Hacker News new | comments | show | ask | jobs | submit login
Target's data breach bigger than first thought – more than 100M records (sophos.com)
44 points by kn9 1375 days ago | hide | past | web | 43 comments | favorite

This is Bad News, seeing as Target is also tracking every thing you've ever purchased[0] and using it for marketing purposes. I wonder if they also got ahold of not just credit cards and PII, but also purchase history.

I wonder why they're not using this information to contact their "guests" directly? Why should I need to read about this revelation on HN, when they know everything about me.

[0] http://motherboard.vice.com/blog/target-knows-you-re-pregnan...

Because if they did, the fall-out would be massive. Frankly, it’s not been all that bad, relatively speaking. A few news releases, leave it to the financial institutions to do the damage control, and the principle of diffusion does a whole lot to shield your reputation.

In comparison, a letter to you from Target directly detailing their failure - not so good. no doubt they’re avoiding this unless utterly forced to.

I'm intrigued that reports on the event still fail to mention any technical details, where and how it happened. I remember reading speculation that the breach was actually in a third-party transaction processor within the financial system, which would be even worse...

> In other words, you may be at risk from this exposure even if you've never bought anything from Target.

This is why we must push back against companies who not only want to "track everything" about their customers, but about their non-customers, too!

but about their non-customers, too!

You would have had to have "interacted with Target", meaning that you gave them the information in the first place.

Yes. In order for Target to have the information mentioned, you would have needed to have bought something online from them or you would need to have a REDcard† or have filled in a survey or mailed in a refund request or phoned customer service. Merely having bought something in a store, even using a credit or debit card, would not result in that information being captured.

Of course, Target will try to track you even if you don't provide them with contact information. E.g., if you use the same credit card across multiple visits, they won't have your contact information or even your full credit card number (which they aren't allowed to store). But they will be able to analyze what you bought over time, and that's valuable.


> [Target] won't have […] even your full credit card number (which they aren't allowed to store)

They won't have my credit card number? Wasn't how got to this very discussion because they have my credit card number?

> So far, Target says, it's determined that the breached data includes customer names, credit or debit card numbers, card expiration dates, and CVVs (cards' three-digit security codes).

They're only permitted to keep the full credit card number for as long a business need exists. For a hotel or a car rental agency, that might be days.

But for a retail transaction, it is a couple of seconds: submit the charge, mag stripes (and maybe PIN-block) and all. Then receive back the accept or decline. Just a simple HTTPS request. They are only allowed to keep part of the PAN beyond that time frame (the BIN and the last four if memory serves). No expiration date. And no CVV (the one that authenticates the mag stripe data, not the three or four digit code you enter for online transactions).

What the hackers must have done is to install malware on Target's POS terminals that was intercepting the full mag stripe data and making it available to the hackers. They must have gained free reign on Target's corporate network, allowing them to access the POS terminals remotely. The marketing database breach was just frosting on the cake.

The interval Target held the cards was probably longer than a few seconds. Depending on how they do settlement they may need to keep the PAN around longer until they settle the transactions. Some retailers do it real time (right after auth) but many do it in batches at the end of the day, overnight. That first message only authorizes a transaction. The money isn't drawn from the account until a settlement message comes through.

Target also does not have a loyalty card program. This means that the only way they can track individual purchases would be via a credit card. Target has very sophisticated marketing systems. They may have convinced their auditors that they need to keep the cards around longer because that is a legit business use. I would hope the cards are tokenized in those systems but you never know.

Also, the hack was most likely not on the POS system but on their payment switch (software for payments routing not to be confused with a network switch). There would be one central point where all their transactions are funneled to their various payment networks. This would be the place to intercept 40-110m transactions. At the individual store level it would be much more difficult to compromise that many systems across thousands of locations versus one central point and get the data out. Smaller retailers will connect their POS systems directly to the banks but large retailers usually have private dedicated circuits to their payment providers that flow through a payment switch. The POS systems connect to that central switch not the payment network.

For those predicting the imminent demise of Target, go back and look at a historical chart of how TJX's stock has performed since their breach in 2007 (mid teens to over $60/share now).

> Also, the hack was most likely not on the POS system but on their payment switch (software for payments routing not to be confused with a network switch). There would be one central point where all their transactions are funneled to their various payment networks.

Interesting. That strikes me as a rather dumb way to architect a system. Much better is a simple HTTPS request direct from the POS terminal to the payment processor. That way the bad guys have to hack the individual terminals. Of course, given a little automation, once they've figured out how to compromise one POS terminal, the rest are just a bunch of parallel loops away.

