Join Early Retirement Today
Reply
 
Thread Tools Search this Thread Display Modes
Old 12-20-2013, 12:39 PM   #41
Full time employment: Posting here.
JakeBrake's Avatar
 
Join Date: Sep 2008
Location: Southeast USA
Posts: 548
Don't blame Target. I haven't been to Target in months, but last week I Discovered $9K of fraudulent charges on my Discover Card. I suspect a local restaurant, but I have no evidence to back that up yet. Discover says that I'm not responsible for the fraudulent charges. Discover closed that account and sent me a new card the next day. They said that because of the amount ($9K) They will probably want a police report. They will let me know. The fraudulent charges were made to online retailers all over the USA.

I manually enter all my transactions into Quicken every evening, Then, I download online every evening. If any downloaded transaction doesn't match my manually entered transactions, I immediately investigate. That's how I Discovered the fraudulent charges.

Interestingly, the perpetrator had changed my account mailing address and contact phone number. The fraudulent mailing address and phone number were legitimate USA numbers. So, If Discover had called about the unusual charges, they would have been talking to the perpetrator. The Discover representative had to check my records before the fraudulent changes to establish my identity. The fraudulent charges and the changes to my account were all made the same day online. My account spending limit had not not been reached.
__________________

__________________
Matthew 6:34 (KJV)
Take therefore no thought for the morrow: for the morrow shall take thought for the things of itself. Sufficient unto the day is the evil thereof.
JakeBrake is offline   Reply With Quote
Join the #1 Early Retirement and Financial Independence Forum Today - It's Totally Free!

Are you planning to be financially independent as early as possible so you can live life on your own terms? Discuss successful investing strategies, asset allocation models, tax strategies and other related topics in our online forum community. Our members range from young folks just starting their journey to financial independence, military retirees and even multimillionaires. No matter where you fit in you'll find that Early-Retirement.org is a great community to join. Best of all it's totally FREE!

You are currently viewing our boards as a guest so you have limited access to our community. Please take the time to register and you will gain a lot of great new features including; the ability to participate in discussions, network with our members, see fewer ads, upload photographs, create a retirement blog, send private messages and so much, much more!

Old 12-20-2013, 01:19 PM   #42
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 16,454
If this didn't occur at point of sale, but rather downstream from it, then why is sensitive info like CVC and PIN being passed downstream? Can't the POS terminal verify the transaction and not save those numbers? Poor security design. I guess they don't expect hackers?
__________________

__________________
Well, I thought I was retired. But it seems that now I'm working as a travel agent instead!
audreyh1 is online now   Reply With Quote
Old 12-20-2013, 01:24 PM   #43
Moderator
Alan's Avatar
 
Join Date: Jul 2005
Location: Eee Bah Gum
Posts: 21,077
Quote:
Originally Posted by audreyh1 View Post
Didn't know that. I am occasionally asked for it at point of sale.

If they are NOT supposed to store the CVV number by law, then these guys really need to straighten up! It would make it harder if the thieves didn't get their hands on the CVV.
If the code is a CSC code printed flat (not embossed) on the back of the card then that code is not embedded in the magnetic strip. Not sure what the CVV codes in the article above that was stolen was referring to.

Quote:
The second type of CSC is a three- or four-digit value printed on the front of the card or on the signature strip on the back. It is not encoded on the magnetic stripe but is printed flat, not embossed like the card number.
  • American Express cards have a four-digit code printed on the front side of the card above the number.
  • MasterCard, Visa, Diners Club, Discover, and JCB credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature panel of the card. New North American MasterCard and Visa cards feature the code in a separate panel to the right of the signature strip.[3] This has been done to prevent overwriting of the numbers by signing the card.
Quote:
As a security measure, merchants who require the CVV2 for "card not present" payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized and completed.[4] This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code, therefore employees and customer service representatives with access to these web-based payment interfaces who otherwise have access to complete card numbers, expiration dates, and other information still lack the CVV2 code.
Card security code - Wikipedia, the free encyclopedia
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Now it's adventure before dementia
Alan is offline   Reply With Quote
Old 12-20-2013, 01:44 PM   #44
Thinks s/he gets paid by the post
walkinwood's Avatar
 
