Credit Cards Compromised

The debit card PIN should be encrypted at the card reader and sent as a "block" to the issuing bank. Target's readers obviously didn't do this. As Alan noted, they probably kept the CVV digits too (and unencrypted?!?).

PCI compliance score = F
So - here we have a merchant that was ignoring PCI compliance for whatever reason.

All the criminals had to do was keep targeting merchants until they found one with poor compliance.

Can't believe these merchants are so sloppy with their systems. Who are they buying their software from?!?!?!?!
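The "block" the first post refers to is an ISO 9564 format-0 PIN block. As an added illustration (not code from this thread, from Target or from any vendor), here is how a secure card reader would build and encrypt one and how the issuer side recovers and validates the PIN; the PAN, PIN and 16-byte key below are constructed values, and in a real reader the PIN key comes from DUKPT or a zone PIN key rather than from source code.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// panXOR XORs an 8-byte block with the ISO 9564 format-0 PAN field ("0000" + rightmost 12 PAN digits, check digit excluded); it is its own inverse.
func panXOR(block []byte, pan string) []byte {
	body := pan[:len(pan)-1]
	pf, _ := hex.DecodeString("0000" + body[len(body)-12:])
	for i := range pf {
		pf[i] ^= block[i]
	}
	return pf
}
// clearPINBlock: PIN field ("0", PIN length, PIN digits, F padding) XOR PAN field, so equal PINs on different cards differ.
func clearPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin+pan, "0123456789") != "" || len(pan) < 13 {
		return nil, fmt.Errorf("need a 4..12 digit PIN and a PAN of 13+ digits")
	}
	pf, _ := hex.DecodeString(fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))))
	return panXOR(pf, pan), nil
}
// encryptPINBlock is the reader side: two-key TDES (K1 K2 K1) under a double-length PIN key; only the ciphertext leaves the device.
func encryptPINBlock(pin, pan string, key16 []byte) ([]byte, error) {
	clear, err := clearPINBlock(pin, pan)
	if err != nil || len(key16) != 16 {
		return nil, fmt.Errorf("bad PIN, PAN or key length (%v)", err)
	}
	c, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	c.Encrypt(clear, clear) // in place; a 24-byte key cannot fail above
	return clear, nil
}
// recoverPIN is the issuer/HSM side: decrypt, strip the PAN and validate the format before trusting the digits.
func recoverPIN(enc []byte, pan string, key16 []byte) (string, error) {
	if len(enc) != 8 || len(pan) < 13 || strings.Trim(pan, "0123456789") != "" || len(key16) != 16 {
		return "", fmt.Errorf("bad block, PAN or key length")
	}
	c, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	clear := make([]byte, 8)
	c.Decrypt(clear, enc)
	h := strings.ToUpper(hex.EncodeToString(panXOR(clear, pan)))
	if n := strings.IndexByte("0123456789ABCDEF", h[1]); h[0] == '0' && n >= 4 && n <= 12 && strings.Trim(h[2:2+n], "0123456789") == "" && h[2+n:] == strings.Repeat("F", 14-n) {
		return h[2 : 2+n], nil
	}
	return "", fmt.Errorf("malformed PIN block: wrong key or wrong PAN")
}
```

A block that fails the format check at the issuer is the signal that the wrong key or wrong PAN was used; nothing in this design requires the merchant's systems to ever see, or store, the PIN.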
 
Why-o-why doesn't the US adopt chip and pin?

October 2015 is the deadline for merchants, and I'd read somewhere else that a year later for pay-at-pump gas stations.

U.S. rolling out chip card technology, ever so slowly

Concern about the upswing in credit card fraud is one reason U.S.-based card issuers, financial institutions and retailers have set a deadline of October 2015 to put an EMV payment system in place. That's when liability for counterfeit fraud shifts from the issuers to merchants and their acquirers if their equipment does not support EMV.
 
The debit card PIN should be encrypted at the card reader and sent as a "block" to the issuing bank. Target's readers obviously didn't do this. As Alan noted, they probably kept the CVV digits too (and unencrypted?!?).

PCI compliance score = F

So - here we have a merchant that was ignoring PCI compliance for whatever reason.

All the criminals had to do was keep targeting merchants until they found one with poor compliance.

Can't believe these merchants are so sloppy with their systems. Who are they buying their software from?!?!?!?!

Are you jumping to conclusions?

It seems that the Target systems were hacked. So we can't say that these issues of not encrypting the PIN, or any other issues were the fault of Target (other than allowing their system to get hacked in the first place).

-ERD50
 
Are you jumping to conclusions?

It seems that the Target systems were hacked. So we can't say that these issues of not encrypting the PIN, or any other issues were the fault of Target (other than allowing their system to get hacked in the first place).

-ERD50
Yes, in my case I was definitely jumping to conclusions.

Why does the system have to keep any PINs? Once the transaction is verified at the POS terminal, why would this info be passed to the next level?

Someone pointed out CVV codes were not supposed to be saved according to PCI compliance rules.

And yes, I'm assuming it was hacked "downstream" from the terminals given the number of terminals involved.
 
Yes, in my case I was definitely jumping to conclusions.

Why does the system have to keep any PINs? Once the transaction is verified at the POS terminal, why would this info be passed to the next level?

Someone pointed out CVV codes were not supposed to be saved according to PCI compliance rules.

Yes, I'm assuming it was hacked "downstream" from the terminals.
I recall a breach a few years ago with IBM POS terminals where the application SW was storing customer information that was specifically prohibited in the agreement with the CC company. It would not be a surprise to find out this still happens. This is a world of little regulation and no requirement for disclosure, so we have no way to know.
 
Are you jumping to conclusions?

It seems that the Target systems were hacked. So we can't say that these issues of not encrypting the PIN, or any other issues were the fault of Target (other than allowing their system to get hacked in the first place).

-ERD50

You make a very good point, ERD50.

Until we know what happened, we do not know what happened.

I have worked in some very large IT installations, including one whose company used a red bull's eye logo, for a couple of years in the late 1990's. But I didn't work with POS or PCI, however, I did some repair work to Lullaby Club and Club Wed -- AKA Gift Registry, even though that was not what I was there for (I was there for infrastructure) -- but I had to fix the Club stuff to get the other groups to cooperate.

It is so easy to be an internet expert these days.

If anyone thinks it is so easy, just go try it in real life, and report your experience.
 
And yes, I'm assuming it was hacked "downstream" from the terminals given the number of terminals involved.

According to a source of the WSJ, malware made its way to the POS terminals, the devices customers swipe their credit cards on when buying something. If this is correct, it seems that the criminals found a way to sneak the malware into each 'cash register'.
 
According to a source of the WSJ, malware made its way to the POS terminals, the devices customers swipe their credit cards on when buying something. If this is correct, it seems that the criminals found a way to sneak the malware into each 'cash register'.
1700 of them?

"Made its way" implies it was downloaded somehow I suppose.

Certainly if the system was hacked in such a way that malware was downloaded to the POS terminals all bets are off in terms of any type of security.
 
You make a very good point, ERD50.

Until we know what happened, we do not know what happened.

I have worked in some very large IT installations, including one whose company used a red bull's eye logo, for a couple of years in the late 1990's. But I didn't work with POS or PCI, however, I did some repair work to Lullaby Club and Club Wed -- AKA Gift Registry, even though that was not what I was there for (I was there for infrastructure) -- but I had to fix the Club stuff to get the other groups to cooperate.

It is so easy to be an internet expert these days.

If anyone thinks it is so easy, just go try it in real life, and report your experience.

It ain't easy. Our systems were supposed to adhere to PCI, even though they had nothing to do with CC. What a challenge: the audit firm had Windows experience, we didn't run on Windows. Then the tech teams had to attempt to figure out how to comply with an issue that couldn't happen on these types of systems.

I worked on SSAE and SOC audits, they were about as much fun as having your teeth ground off.

Have to agree with ERD50 and Rustward, the exact issue hasn't been published. Now audits like SSAE do address controls to prevent unauthorized access. There's a difference between a control and its implementation.

MRG
 
Didn't know that. I am occasionally asked for it at point of sale.

If they are NOT supposed to store the CVV number by law, then these guys really need to straighten up! It would make it harder if the thieves didn't get their hands on the CVV.

And why on earth would debit card PINs be stored?!?

I don't recall ever being asked for the security code on the card at a cash register. Sometimes I am asked to prove ID with a driving license, but that printed 3 or 4 digit security number should only be required by online merchants to prove that you are in possession of the card since they can't physically see it.
 
You make a very good point, ERD50.

Until we know what happened, we do not know what happened.

It is so easy to be an internet expert these days.

If anyone thinks it is so easy, just go try it in real life, and report your experience.


+1

It ain't easy
 
I doubt if we will ever know much about what happened other than a general overview.

Most IS organizations do not publicize security problems for fear that other criminals will exploit them. Even if Target has fixed its problem(s), other retailers, including small ones without a staff of experts, may still have the same flaw in their systems. For all we know, the flaw may exist in ATM's, building security systems, etc.

The ability to compromise thousands of machines in such a large organization, and have it go undetected for weeks is scary.
 
Meanwhile, on the bright side ...

One of my credit cards (a Visa from PenFed) is due to expire next month. Today in the mail, I received a replacement card, and much to my surprise it's a chip & PIN card.

I hadn't asked for one specifically, but apparently PenFed is proactively issuing chip & PIN cards now to everyone. Good for them!
:)
 
I checked USAA and they allow you to place an email/SMS text alert if your card is used over an amount you choose. As I had my card cloned just last month, and shopped at Target on both the 14th and 15th, I set a $75 limit. When my card was cloned they ran up about $1,000 in charges in less than 24 hours. There were six charges and all but one was over $75. I'll admit all this is going to do is let me know sooner, and USAA absorbed all the fraud. However, as it cost nothing to put it on, and nothing to get an email, I figured why not.
 
Meanwhile, on the bright side ...

One of my credit cards (a Visa from PenFed) is due to expire next month. Today in the mail, I received a replacement card, and much to my surprise it's a chip & PIN card.

I hadn't asked for one specifically, but apparently PenFed is proactively issuing chip & PIN cards now to everyone. Good for them!
:)

I recently received a chip and signature card from Fia cardholder services. But checking around it doesn't appear that all card readers in the US will actually do anything but read the mag strip for some time. I hope I read the articles incorrectly.

Edit to ask, when you use the new card does it force you to enter a pin?

MRG
 
when you use the new card does it force you to enter a pin?

No, that would be only where a chip & PIN card is used as such. Mostly in the Euro zone, but Canada has caught on pretty big already, and USA is beginning to play catchup. Most places in this country, we'll still use chip & PIN cards as if they had no chip, for the time being.
 
I don't recall ever being asked for the security code on the card at a cash register. Sometimes I am asked to prove ID with a driving license, but that printed 3 or 4 digit security number should only be required by online merchants to prove that you are in possession of the card since they can't physically see it.
I have been asked for it occasionally at a Flying J when using the Costco Amex card. 3% cash reward when filling a motorhome with diesel is a nice perk. :)
 
I had to call Amex and cancel DW's card (and get a new one) last night after seeing a fraud charge pop up. She had used her card at Target just after Thanksgiving.

I have set up my card accounts to send me an email when a charge is made, so that helped get notification right away. We have no liability, but it is still a pain to deal with.

They got my Amex also. Amex called and alerted me to a fraud charge to the Apple store. They sent me a new card and 10 days later that was compromised with multiple fraud charges that Amex approved. No liability for me but I don't know how they got me a 2nd time. I now have a third card. I've never had a problem before. Kinda scary IMO.
 
They got my Amex also. Amex called and alerted me to a fraud charge to the Apple store. They sent me a new card and 10 days later that was compromised with multiple fraud charges that Amex approved. No liability for me but I don't know how they got me a 2nd time. I now have a third card. I've never had a problem before. Kinda scary IMO.

How peculiar! Any ideas regarding how this could possibly have happened?

Fraudulent activity on the first card is bad enough, but to have the same thing happen with a second card would be very disturbing.
 
How peculiar! Any ideas regarding how this could possibly have happened?

Fraudulent activity on the first card is bad enough, but to have the same thing happen with a second card would be very disturbing.

Well, on further review of my records it appears that the first compromise happened before my Target purchase and the only time it was out of my hands (except for online purchases) was at a restaurant. The Target charge was made on 12/4 with my first new card and the 2nd fraud happened on 12/12. So just looks like bad luck. The Amex rep did mention that this had been the worst year for fraud so far.:nonono:
 
Well, on further review of my records it appears that the first compromise happened before my Target purchase and the only time it was out of my hands (except for online purchases) was at a restaurant. The Target charge was made on 12/4 with my first new card and the 2nd fraud happened on 12/12. So just looks like bad luck. The Amex rep did mention that this had been the worst year for fraud so far.:nonono:

Wow, bad luck for sure. Good luck with card #3!
 
I think we will find that it goes back to someone running an MS Windows machine on the Target network introducing a malware. If they can write malware specific to SCADA systems, it should be simple to write malware for a card scanner. Simply insert yourself between the intended destination of the mag stripe data and the reader. Then you buffer raw card data and phone home with it, maybe piggybacking on a 'real' outbound message. As to how it got in the scanners, there's probably a nightly update that pushes changes to the scanner, and it pushed the malware too.
 
I checked USAA and they allow you to place an email/sms txt alert if your card is used over an amount you choose. As I had my card cloned just last month, and shopped at target on both the 14th and 15th, I set a $75 limit. ...

Why a $75 limit? From what I've heard, they often test the card with a $0.99 charge to iTunes or something similar.

My Visa allows email notifications, and I have it set for anything > $0.00. It really gives me confidence to know I'm getting near real time alerts to any card use.

My Fido Amex does not offer this. :(

-ERD50
 
Why a $75 limit? From what I've heard, they often test the card with a $0.99 charge to iTunes or something similar.

My Visa allows email notifications, and I have it set for anything > $0.00. It really gives me confidence to know I'm getting near real time alerts to any card use.

My Fido Amex does not offer this. :(

-ERD50

When my debit card was compromised at my bank's ATM machine, within minutes three $500 withdrawals were made at a distant ATM--no testing the waters with a negligible amount.
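Taking the thread's two observations together, that a $75 threshold misses a $0.99 test charge while a >$0.00 alert catches it, and that a cloned debit card produced three $500 withdrawals within minutes, here is an added example (not from any poster, USAA or Amex) of how an issuer-side rule engine would treat both on a constructed transaction feed; rule names, field names and the sample amounts are assumptions.

```go
package main

import (
	"sort"
	"time"
)

// Tx is one card event: amounts in cents (no float rounding), times in UTC.
type Tx struct {
	Card, Memo string
	Cents      int64
	At         time.Time
}
// Alerts replays the feed in time order and applies two rules to each transaction:
// over-amount fires above thresholdCents, the fixed limit an alert service offers ($75
// in the thread; 0 alerts on everything, including a $0.99 probe), and velocity fires
// on the burst-th transaction on one card within windowMinutes, which is how three
// $500 withdrawals within minutes look. Memos of alerting transactions are returned by rule.
func Alerts(feed []Tx, thresholdCents int64, windowMinutes, burst int) map[string][]string {
	sort.Slice(feed, func(i, j int) bool { return feed[i].At.Before(feed[j].At) })
	window := time.Duration(windowMinutes) * time.Minute
	hits := map[string][]string{}
	for i, tx := range feed {
		if tx.Cents > thresholdCents {
			hits["over-amount"] = append(hits["over-amount"], tx.Memo)
		}
		recent := 1 // this transaction plus earlier ones on the same card inside the window
		for _, p := range feed[:i] {
			if p.Card == tx.Card && tx.At.Sub(p.At) <= window {
				recent++
			}
		}
		if recent >= burst {
			hits["velocity"] = append(hits["velocity"], tx.Memo)
		}
	}
	return hits
}
// SampleFeed is constructed data shaped like the thread's anecdotes: a $0.99 probe then
// larger purchases on one card, and three $500 ATM withdrawals within minutes on another.
func SampleFeed() []Tx {
	t0 := time.Date(2013, 12, 20, 9, 0, 0, 0, time.UTC)
	return []Tx{
		{"card-A", "probe 0.99", 99, t0},
		{"card-B", "atm 500 #1", 50000, t0.Add(10 * time.Minute)},
		{"card-B", "atm 500 #2", 50000, t0.Add(12 * time.Minute)},
		{"card-B", "atm 500 #3", 50000, t0.Add(14 * time.Minute)},
		{"card-A", "electronics 450.00", 45000, t0.Add(3 * time.Hour)},
		{"card-A", "gift cards 380.00", 38000, t0.Add(5 * time.Hour)},
	}
}
```

With a $75 threshold the probe charge never alerts and the cardholder first hears about the fraud at the $450 purchase; the velocity rule catches the ATM burst on its third withdrawal regardless of the amount threshold.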
 