
Target stores hit by data breach affecting 40 million cards - oulipian
http://www.cbc.ca/news/world/target-stores-hit-by-data-breach-affecting-40-million-cards-1.2469895
======
jrochkind1
> _We have determined that the information involved in this incident included
> customer name, credit or debit card number, and the card’s expiration date
> and CVV (the three-digit security code)._

[https://corporate.target.com/discover/article/Important-Noti...](https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca)

CVV/CSC, eh? The whole point of CSC is it should be non-stored and therefore
much harder to steal than the CC#, right? Apparently that didn't work. Has CSC
accomplished anything other than giving users more random-looking numbers they
have to enter in online forms?

~~~
unoti
The article mentions PIN numbers potentially being stolen as well, which is
also supposed to never be stored, and used only during the process of
authorization then discarded.

This leads me to conclude that either Target's software architecture is
completely brain dead and they're storing PINs and CVV2's somewhere, or that
the attack somehow managed to get insinuated into the credit card
authorization process. As someone who has worked with credit cards for many
years, as well as with high level people within both Target and Wal Mart, it's
easier to believe the latter than the former.

~~~
MrFoof
The attack seemed to be malicious software on the POS systems themselves. So
the data was likely stored out-of-band and sent to remote destinations owned
by the attackers.

[http://www.nbcnews.com/technology/massive-target-credit-card...](http://www.nbcnews.com/technology/massive-target-credit-card-breach-new-step-security-war-hackers-2D11778083)

If so, that's an incredibly sophisticated attack considering the scope of the
breach.

------
geolisto
When I read about massive data breaches such as these it makes me wonder why
we don't have a system in place where we as customers can generate a unique
authorization code for a one-time charge to our cards without having to
actually reveal our credit card information.

It's bad enough that someone can buy a card reader and walk down a sidewalk
and capture credit card data by just being within a few feet of someone.

~~~
ars
You can. It's called a
[https://en.wikipedia.org/wiki/Controlled_payment_number](https://en.wikipedia.org/wiki/Controlled_payment_number)

I use it all the time. I use one with every single online merchant except
Amazon and Newegg. It's also great for places that like to auto-bill. Or if
you are worried they will charge without permission.

If you are going to get a credit card, get it with one of the few banks that
offer these numbers.

It's also great for asking someone to buy something for you: Create a number
with a dollar limit and have them tell the merchant the number. Small
merchants usually have no problem with this.

~~~
randall
Which bank do you have?

~~~
OWaz
I have a credit card with Citibank which allows me to generate virtual card
numbers, with an option to set the expiration and spending limit.
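
Added example (not from anyone in this thread, and not Citibank's or any other issuer's code): a toy issuer-side model of the controlled payment number ars and OWaz describe, so the mechanics are concrete. The merchant is handed a freshly minted number that carries its own spending limit and expiry and becomes bound to the first merchant that charges it; the real card number never leaves the issuer. The `Issuer` class, its method names, the `400000` BIN prefix and the cent-denominated limits are all invented for illustration; the Luhn check-digit routine is the standard one.

```python
"""Toy model of a controlled (virtual) payment number.

Added example, not code from the original thread or from any bank. The issuer
side is hypothetical; the point is what a merchant-side leak of the number buys
an attacker (nothing usable elsewhere, after expiry, or above the limit).
"""
import secrets
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple


def luhn_check_digit(partial_pan: str) -> str:
    """Luhn check digit for a PAN minus its last digit.

    Once the check digit is appended, the rightmost digit of partial_pan sits in
    a doubled position, so doubling starts at index 0 of the reversed string.
    """
    total = 0
    for i, ch in enumerate(reversed(partial_pan)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


@dataclass
class VirtualCard:
    real_pan: str                    # customer's real card; stays inside the issuer
    limit_cents: int                 # total spend allowed across all approvals
    expires: date
    one_time: bool = False
    merchant: Optional[str] = None   # bound to the first merchant that charges it
    spent_cents: int = 0
    approvals: int = 0


class Issuer:
    """Hypothetical issuer back end; names and BIN prefix are invented."""

    def __init__(self, bin_prefix: str = "400000") -> None:
        self.bin_prefix = bin_prefix          # test-style BIN, not a real bank's
        self.cards: Dict[str, VirtualCard] = {}

    def create_virtual(self, real_pan: str, limit_cents: int, expires: date,
                       one_time: bool = False) -> str:
        """Mint a new 16-digit number the customer can hand to a merchant."""
        while True:
            body = self.bin_prefix + "".join(str(secrets.randbelow(10)) for _ in range(9))
            pan = body + luhn_check_digit(body)
            if pan not in self.cards:
                break
        self.cards[pan] = VirtualCard(real_pan, limit_cents, expires, one_time)
        return pan

    def authorize(self, pan: str, merchant: str, amount_cents: int,
                  today: date) -> Tuple[bool, str]:
        """Decide a charge against the virtual number's own constraints.

        The merchant only ever sees `pan`, so a copy stolen from the merchant's
        systems fails every check below except at that one merchant, before
        expiry, within the remaining limit.
        """
        card = self.cards.get(pan)
        if card is None:
            return False, "unknown number"
        if today > card.expires:
            return False, "expired"
        if card.one_time and card.approvals:
            return False, "one-time number already used"
        if card.merchant is not None and card.merchant != merchant:
            return False, "locked to %s" % card.merchant
        if card.spent_cents + amount_cents > card.limit_cents:
            return False, "over limit"
        card.merchant = merchant              # lock on first successful use
        card.spent_cents += amount_cents
        card.approvals += 1
        return True, "approved"
```

A real issuer would also map the approval back to `real_pan` for settlement and would decline on the cardholder's own rules (merchant category, geography); the model keeps only the three controls the thread mentions: limit, expiry and merchant binding.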

------
maxerickson
Brief earlier discussion:
[https://news.ycombinator.com/item?id=6930258](https://news.ycombinator.com/item?id=6930258)

Target says the data is limited to cards used in the U.S. during the last few
weeks:

[https://corporate.target.com/discover/article/Important-Noti...](https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca)

------
Lagged2Death
Can't get to the Target Visa site
([http://rcam.target.com](http://rcam.target.com)) even though
downforeveryoneorjustme.com says it's up. Hm.

A few years ago, the Target Visa card had actually pioneered a move toward
chipped credit cards. My Target card was the only chipped credit card I had,
though, and AFAIK even my local Target stores were never equipped with chip-
reading card readers. When my card expired, the replacement didn't have a
chip.

It bothers me very much to realize that even though there was nothing I
reasonably could have done to protect myself (except avoid credit cards
entirely), this will ultimately be my problem to deal with. Not Target's
problem. Not really. Not in the same way that it's mine.

_I'm_ expected to "take... steps ... to protect [myself] against potential
misuse of [my] credit and debit information." [1]

I realize that this is just the way the system works, but why does it work
that way? The credit card system, instead of making the investments necessary
to really secure credit card transactions, has externalized much of the tricky
fraud-detection work onto the card users.

[1] [https://corporate.target.com/discover/article/Important-Noti...](https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca)

~~~
graywh
They gave away chip "readers" for a while. I've still got one somewhere. I
think the idea was to be able to load digital coupons (similar to other
loyalty cards or Target's own "cartwheel" app now).

------
jusben1369
FWIW here's the best early analysis I've seen from an industry perspective:
[http://blogs.gartner.com/avivah-litan/2013/12/19/what-can-we...](http://blogs.gartner.com/avivah-litan/2013/12/19/what-can-we-learn-from-the-target-breach/)

~~~
smtddr
> _Who’s the real victim here? The top victim in my opinion is Target itself._

Yeah, those 40 million CCs accessed? Screw those people. The multi-million
corp is the one who will really suffer....

~~~
lutorm
Because, as the article says, the customers will have any resulting fraudulent
charges reversed, and the banks will charge them to Target instead.

~~~
smtddr
No problem if you're not a paycheck-to-paycheck person and the card is truly
your credit-card, not your ATM Debit card that functions like a Visa (as mine
does). This could make some people's checks bounce. Sure after you make some
calls it'll be reversed, but the trouble it may cause in the meanwhile...

------
mml
Reminds me of when Best Buy discovered people wardriving their parking lots
and plucking CC#'s out of the air via their unencrypted, wireless POS network.
Surprised Target got hit, they're pretty rabid about security/loss prevention
(internal and external).

~~~
gfense
Do you have a link to this? I'm surprised that a large chain retailer would
have a wireless POS. It's not like they move terminals around, why would you
need wireless anyway?

~~~
pessimizer
Pretty sure mml meant Lowe's:

[http://www.wired.com/science/discoveries/news/2006/07/71358](http://www.wired.com/science/discoveries/news/2006/07/71358)

------
tibbon
How does PCI compliance not cover these things? Is Target liable for losses
here?

It would seem to me that if you can't secure the data, you shouldn't keep it
(which is the reason I use stuff like Stripe. I don't want to see the card
number).

~~~
jcrawfordor
From an outside perspective it very much looks like data was acquired off the
wire as it was sent for authorization. The data captured included a number of
things that the retailer would not be storing at all.

~~~
tibbon
That would indicate that either strong encryption has been cracked, there was
something on the inside of their datacenter for processing, or they weren't
using encryption right?

------
rwhitman
My wife just got the Target Red debit card a few weeks ago, after a number of
protests from me about security loopholes. She seemed to think getting 5% off
of all purchases for bestowing the ability to a 3rd party to deduct money from
your bank account at will is worth the risk of someone maliciously draining
your bank account one day. Going to use this for a bit of "I told you so"
nagging today.

~~~
jason_slack
Well, the Target Red is tied to your debit card. You can't use it anywhere
else but Target.

So I wonder if Red Card customers had their debit information stolen too....

------
eugmill
Anybody have any idea if there is a way to tell if your card was part of the
breach? I have a family member who shopped at target during the dates
mentioned.

I'm wondering what percentage of transactions were affected. Is 40 million
90%? 50%? There's no way to tell. It'd be nice if we knew whether or not to
report it to the bank.

~~~
ToastyMallows
So far it doesn't look like Target has released any way of checking, all they
say is to watch your card for suspicious activity. Hopefully they can get
something together in the next couple of days.

------
dude3
The funny thing is the day that this was happening they were trying to sign me
up for their checking account program. Where I give them my checking account
info and I save 5% on every purchase. They gave me the hard sell too and
wouldn't quit. I then conveniently typed in my pin so I'm f'd.

------
ck2
Theft like this can happen on even the most secure designs but why did it take
TWO WEEKS to be discovered?

~~~
freehunter
Security is hard, and good attackers will always have an advantage over the
security team. This breach sounds like it may have been fairly off-line in
nature, so a SIEM or IDS might not have caught it.

On the flip side, there are ways stores can catch this thing offline as well.
Good in-store security and employee training to prevent skimmers or modified
POS systems, etc. Without more details on how this breach happened, it's only
guesses. I can feel their pain, but I don't know exactly how sorry I feel for
them without knowing how preventable this attack could have been.
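
Added example, not from anyone in this thread and not Target's or any vendor's tooling: the network-side check that goes with freehunter's point about SIEM/IDS. Whatever the malware does on the terminal, the stolen data has to leave, and MrFoof's comment upthread says it was staged and sent to attacker-owned destinations. Terminals have a very small legitimate set of peers, so the detection is an allow-list rather than a signature: any flow from the POS subnet to something other than the payment gateway is a finding, triaged external-first and then by volume. The flow-record format, the addresses, the subnet layout and the gateway allow-list below are all constructed for the example.

```python
"""Flag POS hosts talking to anything other than their payment endpoints.

Added example, not code from the original thread, from Target or from any
vendor. The record format and every address are constructed for the example:
each line is "<time> <src> <dst>:<port> <bytes out>", roughly what a firewall
or flow collector emits.
"""
import ipaddress
from typing import Dict, List

# Assumed layout: terminals live in one subnet and are only supposed to talk
# to the payment gateway pair on 443. Everything else is a finding.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_DESTS = {("10.9.1.10", 443), ("10.9.1.11", 443)}

# Constructed sample: normal authorizations, two terminals pushing bulk data
# to an internal staging host, that host pushing to the internet, and one
# non-POS host that should be ignored by this check.
SAMPLE_LOG = """\
2013-12-01T10:00:01 10.20.3.41 10.9.1.10:443 812
2013-12-01T10:00:04 10.20.3.41 10.9.1.11:443 790
2013-12-01T10:00:09 10.20.7.12 10.9.1.10:443 805
2013-12-01T10:01:00 10.20.3.41 10.20.200.5:445 52100000
2013-12-01T10:02:00 10.20.7.12 10.20.200.5:445 48700000
2013-12-01T10:03:00 10.20.200.5 198.51.100.20:21 102000000
2013-12-01T10:03:05 10.30.1.5 198.51.100.40:443 4400
"""


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_record(line: str):
    ts, src, dst, nbytes = line.split()
    host, port = dst.rsplit(":", 1)
    return ts, src, host, int(port), int(nbytes)


def find_egress_anomalies(log: str) -> List[Dict]:
    """One finding per (src, dst, port) from the POS subnet not on the allow-list."""
    agg = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, host, port, nbytes = parse_record(line)
        if ipaddress.ip_address(src) not in POS_SUBNET:
            continue                      # not a terminal; out of scope here
        if (host, port) in ALLOWED_DESTS:
            continue                      # normal authorization traffic
        key = (src, host, port)
        entry = agg.setdefault(key, {"src": src, "dst": host, "port": port,
                                     "flows": 0, "bytes": 0, "first_seen": ts,
                                     "external": not is_internal(host)})
        entry["flows"] += 1
        entry["bytes"] += nbytes
    # External destinations first, then by volume: that is the triage order.
    return sorted(agg.values(), key=lambda e: (not e["external"], -e["bytes"]))


if __name__ == "__main__":
    for f in find_egress_anomalies(SAMPLE_LOG):
        print("%-9s %s -> %s:%d  flows=%d bytes=%d  first=%s" % (
            "EXTERNAL" if f["external"] else "internal", f["src"], f["dst"],
            f["port"], f["flows"], f["bytes"], f["first_seen"]))
```

The check only works if the terminals really are on their own segment and the gateway set is known and small; the point of the example is that once that is true, detection needs no knowledge of the malware at all.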

------
tokenadult
I've never liked Target for its intrusive tracking of customer spending[1]
through their branded credit cards and other loyalty card schemes, because
those never add any value for me. (I grew up shopping at the third Target
store in the whole country, my sister used to work at Target, and we live a
short walk from a Super Target, but the company's emphasis on gathering data
over genuine customer service[2] turns me off.) Because Target is the closest
brick and mortar store to our house for many kinds of items, we still buy
things there. I usually try to pay in cash. I'll have to check our credit-card
records [sigh] and see what's going on in our accounts.

[1] [http://www.forbes.com/sites/kashmirhill/2012/02/16/how-targe...](http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/)

[2] Personal anecdote alert: Target once had an in-house captive brand (not a
Target brand, but a brand available in no other store) of "oven bakeware" that
didn't even meet the Uniform Commercial Code warranty of merchantability, as
it would shatter if you used it in an oven to bake something. We found that
out just before a meal when we were all hungry. The local store gave us all
kinds of run-around about simply refunding our money for the defective
product. That was ill-timed for Target, as one of my wife's students had just
given us a gift certificate for Sam's Club, and we discovered that the much-
maligned Sam's Club is better about returns and about customer service in
general than Target. We have shifted THOUSANDS of dollars a year from Target,
my home-town store I grew up with, to Sam's, the store everyone is inclined to
decry, in the years since then. When a store sells a defective product and
doesn't make that right, I don't give it a lot of second chances. (My sister's
former job at Target was to be a buyer, and she thought that if a Target buyer
screws up and purchases a bad product, Target should make that right, period.)

By contrast, I recently bought what was labeled as an "Epson ink-jet printer
cartridge" through a third-party seller on Amazon, and when the product
arrived it was labeled "Not an OEM product," and plainly wasn't identical to
an actual Epson printer cartridge. I contacted Amazon about the purchase, and
an Amazon representative said my money would be refunded and I didn't have to
return the product. That is the way to use big data to build a better customer
experience--Amazon could verify how the product was labeled on its site, and
perhaps had another customer complain to verify that I wasn't making this up.
Amazon consistently treats me like my user experience is more important that
Amazon's next-quarter bottom line, and that builds immense customer loyalty
for me.

~~~
joezydeco
_I've never liked Target for its intrusive tracking of customer spending
through their branded credit cards and other loyalty card schemes, because
those never add any value for me._

They give you 5% off your purchase when you use the card. I consider it a fair
trade in value given how much I spend there.

That "intrusive" tracking...I don't know if I feel the same. You're in _their
store_. If they choose to watch how you shop there, you can stay or you're
free to walk. They can't forcibly drop items into my basket...yet. If I choose
to buy something personal that I feel Target shouldn't remember or relay to
others, I'll pay cash.

~~~
jotaass
This reminds me of a story that ran in the news last year.

[http://www.forbes.com/sites/kashmirhill/2012/02/16/how-targe...](http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/)

It is not ok for a retail company to profile your underage daughter, find out
that she is probably pregnant (before you do!) and then do targeted
advertisement. That is wrong and more than a little creepy.

~~~
joezydeco
And this has never happened in small towns where merchants know everyone's
business and gossip. There's always a backchannel of data when you are out in
public.

The pregnant teenager outlier certainly made for an interesting and headline-
worthy story. Hopefully future big data projects like this put a bit more
thought into the human side of the equation, but never count on it I suppose.

------
swalsh
I worked for Stores Development at Target about 6 years ago. Honestly, this
really surprises me. After the JCPenney incident, anything security related
practically got rubber stamped.

------
smokinjoe
Any long-term parking vets here?

I didn't take a ticket and instead swiped my CC to get into the lot. They
repeatedly mentioned to _don't lose your card_ since the day I left is tagged
to it (I assume).

Given the chaos of this, I probably won't even get my new card until I'm back
from vacation.

Does anyone know if all I need is another card with my name on it or if I can
just allow for 30-60 minutes of searching through records to locate my
original swipe in?

------
JimmaDaRustla
Another reason for EMV compliance. The track data is stored on the magnetic
stripe, which shouldn't even be stored on the machine, but it is for some
reason.

Also, PCI Compliance - personal information should not be stored unencrypted
when at rest or when being transferred.

------
traeregan
/me calls credit card company.

~~~
JonSkeptic
Given the repetition of the phrase "you should continue to monitor your
accounts"... I think it would be wise to get a new card if you can.

~~~
freehunter
When Linode was compromised, I replaced my card immediately. Both times.

------
Cort3z
You could say they were a target of the breach.

All joking aside, this isn't good. Does this mean a lot of other stores are in
the danger zone as well? I know a lot of stores use the same software to run
their everything.

~~~
swalsh
"I know a lot of stores use the same software to run their everything."

It's been 6 years since I've worked there, but at the time everything was
pretty much custom. The original system was created in 1993 I believe, since
then there's been so many things built on top of it I can't imagine how they'd
replace it.

------
zimbatm
If payments could be initiated from a smartphone, the attack surface would be
the phone, the bank. Not every shop or website where you enter your credit
card details.

------
carsonreinke
I still do not understand why they would have to store the credit card instead
of just storing an authorization and transaction number.

~~~
chaz
This article had a little more info:
[http://krebsonsecurity.com/2013/12/sources-target-investigat...](http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/)

> _The type of data stolen — also known as “track data” — allows crooks to
> create counterfeit cards by encoding the information onto any card with a
> magnetic stripe._

So it's not just the credit card numbers, but it's the full magstripe that was
read and transmitted as-is to some central location where it was lifted. Debit
cards and PINs, too, presumably.
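
Added example, not from anyone in this thread and not from Krebs, Target or any vendor: a scanner for the "track data" the Krebs quote refers to, run over a constructed buffer standing in for the memory of a POS process. It also speaks to MrFoof's point upthread about malware on the terminals themselves: track data sits in the terminal's memory in the clear between the swipe and the encrypted authorization message, and a scraper looking for exactly these patterns is all an attacker needs, with no encryption broken anywhere. The parser follows the standard ISO/IEC 7813 layouts, which is also what settles the side argument in this subthread: the stripe carries the PAN, expiry, service code and a card-verification value in the discretionary field, but not the CVV2 printed on the card and not the PIN. The card numbers in the sample are the publicly known test PANs, not real cards; the buffer, the noise around the records and the `pos-terminal-7` string are constructed.

```python
"""Scan a buffer for magnetic-stripe track data.

Added example, not code from the original thread or from any vendor. Input is
a constructed buffer standing in for a memory dump of a POS process; the PANs
in it are the standard publicly known test numbers, not real cards.
"""
import re
from typing import Iterator, List, NamedTuple

# ISO/IEC 7813 layouts, format code B:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]{0,50})\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,50})\?")


class TrackHit(NamedTuple):
    track: int
    offset: int
    pan_masked: str
    name: str          # empty for track 2, which carries no name
    expiry: str        # YYMM
    service_code: str
    luhn_ok: bool


def luhn_valid(pan: str) -> bool:
    """Luhn check; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_tracks(buf: bytes) -> Iterator[TrackHit]:
    """Yield every track-1 and track-2 record found in the buffer."""
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        yield TrackHit(1, m.start(), mask(pan), m.group(2).decode(),
                       m.group(3).decode(), m.group(4).decode(), luhn_valid(pan))
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        yield TrackHit(2, m.start(), mask(pan), "",
                       m.group(2).decode(), m.group(3).decode(), luhn_valid(pan))


# Constructed sample: two swipes plus unrelated bytes and one Luhn-invalid decoy.
SAMPLE_DUMP = (
    b"\x00\x00pos-terminal-7\x00"
    b"%B4111111111111111^DOE/JOHN^1412101000000000000?"   # track 1
    b";4111111111111111=1412101123456789?"               # track 2, same card
    b"\x00GET /health HTTP/1.1\x00"
    b";5500000000000004=1501201987654321?"               # second card, track 2 only
    b";1234567890123456=1412101000000000?"               # fails Luhn, dropped below
)


def scan_report(buf: bytes = SAMPLE_DUMP) -> List[TrackHit]:
    """Hits whose PAN passes Luhn; what a scraper (or a defender's sweep) keeps."""
    return [h for h in scan_tracks(buf) if h.luhn_ok]


if __name__ == "__main__":
    for h in scan_report():
        print("track %d @%-4d %s exp=%s svc=%s %s" % (
            h.track, h.offset, h.pan_masked, h.expiry, h.service_code, h.name))
```

The same regexes serve the defender: sweeping process memory or disk on a terminal for these patterns is a reasonable way to confirm whether cleartext track data is being held longer than the authorization takes, which PCI DSS does not permit.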

~~~
jakewalker
Why do you presume that debit card PIN numbers are stored on the card? (They
aren't, as far as I know - how else could you change your PIN over the phone
or on the card issuer's website?)

~~~
joecurry
He's not presuming the PIN is ON the card, but that the transaction was the
point of compromise (i.e. you punching in your PIN and the software running a
verification of if that PIN is correct).

~~~
jakewalker
Ah - that makes more sense.

------
almost_started
Well, they are sort of asking for it with a name like "Target", and a giant
red bullseye painted on every fricken store!

------
mpg33
Another reason why Bitcoin (or something like it) does have legitimate
benefits...

~~~
maxerickson
Downside of CC breach: get new magic number, distribute to various service
providers.

Downside of single (exploited) mistake in bitcoin wallet management: total
loss of value.

~~~
mpg33
> Downside of single (exploited) mistake in bitcoin wallet management: total
> loss of value.

...is a lot less damage than 40 million exposed credit cards

~~~
maxerickson
I thought it was clear enough that my comment was written from the perspective
of an individual.

Getting my credit card details stolen is going to be less damaging than all
but the smallest wallet thefts.

~~~
mpg33
> perspective of an individual

Ignoring the absurd interest rates, fees, insurance that cc companies
charge...you assume that credit card/debit card theft costs are never passed
on to the consumers