Join Date: Jul 2006
Location: Denver
Posts: 2,675
Maybe this Target incident will provide the impetus to move to smart cards in the US.
__________________
walkinwood is offline   Reply With Quote
Old 12-20-2013, 04:19 PM   #45
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,317
From the Consumerist blog

Quote:
The card numbers are being sold in batches of one million each, and commanding prices of $20 to $100 per card (so, $20 million to $100 million per batch).




More information from the guy who broke the story is here:
Cards Stolen in Target Breach Flood Underground Markets — Krebs on Security

Quote:
his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts from a well-known “card shop” — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.


Quote:
Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.



Quote:
Like other card shops, this store allows customers to search for available cards using a number of qualifications, including BIN; dozens of card types (MasterCard, Visa, et. al.); expiration date; track type; country; and the name of the financial institution that issued the card.

__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is online now   Reply With Quote
Old 12-20-2013, 04:36 PM   #46
Thinks s/he gets paid by the post
 
Join Date: Jul 2012
Location: Mississippi
Posts: 1,878
And now the email from Target explaining the problem and warning is being copied as a phishing scam

http://www.marketwatch.com/story/sca...dist=afterbell
__________________
rbmrtn is online now   Reply With Quote
Old 12-20-2013, 04:45 PM   #47
Thinks s/he gets paid by the post
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 3,818
Those that DID get hit with unauthorized charges (from Target or TJ Max or any of the other places that have insufficient technology protections) from get hit with inconvenience of straightening-out those transactions. But EVERYBODY with any kind of plastic gets hit with the cost of these breaches. Usually, the money from those unauthorized transactions is gone-gone, and that makes for higher fees to retailers. And of course they need to pass-on those costs to consumers. We all pay when a retailer can't secure their data.

Why-o-why doesn't the US adopt chip and pin?
__________________
sengsational is offline   Reply With Quote
Old 12-20-2013, 05:06 PM   #48
Thinks s/he gets paid by the post
 
Join Date: Jan 2004
Posts: 2,049
The debit card PIN should be encrypted at the card reader and sent as a "block" to the issuing bank. Target's readers obviously didn't do this. As Alan noted, they probably kept the CVV digits too (and unencrypted?!?).

PCI compliance score = F
__________________
eridanus is offline   Reply With Quote
Old 12-20-2013, 05:18 PM   #49
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
REWahoo's Avatar
 
Join Date: Jun 2002
Location: Texas Hill Country
Posts: 42,072
I see an announcement that starting December 21, Target retail stores will take 10% off storewide due to the recent in-store security breach.

A Message from CEO Gregg Steinhafel about Target

Suggestion: If you take them up on the offer, don't use plastic to pay for it.
__________________
Numbers is hard

When I hit 70, it hit back

Retired in 2005 at age 58, no pension
REWahoo is offline   Reply With Quote
Old 12-20-2013, 05:22 PM   #50
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Midpack's Avatar
 
Join Date: Jan 2008
Location: Chicagoland
Posts: 11,963
I wonder if Square (I have used) and/or eWallet (not used yet, but looking forward to it if secure) are any more secure?
__________________
No one agrees with other people's opinions; they merely agree with their own opinions -- expressed by somebody else. Sydney Tremayne
Retired Jun 2011 at age 57

Target AA: 60% equity funds / 35% bond funds / 5% cash
Target WR: Approx 2.5% Approx 20% SI (secure income, SS only)
Midpack is online now   Reply With Quote
Old 12-20-2013, 05:39 PM   #51
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 16,454
Quote:
Originally Posted by eridanus View Post
The debit card PIN should be encrypted at the card reader and sent as a "block" to the issuing bank. Target's readers obviously didn't do this. As Alan noted, they probably kept the CVV digits too (and unencrypted?!?).