Ten or 12 years ago, I implemented POS interfaces to Fifth Third and Concord EFS. The POS in question was designed for use in individual retail stores, where there might be half a dozen registers.

Both Fifth Third's and Concord's interface took the form of a single HTTPS request to a designated URL. As I recall, Concord's was by far the simpler interface, requiring only the obvious data. Fifth Third's had a lot of legacy nonsense, requiring you to figure out what you really needed to provide. Both had a POS interface certification process, wherein you needed to hook up to a test system and correctly process a bunch of test transactions.

Fifth Third did have a batching function, but it did not require the establishment to store transactions client-side. Rather, the batch was accumulated on the payment processor's server. The POS system could request that a batch be closed (at the end of the business day, for instance). There was also a web login that the store manager could use to check on the status of the day's charges and some number of closed batches.

Presumably, from Target’s use of the words “guest information,” this additional data wasn’t related only to customers who actually purchased something from one of the company’s stores during the November-December 2013 timeframe, but also potentially to anyone who has ever interacted with Target in any way.

... well no. 'Guest' is just how Target refers to customers, its just corporate speak.

If you don't want Target to have your data don't give it to them. That's it. Do you need the government to prevent you from giving your data to Target?

but but but growth hacking

Why isn't chip and pin mandatory in America?

I heard a rumor that it's because Visa/MasterCard don't want to update every point-of-sale terminal in the country.

Visa and MasterCard are actually pushing for chipped cards. In 2015, all major card issuers are shifting fraud liability to merchants if they don't update their POS systems to handle chip & pin or chip & signature: http://en.wikipedia.org/wiki/EMV#United_States

Merchants already have complete fraud liability today, as they always have. If stores don't upgrade their hardware, their liability will be the same in 2015 as it is today.

In 2015, if you implement EMV, and take a chip-and-pin transaction at the point of sale, and the card itself is counterfeit, then you won't be liable. If you don't support EMV, the liability will be the same as it is today. If you do support EMV, and the fraud is something other than a counterfeit card, the liability will be the same as it is today.

It's almost as if they designed the incentive to create a talking point when selling the EMV hardware to retailers, without actually shifting any meaningful liability away from them, so the card brands and banks can continue suffering none of the losses due to fraud outside their merchants' reasonable ability to stop.

I was under the impression that fraud liability for card-present transactions today lies with the bank or card issuer, not the merchant.

Most point-of-sale terminals in Australia have been upgraded recently to facilitate RFID enabled cards. But I guess that will only happen in the US once banks start issuing RFID/chip and pin cards by default. I hope for the sake of those 110 million people that the banks sent out modern debit/credit cards to those who cancelled their cards.

Visa and MasterCard don't own the terminal... The merchant banks or businesses do.

I hate chip and pin.

Having to deal with a stupid little machine terminal every time I'm in a restaurant is just obnoxious.

Every target pharmacy purchase.... Think about it...

Could someone please explain why Target were storing PIN numbers?

They weren't.

They were uploading encrypted PIN blocks to their payment processor, and the bad guys captured those along with the mag stripe data. But encrypted PIN blocks are useless to a hacker. Target can't decrypt the PIN-blocks. Only the payment processor has the key. Unfortunately, this point seems to have escaped some of the media morons, who would rather write scare headlines than get it right.

PINs are entered on separate keyboard devices, known as PIN-pads. A PIN-pad is a tamper-resistant subsystem that can be programmed to prompt the customer to enter the PIN on its separate little keyboard. The PIN-pad then encrypts the PIN, using keys which are preloaded by the payment processor, and provides the encrypted result to the POS terminal.

PIN pads have been hacked† in the past, but the methods employed require physical access to the POS terminal and are thus no where near scalable to the level of the Target hack.


> But encrypted PIN blocks are useless to a hacker.

You write them to a card and then you have a dupe that can be used in card-present credit card transactions. These dumps are all over the underground forums, they are easy to buy - that is, afterall, how Target found out about the hack.

What? The encrypted PIN block isn't on the card; it's generated when you type your PIN in on a PIN pad and is unique by merchant & payment processor.

Nope. The PIN-block encryption scheme† is specifically designed to be secure against replay attacks. The same PIN will encrypt to a different PIN-block each time it's entered whether at the same POS terminal or a different one.


Why would there be ~40M credit/debit card records for a single day's transactions? Sounds more like they were hanging onto this information long-term for some reason?

