

Guard your card!
December 19, 2013 9:06 AM   Subscribe

Target says they've suffered a data breach that may have exposed 40 million credit card transactions since the end of November.

"The chain said customers who made purchases by swiping their cards at terminals in its U.S. stores between Nov. 27 and Dec. 15 may have had their accounts exposed. The stolen data includes customer names, credit and debit card numbers, card expiration dates and the three-digit security codes located on the backs of cards."
posted by Chocolate Pickle (154 comments total) 12 users marked this as a favorite

 
Well. Shit.
posted by middleclasstool at 9:07 AM on December 19, 2013 [17 favorites]


Yeah, I think middleclasstool pretty well said it all: shit.
posted by easily confused at 9:09 AM on December 19, 2013 [1 favorite]


Ummm, yeah. Wow. Shit.
posted by XQUZYPHYR at 9:10 AM on December 19, 2013


Mine was more like "hooooly shit" in a soft whisper and raised brows.
posted by symbioid at 9:11 AM on December 19, 2013


Fuck it, I'm going back to cash.
posted by Elementary Penguin at 9:12 AM on December 19, 2013 [8 favorites]


My company is dealing with a glut of projects right now, but they really need to get on risk management and disaster recovery. You're just rolling the dice until you lock stuff down in the best possible way because this is huuuuuuuge.
posted by OnTheLastCastle at 9:12 AM on December 19, 2013


Target hasn't disclosed exactly how the data breach occurred, but said it has fixed the problem and credit card holders can continue shopping at its stores.

Whew! Thank goodness!
posted by Greg Nog at 9:12 AM on December 19, 2013 [18 favorites]


I shop at Target approximately once every 3 months or so, so of course I was there last week within the extended window of this breach. (Original reports had Nov 27th to Dec 6th as the breach window). Le sigh...
posted by TwoWordReview at 9:13 AM on December 19, 2013 [3 favorites]


Didn't this already happen with Target like, two years ago?
posted by odinsdream at 9:13 AM on December 19, 2013


I shop at Target like, 2 or 3 times a week. Oy.
posted by kmz at 9:14 AM on December 19, 2013 [2 favorites]


The thing about this is, I don't really know what anyone can actually do. I suppose you can ask for a new card number, just in case, but would even a fraction of 40 million people do that? This seems more like a situation where it's going to be up to how good a credit card company's fraud detection department is.

Maybe this explains why Capital One called me yesterday: apparently I set off a flag because I used my credit card to purchase something on Xbox Live, followed by using it in a vending machine, and I guess making a series of small purchases is often detected as "testing" a stolen number. I'm actually kind of glad they're oversensitive about this. Last time this happened, about a year ago, it turns out my number actually was stolen.

As for me, I'm probably just going to be checking my account activity every day now for the next, I dunno, three weeks.
posted by XQUZYPHYR at 9:15 AM on December 19, 2013


Oh, my friend was just dealing with someone having his CC # and using it in Italy. He went to Target on Nov. 29. I wonder...
posted by OnTheLastCastle at 9:16 AM on December 19, 2013


I wonder if my credit card company is going to send me a new card? I can't think of any other solution. Heck, my bank might have to also, I can't remember if I went more than once.
posted by emjaybee at 9:16 AM on December 19, 2013


I was curious if they said what time the breach ended. I was there on 12/15, hopefully after they fixed the breach
posted by fridayinjune at 9:16 AM on December 19, 2013


Didn't this already happen with Target like, two years ago?

I don't think so. You might be thinking of the T.J. Maxx data breach, which compromised 45 million cards in 2007.
posted by RichardP at 9:17 AM on December 19, 2013 [4 favorites]


The thing about this is, I don't really know what anyone can actually do. I suppose you can ask for a new card number, just in case, but would even a fraction of 40 million people do that? This seems more like a situation where it's going to be up to how good a credit card company's fraud detection department is.

I've heard there's already banks proactively reissuing people's cards. Which makes sense since they're the ones that are going to have to eat the costs.
posted by kmz at 9:17 AM on December 19, 2013 [1 favorite]


Didn't this already happen with Target like, two years ago?

I think that was TJ Maxx? But, yeah, this already happened to someone, it was big news, and if this is the same problem there's really no excuse.
posted by Sys Rq at 9:17 AM on December 19, 2013


I was so pissed when I heard this. I shop at Target all the time. In fact, I'm going there today after work. I just gonna tell Visa to give me a new account number. Seems like the easiest way to make sure my identity isn't stolen.
posted by nooneyouknow at 9:17 AM on December 19, 2013 [1 favorite]


Good thing this isn't a peak shopping time.

My partner typically picks up something at Target every Thursday when he is in that neighborhood, always using our debit card. But because of the holidays and other things, he did not do it during this window. Then we remembered this morning we went there on the day before Thanksgiving -- the 27th -- and spent about $200. Shit, indeed.
posted by MCMikeNamara at 9:17 AM on December 19, 2013 [1 favorite]


Same thing, same day here. Shit is the operative word.
posted by blucevalo at 9:18 AM on December 19, 2013


I shop at Target approximately daily. Ugh.
posted by dirtdirt at 9:19 AM on December 19, 2013 [1 favorite]


I'm assuming they weren't storing the actual account or CVV numbers (perhaps incorrectly) - are there any hints as to where in the transaction chain the leak took place? I'm really regretting buying those Christmas lights and cleaning supplies there the first week of December....
posted by longdaysjourney at 9:22 AM on December 19, 2013


i have a target card and a debit card from my credit union that i use there all the time.

i wonder if target will send all of us target card holders new cards?

and there's nothing on my credit union's website about this either.

should i proactively ask for a new card from target and the credit union?
posted by sio42 at 9:22 AM on December 19, 2013



Run the government like a business they say....
posted by Pogo_Fuzzybutt at 9:23 AM on December 19, 2013 [36 favorites]


So, my debit card was recently hijacked to the tune of a couple thousand in purchases around the globe. I used it at a Target on Nov. 29 and then the fraudulent purchases all happened on Dec. 1.

Could this breach be what happened to my card? Is there any way to ever know?
posted by cirrostratus at 9:24 AM on December 19, 2013


I think we can assume that this was a tap on the data stream rather than a break into a database. That's what happened with TJ Maxx, too.
posted by Chocolate Pickle at 9:24 AM on December 19, 2013 [2 favorites]


The NSA is just looking for alternate revenue streams.
posted by entropicamericana at 9:27 AM on December 19, 2013 [7 favorites]


Weird; for the first time ever, I paid cash at Target a couple weeks ago because I somewhat magically kept my purchase under twenty bucks. I've been using cash a lot more frequently these days, and I think I'll just keep on doing that. (I hate the idea of always being tracked. It's fucking annoying.)
posted by heyho at 9:27 AM on December 19, 2013 [2 favorites]


It's things like this that make me glad I don't work in retail banking anymore. Because I would have to continually explain...

Identity theft and fraud are different things. This is, potentially, the latter. Even if you are a victim, it won't be that big of a hassle.

You shouldn't be mad at Target, your bank, Visa, etc. should be mad at Target. Because of Regulation E and all of the bank policies that are even more pro-consumer versions of Reg E, your money isn't really at risk here.

The only thing you need to do is the same thing you should always do: use a credit card instead of a debit card, keep an eye on your transactions, and call the card issuer if you see something suspicious.
posted by VTX at 9:27 AM on December 19, 2013 [9 favorites]


I'm assuming they weren't storing the actual account or CVV numbers (perhaps incorrectly) - are there any hints as to where in the transaction chain the leak took place?

Chocolate Pickle is correct - heard it on NPR during this morning's drive - the attack took place BETWEEN the point-of-sale machines and the Target central clearing computer. So everything on the card is compromised - card number, CVV, expiration date - everything. For this reason they are suspecting it might be an inside job. Also for this reason, only in-store purchases are affected, and not online at the Target website.
posted by Joey Buttafoucault at 9:27 AM on December 19, 2013 [4 favorites]


If they have the security codes then yeah, it can't be from a DB breach, unless Target was flagrantly violating PCI.
posted by kmz at 9:28 AM on December 19, 2013 [8 favorites]


So Target was a.... TARGET?

No one ever needs to store CC information longer than a few seconds. Process the transaction, then forget the data, it's no use to you.
posted by blue_beetle at 9:28 AM on December 19, 2013 [2 favorites]


I guess I lucked out. My credit card was stolen on Tuesday, so I had it replaced.

Lucky me.
posted by sutt at 9:28 AM on December 19, 2013 [3 favorites]


Grr. I just had my credit and debit cards replaced by my bank for some other data breach, and it's a huge pain in the ass. We've got to come up with a better way to switch card numbers than waiting a week for a new piece of plastic to show up in the mail. Maybe your bank could issue you something similar to the Coin and change your number remotely?
posted by Rock Steady at 9:32 AM on December 19, 2013 [1 favorite]


I go to Target probably about once a month and I know I shopped there in that time-frame, but looking at my credit card history it appears I must have used cash. Whew.
posted by stopgap at 9:32 AM on December 19, 2013


TJX was a total boner: they used unencrypted WiFi to carry credit card numbers from the point-of-sale terminals to the back-office servers for charging, if memory serves.

Target's attack appears to be more subtle. Something got into their new point-of-sale terminals -- little Linux computers, with the ability to stream web content *boggle* -- and grabbed all the data that the card reader could see before it even got encrypted. (So it's not like they held onto illicit data for a long time and their unpatched servers got cracked, or something else due to incompetence or politics or sloth or the weirder corners of PCI DSS.) Ouch.

For some time I have been waiting for Target to get breached, and I guess it's finally that day. *wince*
posted by wenestvedt at 9:39 AM on December 19, 2013 [4 favorites]


This is a good time to bring up this interesting AskMe on how credit card companies detect fraud.
posted by daninnj at 9:40 AM on December 19, 2013 [2 favorites]


Looks like I only shopped there once during that time and used a recently issued Target Red card. VERY glad I didn't use my usual bank Visa debit card!
posted by dnash at 9:40 AM on December 19, 2013


Of course the Target red card number is busy busy today, and they cannot cancel/replace your card in store. I'm planning on having that either canceled or re-issued with a new number, and then I guess I'll head to the bank and get them to give me a new debit card.

I lost my debit card a couple of years ago, and I was surprised that I could walk into the branch and they handed me a new card - it didn't have my name on it, but I could use it immediately, and then I got the one with my name within a week.

I shop at Target a couple times a week, but ugh. I don't envy the people on the other end of the phone line for the Redcards today!
posted by needlegrrl at 9:40 AM on December 19, 2013


I think at least one of our bank cards has been replaced by the bank without us asking every year in the past few years. I suspect we've used all three at the Target up the street, that should make for a festive card replacement mess.
posted by Lyn Never at 9:41 AM on December 19, 2013


"your money isn't really at risk here"

If you use a debit card like most people do, in the short term, your money's very much at risk. In the long term you can dispute everything and get it all back, theoretically.
posted by edheil at 9:41 AM on December 19, 2013 [1 favorite]


Brian Krebs, who broke the story, has a good thread about this on his site. There's speculation that the new PoS terminals could have been compromised, or the new servers, both of which got rolled out to all the stores this summer.

Someone in that thread said they could get their card cancelled/serviced/whatever via the mobile app, even though the web site & phones are swamped.

I love Target. This sucks.
posted by wenestvedt at 9:42 AM on December 19, 2013 [3 favorites]


And of course, I used my debit card at Target on the 9th to get some cash back along with my purchase. Boo-urns.

I'm not overly concerned about identity theft, but the last time a vendor I was at had this kind of breach, Bank of America just cancelled my debit card without letting me know except by sending a letter to my mailing address, which happened to be my parents' house since I was at college, so of course I didn't get the letter. That was a nice moment of panic when my card was declined at the grocery store! Now I'm going to be paranoid about the same thing happening again.

Do I need to proactively contact my bank? I haven't noticed any hinky charges yet, but do not want to be debit-card-less over the holidays.
posted by yasaman at 9:44 AM on December 19, 2013


The linked article says the problem is fixed, yet this article says the breach "may be continuing". Who's right? And how can the problem be "fixed" unless all affected cards are identified and/or canceled?
posted by RobotVoodooPower at 9:44 AM on December 19, 2013


Hmm, let's see. The one time I've been to Target in the last two years was... yes, December 11. Awesome. And I just had one of my other cards replaced, thanks to a skimmer.
posted by hades at 9:44 AM on December 19, 2013


Ha, joke's on them! My AmEx has a FOUR digit security code! Me 1, breachers 0.
posted by spamguy at 9:46 AM on December 19, 2013 [3 favorites]


the attack took place BETWEEN the point-of-sale machines and the Target central clearing computer. So everything on the card is compromised - card number, CVV, expiration date - everything.

How does this work? Is the CVV in the magnetic stripe? If so, that seems dumb to me.
posted by shothotbot at 9:48 AM on December 19, 2013


If you use a debit card like most people do, in the short term, your money's very much at risk. In the long term you can dispute everything and get it all back, theoretically.

Depending on the amount of the fraudulent transactions (assuming there are any), the "short-term" might be as little as the time between when you notice the transaction has posted and when you hang up the phone with your bank's phone banker.

The easy way to prevent things like this from being a hassle is stop using your debit card at anything other than the ATM or as a back-up. Use your credit card instead. I realize that this isn't something everyone can do, but if you have a credit card, you should be using that instead of your debit card.
posted by VTX at 9:52 AM on December 19, 2013 [5 favorites]


The linked article says the problem is fixed, yet this article says the breach "may be continuing". Who's right? And how can the problem be "fixed" unless all affected cards are identified and/or canceled?

I believe they mean the hackers can't get in anymore, not that the mess is all cleaned up.
posted by pwnguin at 9:53 AM on December 19, 2013 [1 favorite]


Full track data. Damn. Clearly a card-present POS failure. To my memory this is about the quickest a breach of this magnitude has been revealed, so that's something.

It sounded to me, from Krebs's article, that he was getting information from unnamed fraud investigators at the card brands - I wonder if this was an unauthorized reveal by frustrated employees of the banks?
posted by These Premises Are Alarmed at 9:57 AM on December 19, 2013 [2 favorites]


No one ever needs to store CC information longer than a few seconds. Process the transaction, then forget the data, it's no use to you.

Not true if you take returns. But you should be tokenizing as soon as possible in that case.

How does this work? Is the CVV in the magnetic stripe?

Track 1.
posted by bfranklin at 10:07 AM on December 19, 2013


I work across the street from Target HQ; walked by there just now on the way to Chipotle for lunch. It's as you'd expect, a zoo. TV truck outside. Anxious people in suits having intense convos in the atrium (to be fair, that's usually the case). The weird thing is the crowd of lower-level people in their Target t-shirts, which generally means that some sort of Enforced Corporate Jollity is happening. I assume whatever staff holiday thing they had scheduled is a pretty subdued matter now.

On the way back, I took the skyway, and could see across 10th street into one of their big conference rooms; there was a powerpoint running about "2013 Black Friday Recap" and a lot of people standing around in knots talking. None of them looked happy.
posted by COBRA! at 10:09 AM on December 19, 2013 [10 favorites]


honest question: what is the extent of Target's liability? i know the card companies have fraud detection and a lot of that can be recovered for the cardholder. but - for example - say, everyone in that 40 million spend an hour of their time (min) sorting this out. Seems to me that Target should be compensating everyone for the trouble.
posted by j_curiouser at 10:10 AM on December 19, 2013


How does this work? Is the CVV in the magnetic stripe? If so, that seems dumb to me.

The CVV is just used to confirm that you have access to the physical card. It's something that's supposed to never be stored in any form in retailer systems, unlike the card number itself. If it's not in the magnetic stripe you'd have to type it in every time you physically swipe the card.
posted by kmz at 10:11 AM on December 19, 2013


Does anyone have an educated guess as to whether it's relatively better or worse to have used a Target debit card rather than a standard Visa/MC debit card issued by a bank? I am thinking that it'd be harder to, say, extract money from an ATM with a Target debit card number but I don't really know.

At any rate, keeping an eye on my bank account balance. Of course we shop at Target like twice a week.
posted by trunk muffins at 10:12 AM on December 19, 2013


kmz: "If it's not in the magnetic stripe you'd have to type it in every time you physically swipe the card."


That sounds fine. But we do that for debit cards too, so what's the point.
posted by Big_B at 10:13 AM on December 19, 2013


Every time I check out at TGT, the cashier asks if I want to save 5% today and every day with a Target Red Card. Every time I politely say no thanks. They usually are incredulous that I would not want to save 5%. I explain to them that it would have to be closer to 25% for me to let them track and profile me. That yields a shrug and my change.
posted by JohnnyGunn at 10:13 AM on December 19, 2013 [1 favorite]


There's a lot of confusing and conflicting information out there about this. Is it just the Target RedCard that's at risk or is it any debit card used at Target within the time frame specified?

I was just at Target a few days ago. I was surprised when the check-out clerk didn't ask me if I wanted to sign up for the Target card because they've been pushing it for quite a while. Guess this must be why.
posted by fuse theorem at 10:13 AM on December 19, 2013


JohnnyGunn: "Every time I check out at TGT, the cashier asks if I want to save 5% today and every day with a Target Red Card. Every time I politely say no thanks. They usually are incredulous that I would not want to save 5%. I explain to them that it would have to be closer to 25% for me to let them track and profile me. That yields a shrug and my change."

We literally just got our Target card in the mail yesterday. They were already tracking and profiling us whenever we paid with another card, so the 5% doesn't cost us anything additional.
posted by tonycpsu at 10:16 AM on December 19, 2013 [3 favorites]


Is it just the Target RedCard that's at risk or is it any debit card used at Target within the time frame specified?

Any credit or debit card that was used is at risk.
posted by soelo at 10:16 AM on December 19, 2013


Just called my bank to freeze/reissue my debit card, which is indeed a pain in the behind, but they didn't remotely question it and set me up for a new one. All I said was "this Target thing," and we were off. I think they know cautious people will want to be cautious.
posted by Linda_Holmes at 10:17 AM on December 19, 2013


I signed up for the link to my debit card. That is my concern.
posted by stormpooper at 10:18 AM on December 19, 2013


Does anyone have an educated guess as to whether it's relatively better or worse to have used a Target debit card rather than a standard Visa/MC debit card issued by a bank? I am thinking that it'd be harder to, say, extract money from an ATM with a Target debit card number but I don't really know.

Since the PIN for your debit card isn't connected to the card at all, they'd only be able to use an ATM if you gave them your PIN in some other way. I suppose it's technically possible, but it would be implausible.

It doesn't really matter in either case. If you see a transaction on either that you didn't authorize, call the card issuer and you'll get your money back.
posted by VTX at 10:18 AM on December 19, 2013


honest question: what is the extent of Target's liability?

To the consumer? Minimal. They'll have to provide credit monitoring, but likely not much else. To the payment card industry? They'll probably be fined by the PCI council if the council determines they weren't engaging in best practice for risk management.

In most cases, a retailer like Target will be relying on their PoS vendor to produce a product that is certified as PCI-compliant. That amounts to something of a free pass, but there may be issues with how Target implemented that solution.

The worst case for Target would be having their merchant class downgraded and end up paying a higher % for each transaction fee.
posted by bfranklin at 10:19 AM on December 19, 2013 [5 favorites]


OK, it's been bothering me that the CVVs were compromised since I was always under the impression that CVVs were only useful at all in card-not-present transactions. Some Wikipedia-ing has given me the impression, though, that there are actually two *different* CVVs on modern credit cards. There's the CVV1, which is in the magnetic stripe, and which was compromised in this breach, and the CVV2, which is the three-digit code you have to type in when you are buying something with a credit card on your computer. Both of these seem to have the same PCI compliance requirements of non-storage, but they are distinct entities.

Can anyone who knows more about this verify my understanding? Because if I'm correct, this means that the compromised CVV1s can't be used for ecommerce transactions, right? They could use this info to make fraudulent cards, but they can't just hit Amazon and start buying all the things?
posted by town of cats at 10:20 AM on December 19, 2013 [1 favorite]


I know it's kind of beside the point, but is anyone else amazed that Target had 40 million in-store credit/debit swipes in a 2.5 week span? I know those are huge shopping days, but that number is staggering to me.

Those are transactions, not items. And not counting cash, check or online. Good grief.
posted by jermsplan at 10:22 AM on December 19, 2013


I keep reading "PoS" as "Piece of Shit" rather than "Point of Sale". Shows you where my mind is.
posted by Chocolate Pickle at 10:25 AM on December 19, 2013 [10 favorites]


I keep reading "PoS" as "Piece of Shit" rather than "Point of Sale". Shows you where my mind is.

If you work in retail, the two are normally pretty synonymous.
posted by bfranklin at 10:31 AM on December 19, 2013 [18 favorites]


How long does it take a bank to re-issue your credit and debit cards? I'm sure we've been compromised, but we also plan on leaving town soon for a holiday trip.
posted by Area Man at 10:38 AM on December 19, 2013


Okay, I just downloaded the iOS Target app. It let me log in to the Red Card site which is (for me) tied to my Target Visa card that I never use.

Once in there, I was able to delink the "saved" bank account information I'd had in there to pay for purchases I never make.

So - uselessish.

I was not able to cancel my Target direct-debit card (the only one I use, and that I used for a return and purchase once in the timeframe).
posted by tilde at 10:44 AM on December 19, 2013


Brian broke this about 2:30pm yesterday, and it's been amazing to see it blow up. He also says on Twitter that "the follow-up is going to be even bigger" and that he's working on an FAQ for the breach, so continue to keep an eye on this. (KrebsonSecurity.com is his site.)

Business Insider had a decent writeup about what you should do:
Here's What To Do If You Shopped At Target After Its Black Friday Data Breach

It might be premature to get your cards re-issued, as it hasn't been conclusively shown that people's cards are being actively exploited from the breach. Might be enough to just keep an eye on your card usage for now (using the bank's online portal). Also keep the number of the issuing bank handy, so you can call if something fishy shows up on your card.
posted by gemmy at 10:48 AM on December 19, 2013 [1 favorite]


Even if you are a victim, it won't be that big of a hassle.

So you're volunteering to call the bank on my behalf, wait on hold, dispute the charge, fill out the paperwork, and provide me with a no-cost loan to cover immediate charges for the time period I have to go without a card? Mighty kind of you.

IT'S A FUCKING HASSLE.
posted by disconnect at 10:49 AM on December 19, 2013 [19 favorites]


FYI - I dispute charges directly from online banking. It's super easy, and you get a nice (physical) letter of confirmation a week later.
posted by 2bucksplus at 10:50 AM on December 19, 2013


So this explains why my debit card had to be replaced two weeks ago. Huge hassle to try to finish holiday shopping with a card that had its creditness turned off.

My anger was compounded when I went to the bank to activate the replacement card and was told that I could not use the six digit PIN number I've used for years (and extensively that very week with the old card) because "the system only accepts 4 digit PINs and has always only accepted 4 digit PINs." I ended up going all Picard and ranting and raving about the number of lights in the room before the nice men in blue helped me back out into the street as I gibbered and waved six fingers around (which was... tricky as one hand was cuffed behind my back so I had to improvise for the sixth digit).
posted by robocop is bleeding at 10:54 AM on December 19, 2013 [2 favorites]


that number is staggering to me.

You know it really did to me too, even when it includes their biggest shopping weekend, but then you break it down to

40,000,000 / 19 days / 1,683 stores --

it's a little more than 1250 transactions per store per day, which is still a lot but seems much more realistic to my brain.
posted by MCMikeNamara at 11:03 AM on December 19, 2013


Just because I always have to do things differently, someone cloned my credit card and swiped it at a Target in that timeframe. So I got a new card anyway. Phew.

How Amex knew to decline that transaction as fraudulent, with a card present, is beyond me. But I will say that American Express is 100% awesome when it comes to fraud matters.
posted by hwyengr at 11:05 AM on December 19, 2013


1250 transactions per store per day - how many hours were they open, let's go with 14, that's about 89 per hour or 1.5ish every minute. Interesting breakdown.
posted by tilde at 11:11 AM on December 19, 2013 [1 favorite]


Yeah, that's still a lot when you look at it that way. Too many for this kind of fuck up from my perspective.
posted by MCMikeNamara at 11:13 AM on December 19, 2013


I used my bank card 5 times at two different Target locations between Nov 27 and Dec 15. I spoke to a CSR at my credit union over lunch. She was unaware a breach had occurred (!???)

Sigh.
posted by theBigRedKittyPurrs at 11:16 AM on December 19, 2013


The fact that the onus is still on us THE CUSTOMERS to deal with this crap and clean up the mess and not BIG CORPORATION is absolutely sickening.
posted by Big_B at 11:16 AM on December 19, 2013 [11 favorites]


I go to retail tradeshows as part of my job, and for years now, the POS manufacturers have been pushing Web-enabled cash registers as the next thing every retailer just HAS TO HAVE. Because then your associates can look up things for shoppers who have questions! And they can automatically be suggested additional products to upsell! You can stream little product demo videos right at the point of sale!

The biggest retail show of the year is next month, and it is going to be fascinating talking to these tech vendors about this.

I'm also guardedly optimistic that this might be the thing that finally forces American banks to move to the EMV standard, which the rest of the developed world already uses (also called chip-and-PIN, cards with a computer chip on them in addition to a magstripe). Research in the past few years has shown that most of the world's fraudulent financial activity has been migrating to the U.S. from the rest of the world, precisely because we do not have chip-and-PIN.
posted by jbickers at 11:20 AM on December 19, 2013 [14 favorites]


You should pay for everything with cash and not have credit/debit cards with RFID. If you do, put them in an Altoids tin while you carry them.
posted by koavf at 11:23 AM on December 19, 2013


This is probably preaching to the choir here, but as a reminder: if you have a credit card you pay off every month, use that rather than a debit card. Credit cards have much greater legal protections (at least here in the USA) if they are compromised. Personally, I've moved to making most of my purchases with cash, especially at smaller retailers - in addition to protecting my credit info, they do not have to pay fees to MasterCard/Visa.

Also, the idea of web-enabled cash registers is quite disturbing from a security perspective.
posted by antonymous at 11:26 AM on December 19, 2013 [4 favorites]


the POS manufacturers have been pushing Web-enabled cash registers as the next thing every retailer just HAS TO HAVE.

Is this because THEY ARE FUCKING HIGH?
posted by fullerine at 11:29 AM on December 19, 2013 [6 favorites]


There's nothing wrong with a web-enabled cash register, provided your card sled or pin pad is doing hardware encryption and your keys are properly secured. A lot of retailers simply use network segregation rather than hardware encryption to protect transaction data, though.

At this point, it's a little too early to throw Target under the bus over this. They're certainly a victim here too. The technical details will speak to how sympathetic of one they are, though.
posted by bfranklin at 11:36 AM on December 19, 2013 [1 favorite]
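The design point bfranklin makes above (hardware encryption at the card sled versus relying on network segregation), as an added example that is not code from the thread, from Target or from any POS vendor: a simulated checkout lane in Go where the reader either hands the register plaintext track data or encrypts it with AES-GCM under a key only the processor holds, plus a defender's check of what a copy of the register's buffer would contain. The Track 1 string (ISO 7813 layout with a test PAN), the key handling and the type and function names are all constructed for this example.

```go
// Added example: two ways a checkout lane can handle magnetic-stripe data.
// "Segregation only": the register receives plaintext from the card reader and
// the store network is assumed isolated. "Encrypting reader": the pin pad / card
// sled encrypts the track under a key that only the payment processor holds, so
// the register only ever handles an opaque blob. All names and values are
// constructed for this illustration, not taken from any real deployment.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// Constructed Track 1 sample (PAN, name, expiry, service code, discretionary
// data). The PAN is a well-known test number, not a real account.
const sampleTrack1 = "%B4111111111111111^DOE/JANE^1512101000000000000123?"

// A run of 13-19 digits is what a card number looks like in the clear.
var panPattern = regexp.MustCompile(`[0-9]{13,19}`)

// Processor owns the data-encrypting key; the register never receives it.
type Processor struct{ key []byte }

// NewProcessor generates a fresh 256-bit AES key. In a real deployment the key
// is injected into the reader's secure hardware, not generated per run.
func NewProcessor() (*Processor, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Processor{key: key}, nil
}

// Reader models the card sled / pin pad. In the encrypting design it carries
// the processor's key inside tamper-resistant hardware.
type Reader struct{ key []byte }

// SwipePlain is the segregation-only design: whatever the magnetic head read
// is handed to the register software unchanged.
func (r Reader) SwipePlain(track string) []byte {
	return []byte(track)
}

// SwipeEncrypted is the hardware-encryption design: AES-GCM with a random
// nonce prefixed to the ciphertext, so the register only holds an opaque blob.
func (r Reader) SwipeEncrypted(track string) ([]byte, error) {
	block, err := aes.NewCipher(r.key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(track), nil), nil
}

// RegisterBuffer is what the register's own process memory holds for the
// transaction: in both designs, exactly what the reader handed over.
func RegisterBuffer(payload []byte) []byte {
	return append([]byte(nil), payload...)
}

// LeaksPAN is the defender's check: does a copy of the register buffer
// contain something that looks like a card number in the clear?
func LeaksPAN(buf []byte) bool {
	return panPattern.Match(buf)
}

// Decrypt runs at the processor, the only party holding the key. GCM also
// rejects any blob that was modified in transit.
func (p *Processor) Decrypt(blob []byte) (string, error) {
	block, err := aes.NewCipher(p.key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	proc, err := NewProcessor()
	if err != nil {
		panic(err)
	}
	reader := Reader{key: proc.key}
	fmt.Println("segregation only, register leaks PAN:",
		LeaksPAN(RegisterBuffer(reader.SwipePlain(sampleTrack1))))
	blob, err := reader.SwipeEncrypted(sampleTrack1)
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypting reader, register leaks PAN:", LeaksPAN(RegisterBuffer(blob)))
	track, err := proc.Decrypt(blob)
	fmt.Println("processor recovers track:", err == nil && track == sampleTrack1)
}
```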


From Forbes:
According to published reports, the thieves captured magnetic stripe data from customers swiping their cards to complete their purchases. The technique is called “skimming” and is accomplished by thieves adding a small chip into the credit card readers typically attached to cash registers. Because the chip is right at the device, there’s no need to infiltrate the company’s systems. The chip grabs the information right up front.

[...]

It’s going to be hard to find Target culpable in any way for this new breach. The truly interesting questions are who planted the skimming devices in the card readers? Was it employees? Store cleaners? Were they planted by a large group of organized criminals over a short period of time, or did a smaller group take months of time preparing for the big weekend?

[...]

This one required a lot of coordination. It was very organized, and it certainly was a crime. Secret Service involvement acknowledges concern at very high levels. This was a bad thing, most especially for the banks and card processors.
posted by zakur at 11:39 AM on December 19, 2013 [1 favorite]


If this actually is skimming - and honestly I'm not sold that it is yet - that's just staggering. Getting physical access to all the POS terminals across the country is quite a feat.
posted by stoneweaver at 11:42 AM on December 19, 2013 [9 favorites]


How long does it take a bank to re-issue your credit and debit cards?

My credit union does it while you wait. Maybe 3 minutes max. CUs FTW

So when are we going to get card readers that read the electronic print off your card and you "sign" with a fingerprint?
posted by BlueHorse at 11:43 AM on December 19, 2013


"Skimming" involves a physical device being placed atop/alongside/inside the physical card swipe unit. We're talking 1800 stores here, 10-12 lanes in each? If this was really a skimming attack, if people really coordinated placing a skimmer at even a fraction of that many units, then we've got the most organized, er, crime probably in history.

My money is on the data being captured somewhere between the back-office machine in each store and corporate.
posted by jbickers at 11:44 AM on December 19, 2013 [13 favorites]


"the attack took place BETWEEN the point-of-sale machines and the Target central clearing computer" according to NPR, via Joey Buttafoucault above. Forbes is saying that skimming is the only way to get info from a card swipe and that is not true.
posted by soelo at 12:01 PM on December 19, 2013


So when are we going to get card readers that read the electronic print off your card and you "sign" with a fingerprint?

As someone with eczema and who is supposed to use a fingerprint reader at work: hopefully never as they don't work for me.
posted by shothotbot at 12:05 PM on December 19, 2013


A skimming-style attack was carried out on a chain of stores* here in the Pacific Northwest a year or two back; it was pretty shocking to think of all those machines being physically compromised across several counties. I think the likelihood of this being the case for Target is pretty small.

*These stores have since installed a new POS system and all card readers are located behind the counter where only employees can access them.
posted by trunk muffins at 12:06 PM on December 19, 2013


Target lets 40 million Americans' credit cards get stolen during Christmas season.

healthcare.gov hadn't let anyone's credit cards get stolen.

Why don't I think we'll see congressional hearings into Target's (and other retailers') negligence, liability and continued risks?
posted by mikelieman at 12:09 PM on December 19, 2013 [9 favorites]


So you're volunteering to call the bank on my behalf, wait on hold, dispute the charge, fill out the paperwork, and provide me with a no-cost loan to cover immediate charges for the time period I have to go without a card? Mighty kind of you.

Compared to the multi-year cluster-fuck that is being a victim of identity theft that people often confuse this kind of breach with and are now worried that they will be a victim of, no, that is not really a hassle.
posted by VTX at 12:11 PM on December 19, 2013


Retail point of sale/payment processing is one of those areas where bad code accumulates because no one wants to take on the risk of updating it, because to do so and screw it up would be catastrophic for your career and maybe even the business, and since the code is ancient, it's also probably poorly documented, it probably has seen many maintainers, each with slightly different philosophies, so it's probably inconsistent, as well. I'm only surprised this doesn't happen more frequently.
posted by feloniousmonk at 12:12 PM on December 19, 2013 [8 favorites]


How long does it take a bank to re-issue your credit and debit cards?

Some example experiences from a couple of years ago, involving a physically stolen wallet:

Amex Gold - fantastic service, everything you could ask for. Fedexed me a fresh replacement card immediately, I had it in my hand within 24 hours. (Downside: high-ish annual fee to get this high-touch service.)

Wells Fargo - okay to good service. No big hassles involved, but replacement cards went through what seemed like their regular process. Took a couple of days before fraudulent charges were dropped from debit card (not a hassle in this instance, but could be to other people). Took about a week to get physical cards.

U.S. Bank - paranoid, suspicious service. Made me file an official police report with St Paul, Minnesota police before they'd do anything. Whole process took over a month. I'm assuming they won't follow that procedure for people affected in this case, but that's an assumption.

The financial loss to me across the board was zero. All fraudulent charges were reversed. But the process was different at each card issuer.
posted by gimonca at 12:13 PM on December 19, 2013


As someone with eczema and who is supposed to use a fingerprint reader at work: hopefully never as they don't work for me.

May also be a problem for some older people, as the whorls can wear down/off with age; my mother's prints, for example, are just a black smudge.
posted by thomas j wise at 12:18 PM on December 19, 2013 [1 favorite]


This FPP should probably link to more technical coverage, like Ars Technica. On that page, there's a link to a story from Dec 12:

Credit card fraud comes of age with advances in point-of-sale botnets
Researchers: 20,000 cards compromised in active campaign hitting US merchants.

I think the Target breach is just one of these botnet guys who got really really lucky. I am not so lucky, I shopped at Target twice during the suspected time frame, using a MasterCard debit card. I have no idea if this card is protected under MC or unprotected in a direct link to my checking account. I have asked the credit union several times about what protection is offered and they do not know. The only positive factor here is that I don't have any money to steal. This is my universal solution to crime: own nothing worth stealing.
posted by charlie don't surf at 12:18 PM on December 19, 2013 [5 favorites]


Of course I used my Amex card at Target during this period (and I only go there about twice a year). Amex stated that they are monitoring carefully any charges on cards used at Target during this period and that I would not be liable for any fraudulent charges. They stated it wasn't necessary to replace the card.
posted by HuronBob at 12:31 PM on December 19, 2013


If the registers at Target work like the registers at (electronics store) that I do POS support for, and this leak IS really at the level of the pinpad, then there's a few ways this could happen.

Assuming they were actually skimming un-encrypted data off the pinpads themselves that is - and this is NOT LIKELY to be a physical skimmer, but a software related one - it would be the easiest method.

I'm guessing this is what happened because damn it would not be that hard. It is more than possible to modify the pinpads remotely if you know what you are doing. I have access to the software and the cables to modify the firmware on pinpads myself, but I do not possess the programming knowledge to modify the software. I mean literally I am looking at the special cable on a shelf, the specific software for ours is on a thumb drive on my desk, and I've walked into our stores and upgraded our pinpads. It was easy. It took me longer to get a coffee at the Starbucks than it took to upgrade one pinpad.

Sometimes pinpads can be updated remotely -depending on how they are connected to the register, they can be accessed like any other peripheral device on a computer. Like updating your printer's firmware, you can update the pinpad's firmware too. So if you can connect to the register, you can touch the pinpad.

However - some setups don't allow this. Our pinpads don't allow remote upgrades. We had to touch each pinpad physically at the store we tested the new software, and then we opted to have the pinpad-software-company inject the new version at their HQ - but had we the human bodies and time to upgrade ourselves we could've done it.

So there's a few ways this kind of hack at that level could happen.

1) Someone on the inside at the supplier who modified the firmware on the pinpad at the injection phase.

2) Someone in the POS-support team at Target or the company they contract to support their registers who has access to all/some of the pinpads remotely, and the ability to update the firmware.

3) A massive coordinated hack of pinpads at each store to update the software. (super unlikely, since they'd have to go touch every pinpad with the magic cable)

(a note - this doesn't really have anything to do with web-enabled point of sale machines. As long as the POS has a connection out somehow, the data can be pulled off of it. Web-enabled might make it easier but non-web-enabled are hackable too at this point)
posted by FritoKAL at 12:31 PM on December 19, 2013 [6 favorites]
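All three of FritoKAL's scenarios come down to the same control: does the pinpad accept firmware from anyone who can reach it, or only firmware signed by a key it already trusts? The Go program below is an added illustration for this thread, not code from Target, the commenter or any pinpad vendor. It assumes a device with the vendor's public key burned in at manufacture and a monotonic version counter; the Ed25519 signature, the `FirmwareImage`/`Device` names and the firmware bodies are all constructed. With this in place scenario 3 (someone with the magic cable) and scenario 2 (someone with remote update access) can only install images the vendor actually signed, and scenario 1 narrows to whoever controls the signing key at the vendor, which is the key to keep offline and audited.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed stand-in for a pinpad firmware blob plus the
// metadata the device checks before it will flash anything.
type FirmwareImage struct {
	Version uint32
	Body    []byte
	Sig     []byte // vendor signature over digest(Version, Body)
}

// digest binds the version number to the body, so a valid signature on one
// image cannot be moved onto a different body or replayed as a downgrade.
func digest(version uint32, body []byte) []byte {
	h := sha256.New()
	h.Write([]byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)})
	h.Write(body)
	return h.Sum(nil)
}

// SignFirmware is the vendor's release step; the private key stays offline.
func SignFirmware(priv ed25519.PrivateKey, version uint32, body []byte) FirmwareImage {
	return FirmwareImage{Version: version, Body: body, Sig: ed25519.Sign(priv, digest(version, body))}
}

// Device models a pinpad with the vendor public key fixed at manufacture and a
// record of the firmware version currently installed.
type Device struct {
	VendorPub ed25519.PublicKey
	Installed uint32
}

var (
	ErrBadSignature = errors.New("firmware rejected: signature does not verify under vendor key")
	ErrRollback     = errors.New("firmware rejected: version is not newer than installed")
)

// Update is the only path by which firmware reaches flash, whether the image
// arrives via the register, a USB cable, or at the injection facility.
// Unsigned, re-signed-by-someone-else, tampered or downgraded images are refused.
func (d *Device) Update(img FirmwareImage) error {
	if !ed25519.Verify(d.VendorPub, digest(img.Version, img.Body), img.Sig) {
		return ErrBadSignature
	}
	if img.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = img.Version
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorPub: vendorPub, Installed: 1}

	good := SignFirmware(vendorPriv, 2, []byte("constructed firmware v2"))
	fmt.Println("vendor-signed v2:", dev.Update(good))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue := SignFirmware(otherPriv, 3, []byte("constructed firmware v3"))
	fmt.Println("signed with some other key:", dev.Update(rogue))

	tampered := SignFirmware(vendorPriv, 3, []byte("constructed firmware v3"))
	tampered.Body = []byte("constructed firmware v3, modified after signing")
	fmt.Println("body modified after signing:", dev.Update(tampered))

	fmt.Println("re-install of v2:", dev.Update(good))
}
```

The anti-rollback check matters as much as the signature: without it, an older vendor-signed image with a known weakness is a perfectly valid thing to push to every lane.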


Anything tied to biometric data would need to be opt-in for many reasons. However, 3D printing a fake fingerprint to wear over your own finger can't be that far off, can it?
posted by soelo at 12:32 PM on December 19, 2013


what sucks about this is the credit monitoring stuff. so target pays for a year of credit monitoring… and then after that equifax or whoever starts charging you monthly.

at this point i can't remember if i had to give them my credit card number to sign up for the free year, but maybe it does not matter - they are credit monitoring agencies after all. even after my CC number changed, they were able to keep charging me. and they make it impossible to cancel the service online, you have to call them.

so the industry just turned fraud into yet another opportunity to make money, and that sucks.
posted by joeblough at 12:34 PM on December 19, 2013 [4 favorites]


Remember that the new PoS devices are embedded Linux hosts. If there was a vulnerable service listening that was exploited, I believe that they really could have done this over the network and exfiltrated the data the same way. That would be why it's nationwide and why they got so much of the data.

As an IT guy, I look at this and just…Do Not Want.
posted by wenestvedt at 12:37 PM on December 19, 2013


I am not looking forward to the "ARE WE VULNERABLE TO THIS?" emails I'm going to get any second now. Actually hopefully it won't be me getting them, it'll be my boss and not-boss. I do not have answers for that question.
posted by FritoKAL at 12:41 PM on December 19, 2013 [3 favorites]


I don't envy the people on the other end of the phone line for the Redcards today!

In this case, isn't it a good thing to have a Redcard CC and only use it at Target? I mean, I only use it at Target, and since it's not backed by Visa, MC, Amex, anyone who steals the number will ONLY be able to use it at Target.
posted by FJT at 1:17 PM on December 19, 2013 [1 favorite]


Why don't I think we'll see congressional hearings into Target's (and other retailers') negligence, liability and continued risks?

There was an article posted here a couple of hours ago which includes a Senate report on the data broker industry, which includes a mention of data breaches like these.
posted by RobotVoodooPower at 1:33 PM on December 19, 2013


Is there any way of finding out if they got your credit card number and they haven't used it yet? I used a Visa at Target on 12 December but there isn't anything on that card at this point but my own purchases. If it hasn't been used yet does that mean they didn't get mine?
posted by bukvich at 1:48 PM on December 19, 2013


Assuming that you've been compromised, and getting your numbers rotated, is really the best defense.
posted by mikelieman at 1:52 PM on December 19, 2013


And consider this. While Target is disclosing this, you have to wonder "How widespread are these issues, and is there ANY confidence that when my card is processed it won't be stolen???"

And the only defense to that is to just stop using your credit card until it is GUARANTEED to be secure.

Yeah, right.
posted by mikelieman at 1:53 PM on December 19, 2013


Within minutes of seeing this news, I was on the phone to my credit card company asking for a new card.

The best part of my conversation with the truly delightful Cody of customer service was "Are all those Amazon purchases yours?" Yes, they were. "How will you cope with no credit card?" No worries, I have online access to the library catalog and my library card does not need renewal for at least 3 years. That settled, we had only to decide if I needed the card NOW or if I can wait. I can wait.

Apparently some places offer you an option of getting a new card in 2 or so days by express mail for $$ (In my case it was $25). So if you are one who is unable to survive for long without a card, ask about that if you call to get a new one.
posted by AllieTessKipp at 1:57 PM on December 19, 2013


Lots of places are offering to do the express mail bit free of charge for those impacted by this. At this point, I don't know of any that are publishing this fact, but are doing it for people that ask. A case of ask and ye shall receive.
posted by stoneweaver at 2:14 PM on December 19, 2013


I don't envy the people on the other end of the phone line for the Redcards today!

In this case, isn't it a good thing to have a Redcard CC and only use it at Target? I mean, I only use it at Target, and since it's not backed by Visa, MC, Amex, anyone who steals the number will ONLY be able to use it at Target.

This is not limited to redcards.
posted by Big_B at 2:46 PM on December 19, 2013 [1 favorite]


How long does it take a bank to re-issue your credit and debit cards?

If you're with Wells Fargo, you can get a temporary debit card on the same day you go into the branch. Permanent card comes about a week later. Credit cards take up to a week and you can't get a temp one.

US Bank doesn't have the temporary, same day debit card option (at least they didn't last year). Both credit and debit cards take upwards of a week.

Not sure about other banks. If you're cancelling all your cards (and given the holidays are coming) it might be worth asking if they can express ship it and not charge you. After all, it's cheaper for them to do that than have to eat the costs of any potential fraud. My small community bank sent me an email today saying they were waiving the fees for replacement cards for anyone who wanted them.
posted by triggerfinger at 5:17 PM on December 19, 2013


Finally, an argument in favor of store credit cards: because they can't be trusted with your VISA number.
posted by ceribus peribus at 5:26 PM on December 19, 2013


the rest of the developed world already uses (also called chip-and-PIN, cards with a computer chip on them

I (an American) was just issued a new Visa with a chip. Totally improved European travel!

(Bank of America, if it matters)
posted by spitbull at 5:48 PM on December 19, 2013


Got a preemptive email from my credit union about this breach, saying they are re-issuing my card, it will arrive in 7-10 days, and my old card will work until Jan 4. Love credit unions!
posted by annsunny at 6:49 PM on December 19, 2013 [1 favorite]


Another checking in to state my fraud was to the tune of $700 in Zagreb, Croatia. Shopped at Target for all kids gifts 2 weeks ago.
posted by Jaymzifer at 6:51 PM on December 19, 2013


First: Target IT staff are victims as much as you might or might not be. Stop blaming them for this attack. They did not "let" this happen. Please save your reflexive hostilities for the fucking asshole scumbags who think being threat actors is a wonderful way to earn a living. Target IT staff and your banks are working their asses off under serious pressure to identify the fraud and take care of it. Believe me when I say people are losing sleep in a major way over this, Target does care. That this was discovered as quickly as it was indicates they have their shit together. The Heartland and TJ breaches occurred over months and months, and were not revealed for a loooong time afterwards. This was a what, a few weeks? The discovery and containment cycle Target has pulled off across almost 1700 stores is pretty fucking awesome IMO, and I wonder how many organizations would be able to do the same. I know the large, multinational retailers I worked for as a network engineer would not have been able to pull off as swift a response as Target did. So, please, a little respect, this is complicated, super-stressful and barely-worth-the-money work.

Second: I wonder if the POS terminals are running as virtual lanes on a VM and if the MSRs are dependent on the POS terminals or if they function as standalone units. If they are little Linux hosts that form encrypted tunnels to their POS lane, and if those lanes are all hosted as VMs on a server in the back office, then one could potentially break into the VM and have access to the encryption keys between the MSR and POS lane. At that point, all I need to be able to do is perform a tcpdump on the trunk port to the physical server hosting the VMs. With the encryption keys I would be able to see into the data payload of the flows between the virtual POS lane and the MSR out on the floor. I would think a lightweight app could easily watch those flows, copy out the credit card data and then send the relevant info to whatever eastern bloc crime ring was hosting this operation. The next hurdle is to get the data off a PCI-compliant network restricted from accessing the internet. This is where the beauty of a trunk port to a VM comes in: if I am on the VM management console I can see the traffic from all VLANs at the virtual switch. This allows me to run my bad application to sniff traffic on the PCI segment, while residing on a host that sits on another VLAN outside PCI scope with access to the internet. This is why trunk ports are dangerous... Anyway, if I wanted to be a total bitch and ruin someone's day by stealing their honey, that's the first place I'd go looking, which incidentally, are the first things I secured back in the day when I was designing secure and PCI-compliant network architectures for large multinational retailers...
posted by Annika Cicada at 6:57 PM on December 19, 2013 [9 favorites]
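The scope-bleed Annika Cicada describes is something you can audit for mechanically: the dangerous condition is one physical port (and therefore one hypervisor's virtual switch) carrying both PCI-scope VLANs and out-of-scope VLANs, worse still when one of the out-of-scope VLANs has internet egress. The Go program below is an added example for this thread, not the commenter's tooling or any retailer's; the port names, VLAN IDs, hostnames and policy classification are all constructed, and a real run would build the `SwitchPort` list from the switch configuration rather than inline.

```go
package main

import (
	"fmt"
	"sort"
)

// SwitchPort is a constructed model of one switch port: its mode, the VLANs
// it carries, and the device cabled to it.
type SwitchPort struct {
	Name  string
	Mode  string // "access" or "trunk"
	VLANs []int
	Host  string
}

// Policy classifies VLANs. The values used below are constructed.
type Policy struct {
	PCIScope       map[int]bool // VLANs that carry cardholder data
	InternetEgress map[int]bool // VLANs that can reach the internet
}

// Finding is one policy violation.
type Finding struct {
	Port     string
	Severity string
	Reason   string
}

// AuditPorts flags any port that delivers both in-scope and out-of-scope
// VLANs to the same attached host. On a trunk to a hypervisor that is the
// position from which software on an out-of-scope VM can watch PCI traffic at
// the virtual switch; if one of those out-of-scope VLANs also has internet
// egress, the same host has an exfiltration path, so the finding is "high".
func AuditPorts(ports []SwitchPort, pol Policy) []Finding {
	var out []Finding
	for _, p := range ports {
		var inScope, outScope, egress []int
		for _, v := range p.VLANs {
			if pol.PCIScope[v] {
				inScope = append(inScope, v)
				continue
			}
			outScope = append(outScope, v)
			if pol.InternetEgress[v] {
				egress = append(egress, v)
			}
		}
		if len(inScope) == 0 || len(outScope) == 0 {
			continue // single-scope port: fine
		}
		sev := "medium"
		reason := fmt.Sprintf("PCI VLANs %v share %s port with out-of-scope VLANs %v on host %s",
			inScope, p.Mode, outScope, p.Host)
		if len(egress) > 0 {
			sev = "high"
			reason += fmt.Sprintf("; VLANs %v have internet egress", egress)
		}
		out = append(out, Finding{Port: p.Name, Severity: sev, Reason: reason})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Port < out[j].Port })
	return out
}

// SamplePolicy: 100/101 carry POS and MSR traffic, 300 is guest wifi with
// internet access, 200 is the corporate LAN. All constructed.
func SamplePolicy() Policy {
	return Policy{
		PCIScope:       map[int]bool{100: true, 101: true},
		InternetEgress: map[int]bool{300: true},
	}
}

// SamplePorts is the weak layout: one back-office hypervisor trunked with
// every VLAN in the store, exactly the case the comment warns about.
func SamplePorts() []SwitchPort {
	return []SwitchPort{
		{Name: "Gi1/0/1", Mode: "trunk", VLANs: []int{100, 101, 200, 300}, Host: "esx-backoffice-01"},
		{Name: "Gi1/0/2", Mode: "access", VLANs: []int{100}, Host: "pinpad-lane-03"},
		{Name: "Gi1/0/3", Mode: "trunk", VLANs: []int{100, 101}, Host: "esx-pci-01"},
	}
}

// RemediatedPorts is the corrected layout: PCI VMs on their own hypervisor,
// the mixed trunk split so no single host sees both scopes.
func RemediatedPorts() []SwitchPort {
	return []SwitchPort{
		{Name: "Gi1/0/1", Mode: "trunk", VLANs: []int{200, 300}, Host: "esx-corp-01"},
		{Name: "Gi1/0/2", Mode: "access", VLANs: []int{100}, Host: "pinpad-lane-03"},
		{Name: "Gi1/0/3", Mode: "trunk", VLANs: []int{100, 101}, Host: "esx-pci-01"},
	}
}

func main() {
	for _, f := range AuditPorts(SamplePorts(), SamplePolicy()) {
		fmt.Printf("[%s] %s: %s\n", f.Severity, f.Port, f.Reason)
	}
	fmt.Println("findings after remediation:", len(AuditPorts(RemediatedPorts(), SamplePolicy())))
}
```

The check is deliberately about physical attachment rather than 802.1Q tags alone: a VLAN boundary means nothing to a process with access to the hypervisor's management plane on the same box, which is the point of the original comment.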


I wonder if the POS terminals are running as virtual lanes on a VM and if the MSRs are dependent on the POS terminals or if they function as standalone units. If they are little Linux hosts that form encrypted tunnels to their POS lane, and if those lanes are all hosted as VMs on a server in the back office, then one could potentially break into the VM and have access to the encryption keys between the MSR and POS lane.

Apparently you did not read my link to the analysis by Ars Technica

Credit card fraud comes of age with advances in point-of-sale botnets
Researchers: 20,000 cards compromised in active campaign hitting US merchants.

The answer appears to be, no, POS terminals don't have those features, until the hackers install them so they can connect to their botnet.
posted by charlie don't surf at 7:22 PM on December 19, 2013 [2 favorites]


I read about Stardust weeks ago. Maybe Dexter is in play here?

It wouldn't surprise me, but I have to say, to go from a botnet variant being released in August to full-scale compromise in November? Either inside job, or it was a different attack vector.
posted by Annika Cicada at 7:31 PM on December 19, 2013


Whose responsibility IS risk management in POS terminals processing credit cards if not the IT group responsible for the swipes?
posted by mikelieman at 7:38 PM on December 19, 2013


C-Level executives are personally liable.
posted by Annika Cicada at 7:45 PM on December 19, 2013 [1 favorite]


Well, I say that, most likely not. They are responsible, the IT staff does the best they can, it's a huge, complicated situation, and solving for unknown threats is impossible. You do the best you can, but someone will always find a way to piss in your bowl. If someone picks your pocket in a Target, was it the store manager's fault? No, they do the best they can and let law enforcement handle the rest.
posted by Annika Cicada at 7:47 PM on December 19, 2013 [2 favorites]


If someone picks your pocket in a Target, was it the store manager's fault?

I'm unsure if that's the best metaphor to use. I'm not sure we need a metaphor for the situation where Target has a clear, positive duty to do everything practicable to ensure the security of the data used to process the transaction.

I don't think that auditing and locking down the credit card terminals is unreasonable. It might not be desirable from a Target Point of View, but I'm not real concerned about how a corporation FEELS about anything.

At the very least, isn't the guy who faked the PCI compliance expected to take the fall?
posted by mikelieman at 8:28 PM on December 19, 2013


Whose responsibility IS risk management in POS terminals processing credit cards if not the IT group responsible for the swipes?

Alright, I'll go down the rabbit hole...

That requires us to look at the process of how a POS system gets implemented...

POS and MSR developers and OEMs all build their systems to a certain level of security. They are required to meet certain PCI mandates in order to call themselves PCI approved, but by no means are they required to be secure or PCI approved in order to sell to retailers. For a POS system to actually be secure and PCI approved falls on the companies that buy the software having robust security requirements that list PCI approval as a requirement.

Here's the list of PCI approved companies: https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true

Approved PIN Transaction companies: https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php

The process begins when the CIO works with the retail VP and sometimes outside consultants to begin the process of vetting POS vendors and forming high-level requirements. Once chosen those are fielded out via RFP, and eventually after extensive meetings and discussions with prospective vendors and consultants a decision is made.

Then comes the first real set of contract negotiations. The seller's and purchaser's Legal teams, Purchasing Teams, IT teams, Security Teams, Fraud Teams, Audit Teams, CIO and CFO and usually an outside consulting group all engage in a big dance of redlining and discussing and proof-of-concepting and dining and arguing and grousing until finally a Master Services Agreement, Legal Agreement, Support Agreement and Purchase Agreement are all in place. At this point about 200 people across the entire organization have all participated in building the contractual framework of what will eventually become an actually implemented POS system. That dance goes on for about 6 months before what people typically consider the "IT team" actually gets involved in a meaningful way. Usually the IT group has a pretty good say in what is purchased, but the IT team rarely has little to do with the actual decision to purchase the system. That's at a VP level and above.

So at this point, we have a legal framework in place between the POS developer and the purchasing company. The legal framework has negligence and indemnification clauses in place. This is the first place risk is managed. This has very little to do with IT. Also, this is the point at which the risk management group will sometimes work within the process to figure out how to purchase insurance policies to protect against data breaches, 50K for a stolen POS lane, 500K for a data breach of x-size and so on and so forth. That way if a qualifying event occurs, you pay the deductible and get a payout to cover the costs that come with a data breach. Those costs can be brand dilution, legal costs, lost sales, labor costs, etc.

So you have legal contracts and insurance policies at this point, with a Letter of Intent to purchase that comes with a penalty if the purchaser gets cold feet and decides to walk away.

One thing that usually shakes out of all this is a murky contractual understanding of what is considered an environmental security control (owned by the business) or an application security control (owned by the POS developer). This line is vigorously defended on both sides. Here's the first chance the IT team has to become aware of the system and start raising hackles (we're talking 3-6 months after the RFP has concluded) with the VPs and up trying to get the POS developer to fix application security holes, with the POS developer pushing back on the purchaser's security and legal teams to punt the issue back into the IT team's court. It is, um, a vigorously defended space on both sides; however, it is ultimately cheaper in the long run to put environmental controls in place, which fall upon the internal IT staff to manage and maintain, than it is to require a POS developer to re-write their app to support your particular IT security requirements.

So, the IT staff usually ends up being forced to spend an amazing amount of time engineering IT systems that place PCI-compliant security controls around POS systems that do not *quite* slot into the existing internal IT security framework just right. This space is where I earned my living as a network engineer, and I can assure you I felt zero ownership of a breach, because in my role, I was fighting not just my own PMO, Legal team, VP and CIO, but the POS developer's PMO, legal team, VP and CIO. I was placed in a position where I had to do the best I could against all odds, and everyone above me took out insurance policies to insulate themselves. So, I did the best I could because I take pride in my work and if I want a job, I have to be able to say I delivered the best possible system given the requirements, but am I responsible for a breach?

Hell No.
posted by Annika Cicada at 8:57 PM on December 19, 2013 [8 favorites]


At the very least, isn't the guy who faked the PCI compliance expected to take the fall?

Is there a link that proves this statement as true?
posted by Annika Cicada at 9:03 PM on December 19, 2013


Once again we learn the American credit card system has a fundamentally flawed security model. The whole premise of the system is your credit card number is a secret, maybe in combination with the expiration date or the CVV. Except, that's the exact same data you give to every single merchant you buy something from. It doesn't work very well.

The chip&pin system in common use in Europe is a significant improvement on security, at least for card present transactions. We don't do that in the US because the credit card companies shift the cost of fraud to the merchants and (to a lesser extent) consumers.
posted by Nelson at 2:16 AM on December 20, 2013
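Nelson's point, that the "secret" is the same static data every merchant receives, is easiest to see next to what a chip card does differently: the card holds a key that never leaves it and answers each transaction with a cryptogram bound to that merchant, amount and nonce, so a copy captured at one store is worthless at another. The Go program below is an added illustration for this thread, not code from any card network, issuer or the commenter. HMAC-SHA256 stands in for the EMV cryptogram algorithm, the issuer simply keeps a copy of the card key, and the PAN, expiry, CVV, key and merchant names are all constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Transaction is what the terminal asks the card to authorize.
type Transaction struct {
	Merchant string
	Amount   int    // cents
	Nonce    string // unpredictable number, unique per authorization
}

// Constructed test card data; not a real account.
const TestPAN = "4111111111111111"

var TestChipKey = []byte("constructed-per-card-key-0001")

// StaticCard models the magstripe / card-not-present model: the credential
// is fixed data handed to every merchant exactly as-is.
type StaticCard struct{ PAN, Expiry, CVV string }

// Present returns the same secret no matter what the transaction is.
func (c StaticCard) Present(tx Transaction) string {
	return c.PAN + "|" + c.Expiry + "|" + c.CVV
}

// ChipCard models the property that matters: a per-card key kept inside the
// chip, used to compute a cryptogram over this transaction's details.
type ChipCard struct {
	PAN string
	key []byte
}

// cryptogram binds PAN, merchant, amount and nonce under the card key.
func cryptogram(key []byte, pan string, tx Transaction) string {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%s|%s|%d|%s", pan, tx.Merchant, tx.Amount, tx.Nonce)
	return hex.EncodeToString(mac.Sum(nil))
}

// Present returns the PAN plus a cryptogram valid only for this transaction.
func (c ChipCard) Present(tx Transaction) string {
	return c.PAN + "|" + cryptogram(c.key, c.PAN, tx)
}

// Issuer holds reference data for both card types (constructed values).
type Issuer struct {
	staticRef map[string]string // PAN -> "expiry|CVV"
	cardKeys  map[string][]byte // PAN -> copy of the chip key
	seenNonce map[string]bool   // replay protection for cryptograms
}

func NewIssuer() *Issuer {
	return &Issuer{
		staticRef: map[string]string{TestPAN: "12/25|123"},
		cardKeys:  map[string][]byte{TestPAN: TestChipKey},
		seenNonce: map[string]bool{},
	}
}

// AuthorizeStatic only checks that the static data matches: whoever holds a
// copy can authorize at any merchant for any amount.
func (i *Issuer) AuthorizeStatic(cred string, tx Transaction) bool {
	parts := strings.SplitN(cred, "|", 2)
	return len(parts) == 2 && i.staticRef[parts[0]] == parts[1]
}

// AuthorizeChip recomputes the cryptogram from the issuer's key copy and the
// transaction the merchant is actually submitting, and refuses reused nonces.
func (i *Issuer) AuthorizeChip(cred string, tx Transaction) bool {
	parts := strings.SplitN(cred, "|", 2)
	if len(parts) != 2 {
		return false
	}
	key, ok := i.cardKeys[parts[0]]
	if !ok || i.seenNonce[tx.Nonce] {
		return false
	}
	expect := cryptogram(key, parts[0], tx)
	if !hmac.Equal([]byte(expect), []byte(parts[1])) {
		return false
	}
	i.seenNonce[tx.Nonce] = true
	return true
}

// ReplayOutcome captures each credential during a legitimate purchase at
// merchant A (as a skimmer or compromised POS would) and re-submits it at
// merchant B for a different amount. Returns whether each replay authorized.
func ReplayOutcome() (staticReplayOK, chipReplayOK bool) {
	iss := NewIssuer()
	sc := StaticCard{PAN: TestPAN, Expiry: "12/25", CVV: "123"}
	cc := ChipCard{PAN: TestPAN, key: TestChipKey}
	atA := Transaction{Merchant: "merchant-A", Amount: 4999, Nonce: "n1"}
	atB := Transaction{Merchant: "merchant-B", Amount: 70000, Nonce: "n2"}
	staticCred, chipCred := sc.Present(atA), cc.Present(atA) // captured here
	iss.AuthorizeStatic(staticCred, atA)                      // legitimate use
	iss.AuthorizeChip(chipCred, atA)                          // legitimate use
	return iss.AuthorizeStatic(staticCred, atB), iss.AuthorizeChip(chipCred, atB)
}

func main() {
	s, c := ReplayOutcome()
	fmt.Println("captured static data replays at another merchant:", s)
	fmt.Println("captured chip cryptogram replays at another merchant:", c)
}
```

This is also why the comment's qualifier "at least for card present transactions" matters: a chip card still carries a printable PAN, expiry and CVV for online use, and that static data remains exactly as replayable as the magstripe case.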


I thought Chip and PIN was brought in for the express purpose of shifting the responsibility of fraud on to the consumer. As it turned out the card companies realised this was a stupid idea because accuse too many people of "not securing their PIN" and everyone will just stop using your cards.
posted by fullerine at 2:24 AM on December 20, 2013


Is there a link that proves this statement as true?

If everything was done 'by the book', this incident would not have happened. The fact that it happened shows the system failed, and since it rotates around the CIO/VP who signs off on PCI compliance, shouldn't THEY be held accountable?

And you not feeling ownership of your area of responsibility? That's an issue between you and your boss. From where I sit, **EVERYONE** in the chain of processing the transaction is responsible for the security of the data entrusted to them. That's a problem between ME and your boss. That's how I see it.

Failure all up and down the line. 40 million Americans' financial security put at risk, and I still suspect there won't be ONE congressional hearing to 'get to the bottom of this'...
posted by mikelieman at 5:35 AM on December 20, 2013


So, the IT staff usually ends up being forced to spend an amazing amount of time engineering IT systems that place PCI-compliant security controls around POS systems that do not *quite* slot into the existing internal IT security framework just right.

And this is why I love the retailer I work for. I (normally) get input on these things when we're talking to vendors and looking at solutions. Our management is committed to security requirements being part of the purchase process.

If everything was done 'by the book', this incident would not have happened. The fact that it happened shows the system failed, and since it rotates around the CIO/VP who signs off on PCI compliance, shouldn't THEY be held accountable?

Wrong on two counts. First, perfect security is impossible except in formally verified systems that are small and cost prohibitive to develop for anything short of national defense applications. There is _always_ residual risk.

Secondly, with a retailer of Target's size, they're required to receive an independent 3rd party's attestation of compliance -- basically a clean audit report. So it's not just a VP sign off; most in house blue teams (defenders) don't have rock star red team (attacker/penetration tester) skills to validate the results of the 3rd party test themselves, and you often run into the case that the business is reporting inaccurate information about security configurations to the infosec team. The responsibility for residual risk falls on a lot of different people.

Again, it's too early to say Target was irresponsible, and it's too early to say Target is completely a sympathetic victim. We need technical details on how this happened, and we need discussion in the community as to whether this was a novel attack or whether this was just a shitshow of security practice.
posted by bfranklin at 5:55 AM on December 20, 2013 [2 favorites]


I asked "am I responsible for a breach" and the answer is "hell no" because I do things to the best of my ability given the context and situation I am in. I may FEEL responsible, which is something different. If someone launches an APT at me, it's impossible to prevent an attack from succeeding 100% of the time. You fall back to forensics and law enforcement in those cases that are successful.

I can't speak for target, but I have over the years interviewed people for various positions from target and they have always been really on the ball. So, I guess if Target is like the places I've worked there are most likely dedicated people doing everything they can. Maybe someone did something wrong, was it negligent? I don't know. But I do know it's hardly a simple situation for them right now and I don't want to speak ill of anyone having to deal with the process of disclosing a data breach of this magnitude.
posted by Annika Cicada at 6:35 AM on December 20, 2013


If everything was done 'by the book', this incident would not have happened.

Not necessarily the case, there may have been a flaw in 'the book.'
posted by Mick at 6:36 AM on December 20, 2013


Doesn't the IT director have a duty to ensure the 3rd party's attestation isn't false? And from what I've seen from the inside of that particular sausage factory, that's a pretty good assumption to begin with... UNLESS you have a vested interest in not looking too hard.

Terry Pratchett, Making Money:
He should have gone down to the vaults on day one, with an alchemist and a lawyer in tow. Didn’t they ever audit the vaults? Was it done by a bunch of jolly decent chaps who’d poke their head into some other chap’s vault and sign off on it quickly, so’s not to miss lunch? Can’t go doubting a chap’s word, eh? Especially when you didn’t want him to doubt yours.
posted by mikelieman at 6:41 AM on December 20, 2013


Here is what happens to the card numbers once they have been stolen.
"Cards stolen in Target breach flood underground markets. I follow one bank down the rabbit hole." "Amazing part about this card shop selling cards stolen from target shoppers: includes city, state, zip of store cards were stolen from, allowing buyers to pick cards stolen from stores near them, to avoid banks blocking out-of-state transactions on known compromised cards."
posted by gemmy at 7:29 AM on December 20, 2013


Annika Cicada, your updates have been really interesting. I'm a programmer but I don't deal with financial data or embedded systems like POS. It's got to be just mind-bogglingly difficult to handle the sorts of situations that come up, especially given the way decisions get made. My personal experience with systems purchases is that ground-level IT/dev people are rarely involved until after the big players (C-level, vendor's Sales VP, etc.) have done their work. Tough place to be.
posted by freecellwizard at 7:38 AM on December 20, 2013 [1 favorite]


In a sausage factory bacteria grow under highly understood conditions that can be mitigated fairly inexpensively; it's a hassle but it's a solvable problem. (One of the retailers I worked for was a food retailer, and I worked closely with people who developed meat quality standards, so I have an idea of what I am talking about here.)

In IT, on the other hand, you are trying to mitigate terrible excuses for human beings whose only goal is to compromise your systems. They are irrational actors; you can try to prevent them from succeeding, but at some point they *will* get through. No matter what the playbook, because they are not playing by any playbook, the moment the words are typed into the playbook it's no good. It's a losing battle in the end.

Threat Actors are not bacteria. They are more like weaponized anthrax.

Here's a nice visualization of the problem: Digital Attack Map
posted by Annika Cicada at 7:41 AM on December 20, 2013 [1 favorite]


Can someone who knows such things tell who actually ends up paying for the fraudulent transactions?

I mean, I know that because of Regulation E and the bank, Visa, MC, etc. policies that take steps beyond it that card holders get reimbursed for any fraudulent transactions. My impression has always been that the bank reimburses the customer and the merchant reimburses the bank. Is that true? Are there more steps after that?
posted by VTX at 8:04 AM on December 20, 2013


I keep reading "PoS" as "Piece of Shit" rather than "Point of Sale". Shows you where my mind is.
If you work in retail, the two are normally pretty synonymous.

Yes, that's what we flat out call the "PoS" on the purchasing system at my volunteer job.

I did wander into Target during that time period, but didn't actually bother to buy any of the stuff I was pondering buying.* WHEW, because finding this out right now would be a whopping pain in the ass.

* No, I didn't shoplift it instead either.
posted by jenfullmoon at 8:34 AM on December 20, 2013


Annika Cicada: I was placed in a position where I had to do the best I could against all odds, and everyone above me took out insurance policies to insulate themselves. So, I did the best I could because I take pride in my work and if I want a job, I have to be able to say I delivered the best possible system given the requirements, but am I responsible for a breach?

Hell No.


The acquisition process described seems pretty accurate, and this last note -- that front-line IT staff do the heavy lifting of the implementation & risk mitigation while everyone else holds meetings and then flees, protected by layers of legal protection -- is the galling reality. There's a reason that the letters "P-C-I" send most IT staff out into the hallway, preemptively flinching and looking a little sick.
posted by wenestvedt at 8:48 AM on December 20, 2013


A key word often overlooked in this area is "risk" because (as was pointed out upthread) it's damn near impossible to make anything provably secure.

So your organization draws up a list of possible Bad Days -- think someone un-ironically musing, "What could possibly go wrong?" -- and then each of those gets thought through. Someone gives it a value for the "impact" metric, and one for the "likelihood" metric, and the product of those two numbers is used to assess the scale of the risk. (This is, of course, just an example of how it gets done.)

After leadership goes through the list, at some point they draw a line and say, "We'll pay for the really bad stuff" -- which is above that line -- "but not for the little things" below the line. Someone throws together a risk acceptance form, somebody else gulps hard and signs it, and you roll out the product.

PCI-DSS requires that you do some of the stuff you don't want to (usually because it's so expensive), but the key is that not all risks can be mitigated, and some must be accepted.
posted by wenestvedt at 8:58 AM on December 20, 2013 [1 favorite]
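The impact-times-likelihood triage, the acceptance line, and the "somebody gulps hard and signs it" step from the comment above, worked through as an added example (this is not a commenter's code or any standard's method). The 1-5 scales, the threshold of 10, and the sample "Bad Days" are constructed assumptions; it also carries the residual-risk idea from earlier in the thread, so a treated risk whose control does not get it under the line is surfaced rather than quietly forgotten.

```python
"""Risk register walk-through: impact x likelihood, an acceptance line, signed
acceptances, and residual scores for what leadership chose to pay for.

Added illustration; the 1-5 scales, the threshold and the sample risks are
constructed assumptions, not any organisation's real register.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Risk:
    name: str
    impact: int          # 1 (nuisance) .. 5 (business-ending); assumed scale
    likelihood: int      # 1 (rare) .. 5 (expected this year); assumed scale
    # Filled in only when leadership decides to pay for a control.
    control: Optional[str] = None
    residual_impact: Optional[int] = None
    residual_likelihood: Optional[int] = None

    def __post_init__(self) -> None:
        for v in (self.impact, self.likelihood):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: metrics must be on the 1-5 scale")

    def inherent_score(self) -> int:
        """Impact x likelihood before any control is applied."""
        return self.impact * self.likelihood

    def residual_score(self) -> int:
        """Score after the control; equals the inherent score when nothing was done."""
        if self.control is None:
            return self.inherent_score()
        return self.residual_impact * self.residual_likelihood


def draw_the_line(risks: List[Risk], threshold: int) -> Tuple[List[Risk], List[Risk]]:
    """Split the register at the acceptance line. Everything scoring at or above
    the threshold must be treated; the rest are candidates for acceptance."""
    ranked = sorted(risks, key=lambda r: r.inherent_score(), reverse=True)
    treat = [r for r in ranked if r.inherent_score() >= threshold]
    accept = [r for r in ranked if r.inherent_score() < threshold]
    return treat, accept


def sign_acceptance(risk: Risk, owner: str, justification: str) -> Dict[str, object]:
    """The risk acceptance form: only valid with a named owner and a written reason."""
    if not owner.strip() or not justification.strip():
        raise ValueError(f"{risk.name}: acceptance needs a named owner and a justification")
    return {"risk": risk.name, "score": risk.inherent_score(),
            "owner": owner, "justification": justification}


def open_residuals(treated: List[Risk], threshold: int) -> List[str]:
    """Treated risks whose residual score is still at or above the line. The
    control bought the number down but not under the threshold, so these need a
    second decision (more controls or an explicit acceptance), not silence."""
    return [r.name for r in treated if r.residual_score() >= threshold]


def sample_register() -> List[Risk]:
    """Constructed sample 'Bad Days' for a card-accepting retailer."""
    return [
        # Segmentation lowers the likelihood, but the impact of a card-data loss stays at 5.
        Risk("POS memory-scraping malware exfiltrates card data", impact=5, likelihood=3,
             control="network segmentation + egress filtering",
             residual_impact=5, residual_likelihood=2),
        Risk("Third-party attestation misses a misconfigured system", impact=4, likelihood=3,
             control="in-house validation of the auditor's sample",
             residual_impact=4, residual_likelihood=2),
        Risk("Store manager's tablet lost in a taxi", impact=2, likelihood=4),
        Risk("Printer firmware unpatched for a year", impact=2, likelihood=2),
    ]


if __name__ == "__main__":
    treat, accept = draw_the_line(sample_register(), threshold=10)
    print("treat:", [(r.name, r.inherent_score()) for r in treat])
    print("accept:", [(r.name, r.inherent_score()) for r in accept])
    print("still above the line after controls:", open_residuals(treat, 10))
```

The point the numbers make is the one the comment makes: the line is a management decision, and the form matters because it records who took the residual risk, not because it makes the risk go away.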


You knew this was coming, didn't you?
Target is warning customers of phishing emails after more than 40 million credit and debit card accounts were stolen from the company during the holiday shopping season.

The retailer announced Tuesday that it has learned of some incidents of scam emails related to the data breach and is setting up a section of its corporate website to post copies of all official communication.
posted by Chocolate Pickle at 1:52 PM on December 24, 2013


"Krebs sifted through posts from a series of shady forums, some dating back to 2008, to determine the likely real-life identity of one fraudster [behind the recent Target credit card hack]. He even turns down a $10,000 bribe offer to keep the information under wraps." (/.)
posted by jeffburdges at 8:00 AM on December 25, 2013 [1 favorite]


Wow, I just received and activated a replacement debit card. That was fast. But why doesn't the whole credit card industry take this opportunity to update to smart cards with an encryption chip?
posted by charlie don't surf at 2:40 PM on December 27, 2013


I've never researched actual ownership, lobbyist presence, etc., but... I've always assumed American companies avoided smart cards because some Europeans owned the patent, while Americans foisted their asinine RFID passport technology onto everyone because Americans owned those patents.
posted by jeffburdges at 7:26 PM on December 27, 2013


I think the appalling US credit card security is just a cost issue. It's expensive to issue Chip & PIN readers to merchants, so why not just accept some fraud and pass the cost on to merchants and customers? Also the chip systems don't really solve online payments (although some countries have awkward systems that try.)
posted by Nelson at 7:44 PM on December 27, 2013


But why doesn't the whole credit card industry take this opportunity to update to smart cards with an encryption chip?

Because production time is not instantaneous. Rolling out a chip card requires a designer to design the card, production time, imprint time, new mailers, FAQ development, contact center support, etc. etc. Many many financial institutions are already in the process of rolling out chip cards, but it is a multi-year process. Not to mention the budget - chip cards are much more expensive to produce, so no one had money lying around in their 2013 budget to switch over to cards that cost twice as much. Lucky that it's budget season and these things can be budgeted for next year. Lots of FIs have already been in the planning and project portions of moving to chip and pin (and can provide the "beta" cards if requested), but it won't be until it's mandated that all cards go EMV that they'll toss the old cheap plastics.
posted by stoneweaver at 9:52 PM on December 28, 2013


The acquisition process described seems pretty accurate,

Late to the party but having worked in several companies with a heavily used IT department, usually there is an unpleasant IT head who knew about this from the very beginning and didn't want to take on the project because they couldn't understand the business need, or felt it was a waste of their time, so repeatedly declined to attend said meetings or send staff. Then, once the business gets to the letter of intent stage, said IT lead kicks up a storm demanding to know why they weren't included, but no one, not even the CEO, dares call them on it because they hold the keys to the kingdom.

If this had happened once, or at just one company, I would assume it was a one-off thing. But this process has happened in almost the same way at every place I've worked, and it's a well-known problem many colleagues have faced. So those network engineers who think you were brought in too late on the project: have a word with the people who were involved early on. Chances are good IT was not only invited, but begged to participate.

Maybe it's just my small sphere of the world. But I doubt it.
posted by [insert clever name here] at 10:45 PM on December 29, 2013 [1 favorite]


Because production time is not instantaneous.

That's not the problem. France has had Chip and PIN since 1995. The reason we don't have Chip & PIN in the States is because the US credit card companies haven't had any reason to introduce it.
posted by Nelson at 2:21 AM on December 30, 2013


The U.S. government today sent a 16-page letter to retailers, about the attack and what to look for. Looks like this might not be limited to Target and NM, not by a long shot.

From the blog of the cyber security agency that consults with the Secret Service:

iSIGHT Partners, working with the U.S. Secret Service, has determined that a new piece of malicious software has potentially infected a large number of retail information systems. This software can find, store, and then transmit sensitive information such as credit card and PIN numbers.

What does this mean?
The identification and dissection of the malicious code provides two immediately important insights:
1. Recent retailer data breaches may not have been targeted attacks, but may well be part of a broader data theft scheme focused on many operators of point-of-sale systems
2. The scope, scale, and reach of recent data breaches is not yet known

posted by jbickers at 1:23 PM on January 16


I got this email today! Apparently information "including name, mailing address, phone number or email address, was also taken." So that's swell.
posted by Elementary Penguin at 5:55 AM on January 17


I got the same e-mail, Elementary Penguin. Target's got the official text of the notice on their site.

What's really strange is that I don't have a target.com account, Target loyalty card, etc. and have never given Target my e-mail address. So I was completely mystified as to how they could have acquired and then lost my e-mail address.

However, I was able to track down the e-mail address. It was one that I had on my Amazon account in 2003. It turns out in 2003 I purchased something from Amazon which was actually a "target.direct" item (Target used to use Amazon for online sales).

Very annoying. I guess I'm now eligible for a year of free credit monitoring. Yay.
posted by RichardP at 6:17 AM on January 17 [1 favorite]


Man, if only we had some actual laws that were enforced or regulation or something that would teach people lessons like, it's LESS expensive to follow the rules.

I think Target should -- in a small effort to begin repairing the damage to their customers -- refund all the charges at any Target store on any affected card during the time in question. Yeah, they'll take a hit, but they can argue about it with their insurers or whatever. Charge it to "Customer Goodwill" and go to lunch early, I guess.
posted by mikelieman at 8:42 AM on January 17 [1 favorite]


Wired Threat Level: The Malware That Duped Target Has Been Found
Washington Post: Target breach may be part of wider attack

These kinds of attacks seem inevitable to me and my guess is this particular breach is just the first big one that happened to become public. The underlying security design of the credit card system is the flaw here and as long as our payment systems keep pretending that a 16-digit number is a secret they will be vulnerable.
posted by Nelson at 9:46 AM on January 17
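An added example, not code from the thread or from any payment network, that shows concretely what the "16-digit number is not a secret" comment above and the earlier chip-card exchange are getting at. It models two issuers side by side: a magstripe issuer that compares static data (so a captured copy authorizes again), and a chip issuer that checks a per-transaction cryptogram over a terminal nonce and a card-side transaction counter (so the same captured data is refused). The model is a deliberate simplification of EMV's online cryptogram: real cards derive session keys and use a 3DES/AES MAC (the ARQC); here an HMAC-SHA256 stands in, and the card numbers and key are constructed test values.

```python
"""Static card data versus a per-transaction cryptogram.

Added illustration, simplified on purpose: the HMAC here stands in for EMV's
ARQC, and the PAN, key and amounts are constructed test values, not real ones.
The two properties that make the chip path replay-resistant are the ones shown:
a fresh unpredictable number from the terminal and a counter that only goes up.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple


# --- Magnetic stripe: the "secret" is static data copied off the card ----------

@dataclass
class MagstripeCard:
    pan: str      # the 16-digit primary account number
    expiry: str
    cvv: str      # just as static as the PAN, so it travels with it

    def present(self) -> Dict[str, str]:
        """Everything the terminal reads is identical on every transaction."""
        return {"pan": self.pan, "expiry": self.expiry, "cvv": self.cvv}


class MagstripeIssuer:
    def __init__(self, cards: List[MagstripeCard]):
        self.cards = {c.pan: c for c in cards}

    def authorize(self, data: Dict[str, str], amount_cents: int) -> bool:
        """Static comparison: anyone holding a copy of the data passes."""
        card = self.cards.get(data["pan"])
        return card is not None and data["expiry"] == card.expiry and data["cvv"] == card.cvv


# --- Chip: the card proves it holds a key without ever revealing it ------------

def _mac(key: bytes, pan: str, atc: int, nonce: bytes, amount_cents: int) -> bytes:
    """Simplified cryptogram: HMAC-SHA256 over the transaction fields, truncated to 8 bytes."""
    msg = b"|".join([pan.encode(), str(atc).encode(), nonce, str(amount_cents).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class ChipCard:
    pan: str
    key: bytes    # per-card key shared only with the issuer; never leaves the chip
    atc: int = 0  # application transaction counter, incremented on every use

    def generate_cryptogram(self, terminal_nonce: bytes, amount_cents: int) -> Dict[str, object]:
        self.atc += 1
        mac = _mac(self.key, self.pan, self.atc, terminal_nonce, amount_cents)
        return {"pan": self.pan, "atc": self.atc, "nonce": terminal_nonce,
                "amount": amount_cents, "cryptogram": mac}


class ChipIssuer:
    def __init__(self, cards: List[ChipCard]):
        self.keys = {c.pan: c.key for c in cards}
        self.last_atc = {c.pan: 0 for c in cards}

    def authorize(self, data: Dict[str, object], terminal_nonce: bytes, amount_cents: int) -> bool:
        key = self.keys.get(data["pan"])
        if key is None:
            return False
        # The nonce must be the one *this* terminal issued for *this* transaction.
        if data["nonce"] != terminal_nonce or data["amount"] != amount_cents:
            return False
        # A counter that has not advanced means a replay (or a cloned card).
        if data["atc"] <= self.last_atc[data["pan"]]:
            return False
        expected = _mac(key, data["pan"], data["atc"], terminal_nonce, amount_cents)
        if not hmac.compare_digest(expected, data["cryptogram"]):
            return False
        self.last_atc[data["pan"]] = data["atc"]
        return True


def chip_purchase(card: ChipCard, issuer: ChipIssuer, amount_cents: int) -> Tuple[bool, Dict[str, object]]:
    """Terminal side: pick a fresh unpredictable number, ask the card, ask the issuer."""
    nonce = secrets.token_bytes(4)
    data = card.generate_cryptogram(nonce, amount_cents)
    return issuer.authorize(data, nonce, amount_cents), data


def replay_demo() -> Dict[str, bool]:
    """One genuine purchase on each card type, then re-submission of the captured data."""
    stripe = MagstripeCard(pan="4111111111111111", expiry="12/15", cvv="123")   # constructed
    stripe_issuer = MagstripeIssuer([stripe])
    captured = stripe.present()  # what a memory scraper on the POS would see

    chip = ChipCard(pan="4111111111111111",
                    key=bytes.fromhex("00112233445566778899aabbccddeeff"))    # constructed
    chip_issuer = ChipIssuer([chip])
    ok_first, chip_captured = chip_purchase(chip, chip_issuer, 4999)

    return {
        "magstripe_first": stripe_issuer.authorize(captured, 4999),
        "magstripe_replay": stripe_issuer.authorize(captured, 4999),
        "chip_first": ok_first,
        # Replayed through another terminal: that terminal's nonce does not match.
        "chip_replay_new_terminal": chip_issuer.authorize(chip_captured, secrets.token_bytes(4), 4999),
        # Even with the original nonce and amount, the counter value has been seen already.
        "chip_replay_same_nonce": chip_issuer.authorize(chip_captured, chip_captured["nonce"], 4999),
    }


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name:26} {'authorized' if ok else 'declined'}")
```

The chip path is not magic: if the card key or the issuer's key store leaks, the guarantee is gone, and card-not-present (online) payments still ride on the static number, which is the gap Nelson's earlier comment about online payments points at.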


KAPTOXA Point-of-Sale Compromise (PDF): iSight's report.
posted by Nelson at 10:30 AM on January 17