PCI compliance score = F
So - here we have a merchant that was ignoring PCI compliance for whatever reason.

All the criminals had to do was keep targeting merchants until they found one with poor compliance.

Can't believe these merchants are so sloppy with their systems. Who are they buying their software from?!?!?!?!
__________________
Well, I thought I was retired. But it seems that now I'm working as a travel agent instead!
audreyh1 is online now   Reply With Quote
Old 12-20-2013, 05:58 PM   #52
Moderator Emeritus
aja8888's Avatar
 
Join Date: Apr 2011
Location: The Woodlands, TX
Posts: 7,131
Quote:
Originally Posted by audreyh1 View Post
Can't believe these merchants are so sloppy with their systems. Who are they buying their software from?!?!?!?!
Probably the same guys that designed the ACA website...
__________________
aja8888 is offline   Reply With Quote
Old 12-20-2013, 07:07 PM   #53
Moderator
Alan's Avatar
 
Join Date: Jul 2005
Location: Eee Bah Gum
Posts: 21,077
Quote:
Originally Posted by sengsational View Post
Why-o-why doesn't the US adopt chip and pin?
October 2015 is the deadline for merchants, and I'd read somewhere else that a year later for pay-at-pump gas stations.

U.S. rolling out chip card technology, ever so slowly

Quote:
Concern about the upswing in credit card fraud is one reason U.S.-based card issuers, financial institutions and retailers have set a deadline of October 2015 to put an EMV payment system in place. That's when liability for counterfeit fraud shifts from the issuers to merchants and their acquirers if their equipment does not support EMV.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Now it's adventure before dementia
Alan is offline   Reply With Quote
Old 12-20-2013, 08:38 PM   #54
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Sep 2005
Location: Northern IL
Posts: 18,260
Quote:
Originally Posted by eridanus View Post
The debit card PIN should be encrypted at the card reader and sent as a "block" to the issuing bank. Target's readers obviously didn't do this. As Alan noted, they probably kept the CVV digits too (and unencrypted?!?).

PCI compliance score = F
Quote:
Originally Posted by audreyh1 View Post
So - here we have a merchant that was ignoring PCI compliance for whatever reason.

All the criminals had to do was keep targeting merchants until they found one with poor compliance.

Can't believe these merchants are so sloppy with their systems. Who are they buying their software from?!?!?!?!
Are you jumping to conclusions?

It seems that the Target systems were hacked. So we can't say that these issues of not encrypting the PIN, or any other issues were the fault of Target (other than allowing their system to get hacked in the first place).

-ERD50
__________________
ERD50 is online now   Reply With Quote
Old 12-20-2013, 08:50 PM   #55
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 16,454
Quote:
Originally Posted by ERD50 View Post
Are you jumping to conclusions?

It seems that the Target systems were hacked. So we can't say that these issues of not encrypting the PIN, or any other issues were the fault of Target (other than allowing their system to get hacked in the first place).

-ERD50
Yes, in my case I was definitely jumping to conclusions.

Why does the system have to keep any PINs? Once the transaction is verified at the POS terminal, why would this info be passed to the next level.

Someone pointed out CVV codes were not supposed to be saved according to PCI compliance rules.

And yes, I'm assuming it was hacked "downstream" from the terminals given the number of terminals involved.
__________________
Well, I thought I was retired. But it seems that now I'm working as a travel agent instead!
audreyh1 is online now   Reply With Quote
Old 12-20-2013, 09:02 PM   #56
Moderator
MichaelB's Avatar
 
Join Date: Jan 2008
Location: Rocky Inlets
Posts: 24,411
Quote:
Originally Posted by audreyh1 View Post
Yes, in my case I was definitely jumping to conclusions.

Why does the system have to keep any PINs? Once the transaction is verified at the POS terminal, why would this info be passed to the next level.

