
Target's data breach bigger than first thought – more than 100M records - kn9
http://nakedsecurity.sophos.com/2014/01/11/target-data-breach-much-bigger-than-first-thought-now-more-than-100m-records/
======
fsckin
This is Bad News, seeing as Target is also tracking every thing you've ever
purchased[0] and using it for marketing purposes. I wonder if they also got
ahold of not just credit cards and PII, but also purchase history.

I wonder why they're not using this information to contact their "guests"
directly? Why should I need to read about this revelation on HN, when they
know everything about me.

[0] [http://motherboard.vice.com/blog/target-knows-you-re-
pregnan...](http://motherboard.vice.com/blog/target-knows-you-re-pregnant)

~~~
FireBeyond
Because if they did, the fall-out would be massive. Frankly, it’s not been all
that bad, relatively speaking. A few news releases, leave it to the financial
institutions to do the damage control, and the principle of diffusion does a
whole lot to shield your reputation.

In comparison, a letter to you from Target directly detailing their failure -
not so good. no doubt they’re avoiding this unless utterly forced to.

------
ricardobeat
I'm intrigued that reports on the event still fail to mention any technical
details, where and how it happened. I remember reading speculation that the
breach was actually in a third-party transaction processor within the
financial system, which would be even worse...

------
higherpurpose
> In other words, you may be at risk from this exposure even if you've never
> bought anything from Target.

This is why we must push back against companies who not only want to "track
everything" about their customers, but about their non-customers, too!

~~~
cfinke
_but about their non-customers, too!_

You would have had to have "interacted with Target", meaning that you gave
them the information in the first place.

~~~
cynwoody
Yes. In order for Target to have the information mentioned, you would have
needed to have bought something online from them or you would need to have a
REDcard† or have filled in a survey or mailed in a refund request or phoned
customer service. Merely having bought something in a store, even using a
credit or debit card, would not result in that information being captured.

Of course, Target will try to track you even if you don't provide them with
contact information. E.g., if you use the same credit card across multiple
visits, they won't have your contact information or even your full credit card
number (which they aren't allowed to store). But they will be able to analyze
what you bought over time, and that's valuable.

†[http://www.target.com/redcard/main](http://www.target.com/redcard/main)

~~~
deathanatos
> [Target] won't have […] even your full credit card number (which they aren't
> allowed to store)

They won't have my credit card number? Wasn't how got to this very discussion
because they have my credit card number?

> So far, Target says, it's determined that the breached data includes
> customer names, credit or debit card numbers, card expiration dates, and
> CVVs (cards' three-digit security codes).

~~~
cynwoody
They're only permitted to keep the full credit card number for as long a
business need exists. For a hotel or a car rental agency, that might be days.

But for a retail transaction, it is a couple of seconds: submit the charge,
mag stripes (and maybe PIN-block) and all. Then receive back the accept or
decline. Just a simple HTTPS request. They are only allowed to keep part of
the PAN beyond that time frame (the BIN and the last four if memory serves).
No expiration date. And no CVV (the one that authenticates the mag stripe
data, _not_ the three or four digit code you enter for online transactions).

What the hackers must have done is to install malware on Target's POS
terminals that was intercepting the full mag stripe data and making it
available to the hackers. They must have gained free reign on Target's
corporate network, allowing them to access the POS terminals remotely. The
marketing database breach was just frosting on the cake.

~~~
coleca
The interval Target held the cards was probably longer than a few seconds.
Depending on how they do settlement they may need to keep the PAN around
longer until they settle the transactions. Some retailers do it real time
(right after auth) but many do it in batches at the end of the day, overnight.
That first message only authorizes a transaction. The money isn't drawn from
the account until a settlement message comes through.

Target also does not have a loyalty card program. This means that the only way
they can track individual purchases would be via a credit card. Target has
very sophisticated marketing systems. They may have convinced their auditors
that they need to keep the cards around longer because that is a legit
business use. I would hope the cards are tokenized in those systems but you
never know.

Also, the hack was most likely not on the POS system but on their payment
switch (software for payments routing not to be confused with a network
switch). There would be one central point where all their transactions are
funneled to their various payment networks. This would be the place to
intercept 40-110m transactions. At the individual store level it would be much
more difficult to compromise that many systems across thousands of locations
versus one central point and get the data out. Smaller retailers will connect
their POS systems directly to the banks but large retailers usually have
private dedicated circuits to their payment providers that flow through a
payment switch. The POS systems connect to that central switch not the payment
network.

For those predicting the imminent demise of Target, go back and look at a
historical chart of how TJX's stock has performed since their breach in 2007
(mid teens to over $60/share now).

~~~
cynwoody
> _Also, the hack was most likely not on the POS system but on their payment
> switch (software for payments routing not to be confused with a network
> switch). There would be one central point where all their transactions are
> funneled to their various payment networks._

Interesting. That strikes me as a rather dumb way to architect a system. Much
better is a simple HTTPS request direct from the POS terminal to the payment
processor. That way the bad guys have to hack the individual terminals. Of
course, given a little automation, once they've figured out how to compromise
one POS terminal, the rest are just a bunch of parallel loops away.

Ten or 12 years ago, I implemented POS interfaces to Fifth Third and Concord
EFS. The POS in question was designed for use in individual retail stores,
where there might be half a dozen registers.

Both Fifth Third's and Concord's interface took the form of a single HTTPS
request to a designated URL. As I recall, Concord's was by far the simpler
interface, requiring only the obvious data. Fifth Third's had a lot of legacy
nonsense, requiring you to figure out what you really needed to provide. Both
had a POS interface certification process, wherein you needed to hook up to a
test system and correctly process a bunch of test transactions.

Fifth Third did have a batching function, but it did not require the
establishment to store transactions client-side. Rather, the batch was
accumulated on the payment processor's server. The POS system could request
that a batch be closed (at the end of the business day, for instance). There
was also a web login that the store manager could use to check on the status
of the day's charges and some number of closed batches.

------
robbiewright
Why isn't chip and pin mandatory in America?

