January 10, 2014

Responding to inquiries about a possible data breach involving customer credit and debit card information, upscale retailer Neiman Marcus acknowledged today that it is working with the U.S. Secret Service to investigate a hacker break-in that has exposed an unknown number of customer cards.

Earlier this week, I began hearing from sources in the financial industry about an increasing number of fraudulent credit and debit card charges that were being traced to cards that had been very recently used at brick-and-mortar stores run by the Dallas, Texas-based high-end retail chain. Sources said that while it appears the fraud on those stolen cards was perpetrated at a variety of other stores, the common point of purchase among the compromised cards was Neiman Marcus.

Today, I reached out to Neiman Marcus and received confirmation that the company is in fact investigating a breach that was uncovered in mid-December.

Neiman Marcus spokesperson Ginger Reeder said the company does not yet know the cause, size or duration of the breach, noting that these are details being sought by a third-party forensics firm which has yet to complete its investigation. But she said there is no evidence that shoppers who purchased from the company’s online stores were affected by this breach.

The entirety of the company’s formal statement is as follows:

“Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.

We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security.

The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.”

The disclosure comes as many in the retail sector are seeking more information about the causes of the breach at nationwide retail giant Target, which extended from around Thanksgiving 2013 to Dec. 15, and affected some 40 million customer debit and credit cards.

Target released additional details about the breach today, saying hackers also compromised the names, mailing addresses, phone numbers and email addresses for up to 70 million individuals. But Target has so far not publicly released information that would help other retailers determine whether their systems may have been hit by the same attackers.

Neiman Marcus’s Reeder said the company has no indication at this time that the breach at its stores is in any way related to the Target attack. Still, the timing of the discovery of the Neiman Marcus incident — mid-December — roughly corresponds to the discovery of the Target breach. I will have more on this developing story if additional details become available.


126 thoughts on “Hackers Steal Card Data from Neiman Marcus”

  1. Anon999

    Great work once again..
    Why do retailers wait until receiving a call from Krebs to come clean with data breach investigations? Is there not a responsibility to disclose credit card data breaches, as with loss of personal data?

    1. saucymugwump

      “Why do retailers wait until receiving a call from Krebs to come clean with data breach investigations? Is there not a responsibility to disclose credit card data breaches, as with loss of personal data?”

      It’s not that simple.

      First, the stores are not cowering in their boots waiting until Brian calls. Brian has contacts which the unwashed masses do not possess (as do all reporters).

      Second, there are huge liability concerns. The shysters and bean-counters are arguing over the costs and eventual lawsuits. Management wants to ensure that it does not make the situation worse.

      Third, there is an ongoing criminal case. Criminal investigations do not proceed as quickly as they do on TV. There are possible insiders involved and the laws affecting U.S. citizens are very different than those affecting people working in India, where Target has many IT employees. Target is working with the Secret Service and the FBI and those agencies may wish certain details to not be shared.

      Fourth, there is no law requiring companies to disclose penetrations in a timely manner.

      Fifth, corporate management knows that it is highly unlikely any of them will be personally liable for the company’s actions, so there is no motivation for them to act quickly.

      Sixth, these companies may not completely understand the situation yet.

      Seventh, since it is virtually certain that Russians in Eastern Europe or Russia are involved, the fact that Putin has dedicated his entire country’s military and police forces to the Sochi Olympics may be slowing their response time considerably, if they even respond at all.

        1. anon

          But in order to notify, they have to know what data was taken…

          1. MikeW

            Take Virginia’s law for example (VA CODE 18.2-186.6): Businesses are required to notify customers if they believe a breach has occurred and what information they know was accessed. NM clearly knows CC numbers were accessed. They can delay that notification ONLY if law enforcement has told them that notification would impede an investigation. Did that happen? We’ll find out.

            If not, then they can’t extend their “investigation” indefinitely until they’re absolutely certain they have complete knowledge of the breach. If that were the case, all retailers would ‘investigate’ for years and then notify customers years later: “Oh yeah, we had a data breach back in 2012, we just got done investigating it... Oh, and, all your data was stolen.” They could also wait until after earnings reports were issued and ‘notify’ during a holiday or some other tactic.

            In VA, also note that businesses have an obligation to notify “major statewide media” and the Attorney General “without unreasonable delay” in addition to customers.

            Failure to do so can result in a $150,000 penalty per breach.

            1. JCitizen

              These are the best posts I’ve seen yet! I bet many a junior GEE man in the executive departments of these corporations are having many sleepless nights trying to figure out how the regs pan out. Like I inferred on an earlier KOS article, we need a comprehensive law on how to handle this. I don’t generally like any Federal intrusion on states’ business, but this clearly transcends all state, and in fact world, boundaries. Our legislatures better be warming up their tablets for a round of new regs! UGG!

              1. saucymugwump

                @JCitizen “I don’t generally like any Federal intrusion on states’ business, but this clearly transcends all state, and in fact world, boundaries.”

                This is not the business of the states, as the Constitution, Article I, Section 8, declares:

                “The Congress shall have Power To lay and collect Taxes, Duties, Imposts and Excises, to pay the Debts and provide for the common Defence and general Welfare of the United States; but all Duties, Imposts and Excises shall be uniform throughout the United States;

                To borrow Money on the credit of the United States;

                To regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes;

                To establish an uniform Rule of Naturalization, and uniform Laws on the subject of Bankruptcies throughout the United States;

                To coin Money, regulate the Value thereof, and of foreign Coin, and fix the Standard of Weights and Measures;

                To provide for the Punishment of counterfeiting the Securities and current Coin of the United States;

                To establish Post Offices and post Roads;

                To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries;

                To constitute Tribunals inferior to the supreme Court;

                To define and punish Piracies and Felonies committed on the high Seas, and Offences against the Law of Nations;”

                Sentences three and ten clearly state that credit cards are under the control of the federal government. And sentences five, six, and ten clearly state that alternative currencies like Bitcoin are under the control of the federal government.

                http://www.archives.gov/exhibits/charters/constitution_transcript.html

                1. JCitizen

                  Kinda like I just said, except I didn’t quote the articles. Always good to read though.

                  Of course this could end up a worldwide issue, so discussions at the next G-20 conference would probably start the ball rolling. It just seems that reporting a problem, even if it isn’t yet defined, should have happened earlier. And a law with teeth in it should enforce that, even if they don’t have all the facts in. The earlier the customers receive some kind of caution, or early warning, the better. The companies involved did a miserable job of this.

                  In fact, I’m not so sure the newly formed Consumer Financial Protection Bureau couldn’t have a hand in this, and Richard Cordray is kind of like a junk yard dog. He won’t be amused or intimidated by excuses made by the big players in this disaster. There again, I’m usually not a fan of interference in a free economy, but I feel a limit was crossed here.

            2. Linda Foley

              The problem is that there are different requirements for each state, in other words you need to find the most stringent state law in terms of reporting a national breach. That is why we need a strict fed law that ALSO INCLUDES PAPER BREACHES. Few states include paper breaches but look at most small breaches of med offices, retailers and others that have thousands of job applications, medical records and such in paper format. Dumpster divers love those.

            3. Anon

              The problem with notification laws and credit is that vendors do not, for in-store purchases, have customer contact information. Only the processors, card labels, and debit banks have this information. It’s different for online orders, since you normally get an email and mailing address, but this does not appear to be the case with Target.

              1. cobal

                That depends... there’s a lot of speculation that the hackers breached Target’s loyalty database. If true, then Target had cross-reference info for every customer who was a member, and that would’ve included name, address, e-mail address, etc. etc. linked to a particular Target private label or co-branded credit card #.

        2. saucymugwump

          I was actually referring to a non-existent federal law. I should have said so explicitly.

          But even the state laws have loopholes large enough to drive a cyber-truck through.

          As Wikipedia states, “In addition the law permits delayed notification ‘if a law enforcement agency determines that it would impede a criminal investigation.’” This might be the case here, as Target has not released any specifics.

          And then we have weasel-words. The Wikipedia page included a link to a law firm’s summary of the state laws (URL below). All but one of the laws allow for lots of wiggle room: “without unreasonable delay,” “as soon as possible,” “as soon as reasonably practicable,” and “as quickly as possible.” I assure you, there have been entire court cases arguing over the definition of the word “reasonable.” The word carries a lot of legal baggage.

          Only two, Ohio and Wisconsin, state a time-frame: “not later than 45 days” and “not to exceed 45 days.” Quite a long time, yes?

          Only one, Connecticut, mandates that notice be given “immediately.” That said, given that most credit card companies do business in Connecticut, they might be required to give notice immediately, but maybe only customers living in Connecticut would be able to sue for non-compliance.

          http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf

          1. Bruce Hobbs

            You are correct; we don’t know how useful the state laws are. Actually, the banks processing credit cards seem to be the ones handling the notifications, according to the comments on this blog.

  2. SR

    There almost always is, but it depends on the rules of the Attorney General for the state the company is in. In this case the breach was confirmed to them 8 business days ago so they’re probably still within guidelines for customer notification. The part that concerns me more is that they’re three weeks into the investigation and still don’t have a handle on the size of the breach.

  3. SR

    And yes, as someone who does payment card security for a brick and mortar retailer, “Brian Krebs” is a name I never ever want to see flash across my Caller ID. 😉 Seriously though, great work BK.

  4. TheOreganoRouter.onion

    Not again, this is getting totally ridiculous. These stores need to better protect their P.O.S. systems.

        1. TheOreganoRouter.onion

          L.O.L. The negative comments on Target’s Facebook page clearly show how pissed off customers really are.

          T.O.R.
          ——–
          Target’s Outraged Rebellion

          1. Serena

            Some customers are outraged. But the business at my local Target appears unchanged.

    1. Tris

      Well, it is not always that simple. There are plenty of us who work day and night to protect our clients’ data. Sadly we are outnumbered greatly and they only have to be right once. Add to that, we have to protect our systems from our internal employees who wish to try exploits and clueless idiots that fall victim to phishing attacks and use the same password everywhere.

      And on top of that we have vendors that program so poorly that their software requires admin access to a POS terminal OS.

  5. Vikas

    Having served a number of retailers, yes you can call me BK, the upper echelons only really care about keeping the regulators, in their case PCI-DSS, off their backs.

    Retail, similar to healthcare, is about to fall and fall hard ’cause they’ve been left exposed by middle management who either don’t know, or don’t care.

  6. Scott

    Brian, do you think this was some coordinated attack by a group? Again, thank you so much for all your work!!!
    Scott

  7. Tony Zarro

    As the Target breach proved, we are now living in a world where an attacker can pull off a heist of data representing a large retailer’s entire POS install base.

    Still not sure how, but the attackers know and are going to use this as a template over and over and over again.

    Regardless of how many large retailers figure out how to prevent it, there are going to be tons of medium-to-large sized retailers that will still be vulnerable for years, better get used to this.

  8. Anonymous

    Why are the Secret Service helping this retail outlet? I’d have thought this would have been more up the FBI’s street?

    1. Clyde Tolson

      Agreed. Only the Federal Bureau of Investigation ever makes arrests in these cases. Gonzalez was a long time ago and was an informant. Shameful.

  9. Anonymous

    My credit card information was taken at the Levi’s outlet in Florida City, FL this Christmas. It would be nice if someone looked into that one to see how many others were affected.

  10. Otto

    Quote from NM released statement:

    “On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. ”

    Cyber security is all about keeping your data safe from unauthorized access, be that documents, company secrets, payment card data, etc. Maybe Neiman Marcus should’ve had cyber security intrude into their payment processing system to prevent exposing their customers’ payment card data.

    They should call this event a data breach, payment processing system exposed/compromised, hacked, etc. Don’t try to make up a new, “politically correct” definition that suggests excusing your negligence in advance...

  11. JimV

    Well, they definitely earned the old cynical moniker of “Needless Markup” with this episode….

  12. Effie T

    The penalties are too lenient. Hacking like this should be a felony. The jail term should be 20 to 35 years. No access to the internet during the jail term. That works for the rest of us who have been raped by these creeps.

    1. John Smith

      Under the Computer Fraud and Abuse Act (CFAA) it is in fact a felony to access a computer without authorization if the damage is greater than $5k. The problem of course is that these guys are generally in Eastern Europe or somewhere out of jurisdiction. Law enforcement will try to lure them to Cyprus or Turkey for apprehension but they are onto this trick now.

  13. crystal

    I’m willing to bet that this is Snowden’s stolen metadata back door. Snowden supporters will scream that he is helping, but he is a thief, liar and economic terrorist. I’m willing to wait it out; they may never tell the truth, but he sold that data to China and then to the Russians, and you all know what that means. He should never be allowed to leave that country, ever. It was Paul supporters who don’t like the USA, don’t fool yourself. Let’s just wait and see, shall we. I’ll be the first to admit that I’m wrong.

  14. George G

    Never mind laws about disclosing break-ins.

    The first rule of damage control is to communicate immediately and communicate everything that you know.
    Losing consumer confidence is likely to cause more damage than enforcement of a law with which a lawyer can find fault.

    1. JCitizen

      Good point – we’ve got too many laws on the books as it is. This consumer’s confidence is definitely broken!

  15. Burt

    Does anybody know if Target and Neiman Marcus process their own EFT or if they have outsourced the entire process? And if outsourced, to whom?

  16. saucymugwump

    I assume you are referring to Electronic Funds Transfer, not Emotional Freedom Techniques.

    Only a Target insider could definitively answer that question. That said, go to Target’s jobs website and search for “software architect” and you will discover that most of the job openings are for Karnataka, Bangalore, India.

  17. Mike Hayes

    I wonder why the retailers need the information about passwords… and why they need to retain data about a purchase once payment has been received…

  18. Mr Guppy

    C’mon everybody…let’s be honest. The idea of a secure website or security in cyberspace is the modern unicorn. It has never existed and it will never exist. We should all adapt to this reality.

    1. Bruce Hobbs

      Only if you live in a Microsoft world. If you live in a Linux, Unix, Power Systems or Macintosh world, complete security is much easier to achieve.

      1. Patrick O'Connor

        “Only if you live in a Microsoft world. If you live in a Linux, Unix, Power Systems or Macintosh world, complete security is much easier to achieve.”

        Oh absolutely, and if you have a few minutes I have a really nice bridge you might be interested in buying….

        1. thehumandefense

          I agree with Mr. Grumpy, not just because I think your name is awesome, but again, security is not a technical solution, it’s a human resolution. We must, need to, maybe even have to start thinking of cyber space in the same light as traditional crime. It can happen anywhere, at just about any given time. In fact it is even worse, because the volume at which these crimes can be committed is truly astounding.

          If you start telling people that Mac, Linux and other technologies are a silver bullet, then you will be firing blanks. I work with guys who can crack a Mac, all they need is malware written to crack a Mac. How do they get that???? They write it!
          Have you ever sat and watched someone crack a Linux box once they figured out how? Yes! Make no mistake, there is nothing uncrackable.

          Now, on the other hand, a Linux box takes a lot of time and effort, so that puts you at less risk. Attackers are looking for the quickest ROI. If it’s gonna take twice as long and the attacker’s goal is a financial heist, well this just won’t do. However, if their objective is espionage or a nation state break in, well then everything and everyone is fair game.

          If I carry a gun, does that protect me? Or defend me? If I have a bulletproof vest, does this protect me? Or just some of my vital organs, as long as they don’t aim at my head? If I sit in an armored car, will I be 100% protected? Or will an armor-piercing round or a rocket rid me of my protected feeling?
          I think you get my point.

          As we train employees and people to be aware of how these attacks work, and how to create some simple defenses that will mitigate the risk, we cannot continue to tell them that technology will save them. This is misguided advice.

          By the way, the smart card has already been cracked in Europe. I watched a demo of how to skim a smart card 5 years ago. Having been in the white hat side of the credit card fraud arena for years, I can tell you that the bad guys will always figure out how to get to the money. That’s their job, they will be up to the challenge and I have watched it only grow. I remember that software vendors in 2002 had developed new software used today. That software would learn card holder behavior and alert to fraud. I remember at least 4 of them telling us “credit card fraud will be all but extinct in the next 10 years with this software”! REALLY!!!!
          It has only progressively become one of the most profitable crimes on the planet.
          Now you will find that traditional criminals are moving into the cyber world. For example, recent arrests made in the LA area and in the Southwest. Gangs, like the Bloods, and other large rivals, are actually using hackers for hire to teach them how to hack, and in some cases are paying them to build malware. Then they are breaking into institutions to steal money.

          76% of all network intrusions were due to weak or stolen credentials. NEED I SAY MORE?

          92% of all network intrusions were committed by outsiders. The insider threat only made up for 14% of the intrusions.

          Source: Verizon DBIR 2013 on 2012 stats. This report is based on only forensic data from intrusions and breaches. Not surveyed data. Over 18 U.S. and International Agencies in 27 countries.

          These intrusions were made by simply asking people to provide their credentials, how??? Spear phishing attacks where an email address was spoofed and someone had their own trust used against them. However, if you look at these tactics, there is almost always a red flag that you can teach people to look for and keep them safe.

          PLEASE, LET’S START TALKING TO PEOPLE ABOUT USING THE BEST COMPUTER ON THE PLANET, THEIR BRAINS, AND THEN USE TECHNOLOGY TO HELP US.

          TECHNOLOGY WAS BUILT TO SERVE THE BETTER GOOD OF HUMANS, NOT THE OTHER WAY AROUND…………..

          The Human Defense

          1. JCitizen

            Good post thd! One of my clients got totally pwned on his Mac Air, and he is a security expert! Unix (Linux) is an old target – my 1st virus event was in 1989 on a floppy from Ft. Lee; it blew our Unix system away! Linux is newer, but several items in the news recently have found even a thousand eyes don’t find everything.

            The kind of crackers that are in this world can always find a chink in the armor of any OS, but as you infer, the user is usually the easiest target.

  19. AlphaCentauri

    I suspect that these are just two of many breaches. But identifying others becomes increasingly difficult.

    The Target breach was discovered by a bank that bought back its own customers’ card numbers on a blackhat forum and identified the common source. (Sort of like interviewing the victims of a food poisoning outbreak to find out what they all ate and didn’t eat.)

    If the bank continued to investigate with subsequent buys and found card numbers that had not been used at a Target, it might become obvious those had been used at NM. Since NM shoppers are not so likely to be Target shoppers, looking solely at the cards that had not been used at Target would still show the NM common source.

    But just to pull a name out of the air, suppose there was a breach at Macy’s? Because of a series of consolidations, that chain is serving a very broad clientele. A card used at NM or a card used at Target has a high chance of having been used at a Macy’s too. There is a much smaller pool of cards that would have been used at Macy’s but not at a store that was already known to have been breached, and it’s sheer luck if one of them is in a block of purchased stolen numbers. And for smaller retailers, it becomes even less likely a breach would be discovered by tracing the purchases made by cards whose numbers ended up for sale.

    Until the Secret Service releases information about the method by which Target and NM were breached, other retailers with similar problems will remain in the dark.
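The common-point-of-purchase reasoning in the comment above, worked through as an added example (not code from the post or its author) over a constructed card population. The merchant labels TARGET, NM and MACYS, their shares of the population, and every transaction are constructed; the first scenario shows a breach found in one pass and a second one found in the residual, and the small-block scenario shows why a broad-clientele merchant cannot be separated from chance.

```python
"""Common-point-of-purchase (CPP) analysis over constructed card data."""
import hashlib
import math

# Constructed merchant labels and the share of the card population that shops
# at each one in the window of interest (MACYS plays the broad-clientele role).
MERCHANTS = {"MACYS": 0.70, "GROCER": 0.80, "GAS": 0.50,
             "TARGET": 0.40, "NM": 0.06, "LEVIS": 0.10}


def _u(card, salt):
    """Deterministic pseudo-random value in [0, 1), so the constructed data
    is reproducible without relying on global random state."""
    digest = hashlib.sha256(f"{card}:{salt}".encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2 ** 64


def build_population(n_cards=3000):
    """card id -> set of merchants where the card was physically used."""
    return {f"C{i:04d}": {m for m, share in MERCHANTS.items()
                          if _u(f"C{i:04d}", m) < share}
            for i in range(n_cards)}


def purchased_block(history, breached, size):
    """Simulate the block of card numbers a bank buys back from a carding
    forum: a fixed-size sample of cards exposed at the (hidden) breached set."""
    exposed = [c for c, visited in history.items() if visited & breached]
    return sorted(exposed, key=lambda c: _u(c, "sample"))[:size]


def binom_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p), summed in log space to avoid overflow."""
    if p <= 0.0:
        return 1.0 if k == 0 else 0.0
    if p >= 1.0:
        return 1.0
    lp, lq = math.log(p), math.log1p(-p)
    total = 0.0
    for i in range(k, n + 1):
        log_term = (math.lgamma(n + 1) - math.lgamma(i + 1)
                    - math.lgamma(n - i + 1) + i * lp + (n - i) * lq)
        total += math.exp(log_term)
    return min(total, 1.0)


def cpp_table(block, population, history):
    """Per merchant: share of the block seen there (coverage), share of the
    population seen there (baseline), hits in excess of chance, and how likely
    that many hits would be if the merchant were uninvolved. Ranked by excess."""
    n = len(block)
    if n == 0:
        return []
    rows = []
    for m in MERCHANTS:
        hits = sum(1 for c in block if m in history[c])
        baseline = sum(1 for c in population if m in history[c]) / len(population)
        rows.append({"merchant": m, "coverage": hits / n, "baseline": baseline,
                     "lift": (hits / n) / baseline if baseline else math.inf,
                     "excess": hits - baseline * n,
                     "p_chance": binom_tail(hits, n, baseline)})
    rows.sort(key=lambda r: r["excess"], reverse=True)
    return rows


def exclude_explained(cards, history, known_breached):
    """Drop cards already explained by a merchant known to be breached, so the
    next pass looks only at what the known breach does not account for."""
    return [c for c in cards if not (history[c] & set(known_breached))]


def run_scenario(breached, known, block_size, n_cards=3000):
    """Pass 1 over the whole block; pass 2 over the residual after removing
    cards (and population) explained by the merchants in `known`."""
    history = build_population(n_cards)
    population = sorted(history)
    block = purchased_block(history, set(breached), block_size)
    first = cpp_table(block, population, history)
    second = cpp_table(exclude_explained(block, history, known),
                       exclude_explained(population, history, known), history)
    return first, second


def _show(title, rows):
    print(title)
    for r in rows[:3]:
        print(f"  {r['merchant']:<7} coverage={r['coverage']:.2f} "
              f"baseline={r['baseline']:.2f} lift={r['lift']:.2f} "
              f"excess={r['excess']:+.1f} p_chance={r['p_chance']:.2e}")


if __name__ == "__main__":
    # Scenario 1: TARGET and NM breached; a block of 400 bought-back cards.
    first, second = run_scenario({"TARGET", "NM"}, known={"TARGET"}, block_size=400)
    _show("Pass 1, whole block (TARGET stands out):", first)
    _show("Pass 2, cards never used at TARGET (NM stands out):", second)
    # Scenario 2: a broad-clientele merchant is also breached, but the block is small.
    _, residual = run_scenario({"TARGET", "NM", "MACYS"},
                               known={"TARGET", "NM"}, block_size=20)
    _show("Small block, residual after TARGET/NM (MACYS indistinguishable from chance):",
          residual)
```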

  20. The Human Defense

    First of all, to Tris…I’ve only known one Tris in my entire career, and hope you are well.
    Secret Service’s involvement – Credit cards are considered part of our currency, and when one has had their card compromised, or a card was used to perpetrate fraud against someone else, then they get involved. But, in these last 2 cases, it would tell me (ex-card fraud investigator) that how they found out about the breaches was due to cards that were cloned and being used while the original card was simultaneously being used. I believe that the breach was only found out because a customer had fraud committed against them.
    My guess is this is all going to change the face of how any company, not just the retail industry, handles breaches with or without gov intervention.
    If they do not start revealing the point of intrusion, anyone can fall victim. Even if the feds are telling them not to say how the malware was delivered, then the feds are not doing anyone a favor.

  21. flowersandsunshine

    So does NM also outsource IT to India like Target? Bob Cringely, a tech blogger, believes the Target breach was likely an inside job. After reading many comments here, it would appear that many also are thinking along those lines. Hope we get more info soon.

    1. Bruce Hobbs

      So you’re saying that the inside jobs themselves have been outsourced to India (pun intended)? Could be, could be.

  22. Mariscal

    There were earlier reports that the breach at Target came from overseas. Shortly after the breach went public, stolen credit information began being sold via the internet.
    The timing of both breaches is too close and the method used was very similar. It is disconcerting to think that there is a person, or group, that has the capability to evade similar security measures which could adversely affect approximately 30% of US credit card holders.
    At this point it would be counterproductive to withhold any information regarding the origin of the cyber attack. Damage control takes precedence over image control in this situation. The breach was just too ubiquitous to keep under wraps.

  23. Mark

    Am waiting to hear how these POS terminals got infected. Also, would chip-and-PIN (EMV) have prevented this? Am based in Central Europe now, and wish my US credit card issuers could give me EMV-capable cards, but so far none can.

    1. Bruce Hobbs

      The problem with chip-and-PIN is that it is deemed completely secure by the banks and so there is no cancellation or refund when there is fraud. You’re in Europe; you should know this. To me, that is worse than the American system which limits losses to $50.

      1. JCitizen

        Plus, as he asked originally, how do we know chip ‘n pin will do any good anyway? Until we get the full story, they could have found a way to completely circumvent it by going after centralized data repositories.

      2. Clive

        EMV acceptance denotes merchant liability shifts back to the bank... that is, if a PIN is successfully validated, then the merchant’s liability is zero and the issuer is on the hook for any fraudulent transactions... the thought being that only the cardholder knows their PIN, so if a PIN was successfully authorized then the cardholder must have been there (in a Card Present situation).

  24. Thehumandefense

    Simple Protection –
    Use your credit card or banks available protections on a transaction level.
    1. Have a text sent to you for any transaction over 100.00 (or whatever you are comfortable with)
    2. Have a text sent to you for any cash withdrawal over 100.00 (or whatever you are comfortable with)
    3. Do not use your debit card as a debit card. If a card skimmer is present within the POS (point of sale) device that you are sliding your card through, they will capture your PIN and now they can clone the card and wipe out your bank account.
    4. Use credit cards whenever possible. Without getting into all of the laws and protection, I just want you to understand that you are always, ALWAYS using the bank’s money when you use a credit card until you pay it back. They get loans to provide loans to the customer. This is why they take immediate action on credit card fraud. Plus, it’s not tied to your livelihood.
    5. Use cash when possible; if you can, use cash. I know it sounds crazy, but the fact is I only use cash to purchase gas because of the rampant use of skimmers in my region of the country at gas pumps.
    6. Use PASSPHRASES instead of passwords. Without getting into all the technical aspects, just know that you’re safer if any passphrase you make is over 15 characters. Example: patriotgamesPage57Chapter8. This type of passphrase increases the time it takes to crack it to over 10 years. Change it about once a quarter or every 160 days.

    Hope this might be helpful to someone. Just know, I was also a victim of this breach, and also of a local college breach. I have been a victim of identity theft, and at that time I was managing a credit card fraud unit. I say this, because I also am a victim and learned from these experiences.

  25. Scott

    The good news for people like me who really don’t spend money on plastic besides on groceries, we never have to worry about this.

  26. violeta

    use prepaid card / something with limit/ and sleep peacefully

  27. AnotherVictim

    I was a victim of the Target breach. Unfortunately, my bank did not cancel my cards immediately. Instead, it allowed transactions of up to $200 or $300 a day. I had informed my bank that I would be traveling overseas for Christmas and would have never known about the 11 transactions (almost $1,000) done at a Target in Wisconsin if I didn’t have notifications (both email and SMS). These were all done in one day. I called my bank from overseas and cancelled immediately. My international Visa was cancelled immediately with no unauthorized transactions. My other bank had been informed that I was one of the victims.

    Let me tell you it was such a hassle…

    1. Serena

      Not wishing to invade your privacy, but since the zip codes where the credit cards were used were included in the stolen data, I’m interested to know if the fraudulent purchases were done at the same store where you used your card. Or another store in the same zip code, at least.

  28. Richard Goeken

    What is interesting, and being overlooked at this time, is that in both cases the brick & mortar stores were hit—not the on-line stores. Hmmm....

    1. TheHumanDefense

      Richard,
      The reason for this is because the CVV (4 or 3 digit code) code on the back or front of a card is for online or over the phone purchases. The CVV code in the mag strip is to indicate that the card was present for the purchase. If I do not have that code, I cannot clone the card. This is why they wanted the credit cards only presented at the stores. It also tells me that they knew Target (assuming) segmented that data from online purchases. These 2 breaches are the game changer for the entire retail industry.
      I will say it time and time again. It’s not a matter of if you’ll get breached, but when. Ask anyone who rides a motorcycle.

  29. Jim

    Another point to be mindful of is the type of card used: was it proprietary (a Target card/Neiman Marcus card) or was one of ‘the big 3’ used/breached.
    Comments were made earlier of ‘why not just put out the breach when it happens?’ (paraphrased). Much depends on the entity that needs to be contacted (the big 3 or the proprietary), how the particular company/group’s security policies are written to handle such events (stop the breach if it’s still underway, and begin the recovery process), and mainly how to get a handle on just what was breached.
    The ‘big 3’ have specific instructions in place already on how a company is expected to handle accepting plastic (pci-dss), and it takes a bit to get all that in place once a breach is discovered.
    On one hand I completely agree that “immediate disclosure” would be helpful; on another hand I understand why it takes a little time for the announcement to happen.
    Ultimately, we the end users of plastic are the ones who can most likely help best. Keep track of your statement and the charges that appear on it. Should you find something there that you don’t recognize.. even a small amount (such as $9.65), contact your card company and let them know. Not only will this allow you and me (aka ‘the end user’) to know if something sideways has occurred, but also lets the company involved have a better idea of what’s happening.
    Brian.. thanks sir. More to come I’m sure.
