Hackers and account information...
lspencer534
01-13-2014, 6:22pm
Target is just the latest incident of the thousands we hear about. 70 million customer credit cards and account information compromised. I frankly don't understand how this can be allowed to happen. Do retailers just buy the "Economy" computer version for its sales? Surely they realize that hackers are smart people, adept at computers. But it even happens to large, international companies and to Government.
If TOR ("The Onion Ring" browser for the "Deep Web" and developed by the Government, of all people) can eliminate back doors used by hackers, why can't others do it? Why is it so hard to prevent hacking into a system? I really want to know. If it can be prevented, shouldn't companies who are hacked be liable for the hassle of a customer cutting his losses?
It's easy, convenient, and even fun to order online...but it's turning into a dumb thing to do. Of course I'm assuming that the Target hackers compromised online orders, or was it just in-store sales? Does it make a difference, though?
I've read that it usually takes 300-600 hours to repair identity theft problems and those efforts are rarely 100% successful. It seems like the buyer is a forgotten item in commerce nowadays.
MrPeabody
01-13-2014, 6:24pm
I think Target was an inside job.
LisaJohn
01-13-2014, 6:29pm
I cancelled my debit card Dec 23. I received my replacement last week and my new PIN number today. It was very inconvenient and is causing me great emotional stress. Will Annie be handling the class action suit?
Jeff '79
01-13-2014, 6:30pm
Neiman Marcus was compromised as well
mike100
01-13-2014, 6:40pm
I think American banking would rather pay the losses on some fraud rather than have to convert tens of millions of card readers and ATMs to encrypted smart chip technology like they use in Europe (and even Canada now).
lspencer534
01-13-2014, 6:42pm
I cancelled my debit card Dec 23. I received my replacement last week and my new PIN number today. It was very inconvenient and is causing me great emotional stress. Will Annie be handling the class action suit?
Yes, that is Annie's specialty. Well...actually her specialty is drinking, but she does a pretty good job of (drunk) handling of class action suits. She's a lot like Denny on "Boston Legal": Just when you think she's finished, she pulls it out. It isn't pretty, though....
lspencer534
01-13-2014, 6:44pm
I think American banking would rather pay the losses on some fraud rather than have to convert tens of millions of card readers and ATMs to encrypted smart chip technology like they use in Europe (and even Canada now).
I tend to agree with you. Sorta like a car company finds it cheaper to pay out the jury verdicts than to change the design.
onedef92
01-14-2014, 1:45pm
I tend to agree with you. Sorta like a car company finds it cheaper to pay out the jury verdicts than to change the design.
It's called "blood equity." Improvements could be made, but it would cost companies and organizations more to fix the problem than it does to let it ride and absorb the predictably occasional cost.
Commercial aircraft companies could make jetliners safer by offering ejectable compartments for passengers, but it would cost a shet ton of money.
Cybercowboy
01-14-2014, 1:49pm
I think Target was an inside job.
Exactly. Let's say a hacker wants to get some encrypted files off a laptop. They can:
a) employ massive computer time to break the encryption.
b) find the person who knows the password and torture it out of him, threaten to kill his family, whatever it takes.
Option b is much much easier for criminals. These people are hard-core criminals. They are not going to let something like torture or murder get in their way.
The inside job thing is most likely in this case. Some bad guys compromised a trusted insider, using some sort of leverage over him or her. You'd be shocked at what kind of access insiders can have.
onedef92
01-14-2014, 2:02pm
Exactly. Let's say a hacker wants to get some encrypted files off a laptop. They can:
a) employ massive computer time to break the encryption.
b) find the person who knows the password and torture it out of him, threaten to kill his family, whatever it takes.
Option b is much much easier for criminals. These people are hard-core criminals. They are not going to let something like torture or murder get in their way.
The inside job thing is most likely in this case. Some bad guys compromised a trusted insider, using some sort of leverage over him or her. You'd be shocked at what kind of access insiders can have.