The reports I've seen say 40m sets of card details for the full duration of the hack, which was about two and half weeks, not a single day.

And I doubt Target was storing the data, as they don't have a legitimate business need. Businesses that do have such a need, such as hotels and car rental companies, are allowed to keep the data, but only subject to stringent security.

It seems likely that the hackers broke into Target's network and found a way to install malware on the POS terminals, designed to tee the credit card info off to the hackers in real time (or perhaps log it to disk, where the hackers would come by and fetch it).

They almost certainly store the card number with reversible encryption, because you can make a return just with the card you bought the item with (they lookup the receipt from the card number + item SKU). With a receipt and WITHOUT the card, they can also refund directly back to the card it was bought with.

Both features are possible without actually storing the card number; one-way hashes to do the receipt lookup, and tokens to do the refund, but how likely is that?

I think in Target's case it will turn out the hacker was sniffing network traffic on the internal network, and just pulling every transaction right off the wire.

That might depend on a payment processor service. E.g., when a charge is made, the payment processor returns a unique ID for the transaction. Then, if the merchant decides to give a refund, they put through a transaction that references the sale by its ID, and the payment processor then credits the appropriate piece of plastic with the desired amount. Nothing for a hacker to steal, unless they compromise the payment processor.

>Both features are possible without actually storing the card number; one-way hashes to do the receipt lookup, and tokens to do the refund, but how likely is that?

There is a company, Shift4† ($-sign on a US keyboard, get it?), who provide credit card processing service to smaller merchants. Shift4 itself is not a payment processor. Rather, it provides an intermediate layer standing between the merchant and the payment processor(s). A prominent feature of its service offering is tokenization: the ability to refer indirectly and opaquely to specific transactions and card accounts. It removes the need for the merchant to store card details. Shift4's tokens give the merchant a way to refer to past transactions and card accounts without having to store card details.


>I doubt Target was storing the data

This is a company that loves to try and predict customer behaviours by using massive data-mining techniques. I would be surprised if they didn't store any and all data they get their hands on, especially if it could be used as an additional table key. For background, I recommend this article, which is one of the most interesting works I've seen in the last ~decade:


Storing customer purchase history via loyalty card etc (ala like what WalMart does and talked about in the doc about it that aired on CNBC a while back) to improved directed marketing is a much different than storing credit card data.

It wasn't a single day. It started on Black Friday (November 29th), and didn't stop until December 15th. It's more than 2 weeks' worth of credit card data from 1700+ stores.

They weren't, whoever broke in was sniffing/intercepting the authorization and dump data - and they were there for a while.

In the past I purchased a bottle of Nyquil at Target. They wouldn't complete the purchase without scanning my drivers license. I was not feeling well at the time, so I complied.

I'm curious if they stored the information from the magnetic strip on the license and, if so, was that information stolen as well? Also, if they did, is it legal for them to do so.

I haven't even heard anyone from the news even bring this up, but I think it would be much more serious than the cc data.

I keep wondering if they captured unencrypted backup tapes.

If this had happened to an internet retailer, the event would be touted as the turning point against online commerce.

Obligatory Bitcoin comment. ;)

Because Bitcoin-related businesses have such a stellar security record...

I never mentioned Businesses. I said Bitcoin as in the protocol/blockchain.

edit: To further clarify, if you use your CC, you have to give the merchant or processor all the data required to make a purchase. The protocol/idea itself is broken, just like automated ACH by an external third party.

edit 2: To go further, think about when the social network sites used to ask for thr username and password you used in order to login to third part services to 'invite your friends'. That was clearly a security mistake at the idea level. Now most services hardened up a little and offer revokable API access so that your account credentials are not required by a third party and usually even access limits can be set on a per API key level basis.

So you accept Bitcoin. Now you have to stand at the counter until the network gets enough confirmations… which can be upwards of 20 minutes. Doesn’t sound at all problematic...

That's an implementation detail; particularly if there is some legal backing (government regulation of the good kind) for the transfer mechanism. Think something using the Ripple protocol backed by a bank fund that holds 1 dollar for every "coin" represented in the system.

If transaction confirmations took less than 500 milliseconds and had at least two confirmations from a network that had some form of insurance against double spend (rare and very noticeable) and identity theft (more common, but also noticeable) and auth token theft (relatively common). You could have something that looked like a general purpose internet mediated payment mechanism of sufficient (but not perfect) security; that would be relatively backwards compatible with existing infrastructure and resistant to attacks that merely depend on access to stored data rather than controlling a distributed ledger.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact