Posted on 02/03/2014 1:28:40 PM PST by SkyPilot
The data breach that struck our company spotlighted the sophistication of criminal hacker networks operating across the globe. We know the attack created significant concerns for millions of customers. We will learn from this incident and we will work to make Target, and the wider business community, more secure in the future.
One step American businesses could now take that would dramatically improve the security of all credit and debit cards: adoption of chip-enabled smartcards. The technology is already widely used throughout the world. For many reasons, the United States has been slow to embrace the technology at home. We need to change.
At Target, we've been working for years towards adoption of this technology. Since the breach, we are accelerating our own $100 million investment to put chip-enabled technology in place. Our goal: implement this technology in our stores and on our proprietary REDcards by early 2015, more than six months ahead of our previous plan.
Nothing is more important to Target than our customers. We are who we are because of their trust and loyalty. That is why it is so important to move forward with a more secure technology.
For consumers, this technology differs in important ways from what is widely used in the United States today. The standard credit and debit cards we use now have a magnetic stripe containing the customer's information. When first introduced, that stripe was an innovation. But in today's world, more is needed. The latest "smart cards" have tiny microprocessor chips that encrypt the personal data shared with the sales terminals used by merchants. Why is such a change important? Even if a thief manages to steal a smart card number, it's useless without the chip.
(Excerpt) Read more at thehill.com ...
The fedzilla cannot monitor cash transactions, plus some companies offer a cash discount. And with cash, you don’t go into debt. Whoo Hoo, good stuff.
And here I was thinking it’s time for cash again.
Amen! Last summer I decided, as an experiment, to stop using, as much as possible, my debit card (don't have/don't want a credit card).
I started hitting the ATM for $100 at a time and spending the cash instead of using the card. Results:
· I'm more aware of what I'm spending. With the debit card, sometimes I wouldn't even look at the total.
· I make fewer trips to the store and buy more on each trip. I haven't figured this one out.
· Balancing the checking account is a lot easier as the number of transactions has dropped way down.
The experiment has been a success. I still use the debit card for online shopping, etc., but for everything else I pay cash.
Naturally, YMMV.
I’ll quit credit cards if they try to make chip imbedded ones mandatory.
I won’t have a smart phone either.
“And with cash, you don’t go into debt.”
I’ve never had any debt other than a mortgage on our 1st home and I use credit cards all the time but they are paid in full the day the bill arrives.
I’ve never even bought a car that I didn’t pay for in full, including my 1st one when I was 14.
Some Euro nations have gone to biometrics for passports. We used biometrics extensively in Iraq to track insurgents.
Possibly ---> Thumbprint scans already come with every single new iPhone so that only you can use it. To those who believe in Bible prophecy, hang onto your hats.
This knowledge base must be diminished first...
The chip-and-pin system is, certainly, an advancement over magnetic strip cards (which are easier to "skim") but in the case of Target and Neiman Marcus and other retailers, the breach of security had nothing to do with physical cards' security features.
People who understand little about card-payment technology simply use this incident to again glom onto the usual "Others (Europeans?) do it better" and old and tired "American banks and credit card companies just don't want to spend money on security because it's cheaper for them to absorb the costs of fraud" laments.
Actually, the magnetic strip cards hold a minimal amount of information, so while it's easier to manufacture a forged one, it's also easier to cancel and replace without criminals getting too much of your personal info.
The problem with this particular security breach is that it happened on the back-end of payment processing, using an old (at least, since before 2007) vulnerability that likely has not been patched up by certain payment processors, despite warnings from Visa and security experts.
From What the Heck Is a RAM Scraper? - Re/code, by Arik Hesseldahl, 2014 January 13
So what the heck is a RAM scraper and how does it work? First, remember that payment systems (the cash registers and credit card terminals you see in stores and restaurants every day) have a lot of strong requirements for encrypting data, pretty much end-to-end during the transaction process, as well as any records that are stored afterward. But there's one particular moment when that data is vulnerable, and it occurs during the milliseconds that it is stored in the system memory (a.k.a. random access memory, or RAM) of the back-end server that processes the transaction. Think of it as a package being delivered to you with a lock on it. Even though you have the key, you still have to open it to see what's inside. The same thing happens when your credit card number gets decrypted. And when that happens, your credit card number is briefly stored in the system memory of the server processing the payment. When that happens, that data is "in the clear," as in unencrypted. Typically this step in the process should only take milliseconds. Once the payment is verified, the next transaction in line comes through and the process repeats itself, and numbers are overwritten each time as new ones come in. But it's at this vulnerable moment that RAM scraper malware is designed to strike. RAM scraping is an old attack technique that has in recent years been given new life for the purpose of compromising payment systems. Security researchers at Verizon first noted it in a report in 2009. ..... < snip > ..... Visa issued security alerts on an uptick in RAM scraper activity in April and August of last year. Among the suggestions it made at the time: Tighten firewalls to allow systems to communicate only with known systems. It also advised companies to separate payment systems from non-payment systems. ..... < snip > .....
Over the summer, the security firm Sophos took a look at RAM scraper attack trends and found that the most common one is Alina, one of a family with many variants that has come to be called Trackr. Retail stores and hotels were most likely to be targeted by attacks using Trackr variants during the first six months of 2013, Sophos found, accounting for a combined 26 percent of attacks. Educational institutions, restaurants and health care businesses were also targeted. And most of the attacks during the same time period (56 percent) were in the U.S., which combined with Germany, Canada, and the U.K. accounted for 89 percent of these attacks. ..... < snip > As the mystery around the credit card hacking at retail giants Target and Neiman Marcus continues to unfold, you're going to start hearing a lot about something called a "RAM scraper." ..... < snip >
As can be seen, the US companies are not alone in being attacked by this method, because vulnerability has nothing to do with magnetic strips or other physical cards' properties.
Chip-and-pin wouldn't protect against this attack; it could only help make it more difficult to counterfeit the physical card, which is mostly a waste of time anyway - much less important than the identity info on the payment processors' servers.
I'll even bet that most of these so called HACKING incidences are merely INSIDE jobs.
Not very many men (or women) have the virtue to resist the highest bidder.
Cool. I bought my first car at 15. $700 for a 1970 VW beetle. Ran it until it started spitting the spark plugs out.
Aw, man! I paid $1400.00 for a baby-blue Beetle, also my first car.
Great information. Thanks.
In a properly-designed smartcard-based system, the merchant's computer should request from the card issuer a random security token, and should never--even for a microsecond--hold enough information to perform a transaction not associated with that token. The card issuer would know that the token was issued to the merchant, and could require that any money taken from the card using it must go to an account associated with the merchant.
Ideally, credit-card-entry terminals would be constructed in such a way that a plugged-in smart card would get first "dibs" at keyboard data, nothing else could see it unless the smart card passed it along, and no change to such behavior would be possible without physically compromising the card entry terminal. In such a design, no remotely-programmable machine would ever see a customer's PIN, and thus even attack code with full access to ram-scrape all reprogrammable devices would not gain access to it.
Given the extent to which financial institutions have failed to achieve the level of security which would be possible even with simple magnetic stripe cards, and checks, I wouldn't expect them to implement the best possible smart-card system; nonetheless, a well-designed smart-card system could be made much more secure than would be possible without smart cards.
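The merchant-bound, single-use token design argued for in the post above, and the "in the clear in RAM" exposure described in the quoted Re/code article, as an added example that is mine, not the poster's and not any real issuer's protocol: the issuer mints a token tied to one merchant and one amount, and settlement is refused if a copy lifted from a processing server is replayed, presented by a different merchant, altered, or used after expiry. `issue_token`, `settle`, the HMAC tag and the in-memory ledger are all assumptions standing in for a real issuer back end.

```python
"""Toy model of an issuer-bound payment token (constructed example, not a real scheme)."""
import hashlib
import hmac
import secrets
import time

ISSUER_KEY = secrets.token_bytes(32)   # constructed: issuer secret, never sent to merchants
_unspent = {}                          # issuer-side ledger: token_id -> (merchant, cents, expiry)


def _tag(token_id, merchant_id, cents, expiry):
    """Issuer's integrity tag over every field the token binds."""
    msg = f"{token_id}|{merchant_id}|{cents}|{expiry}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(merchant_id, cents, ttl=60, now=None):
    """Issuer side: mint a token usable once, only by merchant_id, only for this amount."""
    now = time.time() if now is None else now
    token_id, expiry = secrets.token_hex(16), int(now) + ttl
    _unspent[token_id] = (merchant_id, cents, expiry)
    return {"id": token_id, "merchant": merchant_id, "cents": cents,
            "exp": expiry, "tag": _tag(token_id, merchant_id, cents, expiry)}


def settle(token, claiming_merchant, cents, now=None):
    """Issuer side: release funds only to the bound merchant, once, before expiry.
    Returns (ok, reason) so the caller can log why a settlement was refused."""
    now = time.time() if now is None else now
    expected = _tag(token["id"], token["merchant"], token["cents"], token["exp"])
    if not hmac.compare_digest(expected, token["tag"]):
        return False, "bad tag"                      # altered or forged token
    if token["id"] not in _unspent:
        return False, "already spent"                # replay of a captured token
    bound_merchant, bound_cents, expiry = _unspent[token["id"]]
    if now > expiry:
        return False, "expired"                      # captured token held too long
    if claiming_merchant != bound_merchant or cents != bound_cents:
        return False, "wrong merchant or amount"     # token spent somewhere else
    del _unspent[token["id"]]                        # single use: burn it
    return True, "settled"
```

A token scraped from the processor's memory in this model is only ever good for the one payment it was already minted for, which is the property the post says a magnetic-stripe track can never have.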
I think you are confusing the POS terminal software with the [back-end] payment processing server software where the malware actually resided (it would be near impossible to infect enough terminals to affect the records of 70 million people over a period of a few months).
Whether smartcard or magnetic-strip card is used at the POS (Point Of Sale) terminal is irrelevant - the encrypted data/tokens are passed to the payment processing server of one of the PPS companies, such as BluePay, Chase Paymentech, Global Payments, Heartland Payment Systems, International Payment Processing Company, National Processing Company, Pathfinder Processing Solutions, Payment Systems Corp., PayPros etc. etc. (2013 Top 50 Payment Processing Companies)
If Target and Neiman Marcus had the same (or similarly infected) payment processor, it easily explains how otherwise unrelated millions of people in different corners of the US and other countries had their data compromised simply by swiping their cards: the POS terminals and the cards were not the weak point; the servers infected with the RAM scraper were.
That's why in my post I put the emphasis on and specifically underlined the back-end / processing server software as the infected culprit.
I'll even bet that most of these so called HACKING incidences are merely INSIDE jobs.
Quite possible. Security industry stats show, and it is generally agreed, that at least 90% of enterprise data theft is done not through outside infections or break-ins, glorified in many "hacker" movies, but rather using either an in-house accomplice or the kind of "social engineering" popularized by Kevin Mitnick.