
Target Credit Card Data Was Sent To a Server In Russia

Soulskill posted about 10 months ago | from the really-just-a-misformatted-order-for-vodka dept.

Security 137

angry tapir writes "The stolen credit card numbers of millions of Target shoppers took an international trip — to Russia. A peek inside the malicious software that infected Target's POS (point-of-sale) terminals is revealing more detail about the methods of the attackers as security researchers investigate one of the most devastating data breaches in history. Findings from two security companies show the attackers breached Target's network and stayed undetected for more than two weeks. Over two weeks, the malware collected 11GB of data from Target's POS terminals. The data was first quietly moved to another server on Target's network and then transmitted in chunks to a U.S.-based server that the attackers had hijacked. Logs from that compromised server show the data was moved again to a server based in Russia starting on Dec. 2." A related article at Wired points out that Target suffered a similar breach in 2005, and apparently didn't learn its lesson.


POS (5, Funny)

tompatman (936656) | about 10 months ago | (#45985635)

Target's terminals are aptly named.

Re: POS (5, Insightful)

Anonymous Coward | about 10 months ago | (#45985725)

Considering that the terminals in question were running un-patched, net booted XP SP2 WinPE instances with an old Java 4 version, the fact that there were attack vectors should be a long ways from shocking.

Re: POS (5, Insightful)

Anonymous Coward | about 10 months ago | (#45985855)

Target doesn't really care. They had $100 million in cyber security insurance so most of the cost of this will be covered. AFA the public not trusting Target, well, it will pass quickly because the masses have a short attention span.

Re: POS (0)

Anonymous Coward | about 10 months ago | (#45985885)

Do you think their insurance rates might, just might, go up? Do you think their reputation might, just might, suffer a bit? Yeah, they care.

Re: POS (5, Interesting)

Anonymous Coward | about 10 months ago | (#45986153)

They might care, but I can bet their solution will be more bureaucracy rather than better technology. There are likely IT people within the company that see the problems and know how to fix them but they will be ignored. CxO types hate those annoying IT people that are always complaining about security. They will bring in a solution sold by a slick sales person at a major company.

Target outsourced IT operations (3, Insightful)

Joe_Dragon (2206452) | about 10 months ago | (#45986383)

Target outsourced IT operations and field work is subbed out as well.

So maybe the IT people within the company that see the problems and may know how to fix them are so far apart from the people who work that team that they can't get stuff done, or things are set up that way so it's easier to sub work out vs locking stuff down and giving each subcontractor their own logins / private email / info on the system.

Using common logins / just giving the info to contractors who then give that info out to the subcontractors is easier and makes it easier to change firms on each level. But then that info may not get changed / ends up in the hands of non-tech people who may not give it the security it needs.

Re: POS (2)

chipperdog (169552) | about 10 months ago | (#45988263)

I usually don't post comments asking people with moderator points to mod a comment up, but mod up this parent....

There are likely IT people within the company that see the problems and know how to fix them but they will be ignored. CxO types hate those annoying IT people that are always complaining about security. They will bring in a solution sold by a slick sales person at a major company.

Is likely the most accurate statement I've seen in a while. In my 20+ years in the tech/IT/OT field, what a salesman is selling to (non-tech) management seems to trump the feedback that is received from tech departments. Case in point, just this week there is a copier/printer vendor that insists on installing a software agent [fmaudit.com] that is supposed to report back meter readings and troubleshooting info to them (and "managing our printing costs"), but looking into it, it has the capability of scanning the entire network and reporting on every device it sees. As lead network and systems administrator, I say no way will I allow an externally controlled and reporting network scanner on any of our secure networks - and I'm being framed as being uncooperative, not considering my report that the vendor solution will break many layers of security... I may have to make sure the agent is disallowed in group policy, in case it can be installed in user space without elevated rights on the machines (wouldn't surprise me if they just try installing it on a user's workstation)...

Re: POS (4, Informative)

jythie (914043) | about 10 months ago | (#45986609)

It is also possible that their underwriters could claim that Target did not take due diligence in protecting its network and thus a full payout is not warranted. Insurance companies do not like being treated like a blank check to not take precautions.

Re: POS (4, Interesting)

ChromaticDragon (1034458) | about 10 months ago | (#45986035)

I am curious regarding your information. Got source?

Last I'd heard, the expected sum of lawsuits, settlements, fines, etc. would be WELL over $100mil (as in several times that). Apparently, for reference, a similar breach, TJ Maxx, ended up being closer to $200mil.

Furthermore, it seems Target was self-insured for this. So it isn't quite correct to think they will glibly hand this bill to an insurer - they ARE their own insurer.

Re: POS (1)

Anonymous Coward | about 10 months ago | (#45986131)

Here's one [businessinsurance.com]

Re: POS (2)

egcagrac0 (1410377) | about 10 months ago | (#45986471)

Last I'd heard, the expected sum of lawsuits, settlements, fines, etc. would be WELL over $100mil (as in several times that). Apparently, for reference, a similar breach, TJ Maxx, ended up being closer to $200mil.

While $200 million is a lot of money to a lot of people, it's less than 10% of Target's typical annual profit. Some financial summaries [target.com]

So yes, it will sting a bit, but it's not going to put them under.

Re: POS (1)

NatasRevol (731260) | about 10 months ago | (#45986853)

And on the plus side, it will hurt the CxO types (less bonuses & dividends) who would have blocked the decision to upgrade to a better, but more expensive, POS.

Re: POS (1)

gl4ss (559668) | about 10 months ago | (#45986109)

there shouldn't be insurance for breaking the rules.

the insurance company should just fuck 'em at this point for not keeping up their part of the deal - there's certain ways of acting that was expected from target - and well, if they happen this often then they should charge them 15 million per year for the insurance at least.

oh and you know, the fucking big cc companies should just treat them the same as any smaller business, but they don't. if some mom'n'pop had similar happening they wouldn't be charging any credit cards anytime soon.

Re: POS (5, Interesting)

Megane (129182) | about 10 months ago | (#45986077)

The thing that bugs me most is that they were on a network that was routed to the entire internet. Yeah, I don't think a POS terminal needs to be able to check Google or Facebook, much less "chernyykhod.ru". Even simply putting them on a VLAN with a very restrictive firewall to the public internet would have avoided the problem. And an RFC-1918 network doesn't count if it's behind a NAT router, since these packets went outbound from the POS. Belt and suspenders.

Re: POS (0)

Anonymous Coward | about 10 months ago | (#45986461)

They do when your POS system is hosted for you by some other company in a well known city, and the only way to reach them is via throwing an IPSEC Tunnel up over a public internet connection. However, that isn't to say that Target couldn't have put a firewall rule or two on those ASAs that they have installed at all of their sites to facilitate said L2L VPN.

Re: POS (4, Informative)

mythosaz (572040) | about 10 months ago | (#45987627)

Doesn't appear that way to me..

The actual report on the software installed on the agent makes it pretty clear that the information was being gathered locally and forwarded internally to a collection point before being sent to Russia, like I suggested in previous threads:

http://krebsonsecurity.com/wp-content/uploads/2014/01/POSWDS-ThreatExpert-Report.pdf [krebsonsecurity.com]

The point of sale machines try to make a connection to \\10.116.240.31\c$\WINDOWS\twain_32 -- an obvious store-and-forward point on the network for exporting the card data outside of Target. Hackers compromised this box, likely named ttcopscli3acs, since the credentials passed to 10.116.240.31 were ttcopscli3acs\Best1_user with a password of BackupU$r.

It also made port 80 requests to 10.116.240.31 -- the server the hackers "owned" inside of Target.

The rest of the breakdown only details the registry changes that happen when you install a service -- which was the install vector. There isn't a discussion of how the skimming/scanning/card-stealing software was distributed, but...

IT WAS OBVIOUS THEY WERE ALREADY INSIDE THE NETWORK - they (p)owned servers - so it's a reasonable guess that they just deployed the software without needing any hole on the workstations.

The twain_32 folder is one of those things that casual inspection would overlook - and obviously did.
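Megane's and mythosaz's comments above describe the two controls that would have changed this picture: a POS segment that cannot reach the public Internet even through NAT, and nothing on that segment being allowed to open an admin share on an arbitrary internal box. The following is an added example, not code from the thread, from Target, or from any vendor: it checks a default-deny egress policy for a POS VLAN against constructed flow records. Every address, port, hostname and the allowlist itself are assumptions made up for the illustration.

```python
# Added example (not code from the thread or from Target): a default-deny
# egress policy for a POS network segment, evaluated against constructed
# flow records. All networks, hosts and ports below are made up.
import ipaddress
from dataclasses import dataclass

POS_SEGMENT = ipaddress.ip_network("10.50.0.0/16")   # constructed POS VLAN

# RFC 1918 space. Anything outside it is "public" for our purposes, and a
# NAT router in front of the segment does not change that verdict: the
# packet still originated on a POS terminal.
INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Allowlist of (destination network, port, protocol) a POS terminal may reach.
ALLOWED = [
    (ipaddress.ip_network("10.10.1.5/32"), 443, "tcp"),   # constructed: payment switch
    (ipaddress.ip_network("10.10.1.20/32"), 53, "udp"),   # constructed: internal DNS
    (ipaddress.ip_network("10.10.1.21/32"), 123, "udp"),  # constructed: NTP
]
SMB_PORTS = {139, 445}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower())


def classify(flow: Flow) -> str:
    """Return 'allow' or a short deny reason for a flow leaving the POS segment."""
    if flow.src not in POS_SEGMENT:
        return "ignore: not from POS segment"
    if not any(flow.dst in net for net in INTERNAL):
        return "deny: public destination"
    for net, port, proto in ALLOWED:
        if flow.dst in net and flow.dport == port and flow.proto == proto:
            return "allow"
    # SMB to a host that is not on the allowlist is exactly the shape of an
    # internal store-and-forward hop, so it gets its own reason for triage.
    if flow.dport in SMB_PORTS:
        return "deny: SMB to unapproved internal host"
    return "deny: unapproved destination"


def audit(lines):
    """Classify every record and return the denials as (line, reason) pairs."""
    results = []
    for line in lines:
        verdict = classify(parse_flow(line))
        if verdict.startswith("deny"):
            results.append((line, verdict))
    return results


# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = [
    "10.50.3.7 10.10.1.5 443 tcp",       # card authorization: allowed
    "10.50.3.7 10.10.1.20 53 udp",       # DNS: allowed
    "10.50.3.7 10.60.9.31 445 tcp",      # admin share on an internal box: denied
    "10.50.3.7 10.60.9.31 80 tcp",       # HTTP to that same internal box: denied
    "10.50.3.7 203.0.113.10 80 tcp",     # straight to the Internet: denied
    "10.10.1.5 10.60.9.31 445 tcp",      # not a POS source: out of scope here
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"{reason:40} {line}")
```

The ordering matters: the public-destination test runs before the allowlist, so a later mistake in the allowlist can never open a path to the Internet, and SMB is only examined after the allowlist so that a legitimately allowlisted file server would not be reported.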

Re: POS (1)

mythosaz (572040) | about 10 months ago | (#45987799)

....one obvious conclusion jumped to is that the test box for ThreatExpert might also just be called "ttcopscli3acs" but the means by which this works (forwards data to an internal box) remains the same.

Re:POS (3, Funny)

JoeMerchant (803320) | about 10 months ago | (#45986779)

In Soviet Russia: Credit Cards -> Target -> YOU.

Seriously, though, this means that the perps were able to setup a relay station in Russia. I would hope that a person/organization capable of this kind of operation would have the resources/foresight to relay data through several foreign countries.

How embarrassing would it be for the Target data to have been heisted straight to young Matthew Broderick's bedroom? Even if something like that did happen, I'd expect the circulated news stories to tell tales of a massive, sophisticated, international syndicate of PhD hackers, who have now been arrested and jailed, or terminated by drone strike if they were hiding in uncooperative countries. Which story inspires more confidence in the safety of our financial systems? That is likely the story that will be told.

Re:POS (1)

LifesABeach (234436) | about 10 months ago | (#45987329)

Ho! So if my Tickle-Me-Elmo needs to be returned, Target is saying, "You have to go to our Moscow store?"

Slashdot sucks nigger cocks (-1, Troll)

fucck slashdot (3503541) | about 10 months ago | (#45985651)

Welcome to the worst site on the internet, I hope you get raped by horses

Re:Slashdot sucks nigger cocks (-1)

Anonymous Coward | about 10 months ago | (#45985719)

I hope you get raped by horses

please be black stallions!

Re:Slashdot sucks nigger cocks (-1, Troll)

Anonymous Coward | about 10 months ago | (#45985827)

Teehee you said nigger! I love when people do that! Every time anyone says nigger it's one more step towards a saner world where people stop feeling threatened by mere words. There is no better guarantee of free speech.

Sadly in the meantime the easily offended bedwetters will blame everyone and anyone but themselves for their own decision to allow their happiness to be determined by what other people say. Remember "I'm offended!" is just another way of saying "you must say only what I approve of, now bow to me or I will shame you and embarrass you and downmod you to force you to comply!"

Only actual threats of real physical harm should be sanctioned. Just saying "nigger" is not a threat. Stop acting like it is please.

Re:Slashdot sucks nigger cocks (-1, Offtopic)

Anonymous Coward | about 10 months ago | (#45986003)

Teehee you said nigger! I love when people do that! Every time anyone says nigger it's one more step towards a saner world where people stop feeling threatened by mere words. There is no better guarantee of free speech. Sadly in the meantime the easily offended bedwetters will blame everyone and anyone but themselves for their own decision to allow their happiness to be determined by what other people say. Remember "I'm offended!" is just another way of saying "you must say only what I approve of, now bow to me or I will shame you and embarrass you and downmod you to force you to comply!" Only actual threats of real physical harm should be sanctioned. Just saying "nigger" is not a threat. Stop acting like it is please.

Your perspective is far too freedom-loving and enlightened for the average slashdot moderator to grasp. Apparently the summaries have so many grammatical errors and generally sloppy writing because the "editors" are too busy searching discussions for words like "nigger" and down-modding them with their infinite mod points.

Freedom means other people might say and do things that you don't approve of. Those things are neither crimes, nor are they wrong in any way when you merely find them distasteful. Saying "nigger" is like that. Anyone who claims to support free speech but down-mods a thoughtful comment on the use of a word is a goddamned hypocrite, to put it mildly.

Re:Slashdot sucks nigger cocks (-1)

Anonymous Coward | about 10 months ago | (#45987039)

There's nothing insightful about that at all. Posting racist language all over a site could be considered vandalism.
According to your logic, I should be able to write "I'm a NIGGER!" or "I LOVE JUNGLE COCK!" all over your clothes...it's just distasteful after all, nothing wrong with that!

Freedom also includes keeping racist language off of your website(if you choose.) Or in this case, "irrelevant conversation" is more accurate and avoids the racism bullshit. Slashdot's website, not ours. Keep in mind, this website is private property. You are only invited here to take part in discussions and read. Not be disruptive just to be an asshole.

They can delete whatever the fuck they want. But they don't, they just downmod it. See, they haven't even taken any freedom except in a moderation tag. So you'll be marked troll if you post blatantly racist trolls, but you can still keep at it if you want. Faggot.

and then moved to a server in China (-1)

Anonymous Coward | about 10 months ago | (#45985677)

Right? Gotta keep that anti-Chinese bias alive somehow.

Re:and then moved to a server in China (0)

Anonymous Coward | about 10 months ago | (#45985881)

and then moved to Iran by North Korean hackers, I mean cybercriminals, and then used to fund terrorism by the Syrian govern- I mean regime.

Re:and then moved to a server in China (0)

Anonymous Coward | about 10 months ago | (#45985919)

Right? Gotta keep that anti-Chinese bias alive somehow.

Yes you are so correct! The People's Republic of China is governed by some of the most honest, kindhearted, honorable people in the world. Who could possibly have a bias against them?!

I mean they're so very thoughtful, when they shoot someone for having the wrong political opinion, they even send the family a bill for the bullet! It's so nice for the family members not to be forgotten during their time of grieving. Considerate! And the glorious sweatshops! What child wouldn't want to work 12hrs a day in there!

Yessir, anyone who doesn't like them is obviously biased.

in soviet russia (5, Funny)

Joe_Dragon (2206452) | about 10 months ago | (#45985695)

In Soviet Russia We Target You!

Re:in soviet russia (3, Informative)

bradgoodman (964302) | about 10 months ago | (#45985967)

I only checked the posts here to read the impending "In Soviet Russia..." jokes.

Re:in soviet russia (0)

Anonymous Coward | about 10 months ago | (#45986607)

I'm convinced that's the only reason Slashdot has any stories pertaining to Russia.

That being said, Joe Dragon's joke was great.

Re:in soviet russia (-1)

Anonymous Coward | about 10 months ago | (#45986809)

In Soviet Russia nasty rancid anuses tonguefucked YOU!

Quietly moved ??? (2, Funny)

amalcolm (1838434) | about 10 months ago | (#45985711)

Does moving data usually make a noise?

Re:Quietly moved ??? (0)

Anonymous Coward | about 10 months ago | (#45985779)

I've heard an Ethernet card make a high pitched whining noise under load.

Re:Quietly moved ??? (1)

GameboyRMH (1153867) | about 10 months ago | (#45985921)

Then there are hard drive noises, tape noises, CD noises...

So I'd say moving data usually makes a noise. Not always, but usually.

Re:Quietly moved ??? (1)

ruir (2709173) | about 10 months ago | (#45986013)

I think they lately invented something obscure called ethernet, or in more layman terms, Internet, that apparently doesn't make mechanical noises.

Re:Quietly moved ??? (1)

GameboyRMH (1153867) | about 10 months ago | (#45986275)

Most of the servers that serve content over the Internet use hard drives ;-)

Re:Quietly moved ??? (0)

Anonymous Coward | about 10 months ago | (#45985799)

Does moving data usually make a noise?

It does when you're drunk no matter how quiet you try to be.

Re:Quietly moved ??? (0)

alen (225700) | about 10 months ago | (#45985939)

any IDS worth a damn should be flashing red lights any time a lot of traffic is sent to russia, china and anywhere else east of the iron curtain

Re:Quietly moved ??? (0)

Anonymous Coward | about 10 months ago | (#45986007)

any IDS worth a damn should be flashing red lights any time a lot of traffic is sent to America

Get with the times.

Re:Quietly moved ??? (2)

ruir (2709173) | about 10 months ago | (#45986047)

Any connection that doesn't need an Internet presence, or doesn't have DNS sites, should cut China's IP address space. Less SPAM and especially fewer cyber attacks. Even when they are not really targeted, they simply have the biggest concentration of old unpatched machines, and their mentality of "if it works, don't touch it", instead of the more consumerist view of the USA ("it is slow, let's bin it and buy a new one"), doesn't help either in being a hive of zombie machines.

Re:Quietly moved ??? (1)

BosstonesOwn (794949) | about 10 months ago | (#45986795)

Most IDS systems should trigger alerts and close the route when sending massive amounts of data ANYWHERE !

All my gear is set up so that if you're sending a pack over 5 megs and you didn't get auth from secops and the MAC cleared, the route is shut down. Yes it's draconian but it prevents a lot of network abuse and has left me with two 300 meg circuits instead of two gig circuits.
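alen's and BosstonesOwn's comments above both come down to the same detection: alert when a lot of data leaves for one place, wherever that place is. As an added example, not the thread's code and not any IDS product's rule syntax, here is a sliding-window byte counter over constructed flow-log lines. The 5 megabyte figure from the comment above is used as an assumed threshold, the one-hour window and the bulk-transfer allowlist are assumptions, and every host, address and timestamp is made up.

```python
# Added example (not code from the thread or any IDS): flag any (source,
# destination) pair that pushes more than a threshold of bytes within a
# sliding time window. Log lines, hosts and thresholds are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
THRESHOLD_BYTES = 5 * 1024 * 1024      # assumed: "over 5 megs" from the comment above

# Destinations that legitimately receive bulk data (e.g. a backup target).
BULK_OK = {"10.10.1.40"}               # constructed


def parse_line(line):
    """Parse 'YYYY-MM-DDTHH:MM:SS src dst bytes' into (ts, src, dst, nbytes)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def detect(lines):
    """Sliding-window byte sum per (src, dst). Returns one alert per pair the
    first time its window total exceeds THRESHOLD_BYTES."""
    windows = defaultdict(deque)       # (src, dst) -> deque of (ts, nbytes)
    totals = defaultdict(int)
    alerted = set()
    alerts = []
    # Sort by timestamp so out-of-order log lines do not break the window.
    for ts, src, dst, nbytes in sorted(parse_line(l) for l in lines):
        if dst in BULK_OK:
            continue
        key = (src, dst)
        q = windows[key]
        q.append((ts, nbytes))
        totals[key] += nbytes
        # Drop records older than the window; the newest entry always stays.
        while ts - q[0][0] > WINDOW:
            totals[key] -= q.popleft()[1]
        if totals[key] > THRESHOLD_BYTES and key not in alerted:
            alerted.add(key)
            alerts.append((src, dst, totals[key], ts.isoformat()))
    return alerts


# Constructed flow log: a normal authorization, a chunked 1 MiB-every-10-minutes
# push from an internal box to an outside host, a slow drip that never fills
# a window, and a large but allowlisted backup.
SAMPLE_LOG = (
    ["2013-12-02T01:05:00 10.50.3.7 10.10.1.5 204800"]
    + [f"2013-12-02T01:{m:02d}:00 10.60.9.31 198.51.100.7 1048576"
       for m in range(0, 60, 10)]
    + ["2013-12-02T02:00:00 10.60.9.31 198.51.100.7 1048576"]
    + ["2013-12-02T00:00:00 10.60.9.31 203.0.113.50 3145728",
       "2013-12-02T03:00:00 10.60.9.31 203.0.113.50 3145728"]
    + ["2013-12-02T01:00:00 10.10.1.30 10.10.1.40 524288000"]
)

if __name__ == "__main__":
    for src, dst, total, when in detect(SAMPLE_LOG):
        print(f"ALERT {when}: {src} -> {dst} sent {total} bytes within {WINDOW}")
```

The chunked push crosses the threshold on its sixth chunk, so the alert fires while the transfer is still in progress rather than after the fact. The slow-drip case shows the obvious limitation of a volume rule on its own: two 3 MiB transfers two hours apart never share a window, which is why the destination allowlist from the previous example and a volume rule like this one belong together rather than either one alone.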

Re:Quietly moved ??? (1)

geogob (569250) | about 10 months ago | (#45986713)

Of course, this is a metaphor, saying they moved the data in a manner not to be detected, although I suspect that is not quite accurate. Most likely they did make a lot of noise while moving the data, but no one listened.

Re:Quietly moved ??? (0)

Anonymous Coward | about 10 months ago | (#45987295)

Only if it's in a forest and no one is around to hear.

It could have been worse... (2)

bogaboga (793279) | about 10 months ago | (#45985717)

If the attackers had left a script behind to effectively re-partition or even reformat the compromised servers' hard-drives.

But what troubles me the most is the common American citizen's perception that we (as Americans), lie at the epitome of technology that works; after all, we have the "biggest and greatest" technology companies, right?

Re: It could have been worse... (0, Interesting)

Anonymous Coward | about 10 months ago | (#45985775)

Considering that all of the servers in question run on vSphere with NFS LUNs mapped against a NetApp, snapshotted hourly and off-sited nightly, the wiping of servers while painful wouldn't be "that bad".

Also, the server VMs run RHEL, updated regularly, while the POS terminals are netbooted WinPE with a very old Java version.

Re: It could have been worse... (0)

Anonymous Coward | about 10 months ago | (#45985871)

Windows was involved in a massive security breach, huh? You don't say!

Too bad they didn't use RHEL for the point of sale system too. Then they could add a PaX/grsec kernel, SELinux, compile everything with canaries, and lots of other good ideas that should be standard fucking practice.

Re:It could have been worse... (0)

Anonymous Coward | about 10 months ago | (#45985787)

When other companies use the NSA back entrances it is called hacking. When the NSA uses them, it's called FREEDOM fighting.

Re:It could have been worse... (0)

Anonymous Coward | about 10 months ago | (#45987649)

When other companies use the NSA back entrances it is called hacking. When the NSA uses them, it's called FREEDOM fighting.

Exactly, the NSA is fighting against freedom. What else would they call it?

Re:It could have been worse... (1)

Anonymous Coward | about 10 months ago | (#45985917)

But what troubles me the most is the common American citizen's perception that we (as Americans), lie at the epitome of technology that works; after all, we have the "biggest and greatest" technology companies, right?

Who are some of these common American citizens? The figment of someone's imagination.

Re:It could have been worse... (0)

Anonymous Coward | about 10 months ago | (#45985931)

You know what's even funnier?
Americans used to laugh at Soviet propaganda about how great "Mother Russia" was. And now they laugh at Chinese and North Korean propaganda.

Long after America crumbles into decay, Americans will still be laughing at the smug superiority of other countries and how easily the sheeple in those countries are duped.

now go and get some snatch! (-1)

Anonymous Coward | about 10 months ago | (#45985769)

These Guys Are Creating a Brain Scanner You Can Print Out at Home

        - http://www.wired.com/wiredenterprise/2014/01/openbci/ [wired.com]

        -- http://www.openbci.com/ [openbci.com]
        -- https://github.com/OpenBCI [github.com]

        "Bootstrapped with a little funding help from DARPA - the research arm of the Department of Defense - the device is known as OpenBCI. It includes sensors and a mini-computer that plugs into sensors on a black skull-grabbing piece of plastic called the "Spider Claw 3000," which you print out on a 3-D printer. Put it all together, and it operates as a low-cost electroencephalography (EEG) brainwave scanner that connects to your PC."

        Archived: http://web.archive.org/web/20140113131516/http://www.wired.com/wiredenterprise/2014/01/openbci/ [archive.org]

Ooo those dirty russians. (0)

Anonymous Coward | about 10 months ago | (#45985795)

has there ever been anything but criminal activity coming out of there?

Color me gobsmacked! (0)

Anonymous Coward | about 10 months ago | (#45985803)

Former Eastern Bloc citizens involved in credit card fraud? Hold the presses! Make way for a new headline!

In all seriousness, some of the brightest programmers I have met over the decades have been from Eastern Europe. The combination of general poverty, lack of access to modern hardware, and (?) vodka forces them to learn about the guts of the hardware in order to make do - much like the original computer hobbyist community in the U.S.

What will be interesting to watch is Putin's reaction if this highly publicized crime originated in Russia. I am sure with uncertainty about Sochi in the wings, he will bring down an - excuse the obvious pun - iron sledgehammer on the responsible parties.

We'll Win This For MOTHER RUSSIA! (-1)

Anonymous Coward | about 10 months ago | (#45985811)

how bout some Snickers
thanks
you get a little horny without it

Is that really.. (0)

Anonymous Coward | about 10 months ago | (#45985849)

Where the data stopped moving? Maybe. If their payload didn't self-destruct then they might have made an additional mistake and used too few hops during the getaway.

Disappointed Senators (0)

Anonymous Coward | about 10 months ago | (#45985955)

They hoped China could be blamed again.

And the NSA Missed All Of This? (5, Interesting)

littlewink (996298) | about 10 months ago | (#45985973)

Where's our protection from Russian financial terrorists? Were the NSA employees in charge distracted by their Starbucks caramel macchiatos at the time this was coming down?

A clear instance of international crime/terrorism and NSA was asleep at the wheel.

Re:And the NSA Missed All Of This? (4, Funny)

ruir (2709173) | about 10 months ago | (#45986057)

NSA is too busy reading their ex emails...

Re:And the NSA Missed All Of This? (1)

Anonymous Coward | about 10 months ago | (#45986209)

I get what you're saying, but you have the Chinese also "attacking" the US for secrets. I guess the tragic comedy in this is this quote.

"A related article at Wired points out that Target suffered a similar breach in 2005, and apparently didn't learn its lesson."

It appears neither the government nor companies learn their lessons: government for being pathetically stupid enough to run infrastructure and classified information on open networks instead of closed loops...

And companies for lacking common sense; you're a million/billion dollar company, how much could it possibly cost to hire a couple of well known security research groups to thoroughly test?

And the blame comes down to politicians, Washington, and the federal agencies that have done nothing to pass laws and regulations to heavily fine any company for not checking with security researchers to limit [the fact remains you cannot eliminate the possibility/probability] any holes that could be accessed, or even a system that detects when data is being breached.

Re:And the NSA Missed All Of This? (3, Interesting)

swb (14022) | about 10 months ago | (#45986563)

I keep asking myself why the NSA isn't more involved in large-scale financial fraud considering their ample abilities to sample international data networks and their likely considerable focus on Russia and the involvement of shady financial transactions in funding terrorism.

In the case of Russia specifically, I would expect the NSA to be heavily involved in monitoring Russian hackers given the shadowy nexus of hackers, organized crime, ex-KGB agents, and the current FSB.

Re:And the NSA Missed All Of This? (1)

Vitriol+Angst (458300) | about 10 months ago | (#45987331)

Dang it -- you said my comment first!

The only thing I would add is; I've never thought the NSA and agencies like them are interested in the Security of the USA for the people of the USA -- that's just the PR cover story.

The NSA needs all that data, and the CIA needs Facebook, and the TSA has to know everything about Joe Worker but totally ignores who gets on a Leer jet because this is all about the USA Police State. We are clearly on the path from a First Tier Developed Nation to a 2nd Tier and controlling people and political opponents is crucial to Neo Feudalism.

Of course, I could back this opinion up, but it's not like anyone has a book that says "Secret Diabolical Plans." It's just that you get the general notion, when a bank can launder drug money and nothing happens, and then a person can smoke some MJ and go to a corporate prison for 20 years, that this ain't the land for you and me.

So that's who it was (0)

Anonymous Coward | about 10 months ago | (#45985979)

It was Snowden

PCI compliance? (5, Interesting)

NynexNinja (379583) | about 10 months ago | (#45986045)

Target suffered similar data theft in 2005, and now again in 2013. By storing cardholder information, CVVs and (worst) PINs in the clear, they obviously are not PCI DSS compliant. If this happened to any other retailer, Visa would revoke their PCI compliance status. If nothing happens regarding their PCI compliance status, what does it say about PCI compliance in general? PCI compliance is nothing but a joke, not to be taken seriously. Why even go through the work and trouble to get PCI DSS certified if companies like Target can flout the rules and get away without any penalties?

Re:PCI compliance? (2, Insightful)

Anonymous Coward | about 10 months ago | (#45986093)

Because you don't have a choice if you want to stay in business.

Most of us aren't big enough to tell the CC companies to go fuck themselves, and customers kind of require CC processing for online purchases. Many people have learned to stay the fuck away from things like paypal by this point. A business that can't take credit cards is a business about to cease to exist, or shouldn't really be called a business in the first place.

--BitStream

Re:PCI compliance? (0)

Anonymous Coward | about 10 months ago | (#45986545)

Well, a card not working at Target would be a major disadvantage, and something other card manufacturers could even advertise with: that theirs does.

Re:PCI compliance? (3, Interesting)

alen (225700) | about 10 months ago | (#45986649)

it's like SOX and HIPAA
you do a lot of work "certifying" that things work according to someone's checklist and repeat next year

they are nothing more than jobs programs for auditors and a get out of jail free card for everyone involved

Re:PCI compliance? (0)

Anonymous Coward | about 10 months ago | (#45987079)

Bingo. And the company pays the auditors for the annual review. The auditor is motivated to give a good rating so they are hired back next year.

Re:PCI compliance? (0)

Anonymous Coward | about 10 months ago | (#45986667)

Not being PCI compliant only means you pay a 0.5% surcharge directly to Visa on all transactions until you come back into compliance. Visa WANTS you to be non-compliant, because they make BILLIONS from it.

Re:PCI compliance? (0)

Anonymous Coward | about 10 months ago | (#45987003)

That's the kind of situation that shouts for: "a Computer Engineer Order to protect the public, like all other real professions have".

Re:PCI compliance? (2)

cdrudge (68377) | about 10 months ago | (#45987103)

By storing cardholder information, CVVs and (worst) PINs in the clear, they obviously are not PCI DSS compliant

If reports are to be believed, the malicious programs grabbed the information from memory on the infected POS machines. This wasn't a database that was dumped that had all the information in nice organized columns all in the clear.

While PCI compliance does call for not storing, encrypting, and/or otherwise taking certain precautions with certain data, I don't believe it requires end-to-end encryption between the mag stripe read head and the payment processor. It's allowed to be decrypted somewhere, and this malware was designed to exploit the point where it was available decrypted.

Won't shop there again, but... (2)

DruidWheresMyCar (3493635) | about 10 months ago | (#45986053)

Did anyone else get an email from them offering free credit monitoring?

Re:Won't shop there again, but... (1)

jandrese (485) | about 10 months ago | (#45987629)

Yeah, but it's layered on top of several other free credit monitoring services I apparently have now from breakins at various companies. I'll never have to pay for credit monitoring ever. As usual Target didn't tell me WHO is doing the monitoring, or how they might contact me if something suspicious happens in my name. I expect this to be just as useful as all of the other credit monitoring services I apparently have.

Crime backfiring: card numbers are worthless. (0)

Anonymous Coward | about 10 months ago | (#45986075)

What's happening is that victims are canceling those cards and everyone is on the lookout for them. So, when the Russian hackers try to sell or use them, they're not going to work.

Their booty is worthless.

Re:Crime backfiring: card numbers are worthless. (1)

stoploss (2842505) | about 10 months ago | (#45987553)

What's happening is that victims are canceling those cards and everyone is on the lookout for them. So, when the Russian hackers try to sell or use them, they're not going to work.

Their booty is worthless.

Who's to say this wasn't the goal? Perhaps the actual goal was to adversely affect Target or the US card processing regime.

Where would one fence eleventy billion credit card numbers, anyway? It's not like this is a tenable amount, considering the depth of market for stolen credit card numbers.

Re:Crime backfiring: card numbers are worthless. (0)

Anonymous Coward | about 10 months ago | (#45988029)

Yeah - it's possible that the goal was to steal the card info, short-sell Target shares and then make the information public, along with selling the card information. Win-win.

You wouldn't be able to short-sell a ton, though. I assume that's one of the first places an investigator would look. Maybe 10,000 - 100,000 shares at most.

Re:Crime backfiring: card numbers are worthless. (2)

jandrese (485) | about 10 months ago | (#45987647)

They spent months selling them already. The guys who did this have already made out like bandits.

I don't get it (1)

cripkd (709136) | about 10 months ago | (#45986087)

Do they not care enough to delete the logs or are the logs on another machine somewhere above in the hierarchy?

Re:I don't get it (1)

capedgirardeau (531367) | about 10 months ago | (#45986415)

Could very well be router or firewall logs that saw the packets as they passed out of wherever the compromised server was.

Re:I don't get it (0)

Anonymous Coward | about 10 months ago | (#45986663)

Maybe they asked the NSA where the data went. They should know.

Re:I don't get it (1)

BosstonesOwn (794949) | about 10 months ago | (#45987035)

There is supposed to be multiple log servers, and they get backed up.

So what happens is the logs are kept on the machines as well as shipped to a log server. Depends on how they went about this, but everything should be logging to multiple places for just this reason: hackers have automated log scrubbers that they can hide as a binary like, say, cd. The cd bin will get executed, but after the hook runs and scrubs the logs.
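
The point above, shipping every line to more than one collector so that scrubbing the local copy does not erase the record, as an added example (not code from the thread or from Target). It goes one step further than the comment: each line carries an HMAC that chains to the previous line's tag, so a collector can tell where an interior line was deleted or edited. The collector addresses and the log lines are constructed placeholders.

```python
"""Forward log lines to several collectors with a per-line HMAC chain.

Added example for this thread, not Target's or any vendor's code. Collector
addresses and sample lines are placeholders. The chain makes it detectable
when a scrubber removes or rewrites lines that were already shipped.
"""
import hashlib
import hmac
import socket

# Constructed sample lines (not real Target logs).
SAMPLE_LINES = [
    "Nov 30 02:14:07 pos-0117 svc[412]: outbound 10.8.4.21:445 -> 10.8.9.3:445 2097152 bytes",
    "Nov 30 02:14:09 pos-0117 svc[412]: outbound 10.8.4.21:445 -> 10.8.9.3:445 2097152 bytes",
    "Nov 30 02:14:11 pos-0117 sshd[77]: Accepted publickey for svc_acct from 10.8.9.3",
]
# Placeholder collectors; the second exists so one scrubbed log server is not fatal.
COLLECTORS = [("logsrv1.example.internal", 514), ("logsrv2.example.internal", 514)]


def chain_lines(lines, key, prev=""):
    """Return (line, tag) pairs where tag = HMAC(key, prev_tag || line)."""
    out = []
    for line in lines:
        tag = hmac.new(key, (prev + "\n" + line).encode(), hashlib.sha256).hexdigest()
        out.append((line, tag))
        prev = tag
    return out


def verify_chain(tagged, key, prev=""):
    """Index of the first line whose tag does not continue the chain, or -1 if intact.

    Detects edits and interior deletions. A collector still needs a sequence
    counter or heartbeat to notice that the tail of the stream simply stopped.
    """
    for i, (line, tag) in enumerate(tagged):
        expect = hmac.new(key, (prev + "\n" + line).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expect):
            return i
        prev = tag
    return -1


def ship(tagged, collectors, sendto=None):
    """Send every tagged line to every collector as a syslog-style UDP datagram.

    `sendto(msg, addr)` defaults to a real UDP socket; pass a callable to dry-run.
    Returns the number of datagrams handed off.
    """
    if sendto is None:
        sendto = socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto
    sent = 0
    for line, tag in tagged:
        msg = f"<134>{line} hmac={tag}".encode()  # PRI 134 = local0.info
        for addr in collectors:
            sendto(msg, addr)
            sent += 1
    return sent


if __name__ == "__main__":
    key = b"per-host-shipping-key"  # placeholder; provision per host in practice
    tagged = chain_lines(SAMPLE_LINES, key)
    print("intact chain:", verify_chain(tagged, key))            # -1
    scrubbed = tagged[:1] + tagged[2:]                           # middle line removed
    print("break at index:", verify_chain(scrubbed, key))        # 1
    ship(tagged, COLLECTORS, sendto=lambda m, a: print(a, m))    # dry run, nothing on the wire
```

The chain only helps if the key never sits on the host in a form the scrubber can reuse, so keep it in the shipping agent's memory and rotate it from the collector side; and because the tail of a stream can be cut without breaking the chain, have the collector alert on a host that falls silent.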

Obvious question - Who else is infected? (1)

amigabill (146897) | about 10 months ago | (#45986333)

OK, so there's a lot of talk about this situation at Target. At least that one is discovered and allegedly fixed. Do these pranksters only target one store chain? Was this the easiest one to get into, and they are happy with that for now? Or are other stores similarly compromised, but either have not gone public, or do not know it yet?

Re:Obvious question - Who else is infected? (1)

BosstonesOwn (794949) | about 10 months ago | (#45987101)

They usually target more than one chain, but have to tailor it to each chain as the pci-dss standard is enacted differently in each chain. Usually they will breach a big chain and use the same method for others but tailor the way they do it a bit differently, and most times this helps them avoid early detection. Often the breach is discovered later, much later, because it was not using the same carbon copy methods that were used in another breach.

Re:Obviuos question - Who else is infected? (1)

jandrese (485) | about 10 months ago | (#45987905)

Target's security is especially lax, but part of the problem here is the POS terminals that are apparently stuck running old unpatched versions of Java. That's an industry wide problem. You can limit the exposure with proper network security, but it means if anybody does breach your security they will have no trouble escalating that into full blown card disclosure.

too obvious (1)

Max_W (812974) | about 10 months ago | (#45986597)

To Russia, of course. Where else? The end of an investigation. Very convenient.

Reality is usually more complicated.

It largely doesn't matter (3, Interesting)

Kardos (1348077) | about 10 months ago | (#45986603)

I'm not going to defend Target for being embarrassingly sloppy, however, no matter how you look at it, it largely doesn't matter:

a) It's a business decision to invest in cyber-insurance or cyber-security, they picked insurance. As technical people, we like technical solutions, but maybe insurance was the right choice.

b) If a consumer gets hit by a fraudulent cc charge, they don't eat the charge. They call their cc issuer and the issuer eats the charge. That is in part what your double digit interest rate is paying for.

c) Everyone gets credit monitoring. If the credit monitoring is not snake oil, then it'll catch cc fraud that's not a direct result of this Target screw up. This may actually be a benefit. People who were dimly aware of how the cc system works will become informed. This is probably a net positive here.

d) Awareness is raised about POS security; other companies who are running the similarly secured systems may be motivated to fix it. Another net positive.

The only people getting screwed are Target (for operating a shit system) and/or the cc issuers (for permitting Target to run a shit system).

Re:It largely doesn't matter (1)

houghi (78078) | about 10 months ago | (#45987681)

and/or the cc issuers (for permitting Target to run a shit system).

The company that issues the card is not always the same company that handles the payment at the store (or via Internet).

e.g. In Belgium the machines in the stores are most likely from Atos Worldline, but the card can, but need not, be from them. e.g. I have a card from Beobank, and they are the card issuer who work under license of Visa and Mastercard. They would take the loss.

Re:It largely doesn't matter (3, Informative)

Solandri (704621) | about 10 months ago | (#45987755)

b) If a consumer gets hit by a fraudulent cc charge, they don't eat the charge. They call their cc issuer and the issuer eats the charge. That is in part what your double digit interest rate is paying for.

Fraudulent credit card charges are paid for by the merchant who sold the goods to the fraudster. When you contest a charge, the credit card issuer does a chargeback and reverses the charges on the merchant who made that transaction. The merchant then has to try to prove the charge is legit (e.g. produce a signed receipt whose signature matches the cardholder's), or he is out both the merchandise and the money. The issuer pays nothing for fraud, except for small transactions where they may decide to credit the cardholder without reversing the charges on the merchant (the charge is deemed too small and not worth the expense of investigating).

Your double-digit interest rate pays for other credit card holders who default on their bills. And to line the pockets of the credit card issuer.

Re:It largely doesn't matter (1)

Kardos (1348077) | about 10 months ago | (#45987871)

Ah, fair enough, didn't realise it was the merchant that got stiffed. But the main point still stands: the consumer doesn't eat the fraud.

I got the notice... (2)

EmagGeek (574360) | about 10 months ago | (#45986639)

I got the email notice from Target at TWO of my email accounts that my information had been stolen.

I pored over my financial data and found that I have not used any credit card at a Target store since 2008. So, obviously the breadth and depth of this attack are a lot more extensive than what they are telling us.

Either that or Target is simply blasting everyone in their email database whether or not they believe the customer's information was stolen, which says that Target still really has no idea whose information was taken and whose wasn't.

It really is a reflection of the vast incompetency of Target management. They don't know ANYTHING, and have just been firing the shotgun since this whole story broke.

Re:I got the notice... (2)

Abalamahalamatandra (639919) | about 10 months ago | (#45986747)

I read an article on this recently, it appears that Target contacted both those whose name/address/email had been compromised AND those who use their credit card there during the time period using the same email. They should have split the two.

So it's likely that your personal information was compromised, but not your credit card number. Be on the lookout for phishing attempts.

Re:I got the notice... (1)

ak3ldama (554026) | about 10 months ago | (#45987747)

You think this matters? We should have real concerns. In late October Reser's had a listeria recall [fda.gov] on a lot of products produced at one assembly plant for lots of sub-companies. There has been no follow-up in the news (post-November) detailing any further testing by them or the FDA. That original recall was initiated due to testing done in Canada. Should there be any consumer confidence by the American public that we can trust a factory like this to produce safe food? Look at their recall window on those products; it has been expanded now and includes 2014 products. How often do they test!? Why are they still shipping this food if it's being recalled? This problem was first exposed in October. How often do they do a thorough cleaning!? I have tried to follow up and have not been told of _any_ routine testing done on American soil by either the FDA or the company in question. The Reser consumer rep literally told me consumers do not care about their quality practices and that she did not have any information for me on how often they test for this. I have tried to find out more and all I have to go on is public information in the news. All consumers have are gems like this and more questions: [foodproductdesign.com]

The problem was discovered through microbiological testing by the Canadian Food Inspection Agency. A traceback investigation and follow-up testing by FDA at the facility determined there was potential cross contamination of products with Listeria monocytogenes from product contact surfaces.

Re:I got the notice... (1)

neo-mkrey (948389) | about 10 months ago | (#45987857)

I received an email last Dec about the breach and another one yesterday offering the free credit monitoring. So I called Target and asked when my new card with new numbers was coming. Turns out -- it wasn't. Customers have to specifically call and ask for new cards to be sent. WTF?!?! A simple solution to nip this in the bud -- issue new cards with new numbers -- and they aren't doing it? I guess they would rather eat the bogus charges. If I had any Target stock, I would dump it ASAP.

Limiting outbound access to servers is too tough (2)

Abalamahalamatandra (639919) | about 10 months ago | (#45986701)

So, time for me to rant, but on-topic, for a second.

Everybody knows, I would hope, that best practice is to never allow an Internet-facing server to initiate outbound traffic. This is both because, should the server get compromised, it becomes a new attack vector - as in Code Red or SQL Slammer. This is also because, as in Target's case, it makes it fairly trivial to exfiltrate stolen data.

But services still persist that require that this very access be enabled. My current case in point: ReCAPTCHA. Google hosts the URL for this service, intended to provide additional security, on a www.google.com URL, which means that, at minimum, I have to allow outbound access from any server hosting a ReCAPTCHA on port 443 to everything Google owns. In practice, of course, it's all but impossible to keep track of Google's address space for firewall purposes, so this means that I have to allow that server out on port 443 to the entire Internet. It's either that, or set up a proxy solution that can do URL filtering and then require the CAPTCHA verification code to use that. Not exactly something your typical smaller company using ReCAPTCHA is apt to do.

I've talked to competing, for-pay, services, and they require the same thing, despite the fact that they're smaller and have only a few, well-defined networks, but they won't commit to keeping me up-to-date with network changes.

We really need to start pushing back on this crap. Servers accepting inbound traffic should never need to initiate outbound communications.
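
The alternative the comment mentions, a filtering proxy that the CAPTCHA verification code is forced through, as an added example (not ReCAPTCHA's, Google's or any product's code). It is a minimal CONNECT proxy with an exact-match allowlist, so the web server's host firewall can permit outbound 443 only to the proxy address while the proxy itself reaches just www.google.com:443, the one host named in the comment. The listen address and port are assumptions.

```python
"""Allowlisting CONNECT proxy so an Internet-facing server never needs
outbound 443 to the whole Internet.

Added example for this thread, not anyone's production proxy. It admits
CONNECT to exactly the (host, port) pairs in ALLOWED and refuses everything
else. The listen address 127.0.0.1:3128 is an assumption.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Exact-match allowlist of (host, port). The only host here is the one the
# comment names for ReCAPTCHA verification; add others deliberately.
ALLOWED = {("www.google.com", 443)}


def is_allowed(host, port, allowed=ALLOWED):
    """Case-insensitive exact host match; no wildcards, no whole-netblock grants."""
    return (host.lower().rstrip("."), int(port)) in allowed


def parse_connect_target(path):
    """'host:port' from a CONNECT request line -> (host, port), or None if malformed."""
    host, sep, port = path.rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host, int(port)


def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class AllowlistProxy(BaseHTTPRequestHandler):
    def do_CONNECT(self):
        self.close_connection = True  # one tunnel per TCP connection
        target = parse_connect_target(self.path)
        if target is None or not is_allowed(*target):
            # Denied egress is the event worth alerting on: a box that suddenly
            # wants to talk to a new host is exactly the exfiltration case.
            self.log_message("DENY CONNECT %s from %s", self.path, self.client_address[0])
            self.send_error(403, "egress not permitted")
            return
        try:
            upstream = socket.create_connection(target, timeout=10)
        except OSError:
            self.send_error(502, "upstream unreachable")
            return
        self.send_response(200, "Connection Established")
        self.end_headers()
        client = self.connection
        t = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        t.start()
        _pump(client, upstream)  # TLS bytes pass through opaque; we only chose the peer
        t.join()
        upstream.close()

    def do_GET(self):
        # Plain-HTTP forwarding is deliberately unsupported; only TLS to allowlisted hosts.
        self.send_error(405, "only CONNECT to allowlisted hosts")


if __name__ == "__main__":
    ThreadingHTTPServer(("127.0.0.1", 3128), AllowlistProxy).serve_forever()
```

Point the verification code at it with `HTTPS_PROXY=http://127.0.0.1:3128` (curl, Python requests and most HTTP clients honour that variable), then drop all other outbound traffic from the web tier at the host firewall. The proxy host still needs DNS for the allowlisted names, and a denied CONNECT in its log is a cheap, high-value detection signal.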

Re:Limiting outbound access to servers is too toug (3, Interesting)

trybywrench (584843) | about 10 months ago | (#45987595)

Unless I'm reading it wrong you're basically disabling webservices like making a SOAP call to a third party on behalf of the connecting user-agent. That's a non-starter for just about all companies that have at least one business partner.

Re:Limiting outbound access to servers is too toug (0)

Anonymous Coward | about 10 months ago | (#45987729)

It would be easier to just admit that you have absolutely no idea what you're talking about than to demonstrate it so completely.

More proactive blackholing of Russia? (1)

swb (14022) | about 10 months ago | (#45986877)

Should there be more proactive blackholing of Russia?

Is it even practical given the many proxies, hacked non-Russian servers, etc?

Re:More proactive blackholing of Russia? (1)

Kardos (1348077) | about 10 months ago | (#45986951)

That will not effectively stop credit card fraud.

Re:More proactive blackholing of Russia? (1)

jandrese (485) | about 10 months ago | (#45987965)

Proxy servers exist. You've only delayed a Russian hacker maybe 5 minutes with this fix.

I don't see what the big deal is (1)

mandark1967 (630856) | about 10 months ago | (#45986947)

I keep all my important financial information on servers in Eastern Europe and the Balkans.

They think they hacked me, but I'm just using them for free cloud storage.

Computer Engineer Order (0)

Anonymous Coward | about 10 months ago | (#45987093)

What about having a strong Computer Engineer Order to protect the public, like all other real professions have?
