Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to mackey

Re: Credit card data breach at Target

So, you disagree with what leibold See Profile said?

mackey
Premium Member
join:2007-08-20

said by Mele20:

So, you disagree with what leibold See Profile said?

What? No, he just stated what Europe does. I said you were funny with the comment
said by Mele20:

This will mean the death of credit and debit cards. Back to checks and cash.

That's just plain nonsense. It didn't happen in Europe and it's not going to happen here.

/M
Mele20
Premium Member
join:2001-06-05
Hilo, HI

No, he stated the RESULT of Europe deciding to shit on all credit card customers (debit card customers have always been shit on in Europe and USA).

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

1 recommendation

sivran to Mele20
I have some reason to disagree.

»bucks.blogs.nytimes.com/ ··· ogs&_r=0

It's not a given that EMV will usher in a liabilitypocalypse.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

IF what is stated in that article proves to be true then, yes, EMV may bring more good than bad. With a Visa spokesperson being quoted that is encouraging. I vividly recall what happened in Britain about 5-6 years ago but IF the USA keeps the same consumer liability laws we currently have then the move may be a positive step. However, I don't want to have to carry a special wallet for one of these cards. I returned one to Chase not long ago (ugly also and funny sized so doesn't fit right in wallet slots) because I didn't want to have to wrap it in aluminum foil and then how would I carry it (would not fit in my new wallet wrapped up) and I'd be apt to lose it if left loose in my purse. So, I asked for a regular card instead.

mackey
Premium Member
join:2007-08-20

mackey to Mele20
said by Mele20:

No, he stated the RESULT of Europe deciding to shit on all credit card customers (debit card customers have always been shit on in Europe and USA).

What? You are not making any sense. Are you saying Europe does not in fact do what he said?

/M
mackey to Mele20
Let's start over, shall we? Forget the back and forth for a moment and let's go back to this quote:
said by Mele20:

This will mean the death of credit and debit cards. Back to checks and cash.

That's just plain nonsense. "The death of credit and debit cards" didn't happen in Europe and it's not going to happen here.

/M

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran to Mele20
The article mentions a law that went into effect in the UK in 2009 that put the burden back on the banks. I seem to remember linking to an article about that law earlier in the thread.

Also, we're not talking about NFC chips, although chip cards can certainly offer that.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

All cards I've been offered with RFID also have NFC. Why wouldn't they? That was the main reason for these cards, seems to me, until the Target breach. So, the consumer will be able to specify a card with or without NFC? Won't all these new terminals that have to be put in have NFC capability and, thus, won't the banks issue cards with it?

antdude
Matrix Ant
Premium Member
join:2001-03-25
US

1 recommendation

antdude to Zoder

ASSESSMENT: The Target Hack As An APT Style Attack

»krypt3ia.wordpress.com/2 ··· -attack/ from »arstechnica.com/security ··· -e-mail/

mackey
Premium Member
join:2007-08-20

1 edit

1 recommendation

mackey to Mele20
said by Mele20:

All cards I've been offered with RFID also have NFC.

Well duh, they're almost the same thing. NFC is just RFID with a few extra capabilities (like 2-way data transmission).

And no, not all terminals will have NFC capability, only EMV/chip card is being required. EMV/chip card tech is completely separate from NFC/RFID and one does not require the other. Even though EMV/chip cards are being required, you can still get cards with or without NFC capability.

/M

EGeezer
Premium Member
join:2002-08-04
Midwest

EGeezer to Zoder
Apparently, the mechanical company that's been mentioned as the conduit for the Target attack used Malwarebytes free on-demand scanner as their defense against malware.

There is no question that, like Target, Fazio Mechanical was the victim of cybercrime. But investigators close to the case took issue with Fazio's claim that it was in full compliance with industry practices, and offered another explanation of why it took Fazio so long to detect the email malware infection: The company's primary method of detecting malicious software on its internal systems was the free version of Malwarebytes Anti-Malware.

»krebsonsecurity.com/2014 ··· -target/

It's a great product for its purpose, but I don't see it as meeting standards for the primary method of malware detection in business critical infrastructures.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

3 recommendations

I believe it's a problem condition that's far more widespread than we realize. A small start-up company provides contractor or similar services to a very local service area, is successful and expands into a region, gets even bigger contracts, and finally gets more national business exposure. But the "start-up thinking" that got it there is too often still "mom and pop" in nature, focused on the specifics of the contracting work itself, rather than the nuances (and risks) of the "business" end of things when it's conducted at higher levels beyond local.

What might have been reasonable (or at least survivable) with a single "inventory" computer of their own in the back room in those early days is no longer reasonable in a different era at a national-exposure level when directly doing full-blown interaction with clients having complex data networks. But the operators of the contractor business, focused as they are on the details of their areas of trade expertise, too often are utterly ignorant of all the other things that are now relevant factors and risks.

It's the reason a wise large company will thoroughly vet and educate its suppliers and contractors in a multitude of areas, and it's the source of untold annoyance to those suppliers/contractors because they have to jump through so many hoops. Unfortunately, even large companies (perhaps because they too were once small) fail to fully grasp the areas and extent where vetting needs to occur. Then they all make headlines...

EGeezer
Premium Member
join:2002-08-04
Midwest

Great observations! I've seen this in small accounts of mine where they insisted on allowing music sharing, resisted password management and opposed locking down desktops to limited user state.

Then, when they needed to connect with federal LEO systems, court systems, banks, insurance, medical, etc., they had to change their ways.

I even had to fight a library director's insistence that their admin passwords needed to be changed from the last four digits of their phone number. Every kid in town knew it, but it made no difference.

I finally left the place after they demanded that I upload copyrighted content to their server for public use without the holder's permission.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

2 recommendations

Blackbird to Zoder
Oh, Target!! What did you do... or, better put, didn't do?

Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It

If this turns out to be accurate, Target is going to lose a whole LOT of lawsuits...
SpHeRe31459
Premium Member
join:2002-10-09
Sacramento, CA

quote:
The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.
Yeesh just pathetic...
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to Blackbird
It is absolutely mind-boggling that the security software worked perfectly, caught the hack, then Target's team of security specialists in Bangalore saw it and flagged Target's security team in Minneapolis. Everything just as it should be, except Target's team in Minneapolis DID NOTHING. What is truly sad is that the FireEye software could have been set to AUTOMATICALLY DELETE the malware, but Target had TURNED OFF that ability and then proceeded to IGNORE alert after alert!

After reading that report, I am thoroughly disgusted with Target (and shocked because they were trying to be cutting edge by using the FireEye software in the first place but then turned off a significant part of it, thus allowing humans at Target headquarters to completely screw up). I seldom go in there now...but they do have some grocery products that no one else has here (and they happen to be ones that are among my favorites). So, I use cash only now there, but I see a lot of fools using credit cards and Target's own debit cards still!

If the report is true, how will Target survive the deluge of lawsuits?

chip89
Premium Member
join:2012-07-05
Columbia Station, OH

chip89 to Blackbird
Wow just wow! Even AVG can detect viruses then automatically put them in quarantine!
Mele20
Premium Member
join:2001-06-05
Hilo, HI

said by chip89:

Wow just wow! Even AVG can detect viruses then automatically put them in quarantine!

What is your point? FireEye can and DID detect the malware. The problem was that the IT idiots in Minneapolis had TURNED OFF the ability of the software to kill and eradicate the malware. Just like the user of an antivirus program can do. The problem was not the software, but rather the idiots that messed with it so they could have final control, but who then slept on the job through repeated alerts...just like a user of antivirus software can do if they have set up the antivirus program to give them final say.

chip89
Premium Member
join:2012-07-05
Columbia Station, OH

That it shouldn't have been off in the first place, and that they just slept through multiple alerts.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

said by chip89:

That it shouldn't have been off in the first place, and that they just slept through multiple alerts.

I agree, but I still don't understand your first comment...but that's ok as we do agree.

leibold
MVM
join:2002-07-09
Sunnyvale, CA
Netgear CG3000DCR
ZyXEL P-663HN-51

1 recommendation

leibold to chip89
Ignoring the alerts (if that is truly what happened) is not excusable.

However, it is not unusual to run security software in detect-only mode and leave the decision on whether or not (or more importantly how) to react for a human being (hopefully someone that is not asleep on the job). The problem with automatic defenses is that they can be turned into a very powerful denial of service weapon (sometimes even accidentally).

This is a hotly debated topic and there are good arguments both for and against automatic countermeasures in intrusion detection systems.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to Zoder
Major companies, like Target, often fail to act on malware alerts
quote:
Computerworld - Companies that suffer major data breaches almost always portray themselves as victims of cutting edge attack techniques and tools. The reality, though, is often much more mundane.

Case in point: Target, which last year was hit with a major data breach that exposed to hackers data on some 40 million credit and debit cards and personal data on another 70 million customers.
»www.computerworld.com/s/ ··· e_alerts

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran to Mele20
It is not uncommon for companies to turn off automatic blocking/deleting functions. In addition to the desire for control, there's the need to be assured false positives won't take down essential systems. This goes double, triple, even quadruple when you're implementing a new security tool--and yes, even at 6 months it can be considered new. This, I have learned, is normal.

One hopes that they make up for it with vigilant monitoring. Target failed at that.

I have also learned that incompetence is far too common.
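The detect-only versus automatic-countermeasure trade-off that leibold and sivran describe above, as an added example that is not part of the thread: a small alert router that (a) in detect-only mode queues every alert for a human, (b) in automatic mode never quarantines a host on a critical-asset list (the false-positive outage sivran mentions), (c) trips back to detect-only when quarantines burst (leibold's denial-of-service concern), and (d) reports alerts that sat unacknowledged past an SLA (the failure mode the thread attributes to Target). All host names, thresholds and alerts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy values (assumptions for this example, not from the thread).
CRITICAL_ASSETS = {"pos-gateway-01", "pos-gateway-02"}  # never auto-quarantined
ESCALATION_SLA = timedelta(hours=4)     # max time a queued alert may sit unacknowledged
BREAKER_LIMIT = 3                       # auto-quarantines per window before tripping
BREAKER_WINDOW = timedelta(minutes=30)

@dataclass
class Alert:
    ts: datetime
    host: str
    severity: str            # "high" | "medium" | "low"
    acknowledged: bool = False

class Responder:
    """Routes sensor alerts to automatic quarantine or to a human review queue."""
    def __init__(self, auto_block: bool):
        self.auto_block = auto_block
        self.quarantined = []    # (ts, host) of automatic actions already taken
        self.queue = []          # alerts waiting for a person

    def handle(self, alert: Alert) -> str:
        # Detect-only mode queues everything for a human. In auto mode a false positive
        # on an essential system is a self-inflicted outage, so critical assets go to a person.
        if not self.auto_block or alert.severity != "high" or alert.host in CRITICAL_ASSETS:
            self.queue.append(alert)
            return "queue_for_review"
        # Circuit breaker: a burst of quarantines looks like a bad signature or a fed sensor.
        recent = [t for t, _ in self.quarantined if alert.ts - t <= BREAKER_WINDOW]
        if len(recent) >= BREAKER_LIMIT:
            self.auto_block = False          # fall back to detect-only and escalate
            self.queue.append(alert)
            return "breaker_tripped"
        self.quarantined.append((alert.ts, alert.host))
        return "quarantine"

    def overdue(self, now: datetime) -> list:
        """Queued alerts unacknowledged past the SLA; detect-only is only safe while empty."""
        return [a for a in self.queue if not a.acknowledged and now - a.ts > ESCALATION_SLA]

# Constructed sample alerts (not real data): one on a POS gateway, then a burst.
SAMPLE = [Alert(datetime(2014, 1, 10, 2, 0), "pos-gateway-01", "high")] + [
    Alert(datetime(2014, 1, 10, 2, 5 + i), f"ws-{17 + i}", "high") for i in range(4)]

def run(auto_block: bool, now: datetime):
    r = Responder(auto_block)                     # actions per alert, then stale hosts
    actions = [r.handle(a) for a in SAMPLE]
    return actions, [a.host for a in r.overdue(now)]
```

Running `run(True, now)` six hours after the burst shows the breaker tripping on the fourth workstation while the POS gateway alert, routed to a human, has gone stale; `run(False, now)` shows all five alerts stale, which is what an unattended detect-only deployment looks like.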

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

1 recommendation

siljaline to Zoder
Target breach optioned as Sony feature film
»www.welivesecurity.com/2 ··· re-film/
Kearnstd
Space Elf
Premium Member
join:2002-01-22
Mullica Hill, NJ

Kearnstd to SpHeRe31459
said by SpHeRe31459:

quote:
It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network.

Odds are it was remote monitoring of the systems. Many Target stores today sell a handful of grocery items (dunno if there are full-blown Super Targets). And the current thing is that the HVAC/R is all networked. This allows a manager to monitor problems right from a desktop computer and generate trouble tickets with their repair contractor.

But as to why the system that allows this and the POS system are linked is a mystery.

Of course as usual the bosses were told of a potential breach and did nothing. Once again it was likely this...

What IT said: "We have a potential major security breach into our payment systems network and this should be fully reviewed as of yesterday. As this could set us up for huge liability in the future"

What the execs heard: "Hi I am from IT and we want a nifty new firewall and spend company time to do something called network security."

Every security breach story seems to follow the same path eventually: someone mentions the breach and the bosses ignore the warning.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

A "handful" of grocery items? No, it is a full grocery with fresh meats, produce, bakery goods, etc. It is much bigger than the grocery items area in Wal-Mart. Neither have a grocery like Safeway's gigantic store but both have, and Target in particular has, a LOT more than a "handful" of grocery items.

Are you claiming that there was no breach that was discovered by the software Target had? You are claiming that Target executives specifically told IT to ignore the breach? Where did "potential" enter? The software caught a hack and Target refused to act. There was no "potential".

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

said by Mele20:

Are you claiming that there was no breach that was discovered by the software Target had?

No. He is not.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

1 recommendation

Blackbird to siljaline
said by siljaline:

Major companies, like Target, often fail to act on malware alerts
...
»www.computerworld.com/s/ ··· e_alerts

And, from that same article, some quotes explaining the most likely ultimate reason behind the breakdown:
quote:
"I have seen enterprises roll out very expensive systems to handle security monitoring, yet there is no subject matter expert for this technology or risks within the enterprise," he said.
...
"Any organization looking to implement security technologies should make the same investment in their people to help configure the technology," he said.
...
"You can have all the alarms you want, but unless you put security in a prominent position in the company and have enough staff to review them, those alarms don't mean anything," he said.
...
Companies also need strong security polices and processes for managing systems -- and for dealing with alerts, she said. "In this case, Target apparently fell short on process and policies -- they had the technology piece down,"