Hackers steal card data from Neiman Marcus (krebsonsecurity.com)
39 points by panarky 1347 days ago | 14 comments

Notice the pattern to all of these - the hacks are only discovered after the cards have already been charged and the card companies piece together where the possible source could have been by looking at common purchases.

That is the state of security at the moment: not only is it easy to hack into sites, but it is easy to cover your tracks and not be discovered.

Vendors have resorted to trawling the carding forums and buying up dumps to figure out who has been hacked.

I can't remember the industry ever being so imbalanced towards the black hats.

> That is the state of security at the moment: not only is it easy to hack into sites, but it is easy to cover your tracks and not be discovered.

Well, if it’s an SQL injection attack, which is a very common way of hacking web sites, there is no way to even know it happened. Unless you keep a record of everything users input into text boxes, you have no way of knowing. The intruder takes the data and he’s off, and you have no indication that something went wrong. You’ll have a spike in your database usage if someone requested a SELECT * query, but unless something odd happens, chances are you won’t go looking for it.

> I can't remember the industry ever being so imbalanced towards the black hats.

The industry was always imbalanced. If we go ten years back, spam, for example, was a menace; today, not so much. There are always fights won and lost. The problem nowadays is that e-commerce is exploding and a single hack can turn out to be huge. You hack into a site and you end up with 150mm credit cards (aka the Target case). Ten years ago not even Amazon had such a big customer base.

If you're not actively logging and auditing all SELECT * queries on tables storing credit card numbers... shame on you.

Logging any SQL statements on sensitive info is pretty easy, and honestly I wish it was malpractice not to do so.
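An added example, not part of the thread or any commenter's code: one way to audit reads on card tables from a database query log, flagging wildcard selects, missing WHERE clauses and bulk row counts. The table names, the row threshold and the `timestamp|db_user|rows_returned|statement` log layout are assumptions, and the log lines are constructed.

```python
import re

# Assumed for illustration: table names, row ceiling and log layout are not from the thread.
SENSITIVE_TABLES = {"cards", "payment_methods"}
ROW_THRESHOLD = 1000  # rows a normal application query is expected to stay under

# Constructed audit-log lines: timestamp|db_user|rows_returned|statement
SAMPLE_LOG = """\
2014-01-10T02:11:04Z|webapp|1|SELECT last4, exp FROM cards WHERE customer_id = 8812
2014-01-10T02:11:09Z|webapp|40|SELECT name, price FROM products
2014-01-10T02:13:40Z|webapp|48211|SELECT * FROM cards
2014-01-10T02:14:02Z|report|5200|SELECT pan FROM payment_methods WHERE region = 'TX'
2014-01-10T02:14:30Z|webapp|3|select c.* from orders o join Cards c on c.id = o.card_id where o.id = 7
"""

TABLE_RE = re.compile(r"\b(?:from|join)\s+([A-Za-z_][\w.]*)", re.IGNORECASE)
SELECT_LIST_RE = re.compile(r"\s*select\s+(.*?)\s+from\s", re.IGNORECASE | re.DOTALL)


def select_columns(stmt):
    """Return the items of the SELECT list, or [] if stmt is not a SELECT."""
    m = SELECT_LIST_RE.match(stmt)
    return [c.strip() for c in m.group(1).split(",")] if m else []


def audit(log_text, tables=SENSITIVE_TABLES, row_threshold=ROW_THRESHOLD):
    """Flag SELECTs on sensitive tables that use a wildcard, lack WHERE, or read in bulk."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, rows, stmt = line.split("|", 3)
        columns = select_columns(stmt)
        # Strip schema prefixes and case so "Billing.Cards" matches "cards".
        touched = {t.split(".")[-1].lower() for t in TABLE_RE.findall(stmt)} & tables
        if not columns or not touched:
            continue
        reasons = []
        if any(c == "*" or c.endswith(".*") for c in columns):
            reasons.append("wildcard")
        if not re.search(r"\bwhere\b", stmt, re.IGNORECASE):
            reasons.append("no_where")
        if int(rows) > row_threshold:
            reasons.append("bulk_read")
        if reasons:
            findings.append((ts, user, sorted(touched), reasons))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The single-row lookup by `customer_id` and the `products` query pass untouched, so the alert volume stays tied to reads that differ from normal application access.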

Is there any reason why these stores need to store the full magnetic stripe details of the card in the first place?

Merchants are required to scrub the card details as soon as the business need for them has passed. In the case of a retail store, I would think that would be as soon as the accept or decline response from the payment processor is received.

To make a charge, the POS terminal packages the mag stripe data (and the encrypted PIN-block if doing debit) together with the POS terminal's ID, the amount to be charged, and maybe the CVV2 or the billing zip code, etc., into an HTTPS request to the payment processor. A second or two later, the payment processor responds, and the terminal completes the transaction.

If that's how Target's POS terminals work, then the hackers probably managed to push a "software update" out to the terminals causing them to tee the data off to the hackers' server whenever a transaction was made.

The reason the debit PINs were safe is that the PIN pads on which the customers enter their PINs are separate self-contained devices which encrypt the PINs before they leave the pad. Only the payment processor has the key needed to decrypt the PIN blocks, and PIN pads don't accept "software updates". PIN pads have been hacked in the past, but such attacks are far less scalable because they require modifying hardware at each affected POS terminal.

The new news about Target breaching contact info for 70m customers simply confirms that the hackers had free rein on Target's corporate network.

I would expect the credit card companies would require that they not store the entire card swipe data (or the PIN for that matter).

That is what I thought as well, but details on the Target hack suggest they managed to get hold of the cards' entire track data (I'm on my phone so can't link to the article directly, but it's on the same website as OP's link). I'm guessing NM has the same data policy.

I'm not aware of the details, but they might have managed to store the track data because they intercepted it in transit, not because Target was storing it somewhere.

I thought the theory was that the Target hack was targeted at POS card-readers, not recovering numbers after the fact from a database.

It was.

But in order to pull it off on the scale they did, the bad guys must have broken into Target's corporate network. Apparently, the level of access they achieved allowed them to raid the marketing database as well as to hack large numbers of POS terminals to leak the card swipe data.

The marketing database, BTW, contained name and contact information, but not credit card details. The bad guys might find it useful for phishing attacks.

Nowadays, no. However, legacy systems abound.

All these revelations are timed too perfectly. It is obviously a crypto-currency conspiracy to drive credit card transactions out of the comfort zone of mainstream Americans, and subtly migrate the shell-shocked populace into accepting the underworld's own spawn -- a hoarded and cracked crypto-currency. Well, it would be if I ever finish my sci-fi dystopian short story on it.

...this is getting ridiculous.
