12-20-2013, 11:39 AM
#41
Full time employment: Posting here.
Join Date: Sep 2008
Location: Southeast USA
Posts: 548
Don't blame Target. I haven't been to Target in months, but last week I discovered $9K of fraudulent charges on my Discover Card. I suspect a local restaurant, but I have no evidence to back that up yet. Discover says that I'm not responsible for the fraudulent charges. Discover closed that account and sent me a new card the next day. They said that because of the amount ($9K) they will probably want a police report. They will let me know. The fraudulent charges were made to online retailers all over the USA.
I manually enter all my transactions into Quicken every evening. Then, I download online every evening. If any downloaded transaction doesn't match my manually entered transactions, I immediately investigate. That's how I discovered the fraudulent charges.
Interestingly, the perpetrator had changed my account mailing address and contact phone number. The fraudulent mailing address and phone number were legitimate USA numbers. So, if Discover had called about the unusual charges, they would have been talking to the perpetrator. The Discover representative had to check my records before the fraudulent changes to establish my identity. The fraudulent charges and the changes to my account were all made the same day online. My account spending limit had not been reached.
__________________
Matthew 6:34 (KJV)
Take therefore no thought for the morrow: for the morrow shall take thought for the things of itself. Sufficient unto the day is the evil thereof.
12-20-2013, 12:19 PM
#42
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,145
If this didn't occur at point of sale, but rather downstream from it, then why is sensitive info like CVC and PIN being passed downstream? Can't the POS terminal verify the transaction and not save those numbers? Poor security design. I guess they don't expect hackers?
__________________
Retired since summer 1999.
12-20-2013, 12:24 PM
#43
Administrator
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,130
Quote:
Originally Posted by audreyh1
Didn't know that. I am occasionally asked for it at point of sale.
If they are NOT supposed to store the CVV number by law, then these guys really need to straighten up! It would make it harder if the thieves didn't get their hands on the CVV.
|
If the code is a CSC code printed flat (not embossed) on the back of the card, then that code is not embedded in the magnetic strip. Not sure what the CVV codes that the article above says were stolen were referring to.
Quote:
The second type of CSC is a three- or four-digit value printed on the front of the card or on the signature strip on the back. It is not encoded on the magnetic stripe but is printed flat, not embossed like the card number.
- American Express cards have a four-digit code printed on the front side of the card above the number.
- MasterCard, Visa, Diners Club, Discover, and JCB credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature panel of the card. New North American MasterCard and Visa cards feature the code in a separate panel to the right of the signature strip.[3] This has been done to prevent overwriting of the numbers by signing the card.
|
Quote:
As a security measure, merchants who require the CVV2 for "card not present" payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized and completed.[4] This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code, therefore employees and customer service representatives with access to these web-based payment interfaces who otherwise have access to complete card numbers, expiration dates, and other information still lack the CVV2 code.
|
Card security code - Wikipedia, the free encyclopedia
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
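The rule Alan quotes (CVV2 must not be kept once a transaction is authorised) is something a merchant can actually test for in its own stored data. The following is an added example, not code from this thread or from any merchant or vendor: a small Go scanner over constructed transaction records that flags a full PAN (confirmed with the Luhn check), raw track 2 data, or a labelled CVV2 value, which is what a sensitive-authentication-data sweep under PCI DSS looks for. The record format and field names are assumptions.

```go
package main

import "regexp"

// Constructed sample of stored transaction records (not real card data). Records 1 and 2 keep
// only a masked PAN; record 3 retains the full PAN, the CVV2 and raw track 2 data after
// authorisation, which PCI DSS forbids a merchant to do.
var SampleRecords = []string{
	`{"txn":"1001","pan":"411111******1111","exp":"1216","auth":"OK"}`,
	`{"txn":"1002","pan":"555555******4444","exp":"0915","auth":"OK"}`,
	`{"txn":"1003","pan":"4111111111111111","cvv2":"123","track2":";4111111111111111=1612101?","auth":"OK"}`,
}

// Finding names one prohibited data element found in one stored record (1-based index).
type Finding struct{ Record int; Kind string }

// checks pairs each prohibited element with the pattern that reveals it in a record; a
// "clear-pan" candidate is also Luhn-checked so order ids and timestamps are not reported.
var checks = []struct{ kind string; re *regexp.Regexp }{
	{"track2", regexp.MustCompile(`;?[0-9]{13,19}=[0-9]{4}`)},
	{"cvv2", regexp.MustCompile(`(?i)\b(cvv2?|cvc2?|csc)\b"?\s*[:=]\s*"?[0-9]{3,4}\b`)},
	{"clear-pan", regexp.MustCompile(`\b[0-9]{13,19}\b`)},
}

// doubled[d] is 2*d with its digits summed, as the Luhn check requires for every second digit.
var doubled = [10]int{0, 2, 4, 6, 8, 1, 3, 5, 7, 9}

// LuhnValid reports whether a decimal digit string passes the Luhn check used for card numbers.
func LuhnValid(s string) bool {
	sum := 0
	for i := 0; i < len(s); i++ {
		d := int(s[len(s)-1-i] - '0') // walk from the check digit leftwards
		if d > 9 {
			return false // not a decimal digit
		}
		if i%2 == 1 {
			d = doubled[d]
		}
		sum += d
	}
	return sum%10 == 0
}

// ScanRecords reports each prohibited element at most once per record.
func ScanRecords(records []string) []Finding {
	var out []Finding
	for i, r := range records {
		for _, c := range checks {
			for _, m := range c.re.FindAllString(r, -1) {
				if c.kind != "clear-pan" || LuhnValid(m) {
					out = append(out, Finding{i + 1, c.kind})
					break
				}
			}
		}
	}
	return out
}
```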
12-20-2013, 12:44 PM
#44
Thinks s/he gets paid by the post
Join Date: Jul 2006
Location: Denver
Posts: 3,519
Maybe this Target incident will provide the impetus to move to smart cards in the US.
12-20-2013, 03:19 PM
#45
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,265
__________________
Comparison is the thief of joy
The worst decisions are usually made in times of anger and impatience.
12-20-2013, 03:45 PM
#47
Moderator
Join Date: Oct 2010
Posts: 10,725
Those that DID get hit with unauthorized charges (from Target or TJ Maxx or any of the other places that have insufficient technology protections) get hit with the inconvenience of straightening out those transactions. But EVERYBODY with any kind of plastic gets hit with the cost of these breaches. Usually, the money from those unauthorized transactions is gone-gone, and that makes for higher fees to retailers. And of course they need to pass on those costs to consumers. We all pay when a retailer can't secure their data.
Why-o-why doesn't the US adopt chip and pin?
12-20-2013, 04:06 PM
#48
Thinks s/he gets paid by the post
Join Date: Jan 2004
Posts: 2,049
The debit card PIN should be encrypted at the card reader and sent as a "block" to the issuing bank. Target's readers obviously didn't do this. As Alan noted, they probably kept the CVV digits too (and unencrypted?!?).
PCI compliance score = F
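What eridanus describes is the ISO 9564 PIN block: the reader combines the PIN with the PAN and encrypts the result under a key it shares only with the acquirer or issuer side, so nothing downstream in the store ever holds a clear PIN. The following is an added example, not code from this thread or from any POS vendor: it builds an ISO 9564-1 format 0 PIN block in Go, encrypts it with triple DES under a constructed 24-byte key, and recovers the PIN the way an issuer HSM would. Key management (per-transaction DUKPT keys, zone keys) is assumed away; the key and PAN used are constructed test values.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// xorPAN XORs an 8-byte block with the format 0 PAN field (0000 + rightmost 12 PAN digits, check digit excluded); applied twice it restores the input.
func xorPAN(block []byte, pan string) ([]byte, error) {
	if len(pan) < 13 || len(block) != 8 {
		return nil, fmt.Errorf("need a 13+ digit pan and an 8-byte block")
	}
	pa, err := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	if err != nil { return nil, err }
	out := make([]byte, 8)
	for i := range out {
		out[i] = block[i] ^ pa[i]
	}
	return out, nil
}

// FormatPINBlock0 builds the ISO 9564-1 format 0 clear PIN block: PIN field (control nibble 0, PIN length, PIN digits, F padding) XOR PAN field.
func FormatPINBlock0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 { return nil, fmt.Errorf("pin must be 4 to 12 digits") }
	pf, err := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), pin) + "FFFFFFFFFF"[:14-len(pin)])
	if err != nil { return nil, err }
	return xorPAN(pf, pan)
}

// RecoverPIN reads the PIN out of a clear format 0 block, as the issuer's HSM does after decrypting it.
func RecoverPIN(block []byte, pan string) (string, error) {
	clear, err := xorPAN(block, pan)
	if err != nil { return "", err }
	if n := int(clear[0] & 0x0F); clear[0]>>4 == 0 && n >= 4 && n <= 12 {
		return hex.EncodeToString(clear)[2 : 2+n], nil
	}
	return "", fmt.Errorf("not a format 0 PIN block")
}

// TDES encrypts (or, with decrypt set, decrypts) one PIN block under a 24-byte triple-DES key held only by the reader and the issuer-side HSM.
func TDES(block, key []byte, decrypt bool) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil || len(block) != 8 { return nil, fmt.Errorf("need a 24-byte key and an 8-byte block") }
	out, op := make([]byte, 8), c.Encrypt
	if decrypt { op = c.Decrypt }
	op(out, block)
	return out, nil
}
```

The clear block for PIN 1234 and test PAN 4111111111111111 is 041225eeeeeeeeee; the store's systems only ever see the TDES output of that block.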
12-20-2013, 04:18 PM
#49
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jun 2002
Location: Texas: No Country for Old Men
Posts: 50,021
I see an announcement that starting December 21, Target retail stores will take 10% off storewide due to the recent in-store security breach.
A Message from CEO Gregg Steinhafel about Target
Suggestion: If you take them up on the offer, don't use plastic to pay for it.
__________________
Numbers is hard
12-20-2013, 04:22 PM
#50
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jan 2008
Location: NC
Posts: 21,304
I wonder if Square (I have used) and/or eWallet (not used yet, but looking forward to it if secure) are any more secure?
__________________
No one agrees with other people's opinions; they merely agree with their own opinions -- expressed by somebody else. Sydney Tremayne
Retired Jun 2011 at age 57
Target AA: 50% equity funds / 45% bonds / 5% cash
Target WR: Approx 1.5% Approx 20% SI (secure income, SS only)
12-20-2013, 04:39 PM
#51
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,145
Quote:
Originally Posted by eridanus
The debit card PIN should be encrypted at the card reader and sent as a "block" to the issuing bank. Target's readers obviously didn't do this. As Alan noted, they probably kept the CVV digits too (and unencrypted?!?).
PCI compliance score = F
|
So - here we have a merchant that was ignoring PCI compliance for whatever reason.
All the criminals had to do was keep targeting merchants until they found one with poor compliance.
Can't believe these merchants are so sloppy with their systems. Who are they buying their software from?!?!?!?!
__________________
Retired since summer 1999.
12-20-2013, 04:58 PM
#52
Moderator Emeritus
Join Date: Apr 2011
Location: Conroe, Texas
Posts: 18,731
Quote:
Originally Posted by audreyh1
Can't believe these merchants are so sloppy with their systems. Who are they buying their software from?!?!?!?!
|
Probably the same guys that designed the ACA website...
12-20-2013, 06:07 PM
#53
Administrator
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,130
Quote:
Originally Posted by sengsational
Why-o-why doesn't the US adopt chip and pin?
|
October 2015 is the deadline for merchants, and I'd read somewhere else that a year later for pay-at-pump gas stations.
U.S. rolling out chip card technology, ever so slowly
Quote:
Concern about the upswing in credit card fraud is one reason U.S.-based card issuers, financial institutions and retailers have set a deadline of October 2015 to put an EMV payment system in place. That's when liability for counterfeit fraud shifts from the issuers to merchants and their acquirers if their equipment does not support EMV.
|
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
12-20-2013, 07:38 PM
#54
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Sep 2005
Location: Northern IL
Posts: 26,895
Quote:
Originally Posted by eridanus
The debit card PIN should be encrypted at the card reader and sent as a "block" to the issuing bank. Target's readers obviously didn't do this. As Alan noted, they probably kept the CVV digits too (and unencrypted?!?).
PCI compliance score = F
|
Quote:
Originally Posted by audreyh1
So - here we have a merchant that was ignoring PCI compliance for whatever reason.
All the criminals had to do was keep targeting merchants until they found one with poor compliance.
Can't believe these merchants are so sloppy with their systems. Who are they buying their software from?!?!?!?!
|
Are you jumping to conclusions?
It seems that the Target systems were hacked. So we can't say that these issues of not encrypting the PIN, or any other issues were the fault of Target (other than allowing their system to get hacked in the first place).
-ERD50
12-20-2013, 07:50 PM
#55
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,145
Quote:
Originally Posted by ERD50
Are you jumping to conclusions?
It seems that the Target systems were hacked. So we can't say that these issues of not encrypting the PIN, or any other issues were the fault of Target (other than allowing their system to get hacked in the first place).
-ERD50
|
Yes, in my case I was definitely jumping to conclusions.
Why does the system have to keep any PINs? Once the transaction is verified at the POS terminal, why would this info be passed to the next level.
Someone pointed out CVV codes were not supposed to be saved according to PCI compliance rules.
And yes, I'm assuming it was hacked "downstream" from the terminals given the number of terminals involved.
__________________
Retired since summer 1999.
12-20-2013, 08:02 PM
#56
Administrator
Join Date: Jan 2008
Location: Chicagoland
Posts: 40,724
Quote:
Originally Posted by audreyh1
Yes, in my case I was definitely jumping to conclusions.
Why does the system have to keep any PINs? Once the transaction is verified at the POS terminal, why would this info be passed to the next level.
Someone pointed out CVV codes were not supposed to be saved according to PCI compliance rules.
Yes, I'm assuming it was hacked "downstream" from the terminals.
|
I recall a breach a few years ago with IBM POS terminals where the application SW was storing customer information that was specifically prohibited in the agreement with the CC company. It would not be a surprise to find out this still happens. This is a world of little regulation and no requirement for disclosure, so we have no way to know.
12-20-2013, 08:36 PM
#57
Thinks s/he gets paid by the post
Join Date: Apr 2006
Posts: 1,684
Quote:
Originally Posted by ERD50
Are you jumping to conclusions?
It seems that the Target systems were hacked. So we can't say that these issues of not encrypting the PIN, or any other issues were the fault of Target (other than allowing their system to get hacked in the first place).
-ERD50
|
You make a very good point, ERD50.
Until we know what happened, we do not know what happened.
I have worked in some very large IT installations, including one whose company used a red bull's eye logo, for a couple of years in the late 1990s. But I didn't work with POS or PCI; however, I did some repair work to Lullaby Club and Club Wed -- AKA Gift Registry, even though that was not what I was there for (I was there for infrastructure) -- but I had to fix the Club stuff to get the other groups to cooperate.
It is so easy to be an internet expert these days.
If anyone thinks it is so easy, just go try it in real life, and report your experience.
12-20-2013, 09:29 PM
#58
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,265
Quote:
Originally Posted by audreyh1
And yes, I'm assuming it was hacked "downstream" from the terminals given the number of terminals involved.
|
According to a source of the WSJ, malware made its way to the POS terminals, the devices customers swipe their credit cards on when buying something. If this is correct, it seems that the criminals found a way to sneak the malware into each 'cash register'.
__________________
Comparison is the thief of joy
The worst decisions are usually made in times of anger and impatience.
12-21-2013, 04:02 AM
#59
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,145
Quote:
Originally Posted by Chuckanut
According to a source of the WSJ, malware made its way to the POS terminals, the devices customers swipe their credit cards on when buying something. If this is correct, it seems that the criminals found a way to sneak the malware into each 'cash register'.
|
1700 of them?
"Made its way" implies it was downloaded somehow I suppose.
Certainly if the system was hacked in such a way that malware was downloaded to the POS terminals all bets are off in terms of any type of security.
__________________
Retired since summer 1999.
12-21-2013, 09:34 AM
#60
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Apr 2013
Posts: 11,078
Quote:
Originally Posted by Rustward
You make a very good point, ERD50.
Until we know what happened, we do not know what happened.
I have worked in some very large IT installations, including one whose company used a red bull's eye logo, for a couple of years in the late 1990s. But I didn't work with POS or PCI; however, I did some repair work to Lullaby Club and Club Wed -- AKA Gift Registry, even though that was not what I was there for (I was there for infrastructure) -- but I had to fix the Club stuff to get the other groups to cooperate.
It is so easy to be an internet expert these days.
If anyone thinks it is so easy, just go try it in real life, and report your experience.
|
It ain't easy. Our systems were supposed to adhere to PCI, even though they had nothing to do with CC. What a challenge: the audit firm had Windows experience, and we didn't run on Windows. Then the tech teams had to attempt to figure out how to comply with an issue that couldn't happen on these types of systems.
I worked on SSAE and SOC audits; they were about as much fun as having your teeth ground off.
Have to agree with ERD50 and Rustward: the exact issue hasn't been published. Now, audits like SSAE do address controls to prevent unauthorized access. There's a difference between a control and its implementation.
MRG