~~~
jsaxton86
I heard a rumor that it's because Visa/MasterCard don't want to update every
point-of-sale terminal in the country.

~~~
tadfisher
Visa and MasterCard are actually pushing for chipped cards. In 2015, all major
card issuers are shifting fraud liability to merchants if they don't update
their POS systems to handle chip & pin or chip & signature:
[http://en.wikipedia.org/wiki/EMV#United_States](http://en.wikipedia.org/wiki/EMV#United_States)

~~~
dangrossman
Merchants _already_ have complete fraud liability today, as they always have.
If stores don't upgrade their hardware, their liability will be the same in
2015 as it is today.

In 2015, if you implement EMV, and take a chip-and-pin transaction at the
point of sale, and the card itself is counterfeit, then you won't be liable.
If you don't support EMV, the liability will be the same as it is today. If
you do support EMV, and the fraud is something other than a counterfeit card,
the liability will be the same as it is today.

It's almost as if they designed the incentive to create a talking point when
selling the EMV hardware to retailers, without actually shifting any
meaningful liability away from them, so the card brands and banks can continue
suffering none of the losses due to fraud outside their merchants' reasonable
ability to stop.

~~~
tadfisher
I was under the impression that fraud liability for card-present transactions
today lies with the bank or card issuer, not the merchant.

------
fishstix55
Every target pharmacy purchase.... Think about it...

------
alexbilbie
Could someone please explain why Target were storing PIN numbers?

~~~
cynwoody
They weren't.

They were uploading encrypted PIN blocks to their payment processor, and the
bad guys captured those along with the mag stripe data. But encrypted PIN
blocks are useless to a hacker. Target can't decrypt the PIN-blocks. Only the
payment processor has the key. Unfortunately, this point seems to have escaped
some of the media morons, who would rather write scare headlines than get it
right.

PINs are entered on separate keyboard devices, known as PIN-pads. A PIN-pad is
a tamper-resistant subsystem that can be programmed to prompt the customer to
enter the PIN on its separate little keyboard. The PIN-pad then encrypts the
PIN, using keys which are preloaded by the payment processor, and provides the
encrypted result to the POS terminal.

PIN pads _have_ been hacked† in the past, but the methods employed require
physical access to the POS terminal and are thus no where near scalable to the
level of the Target hack.

†[http://fraudwar.blogspot.com/2007/02/could-arrest-in-stop-
an...](http://fraudwar.blogspot.com/2007/02/could-arrest-in-stop-and-shop-
data.html)

~~~
nikcub
> But encrypted PIN blocks are useless to a hacker.

You write them to a card and then you have a dupe that can be used in card-
present credit card transactions. These dumps are all over the underground
forums, they are easy to buy - that is, afterall, how Target found out about
the hack.

~~~
gergles
What? The encrypted PIN block isn't on the card; it's generated when you type
your PIN in on a PIN pad and is unique by merchant & payment processor.

------
low_key
In the past I purchased a bottle of Nyquil at Target. They wouldn't complete
the purchase without scanning my drivers license. I was not feeling well at
the time, so I complied.

I'm curious if they stored the information from the magnetic strip on the
license and, if so, was that information stolen as well? Also, if they did, is
it legal for them to do so.

I haven't even heard anyone from the news even bring this up, but I think it
would be much more serious than the cc data.

------
coldcode
I keep wondering if they captured unencrypted backup tapes.

------
alexeisadeski3
If this had happened to an internet retailer, the event would be touted as the
turning point against online commerce.

------
rasengan
Obligatory Bitcoin comment. ;)

~~~
dubfan
Because Bitcoin-related businesses have such a stellar security record...

~~~
rasengan
I never mentioned Businesses. I said Bitcoin as in the protocol/blockchain.

edit: To further clarify, if you use your CC, you have to give the merchant or
processor all the data required to make a purchase. The protocol/idea itself
is broken, just like automated ACH by an external third party.

edit 2: To go further, think about when the social network sites used to ask
for thr username and password you used in order to login to third part
services to 'invite your friends'. That was clearly a security mistake at the
idea level. Now most services hardened up a little and offer revokable API
access so that your account credentials are not required by a third party and
usually even access limits can be set on a per API key level basis.

~~~
FireBeyond
So you accept Bitcoin. Now you have to stand at the counter until the network
gets enough confirmations… which can be upwards of 20 minutes. Doesn’t sound
at all problematic...

~~~
olefoo
That's an implementation detail; particularly if there is some legal backing
(government regulation of the good kind) for the transfer mechanism. Think
something using the Ripple protocol backed by a bank fund that holds 1 dollar
for every "coin" represented in the system.

If transaction confirmations took less than 500 milliseconds and had at least
two confirmations from a network that had some form of insurance against
double spend (rare and very noticeable) and identity theft (more common, but
also noticeable) and auth token theft (relatively common). You could have
something that looked like a general purpose internet mediated payment
mechanism of sufficient (but not perfect) security; that would be relatively
backwards compatible with existing infrastructure and resistant to attacks
that merely depend on access to stored data rather than controlling a
distributed ledger.