Someone pointed out CVV codes were not supposed to be saved according to PCI compliance rules.

Yes, I'm assuming it was hacked "downstream" from the terminals.
I recall a breach a few years ago with IBM POS terminals where the application SW was storing customer information that was specifically prohibited in the agreement with the CC company. It would not be a surprise to find out this still happens. This is a world of little regulation and no requirement for disclosure, so we have no way to know.
__________________
MichaelB is online now   Reply With Quote
Old 12-20-2013, 09:36 PM   #57
Thinks s/he gets paid by the post
Rustward's Avatar
 
Join Date: Apr 2006
Posts: 1,572
Quote:
Originally Posted by ERD50 View Post
Are you jumping to conclusions?

It seems that the Target systems were hacked. So we can't say that these issues of not encrypting the PIN, or any other issues were the fault of Target (other than allowing their system to get hacked in the first place).

-ERD50
You make a very good point, ERD50.

Until we know what happened, we do not know what happened.

I have worked in some very large IT installations, including one whose company used a red bull's eye logo, for a couple of years in the late 1990's. But I didn't work with POS or PCI, however, I did some repair work to Lullaby Club and Club Wed -- AKA Gift Registry, even though that was not what I was there for (I was there for infrastructure) -- but I had to fix the Club stuff to get the other groups to cooperate.

It is so easy to be an internet expert these days.

If anyone thinks it is so easy, just go try it in real life, and report your experience.
__________________
Rustward is offline   Reply With Quote
Old 12-20-2013, 10:29 PM   #58
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,317
Quote:
Originally Posted by audreyh1 View Post
And yes, I'm assuming it was hacked "downstream" from the terminals given the number of terminals involved.
According to a source of the WSJ, malware made its way to the POS terminals, the devices customers swipe their credit cards on when buying something. If this is correct, it seems that the criminals found a way to sneak the malware into each 'cash register'.
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is online now   Reply With Quote
Old 12-21-2013, 05:02 AM   #59
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 16,454
Quote:
Originally Posted by Chuckanut View Post
According to a source of the WSJ, malware made its way to the POS terminals, the devices customers swipe their credit cards on when buying something. If this is correct, it seems that the criminals found a way to sneak the malware into each 'cash register'.
1700 of them?

"Made its way" implies it was downloaded somehow I suppose.

Certainly if the system was hacked in such a way that malware was downloaded to the POS terminals all bets are off in terms of any type of security.
__________________
Well, I thought I was retired. But it seems that now I'm working as a travel agent instead!
audreyh1 is online now   Reply With Quote
Old 12-21-2013, 10:34 AM   #60
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Apr 2013
Posts: 5,560
Quote:
Originally Posted by Rustward View Post

You make a very good point, ERD50.

Until we know what happened, we do not know what happened.

I have worked in some very large IT installations, including one whose company used a red bull's eye logo, for a couple of years in the late 1990's. But I didn't work with POS or PCI, however, I did some repair work to Lullaby Club and Club Wed -- AKA Gift Registry, even though that was not what I was there for (I was there for infrastructure) -- but I had to fix the Club stuff to get the other groups to cooperate.

It is so easy to be an internet expert these days.

If anyone thinks it is so easy, just go try it in real life, and report your experience.
It ain't easy. Our systems were supposed to adhere to PCI, even though they had nothing to do with CC. What a challenge, the audit firm had windows experience, we didn't run on windows. Then the tech teams had to attempt to figure out how to comply with an issue that couldn't happen on these type systems.

I worked on SSAE and SOC audits, they were about as much fun as having your teeth ground off.

Have to agree with ERD50, and Rustward, the exact issue hasn't been published. Now audits like SSAE do adress controls to prevent unauthorized acesss. There's a difference between a control and its implementation.

MRG
__________________

__________________
MRG is online now   Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


 

 
All times are GMT -6. The time now is 03:14 PM.
 
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.