Comments
Target's Christmas Data Breach
LucasZa,
User Rank: Moderator
1/9/2014 | 6:28:01 PM
re: Target's Christmas Data Breach
All the criminals got for PIN is the encrypted PIN block. It's encrypted using TDES, which is impractical to crack (http://www.voltage.com/blog/cr.... Brute-force guessing the PIN to crack it doesn't work. Gu
essing at the plaintext doesn't allow them to compare against the encrypted PIN block and get back a yes/no answer. That would be considered a known-plaintext attack, which TDES isn't vulnerable to, last I checked.

The criminals' only hope for decrypting the encrypted PIN blocks would be to get the key from the payment processor Target uses. As you said, there is no reason to believe they breached the payment processor. If that were the case, we'd all be in a world of hurt, similar to the Heartland and Global Payments breaches.
LucasZa,
User Rank: Moderator
1/9/2014 | 6:21:22 PM
re: Target's Christmas Data Breach
The CVV is separate from CVV2/CID printed on the card. The CVV is embedded in track data which is not supposed to be stored post-authorization just like CVV2/CID. There is no proof Target was storing track data or CVV2/CID. Criminals steal this data as it passes through compromised POS networks. They've been doing this for many years. Track data and CVV2/CID can both be stolen this way.

Only the PIN used in debit transactions is actually encrypted from the PIN Entry Device (PED) all the way to the payment processor, where it's decrypted, with US payment processing the way it is today. This is why point-to-point encryption provided through payment processors for magstripe and manually keyed-in cards has been catching on. It reduces the PCI card data environment tremendously for merchants, just like debit PINs are protected.

Even EMV is no magic bullet. The value in EMV is they can't make EMV card clones if they sniff an EMV transaction, thereby eliminating card-present transaction fraud at merchants that only accept EMV (as opposed to also accepting magstripe reads or manually keyed in card data). When a transaction is run using EMV, track equivalent data including the card number and expiration date are handled by the POS systems in plain text. The CVV normally found in real track data is changed to something false meaning criminals wouldn't be able to make working magstripe cards from the sniffed EMV transaction to commit fraud. They'd have to resort to card-not-present fraud such as phone ordering using the card number and expiration date, hoping the cashier doesn't ask for CVV2/CID which the criminals wouldn't have.
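The two LucasZa comments above make one concrete technical claim: the debit PIN is the only field that travels encrypted from the PED to the processor, and the encrypted PIN block by itself gives a sniffer nothing to test guesses against. As an added example (not code from the page, and not any vendor's implementation), here is that path in Go: an ISO 9564 format 0 PIN block built from PIN and PAN, one TDES block encryption standing in for the PED, and the processor's decrypt-and-validate step. The key, PAN and PIN are constructed test values; a real PED derives a fresh DUKPT key per transaction rather than using a fixed one, but the block format and cipher are the same.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// demoPEK is a constructed 24-byte TDES PIN encryption key standing in for the key the PED shares
// with the processor. Real PEDs derive a fresh key per transaction (DUKPT); the block format is the same.
var demoPEK, _ = hex.DecodeString("0123456789ABCDEFFEDCBA98765432100011223344556677")

func xor8(a, b []byte) []byte {
	out := make([]byte, 8)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// panField is the ISO 9564 format 0 PAN field: four zero nibbles, then the 12 rightmost PAN digits excluding the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN too short for format 0")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// pinField is the format 0 PIN field: control nibble 0, PIN length, the PIN digits, then F padding.
func pinField(pin string) ([]byte, error) {
	if _, err := strconv.ParseUint(pin, 10, 64); err != nil || len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	s := fmt.Sprintf("0%X%s", len(pin), pin)
	return hex.DecodeString(s + strings.Repeat("F", 16-len(s)))
}

// ClearPINBlock is the 8-byte value the PED encrypts: PIN field XOR PAN field, so the same PIN gives a different block on every card.
func ClearPINBlock(pin, pan string) ([]byte, error) {
	pf, err := pinField(pin)
	if err != nil {
		return nil, err
	}
	af, err := panField(pan)
	if err != nil {
		return nil, err
	}
	return xor8(pf, af), nil
}

// EncryptPINBlock is the PED side: one TDES block operation under the PIN key. This ciphertext is all a network sniffer sees of the PIN.
func EncryptPINBlock(pin, pan string, pek []byte) ([]byte, error) {
	clear, err := ClearPINBlock(pin, pan)
	if err != nil {
		return nil, err
	}
	c, err := des.NewTripleDESCipher(pek)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, clear)
	return out, nil
}

// DecryptPINBlock is the processor side. It returns the PIN and true only when the decrypted block parses as a
// well-formed format 0 block for that PAN; under any other key it returns false. A thief without the processor's
// key has no such check at all: nothing in the ciphertext lets a PIN guess be confirmed.
func DecryptPINBlock(enc []byte, pan string, pek []byte) (string, bool) {
	af, err := panField(pan)
	if err != nil || len(enc) != 8 {
		return "", false
	}
	c, err := des.NewTripleDESCipher(pek)
	if err != nil {
		return "", false
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, enc)
	h := strings.ToUpper(hex.EncodeToString(xor8(clear, af)))
	n, err := strconv.ParseInt(h[1:2], 16, 0)
	if h[0] != '0' || err != nil || n < 4 || n > 12 {
		return "", false
	}
	pin := h[2 : 2+int(n)]
	if _, err := strconv.ParseUint(pin, 10, 64); err != nil || strings.Trim(h[2+int(n):], "F") != "" {
		return "", false
	}
	return pin, true
}

func main() {
	pan, pin := "4000001234567899", "1234" // constructed sample card, not a real account
	enc, _ := EncryptPINBlock(pin, pan, demoPEK)
	fmt.Println(DecryptPINBlock(enc, pan, demoPEK)) // 1234 true
	thief, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF0123456789ABCDEF")
	fmt.Println(DecryptPINBlock(enc, pan, thief)) //  false
}
```

The false result under the thief's key is the practical content of the comment: with no key there is no comparison to make, and a well-formed block will not fall out of a wrong key. The flip side, which the comment also states, is that anyone holding the processor's key recovers every PIN with one decryption each, so the whole design rests on key management at the PED and the processor; DUKPT limits the blast radius by retiring each derived key after one transaction.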
Brian45242,
User Rank: Apprentice
1/8/2014 | 4:32:56 PM
re: Target's Christmas Data Breach
Who said they are storing the CVV? Not knowing all of the facts about this breach, we are all left to surmise based on what is provided. Given the things that reportedly were accessed, such as CVV number and PINs for debit cards, it certainly leads us to think of either a POS breach or something in the flow of this data from the register to their payment processor (I'm not saying the payment processor itself was breached!). These would be possible points where these highly sensitive attributes could be present.
paulie5825,
User Rank: Apprentice
1/3/2014 | 5:56:44 AM
re: Target's Christmas Data Breach
The question you should actually be asking is why Target is storing the CVV number, which is in direct violation of the PCI standard.
independent_forever,
User Rank: Apprentice
12/31/2013 | 2:21:14 PM
re: Target's Christmas Data Breach
I agree...enough with the lawsuits because as you mentioned all that does is focus the company on protecting ITSELF from lawsuits rather than fixing the core problem..security of their systems. Let's hope Target learns lessons and tightens down their systems to avoid this in the future...my trust in them is shaken and I will only spend cash or use their own credit card going forward..no more using my personal credit cards now....
pgregory98001,
User Rank: Apprentice
12/30/2013 | 3:10:51 PM
re: Target's Christmas Data Breach
The byline of this article ("Why, oh, why would Target be storing debit card PINs?") is misleading. There is nothing to conclude that Target is storing PINs.

The Target intruders may have merely grabbed copies of the magstripe as they passed through the Target network. And perhaps the magstripe was not protected by encryption as it was transmitted through the internal Target network - well, that is not a PCI violation, though I wish it was. In my opinion, card numbers should be encrypted when transmitted through internal networks, but PCI still does not require that practice.
macker490,
User Rank: Ninja
12/29/2013 | 1:11:15 PM
re: Target's Christmas Data Breach
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

if the merchant is hacked the card numbers are then sold on the black market. hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high value items -- that can be resold

it's a rough way to scam cash and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems .

The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor, -- with PGP

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI (Payment Card Industry Card Service Center) for processing and forward the cipher text to the POST

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.
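The post above lays out a protocol: the POST hands the card an invoice, the card returns an authorization that only the service center can read, the POST forwards the opaque blob, and the service center approves or declines while the merchant never learns the account number; the card's key expires yearly and can be revoked. As an added sketch of that exchange (not code from the page, and not any deployed payment system), here it is in Go with both sides' messages. Ed25519 signatures and RSA-OAEP encryption stand in for the post's "PGP"; the per-transaction nonce, the one-year key lifetime, the replay check, and all names, amounts and account numbers are assumptions of this sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Invoice is all the POST sends to the card. Nonce is an assumed per-transaction value from the POST.
type Invoice struct {
	Merchant string `json:"merchant"`
	Cents    int64  `json:"cents"`
	Nonce    string `json:"nonce"`
}

// authorization is the card's plaintext; only the service center ever sees it.
type authorization struct {
	Invoice
	Account string `json:"account"`
}

// Envelope is the opaque blob the POST forwards; it carries no cardholder data in the clear.
type Envelope struct {
	CardID     string
	Ciphertext []byte // RSA-OAEP to the service center's key over the authorization JSON
	Signature  []byte // Ed25519 by the card's key over Ciphertext
}

// Card is the disposable smart card: an account plus a signing key the issuer lets expire.
type Card struct {
	ID, Account string
	priv        ed25519.PrivateKey
}

// ServiceCenter holds the decryption key, the card key registry with expiry, the revocation list
// and the (card, merchant, nonce) triples already settled.
type ServiceCenter struct {
	Pub     *rsa.PublicKey // handed to every card at issue time
	priv    *rsa.PrivateKey
	keys    map[string]ed25519.PublicKey
	expires map[string]time.Time
	revoked map[string]bool
	seen    map[string]bool
}

func NewServiceCenter() (*ServiceCenter, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	return &ServiceCenter{Pub: &k.PublicKey, priv: k, keys: map[string]ed25519.PublicKey{}, expires: map[string]time.Time{}, revoked: map[string]bool{}, seen: map[string]bool{}}, nil
}

// Issue creates a card whose signing key is valid for one year and registers its public half.
func (s *ServiceCenter) Issue(id, account string, now time.Time) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	s.keys[id], s.expires[id] = pub, now.AddDate(1, 0, 0)
	return &Card{ID: id, Account: account, priv: priv}, nil
}

// Revoke is what a lost-card report does.
func (s *ServiceCenter) Revoke(id string) { s.revoked[id] = true }

// Approve runs on the card once the holder accepts the invoice; the POST gets back only the Envelope.
// The plaintext fits OAEP's 190-byte limit for a 2048-bit key; production would wrap a symmetric key.
func (c *Card) Approve(inv Invoice, servicePub *rsa.PublicKey) (*Envelope, error) {
	plain, err := json.Marshal(authorization{Invoice: inv, Account: c.Account})
	if err != nil { return nil, err }
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, servicePub, plain, nil)
	if err != nil { return nil, err }
	return &Envelope{CardID: c.ID, Ciphertext: ct, Signature: ed25519.Sign(c.priv, ct)}, nil
}

// Settle runs at the service center: revocation, expiry and signature checks, decrypt, confirm the
// merchant's claimed invoice is the one the holder approved, reject replays. No PII goes back.
func (s *ServiceCenter) Settle(e *Envelope, claimed Invoice, now time.Time) (string, error) {
	pub, known := s.keys[e.CardID]
	switch {
	case !known:
		return "", errors.New("unknown card")
	case s.revoked[e.CardID]:
		return "", errors.New("card revoked")
	case now.After(s.expires[e.CardID]):
		return "", errors.New("card key expired")
	case !ed25519.Verify(pub, e.Ciphertext, e.Signature):
		return "", errors.New("bad card signature")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, e.Ciphertext, nil)
	if err != nil { return "", err }
	var a authorization
	if err := json.Unmarshal(plain, &a); err != nil { return "", err }
	if a.Invoice != claimed { return "", errors.New("invoice does not match what the holder approved") }
	once := e.CardID + "|" + claimed.Merchant + "|" + claimed.Nonce
	if s.seen[once] { return "", errors.New("replayed authorization") }
	s.seen[once] = true // the EFT from a.Account to claimed.Merchant would be posted here
	return fmt.Sprintf("APPROVED %s %d %s", claimed.Merchant, claimed.Cents, claimed.Nonce), nil
}
```

The flow is NewServiceCenter, Issue a card, the card's Approve on the POST's Invoice, then the POST forwards the Envelope and the service center's Settle returns only an approval code. Two properties of the post's proposal fall out directly: the merchant holds nothing but ciphertext it cannot open and a signature it cannot forge, so a breach of the POST yields no reusable card data, and because the signed authorization names one invoice and the center refuses a second settlement of the same nonce, possession of the blob does not give the merchant the indefinite access the post complains about. What the sketch does not solve is key distribution: the service center's public key has to be in every card and the card's public key in the registry, which is exactly the certificate infrastructure the next comment's reference to public-key history is about.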
macker490,
User Rank: Ninja
12/29/2013 | 1:08:10 PM
re: Target's Christmas Data Breach
anyone interested in this issue should read this article

http://arstechnica.com/tech-po...

related to Whitfield Diffie's testimony in TQP v Newegg. particularly the "Brief history of public key cryptography" which starts under that heading

Mr. Diffie notes that he and others involved in the development of public key cryptography recognized early on that a method of authenticating transactions of all sorts that would work in a digital network environment was going to be an important need.

PCI has done nothing except to port the pen and ink process used with credit card embossers to the network.

it hasn't worked and it isn't going to. I don't know if the Target embarrassment will turn the trick; perhaps it will. if we adopt the European method of using smart-cards with PINs we may be able to correct one major defect -- that being that the card holder should authorize each transaction individually. as things stand -- anyone with your account number can initiate a transaction.

PCI doesn't care -- "it's just part of the cost of doing business". but we the people do care. if you have 900 bucks charged on your card for a new gizzie and you call the bank to get the charge reversed -- you are likely to get the run-around.

it's time for reform.

I've gone back to cash.
JamesR010,
User Rank: Strategist
12/28/2013 | 6:33:23 PM
re: Target's Christmas Data Breach
Magnetic stripes are dinosaur-like. They should be abandoned in favor of on-card chips like those found in mass transit smartcards and enhanced drivers licenses. Smartphones with NFC would be better also. BTW: it's the POTUS abusing the Constitution, not Congress.
jlindema,
User Rank: Apprentice
12/27/2013 | 11:46:00 PM
re: Target's Christmas Data Breach
I too would support Sen. Menendez in his efforts to grant authority for the FTC to impose fines.

However, the story I wish more people were made aware of is how payment card fraud could be all but eliminated, if the issuing banks were to embrace technology that's existed for several (7+?) years. Just ONE of the technologies that could be used are 'dynamically' created or changing card numbers that are only valid for one time and by one merchant.

One perceived roadblock to a wider acceptance of "one time use" credit card technology is that merchant Point-of-Sale (POS) systems would need to change significantly. This is simply NOT TRUE.

Check out a company named Dynamics Inc. based in Pennsylvania that has a product that can encode the one-time-use card number onto the magnetic stripe(s) on the back of the card. This enables standard, existing POS card readers to work seamlessly with the newer card technology. A card number that is only good for one transaction at a time, cannot be [re-]sold by criminals.

See Dynamics Inc.'s webpage (/Corporate/Products) + their "Dynamics Inc. - Enabling Payments 2.0-" Dynamic Credit Card via web.archive.org [http://bit.ly/19fbXKb] (last archived Oct. 1st, 2013).

The single most frightening thing anyone could say that _should_ be the catalyst for the card industry to move toward changing the 1950's card technology that we currently endure is: "I'm just going to pay cash and stop using credit cards". Of course that'll never happen and as long as everyone continues to believe the myth that "all we can do" is to cancel compromised cards and pay extra for "account monitoring", "recover" from identity theft best we can, yada, yada, yada.

What consumers should be hearing is the truth, that card skimming fraud could have been eliminated years ago. I believe Target, or any merchant that gets compromised, is simply a victim themselves -a victim of our current card technology that hasn't changed significantly since it was first introduced.

Target is partially to blame, in that its network was compromised, but then being "PCI" compliant these days means about as much as the US Constitution does to Congress right now... close to nothing!

I say SOLVE THE PROBLEM instead of sweeping the problem under the rug (again) by not holding the card issuers responsible for their lack of innovation -or lack of bringing to mass-market the innovation that has existed for years.

