augmented reality, wearable computing and gamification in order to create even better digital experiences for our guests and rapidly move our multichannel vision forward.”

        Perhaps they may want to spend less resources on augmented reality and “gamification” and more time on the reality that is security…

      • Who wants to bet that Target outsources much of the development of their proprietary POS system overseas?

        If you took that bet you’d be a winner!!!

        http://www.linkedin.com/title/manager+target+technology+services/

        Sarosh Kayomurs Gandhi
        Heading HR for Technology Services (TTS) at Target Corporation India Pvt Ltd

        Bengaluru Area, India | Retail

        • https://target.taleo.net/careersection/tgt_india/jobsearch.ftl?lang=en

          Lots of Sr. Software engineers wanted in India.

          How many do you think are recent openings?

          • Another question needed to be answered:

            From the link mentioned above we have, “Each store has its own servers capable of running about 30 registers and these are supported by a third party IT services provider who have technicians trained in Target store procedures.”

            Who is the third party IT services company? Where are they located and where do they staff?

            Reeks of inside job IMO.

            • Likely not, unless that inside job was by a single person in their outsource firm. We outsource a large part of our support and store support to a different firm in India, and they, as a company, have too much to lose to be involved. Their contracts are worth FAR more than the sale of this data on the black market.

              With regard to the PCI DSS comment, not only is encryption not required on the internal network, but it’s not required on other closed links, such as a p2p or frame from the retailer to the acquirer / bank, so long as that data doesn’t cross the public internet. PCI DSS is a great TOOL for IT to use with the business management to justify security costs, but not much more. As with any other regulation (for lack of a better term) there are plenty of ways to circumvent it and still meet the requirements of an audit.

              • Generally I agree, but it depends on the size of the company…there are estimates that this data will fetch 500m to a billion once fully laundered, so it could be worth it for even a decent size company…

                Hell, I wouldn’t be surprised if we found out some of this was state-sponsored…half a billion can buy a relatively huge amounts of weapons and other disruptive gear for some of the most antagonistic nations on our list…

                Still, though, I’m going with a lone insider who couldn’t resist the opportunity…

                put it past one of our known ebb

                • Heh, disregard that last bit o’ text…or all of it if you wish :)

                  • Do we know who provided Target’s ROC?? I have a contact I can check with, just curious if anyone knew (a quick google didn’t turn it up but granted I didn’t look too hard from my phone – my wife isn’t nearly as fascinated by this as I am so my time is limited at home! Lol)

                    I only ask, because there is a specific firm, that let’s just say has a reputation for giving out ROCs for the right price, and sadly as I discovered at the community meetings, there isn’t a consequence (thus far) to that firm due to some inside connections. A good number of large retailers use them because the overblown cost of the ROC is far less than true compliance.

                    I want to be VERY clear, I am not lodging accusations that Target was compliant in name only, nor do I even have the information to justify such rumors. I AM however very curious to know who signed their ROC both due to the breach as well as the fact that it gives those of us a bad name that spend countless nights losing sleep over truly protecting our customers and those of us that take compliance seriously to advance our security posture with the business.

                    On a separate but related note, a very common discussion I had at the community meetings this year in Vegas was that those of us like those here discussing this don’t have a good place to collaborate and speak openly, trade thoughts, and raise concerns. It’s not realistic for the SSC to provide that forum; we’d all fear speaking openly. I say that to ask this – how many, inside the CC industry (retailers, banks, auditors, etc) would be interested in a place to be able to discuss and talk about this stuff?? I have been mulling the idea of getting together with a few contacts to put together a forum of sorts centered on PCI, CC security, and retail security overall. I would be very interested in the response from others on interest in participating in such a venue, as well as any willing to donate time / resources to jump start it. My goal is in no way financial, I have no interest in trying to run a for-profit site, rather strictly a place for those of us doing this daily to kick around ideas, discuss issues, and basically continue the conversations we have at the meetings over lunch and such…

                    • This is something that should have been done a while ago, in a way, but maybe also should never be done (something looser — one to one encrypted communications based on GPG trust model, perhaps, with an established known network — would provide more security). It would be a matter not just of vetting but also of making sure you did not get a wolf in the henhouse… or a hacker who’d see it as a one-stop-shop. There are also major confidentiality issues that would need to be sorted out as well as likely NDAs if you wanted anybody with the appropriate experience. Not that, as we both know, this prevents people from talking about these things outside of work anyway (it doesn’t; people do).

                    • For some reason I couldn’t reply to your post voksalma, so replying to my own. I agree that we’d need to be careful, but I think we could speak openly in a closed forum. I wouldn’t want people to be required to say who they work for or give details to compromise their own systems, but you can speak in generalities just like we all do in general security forums. I have very few direct contacts in the retail world on the security side, and that’s an issue. We’re one of the few industries where itsec pros don’t trade thoughts and practices. I can openly tell you how we secure our cardholder data environment without posing any risk to it.

                      We just need a better way, as peers, to better our practices.

                    • Let me know if you’d like to take this to email — it is probably more suited to a private discussion.

                    • voksalna,

                      The comments section here is a real pain in the butt! But I digress… I’d love to keep the conversation going, in private if you would prefer. I don’t know if it will work to use the masked email that this site uses, but you can try fd2508b5 -at- opayq -d.o.t.- com

                      If that doesn’t work I can post my email, just would prefer not to have it sitting in this thread.

                    • In the last two years my company has outsourced both QA and development abroad. Our QA is now handled by a firm in the Philippines and all of our UI is developed in India. Just 3 years ago we were an all in house shop in the states. On a few projects we’ve contracted Indian developers to help with certain program interface translators.

                      As a side note, and largely unrelated but worth noting, Indian and US diplomatic relations have soured over the past three or four years. India leadership has expressed deep concern over US and Pakistan relations and fears when the time comes the US will assist in placing the Muslim Brotherhood in power in Pakistan, which India fears will result in a re-escalation in the Kashmir region. Relations have only been exacerbated with the recent anal and vaginal probing of one of India’s royal diplomats on December 12 in the US.

                      As far as motivation, money. It is not unheard of for an outfit, be it private mob enterprise or rogue government, to get a person employed into a targeted business or corrupt an existing employee. A few years ago a company I once worked for actually had to fire an entry level support rep four months after she was hired because it was discovered a relative of her’s was involved with auctioning card data out of the Bahamas. There was no proof or evidence of any kind she ever accessed, or had access, to full card data; but the business couldn’t risk continuing her employment which IMO was the right decision. From what friends that were at the company told me, she was bright and picked up on things quickly, probably within a year or two she would have been moved right up the ladder.

                      Corporate espionage and subversion is real. Even when outside intrusions occur there always exists the possibility that someone on the inside was feeding vulnerability data. Someone making 50k a year with debt up to their ears is capable of making some pretty rash and dumb decisions for a 100k outside contact. Export the work and it becomes even harder to track and ensure you don’t have internal rogue elements diagramming or even programming vulnerabilities for black hats to leverage.

                      The fact that many articles are reporting authorities are investigating this as an inside job, and every POS was affected, leads me to believe that the theft occurred inside an official company software patch that was distributed over the POS system network to prepare for the holidays. This would explain why it went undetected as well; someone trusted within their own ranks delivered a Trojan Horse at a time when change was officially expected.

                      At least that’s the way I see it from the outside looking in and having worked at every level in the POS and payments industry for the last 10 years.

                    • Limited nesting in comments. I actually greatly appreciate that Brian Krebs does not ban anonymous commenting or I’d probably never post here (that is not a hint Brian! hehe) since I generally hate registering anywhere. Tradeoff.

                      I will send you an email sometime this week. I assume you are having your Christmas around now, so enjoy your holiday. :)

                    • It’s retail, there is no such thing as enjoying our holiday! 😉 Actually I am in the office half the day today, and out tomorrow. I will be in on Thurs and Fri – I look forward to hearing from you – my head is ready to explode reading some of the other news stories and their so called experts!! :)

  18. IIRC, there was an article published in 2600 Magazine a few years ago about how abysmal Target’s network security was at that time. As I recall, their WIFI connections and network passwords were so badly managed that one could sit in a car in the parking lot and pick off CC info from register transactions without much trouble. I’m wondering if they had gotten the message at that time, or just went on oblivious with business as usual. Companies do not like to hear about their own security weaknesses and generally prefer to shoot the messenger. How long before they realize that’s a strategy that doesn’t seem to work all that well?

    • Artemis Wolfenbarker

      If that’s true, I doubt any QSA would have given them a ROC.

      • Artemis is correct. In order to meet PCI compliance, a merchant the size of Target Inc. has to undergo routine audits as well as system scans, both by a third party. A problem that obvious would’ve been caught very, very quickly.

    • That’s from 2007. The big PCI-DSS compliance pushes came in ’08-’09, and it’s already the end of 2013. Again, as noted above, Level 1 audit and scan requirements would’ve found that and prevented compliance verification, and at that point none of the card brands or payment processors would’ve trusted them until things got fixed. The mere fact that Visa, MasterCard, Discover, and I presume AmEx can be used in their stores demonstrates right there that the old problem is gone.

      Plus, the claim is trivially testable. The background to the 2600 claim was that in ’07, the Target networks used WEP. Even if that was true then, walking into a current Target with a smartphone or tablet running Wireshark would reveal if that was still the case or not, and last time *I* was in my local Target with my phone I don’t recall seeing any networks like that.

  19. It’s the White House paying for our new healthcare system

  20. Brian-
    I believe the breach is far worse for customers who used a Target Red Card. Target’s practice is to have customers apply for the card with the clerk at Target’s checkout. The customer is asked to give his/her Social Security number to the clerk in front of other customers. The clerk then enters the SSN into the POS system. I have refused to participate in this highly dangerous practice. The Red Card and its 5% discount was never so important to me that I would allow clerks and bystanders to have this information or to take the chance that Target would store it in unsafe places like the magnetic stripe, or just into a system that could be accessed by thousands of employees.

    • Actually, the Red Card holders are probably best off.

      First of all, the SSN is not transmitted when you are doing a purchase. Even if you enter the SSN when you apply for a card the hackers were likely not sniffing for that data. The haul of credit card numbers is going to yield something in the neighborhood of a half-billion to a billion, no need to waste time with data that isn’t nearly as valuable and can’t exploit nearly as quickly.

      Secondly, many banks aren’t even getting communication yet on which cards are compromised. Target knew far more quickly which of their REDcards were compromised, and are likely already in the process of rectifying. I’ve got to think that all of those card numbers are now blacklisted for purchases at Target, the only place you can use the card.

      If they stole your Debit card data, that’s the thing likely most dangerous. That can be used anywhere, the banks are playing catch up on cancelling.

  21. PCI was created as a self regulation program by industry, it seems, to avoid implementing a more secure chip and pin system as used in Europe.

    As others have written, in the early days of card fraud, the costs of implementing a new CC system were seen to be far higher than managing the risk through insurance.

    At this point, I have to wonder why the government doesn’t mandate a chip and pin (or similar) system.

    http://en.wikipedia.org/wiki/Chip_and_PIN

    No it would not solve the compromise of a central database, but I suspect it would eliminate the issue with POS systems.

    • Well, the real strength of chip and pin is that it will make cloning extremely difficult. Not completely impossible, but it throws a whale of a roadblock in its way, a big enough one to where it’s a practical impossibility for most. That’s why I’m for it. I don’t know why the card industry just swallows the billions in losses from fraud, but there’s one thing right there that’ll help reduce the loss, and they won’t do it. It’s maddening.

      • Exactly!

        At the RSA convention in 2012 I asked a gentleman from a large card brand in London what he thought. His comment: “It cut down fraud by 90%. We don’t understand why you are not implementing this…”

        • The incentive to US bankers is only so their Europe traveling customers can operate smoothly when traveling there. The US infrastructure is huge compared to tiny little EU, and there are cheaper technologies that work just as well and maybe better. The chip in the Chip and pin cards is not that hard to static snap reprogram; I’ve done it with sound devices using the same technology. Not much different than an EEPROM. This doesn’t give me much confidence in something so expensive to implement over here. Better to submit to cheaper alternatives and let VISA continue their slow campaign to absorb the costs of conversion.

          • Well, it’s fair enough to point out vulnerabilities. And I agree that if there are cheaper solutions they should be used. There’s nothing holy about chip and pin.

            But my own point is nothing is implemented now. I was only pointing out chip-n-pin because it currently exists. If there are cheaper protection technologies on the horizon that provide the same level of security, then sure, I’m fine with choosing something else. But it has to be something, because the current paradigm is just putting money into criminal’s pockets.

            • FYI, the PCI Council, as of Sept when the meetings were held, is 100% behind chip tech. As it currently sits, the hold up on deployment is regulation in congress, and hardware and software standards. IMO, there is no way the goal of 2 years will be met. I don’t expect it here in the US as a true standard before 2020, I hope I am wrong, but given that the financial industry and the govt are playing point the finger, I don’t expect good results.

        • Retailers are weighing the cost of implementing versus just paying the cost of the fraud once they own the liability…up until now, the math for many of them was unconvincing…

          They are also hoping that as all the other major nations convert, that the fraud won’t just shift to the US…

          And they have reason for hope, some studies suggest that as EMV shuts down one avenue of fraud for a given country, that country’s crooks migrate fraud mostly online instead of another country…

          However, that was before it was proven that you could intercept an entire 1800 site chain’s payment traffic for three whole weeks…

          Crime shifts to where the best opportunity lies…so now all the carders know that a Target-style attack is easily the best opportunity…

          Target likely wasn’t highly irresponsible, I wager what happened there will be the first of many now that it’s been proven out…

          • My position is that Chip ‘N Pin is so expensive, and cheaper solutions exist. I feel the there are two solutions that when used together are superior, as follows:

            1. Magneprint – http://www.magneprint.com/how-magneprint-works.html

            2. Passwindow – http://passwindow.com/

            Look at it and see what you think; but if I were the credit industry, that is what I’d want, because it is cheaper, and the tech has been vetted on several security forums, with good arguments from all sides. It would still mean changing the POS swiper slightly, but I feel still way cheaper’n Chip ‘N Pin, and just as hard to crack. Also both are about as infinitely scalable for very little infrastructure costs.

            Industrial espionage has affected the developers of these technologies, so I figure they must have something, or the world’s crooks would not be after it like flies on dung!!!! I’ve held off commenting on this as long as I can stand; but I just can’t keep quiet anymore!! >:(

  22. The problem is not Target’s, it is the credit card issuers that refuse to update the credit cards with smart chips. This mentality is killing U.S. innovation: we have the slowest internet speeds, archaic railways and highways, and credit card technology that dates back to the 60’s, and to make matters worse we get fleeced by paying premium prices for this outdated garbage. For those anti-regulators and anti government folks out there, this is what corporate self regulation gets you: an overpriced stock market and crappy technology!!!

    • There are cheaper alternatives that work just as well, so we would be better off converting to those until VISA can get the whole continent converted to Chip n’Pin. Besides I’ve reprogrammed the same chips they use in that tech very easily, what will keep the crooks from simply doing the same thing with fake card centers, just like the ones Brian has written about in the past?

      Can the encryption in Chip N’ Pin be copied, or does it have a self destruct algorithm like tunneling data packet protocol technology in telecommunications?

      • The main thing is Chip and Pin works much better than what we have now.
        I am arguing that we have at last reached the point where the cost of retooling with a more secure system is clearly lower than the cost of the PCI compliance effort itself.

        An educated person can reprogram a chip, but it is hard to compromise a chip in the POS transaction – which is the point after all.

        • Bingo!

          The Target breach dramatically shifts the risk equation to the other side…

          EMV is an ugly answer, but all of a sudden the problem it solves just got a whole lot more critical…

          You’re going to see budgets shift harder to EMV, likely slowing down momentum of alternative payments a bit…
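The point argued in the two threads above (a chip can be reprogrammed, yet it is hard to clone a chip transaction, whereas magnetic-stripe track data is static and copies cleanly) can be shown with a toy model. This is an added example, not code from the page, from EMV, or from any card brand: the issuer host, the `ChipCard` class, the HMAC stand-in for EMV’s application cryptogram and the sample card numbers are all constructed for illustration.

```python
"""Toy model: static stripe data vs. a per-transaction chip cryptogram.

Constructed example. Real EMV uses 3DES/AES session keys and an ARQC;
HMAC-SHA256 stands in for that here so the idea is visible in a few lines.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ChipCard:
    """Hypothetical chip: a secret key that never leaves the card plus an
    application transaction counter (ATC) that increments on every use."""
    pan: str
    key: bytes
    atc: int = 0

    def generate_cryptogram(self, unpredictable_number: bytes, amount_cents: int):
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{unpredictable_number.hex()}|{amount_cents}".encode()
        return self.atc, hmac.new(self.key, msg, hashlib.sha256).digest()


class Issuer:
    """Hypothetical issuer host that authorizes both kinds of transaction."""

    def __init__(self):
        self.chip_keys = {}       # pan -> key shared only with that chip
        self.last_atc = {}        # pan -> highest ATC accepted so far
        self.stripe_cards = set() # the static track-2 strings we issued

    def issue_stripe(self, pan: str, expiry: str, service_code: str) -> str:
        track2 = f"{pan}={expiry}{service_code}"   # fixed for the card's life
        self.stripe_cards.add(track2)
        return track2

    def issue_chip(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self.chip_keys[pan] = key
        self.last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize_stripe(self, track2: str, amount_cents: int) -> bool:
        # Static data: the host cannot distinguish the original card from a
        # copy of its track data, so a clone authorizes just like the original.
        return track2 in self.stripe_cards

    def authorize_chip(self, pan, atc, unpredictable_number, amount_cents, cryptogram) -> bool:
        key = self.chip_keys.get(pan)
        if key is None:
            return False
        if atc <= self.last_atc[pan]:
            return False  # counter did not advance: replay or stale record
        msg = f"{pan}|{atc}|{unpredictable_number.hex()}|{amount_cents}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False  # terminal nonce or amount differ from what the chip signed
        self.last_atc[pan] = atc
        return True


def demo() -> dict:
    """Run both scenarios and return the authorization outcomes."""
    issuer = Issuer()

    # Constructed stripe card: a captured copy of the track is the same string.
    track = issuer.issue_stripe("4111111111111111", "2512", "101")
    captured_copy = str(track)
    stripe_original = issuer.authorize_stripe(track, 1999)
    stripe_clone = issuer.authorize_stripe(captured_copy, 4999)

    # Constructed chip card: the genuine transaction passes, replays do not.
    card = issuer.issue_chip("4111111111111112")
    terminal_nonce = secrets.token_bytes(4)
    atc, cryptogram = card.generate_cryptogram(terminal_nonce, 1999)
    chip_genuine = issuer.authorize_chip(card.pan, atc, terminal_nonce, 1999, cryptogram)
    chip_replay_same = issuer.authorize_chip(card.pan, atc, terminal_nonce, 1999, cryptogram)
    chip_replay_new_nonce = issuer.authorize_chip(
        card.pan, atc + 1, secrets.token_bytes(4), 1999, cryptogram)

    return {
        "stripe_original": stripe_original,
        "stripe_clone": stripe_clone,
        "chip_genuine": chip_genuine,
        "chip_replay_same": chip_replay_same,
        "chip_replay_new_nonce": chip_replay_new_nonce,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'authorized' if ok else 'declined'}")
```

The stripe side authorizes the copy because there is nothing in the data that ties it to one physical card or one transaction; the chip side declines both replays because the issuer checks a counter that only moves forward and a MAC bound to the terminal’s fresh nonce. Reprogramming a chip does not help without the per-card key, which is the distinction the comment at “hard to compromise a chip in the POS transaction” is drawing.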

  23. apologies if I am asking already answered questions…

    As consumers, we reasonably expect security of our data we share, especially from a major retailer.

    QUESTION 1 –
    Regardless of how the data was taken from Target – don’t they have some sort of obligation to us?

    It seems logical to me that if your card info was stolen from target, then target should be liable for your losses incurred.

    QUESTION 2 –
    Who ultimately absorbs these costs? Target? The bank that issued the card? The consumer?

    My debit card info was stolen last week. Well, used last week. I noticed the fraudulent charge right away (a 10.00 charge from zappos.com where I’ve never shopped) and cancelled my debit card immediately. I then closed my PayPal account as it was tied directly to my checking account. I have no idea where my data was stolen, but I imagine my card data would have been sold from the bargain-bin clearance section LOL. I don’t have much to steal…

    • Target will not get fined if they prove passing ROC and show continuing due-diligence (a soc2/type2 ROC would suffice). The banks are the ones who hold the $$, banks are insured.

      • A punitive fine by the card brands is possible if there is clear evidence that compliance was not maintained. I don’t see how Target could be compliant at the point of breach… solely from the assumption that the hackers were able to somehow transmit the data outbound through Target’s firewalls. That is a failure of basic PCI compliance, regardless of the conditions surrounding the malware attack vector. We will likely never know the full story on this.

        The bigger issue is not fines but compensation to issuers for financial losses. Any fine would be a drop in the bucket compared to the settlement of liability for losses.

      • A fine is not the same as settlement for losses incurred by issuers and cardholders. Unless Target is somehow blameless this will probably cost them $50m or more. Fines are academic. Visa and other card brands will force a settlement between Target and the damaged parties.

      • I would actually be surprised if a company like Target actually had a PCI Compliance issue…

        Just being PCI Compliant doesn’t guarantee that you won’t be successfully attacked. That’s a big misconception that lulls retailers into a false sense of security.

        Target is going to pay, that’s for sure…but several analysts have said they appeared to have checked all the boxes retailers are supposed to check.

        Which is why I’m becoming more and more convinced that it was internal sabotage…I’m sure they even had fairly reasonable measures for that, but a very determined individual is hard to defend against, especially if it’s internal.

  24. The point of sale and payment systems are very vulnerable because they use old magnetic stripe technology which is insecure by design. For more details see my new book — Hacking Point of Sale — which is going to be published in February by Wiley.

    • Thanks for the link, it’s an interesting case. Holding site administrators accountable for the activities occurring on their site sets a huge precedent.

      I noticed in Count One, Charge 10 that the narcotics list did not include cannabis – only heroin cocaine and LSD. We all know cannabis too was readily available on Silk Road. I wonder why they omitted it… maybe The Man is finally realizing fighting weed is a hopeless endeavour.

      • Probably an issue of felony versus non-felony quantities being vastly lower for pharmaceuticals and ‘hard drugs’. I doubt huge quantities of marijuana would have been moved heavily through SR, and the laws vary too much from place to place anyway. It’s fairly irrelevant if they mostly are just looking to put the moderators away for a decade or two (not to mention becoming informants and/or pleading the charges down). There’s probably more indictments coming anyway (perhaps even superseding ones as things continue).

  25. Great article Mr. Krebs and the comments are pretty good also.

  26. From what I’ve read so far in the comments it would seem to indicate that data from the POS terminals to the in-store servers is not secured, so that if someone could collect the information at the servers and remove it, then they could pretty much not deal with all the encryption involved in transmitting the data out of the store?

    I have heard in the past that overseas organized crime groups have computer experts on their payrolls (due to good education but poor job opportunity) who are just as good as the security experts on the legit side, any comments on that?

    I did like the info that banks are trolling the illegal sites and buying back their cards, sounds like cyber kidnapping.

    • Data at rest encrypted is only safe from someone stealing the disks, etc. Systems run processes that are authorized to fetch and decrypt the data, thus manipulating the process or infecting the process can still get the clear text data; encryption is useless in this regard. Also, on internal networks, PCI SSC (DSS) doesn’t require encryption for data in motion. My guess though, if Target has card data on disk then it is on an EFS or encrypted SAN, or using Decru, etc.

  27. If all Americans abandoned their cards and instead used cash only – stupid bank fees and credit interest rates, gone. no more costing us money to spend money. identity theft, gone. Credit score based on unsecured debt only. We need to get off this credit card crack pipe we’ve been sucking on for far too long.

    Target POS system and application development brought to you by India,

    Target – India: Information Technology

    https://corporate.target.com/india/career…/information-technology.html

    Find a successful and rewarding career in Information Technology. … Develop systems and applications for Target Stores, Point of Service (POS), Target …

  28. here, the fraud market at work, or should i say partially busted
    http://nypost.com/2013/12/20/ny-apple-thefts-eyed-in-targets-nationwide-credit-breach/

    • I thought that article was very funny…

      As if the NY cops are hoping they might have arrested guys who are actually more involved in the Target breach than your average Carder that has purchased Target card data this week.

      If someone is buying card data this week, they’re likely using it this week…and if they’re buying it this week, I’ve got to think they’re buying it specifically from the Target breach because it has a reputation of having such a high rate of the card numbers still being valid.

      I know we’ve all been following this story, but I keep running into people that say “whoa, really?” when I ask them if they’ve heard about it. And Krebs’ article seems to confirm that the banks aren’t necessarily getting complete information on a timely basis either.