A few security lessons from the Target breach



#1 LilBambi

Posted 29 January 2014 - 04:11 PM

A few security lessons from the Target Breach by Susan Bradley, WindowsSecrets.com


"The Target breach points out some facts of life on the Web: We’re all targets (pun intended) of cyber thieves.


Fortunately, there are steps we can take to protect ourselves. Here’s how to protect yourself from the next big breach.


I am a target. I shop online, I shop in large department stores, and I regularly use credit and debit cards. Shopping at large stores that process thousands of sales daily makes me even more of a target, because my transaction information (name, account number, etc.) gets combined with that of all other shoppers. And I became a potential victim when I shopped at Target this past Christmas shopping season.


These days, every time I swipe my credit card on a point-of-sale system, I think to myself: “Is this vendor doing all they can to keep me safe?” Retail companies believe they are; claiming that by following the Payment Card Industry (PCI) standards, they’re doing all they can to keep customer credit-card information safe. But I’m not convinced — especially in the U.S. European credit cards are considered more difficult to hack because they use an onboard security chip rather than the magnetic stripe common on U.S. cards."

 
This is so true! The article covers some great topics regarding malware designed to attack retail point-of-sale systems, "When fishing, go for the biggest catch", and "Ways to help protect yourself from POS attacks".
 
I thought it was a must read. I also thought this article from Wired.com was also a must read:
 
Target Got Hacked Hard in 2005. Here’s Why They Let It Happen Again by Kim Zetter – Wired Threat Level
 

"A gang of shadowy hackers tears through the systems of big-box retailers, making off with millions of credit and debit card numbers in a matter of weeks and generating headlines around the country.


Target and Neiman Marcus last week? Nope. This oh-so-familiar attack occurred in 2005.


That’s when Albert Gonzalez and cohorts – including two Russian accomplices — launched a three-year digital rampage through the networks of Target, TJ Maxx, and about half a dozen other companies, absconding with data for more than 120 million credit and debit card accounts. Gonzalez and other members of his team eventually were caught; he’s serving two concurrent sentences for his role, amounting to 20 years and a day in prison, but the big-box breaches go on.


The latest string of hacks attacking Target, Neiman Marcus, and others raise an obvious question: How is it that nearly a decade after the Gonzalez gang pulled off its heists, little has changed in the protection of bank card data?"

 
Oh, and just in case you have forgotten them all (I did!), here is a list of all the others:
 

"Target got off easy in the first breach: A spokeswoman told Reuters an “extremely limited” number of payment card numbers were stolen from the company by Gonzalez and his gang. The other companies weren’t as lucky: TJX, Hannaford Brothers grocery chain, the Dave & Busters restaurant chain, Office Max, 7-Eleven, BJ’s Wholesale Club, Barnes & Noble, JC Penney, and, most severely, Heartland Payment Systems, were hit hard."


BOLD emphasis mine.
 
Again, much more in the article, including the sections "What the Target Thieves Got", "Inherent Flaws In the System", and the most telling section, "Retailers Oppose Tougher Standards".
And as if that wasn't bad enough, on January 25th, Michaels too:
 
Sources: Card Breach at Michaels Stores by Brian Krebs – KrebsOnSecurity.com
 

Multiple sources in the banking industry say they are tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc., an Irving, Texas-based arts-and-crafts retailer that maintains more than 1,250 stores across the United States.


Update 1:34 p.m. ET: The U.S. Secret Service confirmed that it is investigating a potential data breach at Michaels. Also, Michaels has just issued a statement stating that it “recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.”

 
I think Gartner’s analyst Avivah Litan’s quote in the January 17 2014 Wired Threat Level article noted above was spot on:
 

“It’s a big failure of the whole industry,” says Gartner analyst Avivah Litan. “This is going to keep getting worse, and this was totally predictable a few years ago and no one did anything. Everyone got worked up, and no one did anything.”

 
Often these days, I will get cash from the bank and use that instead of the card if I plan on visiting any retailers that have been a part of a security breach, which sadly leaves few retailers where you can actually feel comfortable using your credit/debit cards, online and off.
 
I wonder how many others will do the same rather than chance the annoyance, the fear of losing your hard-earned money, the frustration of being without a card while it's replaced (when they disable the current one that's been compromised in a security breach or used in a fraudulent transaction after a breach; even if it's limited to $50 or whatever, that's really not much help for the anxiety it puts people through), and finally, of course, dealing with the aftermath of your information being at large and the potential of someone using that information to impersonate you… Believe me, 6 or 12 months of credit monitoring does not help that much, or help you sleep at night knowing all that information is out there and could be used, as more and more of your information is made available through these breaches.
 
If retailers and credit/debit card companies want our ‘faith’ in them, and have us get the warm fuzzies regarding them being responsible enough to be trusted with other people’s money, they need to do what’s needed to get that faith back. Period.
 
And skimping on it like they did in 2005 won’t cut it, nor will the PCI compliance standards and the blame game. Something really needs to be done about this. People need to feel comfortable using credit/debit cards or they (credit/debit cards) will go the way of the dodo.
 
Fix the problem, not the blame.*
 
* Thanks to the movie, Rising Sun for the quote.
 
BTW: Might want to check out the Privacy Rights Clearinghouse and their page on data breaches since 2005. There have been quite a few more than just those noted in this posting!
 
How are you dealing with these issues? Does this stuff bother you? Are you concerned someone will steal your credit or debit cards, or even your identity?
 
I just saw another article up on Reddit that deals with that a bit: How I lost my $50,000 Twitter Account - TheNextWeb:
 

"PayPal and GoDaddy Facilitated The Attack


I asked the attacker how my GoDaddy account was compromised and received this response:


From: SOCIAL MEDIA KING

To: <*****@*****.***> Naoki Hiroshima

Date: Mon, 20 Jan 2014 19:53:52 -0800

Subject: RE: …hello


- I called paypal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling paypal and asking the agent to add a note to your account to not release any details via phone)


- I called godaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case) I have not found a way to heighten godaddy account security, however if you’d like me to recommend a more secure registrar i recommend: NameCheap or eNom (not network solutions but enom.com)


It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification."

 
The entire article is very scary.

Bambi
AKA Fran
My Public Key for Email :: BambisMusings Blog
"The Net interprets censorship as damage and routes around it." ~John Gilmore (Time Magazine, Dec 6, 1993)