Greed is a strong motivator, too. Said hackers probably cut said insider in on a hefty slice of the take. There's a thriving economy among cyber criminals, some of whom specialize in stealing credit card numbers to others who figure out a way to profit. :yesnod:
onedef92
01-14-2014, 3:04pm
long article from June of 2013.
U.S. rolling out chip card technology, ever so slowly (http://www.creditcards.com/credit-card-news/us-slowly-rolls-out-emv_chip-technology-1276.php)
The government will prolly dole out some mandate for chip card technology soon.
Chris Fowler
01-14-2014, 4:30pm
The inside job thing is most likely in this case. Some bad guys compromised a trusted insider, using some sort of leverage over him or her. You'd be shocked at what kind of access insiders can have.
Sometimes that leverage is nothing more than throwing the right amount of money around.
An insider with the right access is nearly impossible to stop.
Your options are:
Limit the number of people who have insider access (the number will always be greater than zero)
Background checks
Make sure all access to private information is audited
Make sure the audits are actually reviewed
In the end this simply limits your exposure.
Hacking of banking and credit card information is serious business, and a complete pain in the ass to those of us in the business trying to stop it.
lspencer534
01-14-2014, 4:33pm
The government will prolly dole out some mandate for chip card technology soon.
It's a shame that merchants and card issuers have to be forced to protect consumers. For once, though, I'm in favor of more laws.
On another note, and please correct me if I'm wrong, I read that hackers sell credit card numbers and personal identification info for up to $70 each, say, for a platinum Amex account. 70 million accounts at, say, $30 per account, is a shit-load of money. And I imagine the hackers sell the accounts multiple times.
Bingo Fuel
01-14-2014, 4:42pm
My guess is that they used key loggers installed on the registers, not the POS machines themselves.
It's really low-tech, but sophisticated in the way that multiple teams worked to distract the sales staff, while others took pictures of the equipment, followed by other teams that installed the key loggers.
Nordstrom was hacked using this method in October (http://krebsonsecurity.com/2013/10/nordstrom-finds-cash-register-skimmers/).
Not only can they get credit card info, but they can also get the clerk's login info among other things that would give them access to the back end systems.
lspencer534
01-14-2014, 7:44pm
Didn't think of the access to backend systems with a key-logger. :willy:
Report about the possible malware used in the Target attack.
This malware class was reportedly used in the Target hackings. Here’s how it works. (http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/13/this-malware-class-was-reportedly-used-in-the-target-hackings-heres-how-it-works/)
Interesting stuff. :yesnod:
Interesting as it is, it seems to be pretty simple to prevent: Encryption. I still don't understand why more protective measures aren't being taken.
Wathen1955
01-14-2014, 8:40pm
I wish I would have thought about this before the Target fiasco.
Target hack is a wake-up call on privacy - Jan. 11, 2014 (http://money.cnn.com/2014/01/11/technology/security/target-hack-privacy/index.html?hpt=hp_t2)
JRD77VET
01-14-2014, 9:09pm
I wish I would have thought about this before the Target fiasco.
Target hack is a wake-up call on privacy - Jan. 11, 2014 (http://money.cnn.com/2014/01/11/technology/security/target-hack-privacy/index.html?hpt=hp_t2)
From the link
Think twice next time a store asks for your phone number, email or zip code
I'll give them a zip code from a few towns over or just say NO. :yesnod:
~~~~~~~~~~~~~
Original hacking
Somebody with an in to the system could have been bought, threatened or pissed off enough just to give it up.
Chris Fowler
01-14-2014, 9:36pm
Zip code is often used to validate against the credit card zip code to help establish that you are the owner of the credit card (used most often at gas stations around here).
Email address and phone number should never be needed.
JRD77VET
01-14-2014, 9:39pm
Zip code is often used to validate against the credit card zip code to help establish that you are the owner of the credit card (used most often at gas stations around here).
Email address and phone number should never be needed.
I will put my correct billing zip in at the gas station. If the clerk in a face to face transaction asks me for a zip, close better be good enough.