
Credit card data of 40 million shoppers stolen from Target stores - ibsathish
http://news.yahoo.com/answers-questions-target-data-breach-174055173--finance.html
======
ColinWright
I've seen it suggested that the breach occurred through malware installed in
the POS (that's point-of-sale, not piece-of-shellgrit) devices:

[http://www.businessinsider.com/target-credit-card-hackers-2013-12](http://www.businessinsider.com/target-credit-card-hackers-2013-12)

On HN the main discussion is here:

[https://news.ycombinator.com/item?id=6934248](https://news.ycombinator.com/item?id=6934248)
(cbc.ca) (66 comments and counting)

Another discussion:

[https://news.ycombinator.com/item?id=6930258](https://news.ycombinator.com/item?id=6930258)
(krebsonsecurity.com) (8 comments)

Other submissions:

[https://news.ycombinator.com/item?id=6935413](https://news.ycombinator.com/item?id=6935413)
(boingboing.net)

[https://news.ycombinator.com/item?id=6935142](https://news.ycombinator.com/item?id=6935142)
(cnn.com)

[https://news.ycombinator.com/item?id=6934595](https://news.ycombinator.com/item?id=6934595)
(target.com)

[https://news.ycombinator.com/item?id=6934535](https://news.ycombinator.com/item?id=6934535)
(securityweek.com)

[https://news.ycombinator.com/item?id=6934216](https://news.ycombinator.com/item?id=6934216)
(wsj.com)

[https://news.ycombinator.com/item?id=6934038](https://news.ycombinator.com/item?id=6934038)
(rt.com)

[https://news.ycombinator.com/item?id=6933163](https://news.ycombinator.com/item?id=6933163)
(chicagotribune.com)

[https://news.ycombinator.com/item?id=6932782](https://news.ycombinator.com/item?id=6932782)
(usatoday.com)

[https://news.ycombinator.com/item?id=6932186](https://news.ycombinator.com/item?id=6932186)
(arstechnica.com)

[https://news.ycombinator.com/item?id=6932141](https://news.ycombinator.com/item?id=6932141)
(theverge.com)

------
sigsergv
How do they obtain the security code (CVV, am I right?) from swiped card data?
It's not stored on the magnetic stripe.

~~~
yeukhon
Most of them require you to enter the CVV code. A lot of online stores will
ask you to provide that code as well.

~~~
sigsergv
Do “swipe” terminals require the CVV? Also, it's mentioned there: “The data
breach did not affect online purchases, the company said.”

~~~
yeukhon
Oh, I took that part for granted. Sorry. I don't know how it is implemented,
and this source is not a scholarly paper, but it's worth a look.

[http://randomoracle.wordpress.com/2012/08/25/cvv1-cvv2-cvv3-demystifying-credit-card-data-12/](http://randomoracle.wordpress.com/2012/08/25/cvv1-cvv2-cvv3-demystifying-credit-card-data-12/)

> Swipe transactions are perhaps easiest to describe. The data encoded on the
> magnetic stripe is static, formatted according to ISO 7813 in three tracks,
> with the third one typically unused. One of the fields in this track layout
> is the Card Validation Code (CVC) or CVC1, which serves as a cryptographic
> integrity check on the track contents.

I think that makes sense to someone who doesn't understand how credit card
security works. But if an online purchase requires one to give up the CVV
code, then verifying a physical card would also require one to be able to read
that code.

~~~
sigsergv
The back side of the card contains the CVV2 code; I'm pretty sure that it's
not recorded on the magnetic stripe. That difference should probably be
mentioned in the original article.

~~~
jon-wood
The CVV2 is intentionally not stored on the card to make shopping online or
over the phone with a skimmed card more difficult.

If Target has the CVV2 included in this data dump they're in for a whole world
of hurt from the credit card companies since storing that number for any
longer than it takes to verify a transaction is utterly forbidden.

~~~
unclebucknasty
I was thinking the same: why would they store the CVV2 data?

Makes me wonder if they were keying it for verification and the fraudsters
were somehow intercepting the traffic in real-time.

------
coin
Another reason not to use debit cards. With credit cards it's the bank's
money, not yours that is gone.

------
coin
-1 for Yahoo disabling pinchzoom on mobile devices. Why do they do this?

------
AmVess
From the article:

"Q: How did the breach occur?

A: Target isn't saying how it happened. Industry experts note that companies
such as Target spend millions of dollars each year on credit card security,
making a theft of this magnitude particularly alarming."

The article starts out by stating, "The stolen data includes customer names,
credit and debit card numbers, card expiration dates and the three-digit
security codes located on the backs of cards."

I guess, then, that the 'millions' spent didn't include basic compliance
measures. Next time, Target might as well take out an ad in the NYT with all
this info, though... It'd be less effective than what's already happened to
them.

Idgits.

~~~
tehwebguy
From Target's notification email:

> Is the CVV code the same as the three digit code on the back of my card?
>
> No, the CVV code is not the same as the security code on the back of your
> card. As of now we have no indication that the three digit code on the back
> of the card has been impacted.

I am under the impression that:

1. CVV is exactly the same as the security code

2. Merchants are _never_ allowed to store this code

~~~
phantom784
There are two CVV codes, CVV1 and CVV2. CVV1 is on the magstripe but not
printed on the card. CVV2 is printed on the card but not on the magstripe
(it's the three digit code printed on the back).

It sounds like Target was storing the CVV1 code (which they shouldn't have
been), but there's no way they could have the CVV2 code, since the POS
computer never sees it.

This means that the stolen data could be used to make a cloned card for
physical purchases, but couldn't be used for an online purchase (unless the
online store doesn't ask for the CVV2).

See
[http://en.wikipedia.org/wiki/Card_Verification_Value](http://en.wikipedia.org/wiki/Card_Verification_Value)
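To make the CVV1/CVV2 distinction concrete, here is an added example (written for this page, not code from the thread, from Target, or from any POS vendor) in Python. It parses ISO 7813 track 1 and track 2 strings into their named fields, which is the layout the randomoracle quote above describes, so you can see that no field on the stripe carries the printed CVV2; it then scans a raw byte buffer for track 2 data the way a forensic check for the kind of POS memory-scraping malware mentioned earlier in the thread would, using a Luhn check to drop digit runs that are not PANs. Assumptions: the track strings and the byte buffer are constructed for illustration, 4111111111111111 is the well-known Visa test PAN, and the exact position of CVV1/CVC1 inside the issuer-defined discretionary data is not modelled because it varies by issuer.

```python
"""ISO 7813 track layout and a track-data scanner (added example).

Not code from the original discussion or from any POS vendor. The track
strings and the byte buffer below are constructed for illustration;
4111111111111111 is the well-known Visa test PAN. The offset of CVV1/CVC1
inside the discretionary data is issuer-defined and is not modelled here.
"""
import re

# Track 1 (format code B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%(?P<fmt>[AB])(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Loose pattern for hunting track 2 data in arbitrary bytes. Sentinels are
# optional because software often stores the track without ';' and '?'.
LOOSE_TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})(\d{3})\d{0,20}\??")

SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121011234567890123?"  # constructed
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890123?"            # constructed


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; rejects most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track(track: str) -> dict:
    """Return the named fields of a track 1 or track 2 string.

    Note what is absent: no field carries the printed CVV2. Only the PAN,
    name (track 1), expiry, service code and discretionary data (which is
    where the issuer places CVV1/CVC1) are encoded on the stripe.
    """
    m = TRACK1_RE.match(track) or TRACK2_RE.match(track)
    if m is None:
        raise ValueError("not an ISO 7813 track 1 or track 2 string")
    fields = m.groupdict()
    if not luhn_ok(fields["pan"]):
        raise ValueError("PAN fails Luhn check")
    return fields


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2_data(buf: bytes) -> list:
    """Scan bytes (a memory dump, log or swap file) for track 2 data.

    Returns (masked PAN, expiry YYMM, service code) tuples for every
    candidate whose PAN passes Luhn; ordinary digit runs are dropped.
    """
    hits = []
    for m in LOOSE_TRACK2_RE.finditer(buf):
        pan, exp, svc = (g.decode() for g in m.groups())
        if luhn_ok(pan):
            hits.append((mask_pan(pan), exp, svc))
    return hits


# Constructed buffer: one genuine track plus a decoy whose PAN fails Luhn.
SAMPLE_BUFFER = (
    b"POS\x00txn=0001\x00"
    + SAMPLE_TRACK2.encode()
    + b"\x00\x00ref=1234567890123=1234567 total=1999\x00"
)

if __name__ == "__main__":
    for t in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        print(sorted(parse_track(t)))
    print(find_track2_data(SAMPLE_BUFFER))
```

Running the block prints the field names found on each track (none of them a CVV2) and a single masked hit from the buffer; the decoy `1234567890123=1234567` has the right shape but fails Luhn and is dropped. The same scanner pointed at a POS process's memory is the quick check a responder would run to confirm whether clear-text track data is sitting where a RAM scraper could read it.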

~~~
gergles
At target, you insert your card into a device that fully captures it. It's
quite possible they could photograph both sides/OCR to find your CVV2.

(AFAIK they _don't_, but there certainly isn't "no way" they could have it.)

~~~
igreulich
Not at all Targets.

I worked at several stores (up through 2008), and still shop there.

I have never seen a credit card machine at the stores I have been in that
fully captures a credit/debit card.

------
unclebucknasty
It bugs me when these guys just offer the advice to go back and check your
statement for suspicious activity. When 40 million cards are stolen, it's not
as if the thief/thieves are going on a personal buying spree. They obviously
intend to sell the cards on the black market.

So, their advice to not replace cards is irresponsible and literally helps the
thieves to confirm to potential buyers that the cards are likely still good.

And, of course, once your card is exposed you're always at risk of future
fraud. Are we all just supposed to be paranoid now (moreso than usual, that
is)?

------
yeukhon
Probably another SQL injection which installs malware on the network; most of
them just happen that way.

