Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to Snowy


Re: Credit card data breach at Target

I am more confused now. You are saying a debit card that is used as a credit card will put the sign window on the screen even though the store has the machines set to NOT require a sig (in other words, not put the sig screen up) unless the purchase amount is over $50 (and at some stores now the purchase has to be over $100 to get the sign screen)?

So, in these stores (most stores now) if you use a real credit card and your purchase is not over $50 then you can't sign even if you want to. Signing is not an option much less a requirement. You swipe the card and then you are handed the receipt by the cashier. I thought the same thing would happen if you use a debit card as a credit card for a purchase under $50. Target is one of the stores that does not allow signing unless the purchase is over $50. So, I thought the thief must have known which stores she needed to spend more than $25 in to get a sign screen (CVS, Safeway) or more than $50 in (Ross, SackNSave, etc) or more than $100 in.
scross
join:2002-09-13
USA

scross to Snowy

Member

said by Snowy:

I'm not trying to give you a hard time at all but I'm not understanding what you're saying.
What does "bogus" refer to in this:
These bogus calls would come in appearing as if they originated at the card owner's residence ...
That answer might gel it for me.

These bogus [as in, made by the credit card thief, who has your new credit card in his or her possession] calls would come in appearing as if they [physically] originated at the card owner's residence - which in fact they may have.

mackey
Premium Member
join:2007-08-20

1 edit

1 recommendation

mackey to Mele20

said by Mele20:

said by Name Game:

A chase debit card tied to a checking account is a visa card with Chase name on it and can be used as a debit card with pin or like a credit card with signature.

She must have made sure to charge more than the minimum required at each store to generate the need to sign right?

said by Mele20:

You are saying a debit card that is used as a credit card will put the sign window on the screen even though the store has the machines set to NOT require a sig (in other words, not put the sig screen up) unless the purchase amount is over $50 (and at some stores now the purchase has to be over $100 to get the sign screen)?

No, you're just splitting hairs over Name Game's reply. When using a check card at a store, most terminals ask you for a pin. If you press the "Cancel" button (or ask that it be run as "credit" for the terminals which don't do this) it will then either bring up the signature box if needed for that transaction or the clerk (or machine) will simply give you your receipt if no signature is needed.

/M
SpHeRe31459
Premium Member
join:2002-10-09
Sacramento, CA

2 recommendations


Newest bits of info:

Hackers gained access using stolen vendor credentials:
»news.msn.com/us/target-h ··· dentials

Also apparently there was a known backdoor that was exploited as well:
»arstechnica.com/security ··· oftware/

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN


said by SpHeRe31459:

Newest bits of info:

Hackers gained access using stolen vendor credentials:
»news.msn.com/us/target-h ··· dentials...

From: »news.msn.com/us/target-h ··· dentials :
quote:
... She declined to elaborate on what type of credentials were taken, who the vendor was, or to provide other details.
Nevertheless, it shouldn't be long before we know for certain the identity of the vendor, since the class-action lawyers will soon be demanding it, so as to widen their net of blame and deepen the potential pockets for their lawsuits.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX


Krebs seems to be on to something here... »krebsonsecurity.com/2014 ··· -breach/
SpHeRe31459
Premium Member
join:2002-10-09
Sacramento, CA


said by sivran:

Krebs seems to be on to something here... »krebsonsecurity.com/2014 ··· -breach/

Yikes, the PoS malware code has been seen by the FBI since 2011. It seems like security professionals could have enacted ways to detect and/or block it by now? Of course that would require willing and able retail partners :-/
quote:
Anyone hoping that this retail breach disclosure madness will end sometime soon should stop holding their breath: In a private industry notification dated January 17 (PDF), the FBI warned that the basic code used in the point-of-sale malware has been seen by the FBI in cases dating back to at least 2011, and that these attacks are likely to continue for some time to come.
scross
join:2002-09-13
USA

1 recommendation

scross to Zoder

Member

On the potential risks involved in having your email information taken, ala the recent attack on Target. Note that Yahoo is pointing the finger here at theft of an undisclosed third-party's database.

»arstechnica.com/security ··· d-reset/

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to Zoder

Tor-enabled malware stole credit card data from PoS systems at dozens of retailers
quote:
Payment card data was stolen during the past three months from several dozen retailers that had their point-of-sale systems infected with a memory-scraping malware program called ChewBacca.

The cybercriminal operation was investigated by antifraud researchers from RSA, the security division of EMC, who analyzed the malware and its command-and-control infrastructure.
»www.pcworld.com/article/ ··· ers.html
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to Zoder

25,000 credit and debit cards have been replaced by Hawaii banks (not including credit unions) at a cost of $250,000 because of the Target breach.

Plus, Hawaii residents have been warned by the state commissioner of financial institutions to NOT use debit cards for gasoline, restaurant, rental cars, hotels, airline tickets, furniture or ANY high cost item. Credit cards should be used for everything except low risk items.

»www.hawaiinewsnow.com/st ··· xclusive
TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA

TheWiseGuy to Zoder

And here we go again.

