Target stores hit by data breach affecting 40 million cards (cbc.ca)
108 points by oulipian on Dec 19, 2013 | 78 comments



> We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).

https://corporate.target.com/discover/article/Important-Noti...

CVV/CSC, eh? The whole point of CSC is it should be non-stored and therefore much harder to steal than the CC#, right? Apparently that didn't work. Has CSC accomplished anything other than giving users more random-looking numbers they have to enter in online forms?


The article mentions PIN numbers potentially being stolen as well, which is also supposed to never be stored, and used only during the process of authorization then discarded.

This leads me to conclude that either Target's software architecture is completely brain dead and they're storing PINs and CVV2's somewhere, or that the attack somehow managed to get insinuated into the credit card authorization process. As someone who has worked with credit cards for many years, as well as with high level people within both Target and Wal Mart, it's easier to believe the latter than the former.


The attack seemed to be malicious software on the POS systems themselves. So the data was likely stored out-of-band and sent to remote destinations owned by the attackers.

http://www.nbcnews.com/technology/massive-target-credit-card...

If so, that's an incredibly sophisticated attack considering the scope of the breach.


How were they capturing the CVV? It's not in the magnetic stripe and you don't hand your card to anyone to check-out. Bad news for them though because storing the CVV in any manner is very much against the rules.


CVV1 is encoded on the magnetic stripe while CVV2 is printed on the back. Neither of them should be stored, however.


Actually, it's not just CVV that shouldn't be stored. From Visa in 2008: http://usa.visa.com/download/merchants/alert_eliminating_sto...

"Track data is the information encoded in Track 1 and 2 within the magnetic stripe on the back of a Visa card. This information is read by a merchant’s point-of-sale (POS) system. Some merchant POS systems improperly store this data post authorization. This is a violation of Visa Operating Regulations. Hackers are aware of this vulnerability and are targeting vulnerable POS systems to steal this information."

It seems chances are this data was grabbed at the time it was transmitted for authorization, not from being incorrectly stored.


There are two different CVV numbers for each card. One is in the magnetic data, the other is printed on the card.

http://en.wikipedia.org/wiki/Card_security_code#Types_of_cod...


When I read about massive data breaches such as these it makes me wonder why we don't have a system in place to where we as the customer can generate a unique authorization code for a one-time charge to our cards without having to actually reveal our credit card information.

It's bad enough that someone can buy a card reader and walk down a sidewalk and capture credit card data by just being within a few feet of someone.


You can. It's called a https://en.wikipedia.org/wiki/Controlled_payment_number

I use it all the time. I use one with every single online merchant except Amazon and Newegg. It's also great for places that like to auto-bill. Or if you are worried they will charge without permission.

If you are going to get a credit card, get it with one of the few banks that offer these numbers.

It's also great for asking someone to buy something for you: Create a number with a dollar limit and have them tell the merchant the number. Small merchants usually have no problem with this.


I've learned something new today. Thanks, ars.


Which bank do you have?


I have a credit card with Citibank which allows me to generate virtual card numbers, with an option to set the expiration and spending limit.


The wiki article has a list of banks that offer it.


Oh nice! That's a cool feature.


Some banks offer this service, which generate one-time credit card numbers for the specified amount of charge.


If you make it harder to pay, people will buy less and when they do buy, they will more likely use cash. That is not a net win for credit cards.


Brief earlier discussion: https://news.ycombinator.com/item?id=6930258

Target says the data is limited to cards used in the U.S. during the last few weeks:

https://corporate.target.com/discover/article/Important-Noti...


Can't get to the Target Visa site (http://rcam.target.com) even though downforeveryoneorjustme.com says it's up. Hm.

A few years ago, the Target Visa card had actually pioneered a move toward chipped credit cards. My Target card was the only chipped credit card I had, though, and AFAIK even my local Target stores were never equipped with chip-reading card readers. When my card expired, the replacement didn't have a chip.

It bothers me very much to realize that even though there was nothing I reasonably could have done to protect myself (except avoid credit cards entirely), this will ultimately be my problem to deal with. Not Target's problem. Not really. Not in the same way that it's mine.

I'm expected to "take... steps ... to protect [myself] against potential misuse of [my] credit and debit information." [1]

I realize that this is just the way the system works, but why does it work that way? The credit card system, instead of making the investments necessary to really secure credit card transactions, has externalized much of the tricky fraud-detection work onto the card users.

[1] https://corporate.target.com/discover/article/Important-Noti...


They gave away chip "readers" for a while. I've still got one somewhere. I think the idea was to be able to load digital coupons (similar to other loyalty cards or Target's own "cartwheel" app now).


All the card terminals at my Target's registers have chip slots in addition to swipe readers. Haven't seen those at any other US store I visit.


FWIW here's the best early analysis I've seen in terms from an industry perspective: http://blogs.gartner.com/avivah-litan/2013/12/19/what-can-we...


>>Who’s the real victim here? The top victim in my opinion is Target itself.

Yeah, those 40 million CCs accessed? Screw those people. The multi-million corp is the one who will really suffer....


Because, as the article says, the customers will have any resulting fraudulent charges reversed, and the banks will charge them to Target instead.


No problem if you're not a paycheck-to-paycheck person and the card is truly your credit-card, not your ATM Debit card that functions like a Visa(as mine does). This could make some people's checks bounce. Sure after you make some calls it'll be reversed, but the trouble it may cause in the meanwhile...


Reminds me of when Best Buy discovered people wardriving their parking lots and plucking CC#'s out of the air via their unencrypted, wireless POS network. Surprised Target got hit, they're pretty rabid about security/loss prevention (internal and external).


Do you have a link to this? I'm surprised that a large chain retailer would have a wireless POS. It's not like they move terminals around, why would you need wireless anyway?



How does PCI compliance not cover these things? Is Target liable for losses here?

It would seem to me that if you can't secure the data, you shouldn't keep it (which is the reason I use stuff like Stripe. I don't want to see the card number).


PCI compliance is supposed to cover this. The fines will be in the millions if it is in fact a PCI violation - using TJ Maxx as a precedent.


From an outside perspective it very much looks like data was acquired off the wire as it was sent for authorization. The data captured included a number of things that the retailer would not be storing at all.


That would indicate that either strong encryption has been cracked, there was something on the inside of their datacenter for processing, or they weren't using encryption right?


My wife just got the Target Red debit card a few weeks ago, after a number of protests from me about security loopholes. She seemed to think getting 5% off of all purchases for bestowing the ability to a 3rd party to deduct money from your bank account at will is worth the risk of someone maliciously draining your bank account one day. Going to use this for a bit of "I told you so" nagging today.


Well, the Target Red is tied to your debit card. You can't use it anywhere else but Target.

So I wonder if Red Card customers had their debit information stolen too....


Anybody have any idea if there is a way to tell if your card was part of the breach? I have a family member who shopped at target during the dates mentioned.

I'm wondering what percentage of transactions were affected. Is 40 million 90%? 50%? There's no way to tell. It'd be nice if we knew whether or not to report it to the bank.


So far it doesn't look like Target has released any way of checking, all they say is to watch your card for suspicious activity. Hopefully they can get something together in the next couple of days.


I called my credit union because I shop at Target a lot and they told me they were working to match up debit card numbers they issued against those that were breached. They would let me know if mine was part of the breach.


The funny thing is the day that this was happening they were trying to sign me up for their checking account program. Where I give them my checking account info and I save 5% on every purchase. They gave me the hard sell too and wouldn't quit. I then conveniently typed in my PIN so I'm f'd.


Theft like this can happen on even the most secure designs but why did it take TWO WEEKS to be discovered?


Security is hard, and good attackers will always have an advantage over the security team. This breach sounds like it may have been fairly off-line in nature, so a SIEM or IDS might not have caught it.

On the flip side, there are ways stores can catch this thing offline as well. Good in-store security and employee training to prevent skimmers or modified POS systems, etc. Without more details on how this breach happened, it's only guesses. I can feel their pain, but I don't know exactly how sorry I feel for them without knowing how preventable this attack could have been.


I've never liked Target for its intrusive tracking of customer spending[1] through their branded credit cards and other loyalty card schemes, because those never add any value for me. (I grew up shopping at the third Target store in the whole country, my sister used to work at Target, and we live a short walk from a Super Target, but the company's emphasis on gathering data over genuine customer service[2] turns me off.) Because Target is the closest brick and mortar store to our house for many kinds of items, we still buy things there. I usually try to pay in cash. I'll have to check our credit-card records [sigh] and see what's going on in our accounts.

[1] http://www.forbes.com/sites/kashmirhill/2012/02/16/how-targe...

[2] Personal anecdote alert: Target once had an in-house captive brand (not a Target brand, but a brand available in no other store) of "oven bakeware" that didn't even meet the Uniform Commercial Code warranty of merchantability, as it would shatter if you used it in an oven to bake something. We found that out just before a meal when we were all hungry. The local store gave us all kinds of run-around about simply refunding our money for the defective product. That was ill-timed for Target, as one of my wife's students had just given us a gift certificate for Sam's Club, and we discovered that the much-maligned Sam's Club is better about returns and about customer service in general than Target. We have shifted THOUSANDS of dollars a year from Target, my home-town store I grew up with, to Sam's, the store everyone is inclined to decry, in the years since then. When a store sells a defective product and doesn't make that right, I don't give it a lot of second chances. (My sister's former job at Target was to be a buyer, and she thought that if a Target buyer screws up and purchases a bad product, Target should make that right, period.)

By contrast, I recently bought what was labeled as an "Epson ink-jet printer cartridge" through a third-party seller on Amazon, and when the product arrived it was labeled "Not an OEM product," and plainly wasn't identical to an actual Epson printer cartridge. I contacted Amazon about the purchase, and an Amazon representative said my money would be refunded and I didn't have to return the product. That is the way to use big data to build a better customer experience--Amazon could verify how the product was labeled on its site, and perhaps had another customer complain to verify that I wasn't making this up. Amazon consistently treats me like my user experience is more important than Amazon's next-quarter bottom line, and that builds immense customer loyalty for me.


I've never liked Target for its intrusive tracking of customer spending through their branded credit cards and other loyalty card schemes, because those never add any value for me.

They give you 5% off your purchase when you use the card. I consider it a fair trade in value given how much I spend there.

That "intrusive" tracking...I don't know if I feel the same. You're in their store. If they choose to watch how you shop there, you can stay or you're free to walk. They can't forcibly drop items into my basket...yet. If I choose to buy something personal that I feel Target shouldn't remember or relay to others, I'll pay cash.


This reminds me of a story that ran in the news last year.

http://www.forbes.com/sites/kashmirhill/2012/02/16/how-targe...

It is not ok for a retail company to profile your underage daughter, find out that she is probably pregnant (before you do!) and then do targeted advertisement. That is wrong and more than a little creepy.


And this has never happened in small towns where merchants know everyone's business and gossip. There's always a backchannel of data when you are out in public.

The pregnant teenager outlier certainly made for an interesting and headline-worthy story. Hopefully future big data projects like this put a bit more thought into the human side of the equation, but never count on it I suppose.


In fairness, they probably didn't know she was underage. They just knew someone in the house was likely pregnant.

They've since stopped sending pure "baby" coupons and instead mix those in with other coupons to avoid the creepy factor.


Yeah... But we used to gossip about regulars and what they were buying (and why) all the time when I worked retail. We weren't as efficient as an algorithm of course, but we did use that knowledge (hunch) to recommend things as well. It's just weirder when a computer does it, rather than a person -- which is fair enough, and kinda interesting to think about!


You make some good points, hence my upvote to your reply to my comment. Replying to you here, let me respond to some of those points. I am aware that companies track my consumer behavior when I buy from their store. Amazon, of course, is very conspicuous about doing that. ("Customers who bought X also bought Y.") But Amazon's way of tracking my purchases provides a lot of added value. Some of my favorite books and other products were things I had never heard of until Amazon recommended them to me.

At an in-person store, I expect to develop a reputation with people who work there if I shop there often enough to recognize the customer service staff by sight (as I formerly did at our local Super Target). I didn't establish this context up above in my original comment, but I actually began shopping at the local Super Target three days before its official grand opening. (The grand opening was on a Sunday, but the store was open for business the Thursday before.) I bought a TV set (we had just returned to the United States from overseas, and didn't yet have a TV) and some other items from a newly hired cashier. During my conversation with the cashier (partly in Chinese, as I could see she was Chinese) the cashier was distracted, and DIDN'T RING UP the TV. So I got home, and my wife looked at the receipt and said, "How did you spend so little when you just got a TV?" We realized the TV wasn't listed on the receipt. So the next day I took the TV box with its store barcodes and my receipt to the customer service desk, and apologized for walking out of the store without paying for the TV, and asked the customer service staff to ring up the TV so that I could pay for it. The customer service staff were amazed (even here in the honest upper Midwest) that I came back to the store to incur that bill. But I wouldn't think of doing otherwise. I was a little worried that the new cashier would get in trouble for that mistake, but in fact she continued to work at that Target store for at least a year afterward, so the company evidently just treated that as a human-error mistake.

After that we shopped at our local Super Target ALL THE TIME. It's a comfortable walking distance from our house, and our children learn to navigate our neighborhood in large part by taking that walk. But a few years later, new management at Target became more responsive to outside shareholders and a bean-counter mentality took over, and customer service degraded badly. That's when I chanced to purchase the "oven bakeware" that shatters if you put it in an oven to bake something. We never did get our money back on that defective product, and the hassle we received at the same customer service desk, with people we knew by sight looking on, made us feel like thieves while we were asking for legitimate customer recourse under the Uniform Commercial Code. You see, I was demonstrably NOT a thief--I was the guy who had brought the TV box back to the store specifically so that I would be billed for it. If I can't develop a reputation for honesty by being honest at the local store where I shop the most, then their corporate policies can go take a flying leap while I take my business elsewhere. Anyone in the retail business has to provide good customer service as Job One. That's how retail is done. (My sister, if I may be allowed to repeat myself, knows that from when she worked at Target.) So if the company tracking doesn't work to my benefit, I'm out of there.


I've never liked Target for its intrusive tracking of customer spending ... We have shifted THOUSANDS of dollars a year from Target, my home-town store I grew up with, to Sam's, the store everyone is inclined to decry...

I thought an important part of the "members only" business model was that they pioneered exactly the sort of tracking you mention. My understanding was that at Costco and BJ's and Sam's Club, you're required to present your membership card even if you're paying cash. Perhaps I'm mistaken.

I've always been pleasantly surprised what good luck I've had returning things at all the big-box stores: Wal-Mart (which I mostly avoid these days), Target, Home Depot, Lowe's, etc. I wonder if it's a regional thing. It may help that I generally pay with a credit card, so I'm just asking for credit, not cash.

Of course, today, it sounds like that habit is biting me in the ass.


You actually hit the nail on the head with the regional comment. My experience in Mississippi at Home Depot and Walmart was a complete 180 from my experience in Texas. There seems to be less trust in MS.


>one of my wife's students had just given us a gift certificate for Sam's Club, and we discovered that the much-maligned Sam's Club is better about returns and about customer service in general than Target

I just want to mention something about Sam's Club here. I've asked for a Sam's Club membership for the past two Christmases, and it's been so helpful. I get boneless, skinless chicken breast for $2/lb there (!), which is about half as much as my local Publixes. Just about everything is absurdly cheap and still the same brand/quality as anywhere else, you just have to buy more of it.

Since shopping at Sam's Club, I eat way healthier than I ever have in my life - I eat a ton of vegetables for instance, just because I like them - and I still manage to hit my high caloric and macronutrient requirements for my diet/training program (which are pretty strict, can be crazy expensive), all for about $5/day.

I can't recommend them enough.


Costco is like Sam's Club but socially responsible. If you have the option, they are a much better choice.


Boneless headless chicken!


I worked for Stores Development at Target about 6 years ago. Honestly, this really surprises me. After the JCPenney incident, anything security related practically got rubber stamped.


Any long-term parking vets here?

I didn't take a ticket and instead swiped my CC to get into the lot. They repeatedly mentioned not to lose your card since the day I left is tagged to it (I assume).

Given the chaos of this, I probably won't even get my new card until I'm back from vacation.

Does anyone know if all I need is another card with my name on it or if I can just allow for 30-60 minutes of searching through records to locate my original swipe in?


Another reason for EMV compliance. The track data is stored on the magnetic stripe, which shouldn't even be stored on the machine, but it is for some reason.

Also, PCI Compliance - personal information should not be stored unencrypted when at rest or when being transferred.


/me calls credit card company.


Given the repetition of the phrase "you should continue to monitor your accounts"... I think it would be wise to get a new card if you can.


When Linode was compromised, I replaced my card immediately. Both times.


Chase sent me a text message on Monday notifying me that my card was at risk of fraud because a 3rd party merchant was compromised. Followup email said they were creating a new card for me. Your credit card company probably knows which cards were at risk. You're not liable for the fraud, so it's in their best interests to sort it out.


You could say they were a target of the breach.

All joking aside, this isn't good. Does this mean a lot of other stores are in the danger zone as well? I know a lot of stores use the same software to run their everything.


" I know a lot of stores use the same software to run their everything."

It's been 6 years since I've worked there, but at the time everything was pretty much custom. The original system was created in 1993 I believe, since then there's been so many things built on top of it I can't imagine how they'd replace it.


If payments could be initiated from a smartphone, the attack surface would be the phone, the bank. Not every shop or website where you enter your credit card details.


I still do not understand why they would have to store the credit card instead of just storing an authorization and transaction number.


This article had a little more info: http://krebsonsecurity.com/2013/12/sources-target-investigat...

  The type of data stolen — also known as “track data” —
  allows crooks to create counterfeit cards by encoding the
  information onto any card with a magnetic stripe.

So it's not just the credit card numbers, but it's the full magstripe that was read and transmitted as-is to some central location where it was lifted. Debit cards and PINs, too, presumably.


I'm not surprised they store something like this, when you return something you can scan your card to verify that you were the original purchaser. But why not store an irreversible hash instead of the actual magstripe?
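The "store an irreversible hash instead of the magstripe" idea above, together with the earlier points about what a retailer may keep after authorization, worked as an added example that is not part of this thread or of Target's systems. It uses a keyed HMAC token (an unkeyed hash is not enough, because the space of valid card numbers is small enough to enumerate and compare), keeps only the masked PAN for display, and drops track data, CVV and PIN at the point the record is built. The key, the transaction record and the field names are constructed assumptions; in a real deployment the key lives in an HSM or secret store.

```python
"""Keyed tokenization of a card number for return matching (constructed example).

What may be kept after authorization: masked PAN, keyed token, auth code, amount.
What is dropped and never written: track 1/2 data, CVV/CVV2, PIN or PIN block.
"""
import hashlib
import hmac

# Field names a POS record might carry; all are constructed for this example.
SENSITIVE_FIELDS = ("track1", "track2", "cvv", "cvv2", "pin", "pin_block")

# Constructed sample transaction. The PAN is the well-known Visa test number;
# the track/CVV/PIN values are placeholders, not real card data.
SAMPLE_TXN = {
    "pan": "4111111111111111",
    "expiry": "1512",
    "track2": "<constructed track 2 placeholder>",
    "cvv2": "000",
    "pin_block": "<constructed PIN block placeholder>",
    "auth_code": "A1B2C3",
    "amount_cents": 4999,
}


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: rejects typos before a token is ever computed."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits only, the usual PCI DSS display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed, irreversible reference to a PAN.

    Without the key, a stolen token table cannot be matched against
    enumerated candidate PANs, which a plain SHA-256 would permit.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(txn: dict, key: bytes) -> dict:
    """Build the only record the retailer keeps. Sensitive fields are not
    copied, so they never reach disk; they are simply absent from the result."""
    pan = txn["pan"]
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan, key),
        "auth_code": txn["auth_code"],
        "amount_cents": txn["amount_cents"],
    }


def matches_stored(candidate_pan: str, stored: dict, key: bytes) -> bool:
    """Return-desk check: does the card presented now match the purchase record?
    Constant-time comparison avoids leaking token bytes through timing."""
    return hmac.compare_digest(pan_token(candidate_pan, key), stored["pan_token"])


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-hsm"      # assumption: never hard-coded in real code
    record = sanitize_for_storage(SAMPLE_TXN, key)
    print(record)
    print("return matches:", matches_stored("4111111111111111", record, key))
    print("leaked sensitive fields:", [f for f in SENSITIVE_FIELDS if f in record])
```

The same token lets the return desk match a card to a purchase without the stored record ever containing anything a counterfeiter could encode onto a blank stripe.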


Why do you presume that debit card PIN numbers are stored on the card? (They aren't, as far as I know - how else could you change your PIN over the phone or on the card issuer's website?)


He's not presuming the PIN is ON the card, but that the transaction was the point of compromise (i.e. you punching in your PIN and the software running a verification of if that PIN is correct).


Ah - that makes more sense.


Sorry, I should have been more clear. PINs have not been confirmed compromised in any reports I've read so far, but it's been mentioned as a possibility. If magstripes were transmitted/stored by Target to perform the authorization, then it's possible that PINs for debit cards were transmitted/stored as well.


I got the impression that the hack was more of an intricate skimmer that exploited the POS system's network - basically intercepting credit card track data and PIN numbers between the POS terminals and the processor.


It seems likely that their card authorization system was compromised.


Well, they are sort of asking for it with a name like "Target", and a giant red bullseye painted on every fricken store!


Another reason why Bitcoin (or something like it) does have legitimate benefits...


Downside of CC breach: get new magic number, distribute to various service providers.

Downside of single (exploited) mistake in bitcoin wallet management: total loss of value.


I agree with mpg33, this sounds like a situation that would never happen with Bitcoin. Yes, the damage potential is probably more severe, but (assuming I control my own wallet) how does one use stored information of a third-party against me to steal my BTC? This is very easy to do with leaked credit card data. Furthermore, if your wallet is well-encrypted, you cannot forget about it in an ATM and leave it behind for Joe Jackass to use to rip you off.


> Downside of single (exploited) mistake in bitcoin wallet management: total loss of value.

...is a lot less damage than 40 million exposed credit cards


I thought it was clear enough that my comment was written from the perspective of an individual.

Getting my credit card details stolen is going to be less damaging than all but the smallest wallet thefts.


> perspective of an individual

Ignoring the absurd interest rates, fees, insurance that cc companies charge...you assume that credit card/debit card theft costs are never passed on to the consumers


Is there no Bitcoin theft?