»edition.cnn.com/2014/02/ ··· hacking/
said by CNN :

White Lodging -- a company that maintains Hilton, Marriott, Sheraton and Westin hotel franchises -- has apparently suffered a data breach that exposed guests' credit and debit card information in 2013, independent security researcher Brian Krebs said.


DannyZ
Gentoo Fanboy
Premium Member
join:2003-01-29
united state


It wouldn't surprise me if at this point it's really a question of who isn't infected...
SpHeRe31459
Premium Member
join:2002-10-09
Sacramento, CA


It keeps getting worse for Target's own internal security policies...

Target Hackers Broke in Via HVAC Company:
»krebsonsecurity.com/2014 ··· company/
quote:
Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.
quote:
It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network.
PX Eliezer1
Premium Member
join:2013-03-10
Zubrowka USA

1 recommendation


said by SpHeRe31459:

....the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers....

Geez, the 21st century version of a burglar [physically] coming in through the HVAC ducts!
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to SpHeRe31459

quote:
It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network.

a) said HVAC company was too [insert here] to get their own external access -- eg. USB 3G dongle

b) Target too [insert here] to implement proper network segmentation.

c) ...the list goes on.

:facepalm moment of stupid:

Regards

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

3 recommendations

Blackbird to Zoder

Hey... so your furnace won't heat, your air conditioner won't cool, or your POS terminal is running slow? Who you gonna call? Byte-Buster's Heating, A/C & Point-of-Sale Repair Company, of course! Our motto: "If you can break it, we can fix it! With Byte-Buster's, you always get more than you paid for."
ke4pym
Premium Member
join:2004-07-24
Charlotte, NC

ke4pym to Zoder

This is pretty big news!

»blogs.wsj.com/corporate- ··· it-card/
scross
join:2002-09-13
USA

scross to Zoder

Member

More news.

Target security breach lasted longer than previously thought

»www.latimes.com/business ··· 95.story

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran to ke4pym

Love the "liability shift" terminology.
said by Quoth AmEx :
Who is responsible for the liability for losses resulting from Card fraud?

If your PIN has been used with a fraudulent transaction, we will always examine the circumstances in which this occurred. If your PIN has been compromised through no fault of your own, you won't be held responsible for any fraud that occurs. If you have not taken reasonable care to protect your Card and PIN you will be held liable for any fraudulent transactions.

So, how do they determine that?

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN


said by sivran:

Love the "liability shift" terminology.

said by Quoth AmEx :
...If you have not taken reasonable care to protect your Card and PIN you will be held liable for any fraudulent transactions.

So, how do they determine that?

If it follows the path I expect, it will eventually be defined by a bunch of lawsuits over coming years. The CC companies will argue that victimized customers failed to exercise reasonable care, the customers will argue they did exercise such care or were prevented from doing it by something beyond their control. In the end, lawsuit outcomes will establish the parameters of "reasonable" - but not without a fight.
PX Eliezer1
Premium Member
join:2013-03-10
Zubrowka USA


....and the lawyers get rich regardless....

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN


said by PX Eliezer1:

....and the lawyers get rich regardless....

But of course. The entire conflict-resolution system is crafted, staffed, and judged by lawyers. They'll be the first to tell you the only alternative is fighting in the street.

garys_2k
Premium Member
join:2004-05-07
Farmington, MI

garys_2k to sivran

said by sivran:

If you have not taken reasonable care to protect your Card and PIN you will be held liable for any fraudulent transactions.

Sivran, where did you see that? It wasn't in the article that ke4pym posted.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX


Naturally because I got it from, and attributed it to, American Express.

garys_2k
Premium Member
join:2004-05-07
Farmington, MI


Found it, thanks.

leibold
MVM
join:2002-07-09
Sunnyvale, CA
Netgear CG3000DCR
ZyXEL P-663HN-51

1 recommendation

leibold to sivran

If it follows the example of Europe, the card issuers and banks don't have to determine anything. The presumption is that there would have been no fraudulent use of the account if the consumer had taken reasonable care to protect card and pin.

The burden then falls onto the consumer to prove that they did in fact do nothing wrong in court against a big stack of expert testimony from the card companies stating that pin and chip are 100% secure.
Mele20
Premium Member
join:2001-06-05
Hilo, HI


Yes. This will mean the death of credit and debit cards. Back to checks and cash.

mackey
Premium Member
join:2007-08-20


LOL! You're funny!

/M
Mele20
Premium Member
join:2001-06-05
Hilo, HI


You are referring to me? If so, nice you are so wealthy and young enough to withstand all the stress of fighting in courts over what is bound to happen. I'm not sure how you conclude that my being concerned about this makes me "funny".

mackey
Premium Member
join:2007-08-20


I'm not saying you're not concerned about it (you should be), I'm saying the fact that none of what you said is happening over in Europe even though they started doing this a few years ago means your statement is absurd. Sure a few people might stop using cards and go back to cash (not a lot of places still take checks around here), but the death of credit and debit cards? Hardly.

/M