
Reuters - Target hackers stole encrypted bank PINs - source

Status
Not open for further replies.

Arsenic

Member
Of course Macy's could be next, any retailer could be next. I work in IT security, there is always risk. The size of the retailer has nothing to do with it. Your info can be stolen ANY time you use your card.

Bigger size, bigger impact. I doubt the concerns would be as high if the retailer was Uniqlo. Risk is always there, surely, but I like that it was a large retailer that makes this a widely covered concern again.
 

mollipen

Member
Securely connect to my bank on my iPhone, generate a QR code that's good for however long I say it should be good for (24 hours max), scan the QR code at stores to pay.

I want something like that. Seems like it would be far more secure, would take up little time in line, and I wouldn't need to carry around plastic cards anymore.
 
Securely connect to my bank on my iPhone, generate a QR code that's good for however long I say it should be good for (24 hours max), scan the QR code at stores to pay.

I want something like that. Seems like it would be far more secure, would take up little time in line, and I wouldn't need to carry around plastic cards anymore.
I have always thought the same thing. It is basically the same principle as the authenticator apps that Google, Blizzard, etc. have created. I'd rather have something temporary on my phone than carry around a credit card.
 
V

Vilix

Unconfirmed Member
Securely connect to my bank on my iPhone, generate a QR code that's good for however long I say it should be good for (24 hours max), scan the QR code at stores to pay.

I want something like that. Seems like it would be far more secure, would take up little time in line, and I wouldn't need to carry around plastic cards anymore.

Hasn't Japan used something like this for decades?
 

h1nch

Member
I know it doesn't really apply to this situation, but one thing my friend started doing and that I'm in the process of setting up, is using Citi's virtual credit card feature to generate virtual card #s for each recurring payment service he's using his card for, and any online retailer he shops at regularly.

That way in the event he gets suspicious charges he can potentially tie it back to a retailer with poor security. Not only that, but he can easily terminate services by just canceling the virtual card number. Very handy feature and probably the only thing keeping me from dropping my Citi Dividend card.

He also set up email notifications with his everyday purchase card which forwards to a push notification API app, so he gets notified on every single CC transaction. In the event that card gets compromised due to a card skimmer or whatever he'll see the fraudulent charge the moment it happens, and will be able to react quickly.

We're systems engineers by trade so we tend to apply a lot of the skills learned from our career to our own lifehacking projects.
 
What am I missing from the article? It reads like the hackers stole the access PINs to the actual end users' cards, but for what possible reason would Target record the user access PINs?
 

n64coder

Member
He also set up email notifications with his everyday purchase card which forwards to a push notification API app, so he gets notified on every single CC transaction. In the event that card gets compromised due to a card skimmer or whatever he'll see the fraudulent charge the moment it happens, and will be able to react quickly.

What is the push notification API app that he's using? I also have email notification but it just goes to my gmail account which I check regularly. I've found that Chase seems to be the only credit card company that will do email notification for each transaction. Is there any other?

So even if I cancelled the debit card and got a new one with a different number, they will still be able to siphon money out of my account if I didn't change the card's PIN?
No, because you'll have a new card number and the old one is cancelled.
 

mollipen

Member
Hasn't Japan used something like this for decades?

I know they have the option to do some things (like vending machines) with cellphone-generated QR codes, but I'm not sure of the exacts. Like, I don't know if it's the same code every time, or if it's dynamically generated.

Also, I've not seen a lot of widespread adoption of that as a proper payment method outside of specific situations (like the aforementioned vending machines). To be fair, though, I wasn't actively looking for that as a payment option, so I could be wrong in my assumption of how much adoption it's seen.
 

~Kinggi~

Banned
This event really fucked with my holiday shopping. I am out of state and my CC got declined 3 times while holiday shopping with family, which was really embarrassing. That's even after I told my bank I would be shopping. Their response was that because of all the fraud going on from the Target thing, they needed to be careful. Needless to say Target is fucked. People aren't gonna forget the hassle of credit problems at Christmas.
 

dorkimoe

Member
I used to work for Target as well, 7 years, and the douches canned me because they didn't like me speaking out against *Target policies*, and while I feel really bad for all their customers, I cannot be happier this happened to Target; they need a hard reality check that they are not as special as they think they are.

My friend worked in the food area of Target, got fired cuz he made himself a sandwich, they even called the cops haha
 

h1nch

Member
What is the push notification API app that he's using? I also have email notification but it just goes to my gmail account which I check regularly. I've found that Chase seems to be the only credit card company that will do email notification for each transaction. Is there any other?

Yeah, he's using his Chase card due to the email notifications. The way he does push notifications is through an iOS app called Prowl which has a public API. So he just has a script which parses the email for the info he wants, and then sends the payload to the Prowl API and his phone gets a push notification. Pretty handy little setup.
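The setup described in this post (parse a per-transaction alert e-mail, push the interesting fields to Prowl), written out as an added example; it is not the poster's script. The sample e-mail and its wording are constructed, the regular expression is tuned to that constructed format only, and the Prowl endpoint and field names are those of Prowl's public add call.

```python
import os
import re
import urllib.parse
import urllib.request

# Constructed sample alert e-mail; the wording, amount and merchant are made
# up, and the pattern below would need adjusting for a real issuer's format.
SAMPLE_EMAIL = """\
Subject: Transaction alert
A charge of $42.17 was made on your credit card ending in 1234
at EXAMPLE GROCERY on 12/27/2013 at 06:41 PM ET.
"""

ALERT_RE = re.compile(
    r"charge of \$(?P<amount>[0-9][0-9,]*\.[0-9]{2}) was made on your .*?card "
    r"ending in (?P<last4>\d{4})\s+at (?P<merchant>.+?) on "
    r"(?P<date>\d{2}/\d{2}/\d{4})",
    re.S,
)
PROWL_ADD_URL = "https://api.prowlapp.com/publicapi/add"  # Prowl public API

def parse_alert(body):
    """Return amount, last four digits, merchant and date, or None if the
    mail is not a transaction alert (so other mail never triggers a push)."""
    m = ALERT_RE.search(body)
    if not m:
        return None
    alert = m.groupdict()
    alert["amount"] = float(alert["amount"].replace(",", ""))
    return alert

def build_prowl_payload(api_key, alert, app="Card alerts", big_threshold=500.0):
    """Form fields for Prowl's add call. Priorities run -2..2; a charge at or
    above big_threshold goes out at 2 (Prowl's highest) so it stands out."""
    priority = 2 if alert["amount"] >= big_threshold else 0
    return {
        "apikey": api_key,
        "application": app,
        "event": "${:.2f} at {}".format(alert["amount"], alert["merchant"]),
        "description": "Card ending {last4}, {date}".format(**alert),
        "priority": str(priority),
    }

def send_prowl(payload):
    """POST the payload to Prowl and return the HTTP status code."""
    data = urllib.parse.urlencode(payload).encode()
    req = urllib.request.Request(PROWL_ADD_URL, data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

if __name__ == "__main__":
    payload = build_prowl_payload(os.environ.get("PROWL_API_KEY", "PLACEHOLDER"),
                                  parse_alert(SAMPLE_EMAIL))
    print(payload)
    if "PROWL_API_KEY" in os.environ:  # only contact Prowl with a real key
        print("Prowl responded", send_prowl(payload))
```

Run with `PROWL_API_KEY` set to actually deliver a push; without it the script only prints the payload it would send.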
 

styl3s

Member
Well for people like me who only have one debit card and no credit card, I'll have to withdraw some cash to get me through while I wait the 8-15 business days to get my new card. That's a major inconvenience. First world problems I know... but still
Does your bank not offer temp cards from local banking places? I got a temp card the day this happened.

Also, to people who are worried, do your banks not offer you any kind of fraud/unauthorized protection? Before I knew my wallet was stolen my bank called me telling me there was suspicious activity, shut it down and sent me a new card. BB&T doesn't hold any of its clients liable for any kind of fraud/unauthorized shit.
 
Isn't a card and PIN the system Europeans keep saying the US should make standard even for credit cards?

Is there a big difference between using a mag strip vs. a chip to retrieve information?

Yes.

Magstripes are functionally equivalent to taking a card imprint. They're just a machine-readable version of your card number, expiry date etc. There is no security in place other than having to satisfy the other person involved in the transaction that you are who you claim to be. That is why card-skimming is so effective and why this particular hack has been so massive in scale. All the information that is required (remember checking the signature isn't literally required) to perform any transaction is transmitted in the clear every time any transaction takes place.

Monitor any given transaction and you gain the ability to completely impersonate the authorised card holder. That is, in technical language, Absolutely Fucking Balls.

In contrast, EMV ("Chip-and-pin") operates on a pretty strong public/private-key infrastructure system. Information exchange only takes place between the chip and the terminal into which it is placed, and the exchange follows well established key-exchange protocols to guarantee privacy. Short of modifying the terminal itself to replace the chip-reading technology, you simply cannot monitor the transaction.

Each transaction is atomic and local to itself - the public information alone cannot be used to authorise another transaction.

Since EMV gained wide acceptance, card-skimming in Europe has fallen by well over half, and payment card fraud in general has fallen by just under half.

The dominant component of "European" payment card fraud now consists of people skimming the magnetic stripe on the back of our cards and then cloning the card in the United States. America's payment infrastructure, still using magstripes and signatures in almost all transactions, is so insecure it is the #1 destination for all stolen card details.

You can't use those stolen details in most of the world because the "legacy" components that can use those magstripe details have been tightened up. ATMs use only chip-and-pin. Most retailers don't even support the magnetic stripe any more - those that do will usually ask for another form of ID before they allow it (and it gets flagged at your bank in seconds). When using our details online we have the non-electronic CVV and "Secure 3D" authentication - a second secure connection is opened directly to our bank's servers and the transaction is authorised with an independent password.


tl;dr yes, EMV Chip And Pin is massively more secure than magstripes.
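The contrast this post draws (static track data that can be replayed versus a per-transaction cryptogram bound to the terminal's challenge and a counter) in a deliberately simplified model, added here as an example rather than taken from the thread or from the EMV specification; the HMAC-SHA256 cryptogram, the random challenge, the counter and the PANs are stand-ins constructed for the example.

```python
import hashlib
import hmac
import os

# Simplified model written for this example, not the EMV specification: real
# cards use issuer-derived DES/AES keys and ARQC cryptograms; HMAC-SHA256
# stands in here so it runs on the standard library. PANs are constructed.

def _mac(key, pan, amount, nonce, atc):
    msg = "{}|{:.2f}|{}|{}".format(pan, amount, nonce.hex(), atc).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class MagstripeCard:
    """Track data is static: whoever reads it once can present it again."""
    def __init__(self, pan, expiry):
        self.track = "{}={}".format(pan, expiry)

class ChipCard:
    """Key never leaves the chip; each cryptogram binds amount, challenge, counter."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0  # atc: transaction counter
    def generate_cryptogram(self, amount, terminal_nonce):
        self.atc += 1
        return {"pan": self.pan, "amount": amount, "nonce": terminal_nonce,
                "atc": self.atc,
                "mac": _mac(self._key, self.pan, amount, terminal_nonce, self.atc)}

class Issuer:
    def __init__(self):
        self.tracks, self.keys, self.last_atc = set(), {}, {}
    def issue_chip(self, pan):
        self.keys[pan], self.last_atc[pan] = os.urandom(16), 0
        return ChipCard(pan, self.keys[pan])
    def authorise_magstripe(self, track, amount):
        # Nothing binds the track to this purchase: a copy is as good as the card.
        return track in self.tracks
    def authorise_chip(self, txn, terminal_nonce):
        key = self.keys.get(txn["pan"])
        if key is None or txn["nonce"] != terminal_nonce:
            return False  # cryptogram was not made for this terminal's challenge
        if txn["atc"] <= self.last_atc[txn["pan"]]:
            return False  # counter already seen: replay
        expected = _mac(key, txn["pan"], txn["amount"], txn["nonce"], txn["atc"])
        if not hmac.compare_digest(expected, txn["mac"]):
            return False  # amount or another field altered in transit
        self.last_atc[txn["pan"]] = txn["atc"]
        return True

def demo():
    issuer = Issuer()
    mag = MagstripeCard("4000000000000002", "1215")   # constructed test PAN
    issuer.tracks.add(mag.track)
    chip = issuer.issue_chip("4000000000000010")       # constructed test PAN
    skimmed = mag.track                                # what a skimmer captures
    nonce1, nonce2 = os.urandom(4), os.urandom(4)      # one challenge per terminal
    txn = chip.generate_cryptogram(25.00, nonce1)      # what an eavesdropper sees
    results = {}
    results["magstripe_genuine"] = issuer.authorise_magstripe(mag.track, 25.00)
    results["magstripe_replay"] = issuer.authorise_magstripe(skimmed, 1400.00)
    results["chip_tampered"] = issuer.authorise_chip(dict(txn, amount=1400.00), nonce1)
    results["chip_genuine"] = issuer.authorise_chip(txn, nonce1)
    results["chip_replay"] = issuer.authorise_chip(txn, nonce2)
    return results
```

`demo()` authorises both magstripe presentations, including the copied one, while the chip scheme accepts only the genuine cryptogram and declines the replay and the altered amount.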
 
Yes.

Magstripes are functionally equivalent to taking a card imprint. They're just a machine-readable version of your card number, expiry date etc. There is no security in place other than having to satisfy the other person involved in the transaction that you are who you claim to be. That is why card-skimming is so effective and why this particular hack has been so massive in scale. All the information that is required (remember checking the signature isn't literally required) to perform any transaction is transmitted in the clear every time any transaction takes place.

Monitor any given transaction and you gain the ability to completely impersonate the authorised card holder. That is, in technical language, Absolutely Fucking Balls.

What's the point of the signature btw? Is the retailer supposed to compare it to the one on the card? When does it come into play?

You also reminded me that I haven't been to a store that does card imprints in ages.
 

Diablos

Member
Heh, I guess my data was part of the breach. I applied for a REDCard years ago in my early 20s, when I had piss poor credit. I was denied. I guess my application data is still there somewhere in the breach, which really speaks to the magnitude of this all.

I'll be getting free credit monitoring for a year for filling out an application when I was like 22, woo woo.
 
What's the point of the signature btw? Is the retailer supposed to compare it to the one on the card? When does it come into play?

Yes. You're supposed to sign a copy of the receipt and that signature is supposed to be compared to the one on your card.

Expecting minimum wage retail slaves to be experts in handwriting analysis is absurd so this obviously doesn't work.
 

Gallbaro

Banned
I bet this was done at manufacturer. Correlates to Target replacing their old red readers and lazy ass IT monkeys not pulling samples for testing.
 
Yes. You're supposed to sign a copy of the receipt and that signature is supposed to be compared to the one on your card.

Expecting minimum wage retail slaves to be experts in handwriting analysis is absurd so this obviously doesn't work.

But how about restaurants where they bring your card back, you sign the paper, and leave it on the table? By the time the store sees your signature, you're long gone.

Or electronic signature things where the employee doesn't even see the signature
 

Particle Physicist

between a quark and a baryon
Yes.

Magstripes are functionally equivalent to taking a card imprint. They're just a machine-readable version of your card number, expiry date etc. There is no security in place other than having to satisfy the other person involved in the transaction that you are who you claim to be. That is why card-skimming is so effective and why this particular hack has been so massive in scale. All the information that is required (remember checking the signature isn't literally required) to perform any transaction is transmitted in the clear every time any transaction takes place.

Monitor any given transaction and you gain the ability to completely impersonate the authorised card holder. That is, in technical language, Absolutely Fucking Balls.

In contrast, EMV ("Chip-and-pin") operates on a pretty strong public/private-key infrastructure system. Information exchange only takes place between the chip and the terminal into which it is placed, and the exchange follows well established key-exchange protocols to guarantee privacy. Short of modifying the terminal itself to replace the chip-reading technology, you simply cannot monitor the transaction.

Each transaction is atomic and local to itself - the public information alone cannot be used to authorise another transaction.

Since EMV gained wide acceptance, card-skimming in Europe has fallen by well over half, and payment card fraud in general has fallen by just under half.

The dominant component of "European" payment card fraud now consists of people skimming the magnetic stripe on the back of our cards and then cloning the card in the United States. America's payment infrastructure, still using magstripes and signatures in almost all transactions, is so insecure it is the #1 destination for all stolen card details.

You can't use those stolen details in most of the world because the "legacy" components that can use those magstripe details have been tightened up. ATMs use only chip-and-pin. Most retailers don't even support the magnetic stripe any more - those that do will usually ask for another form of ID before they allow it (and it gets flagged at your bank in seconds). When using our details online we have the non-electronic CVV and "Secure 3D" authentication - a second secure connection is opened directly to our bank's servers and the transaction is authorised with an independent password.


tl;dr yes, EMV Chip And Pin is massively more secure than magstripes.

Speaking of which, why isn't the Chip and Pin system more prevalent in the US? Seems so strange how this country has not been shifting towards that system at all. There are a few cards that have it, but it doesn't seem like the major banks are shifting at all.
 
Speaking of which, why isn't the Chip and Pin system more prevalent in the US? Seems so strange how this country has not been shifting towards that system at all. There are a few cards that have it, but it doesn't seem like the major banks are shifting at all.

The banks and retailers don't want to shift. It'd cost a pretty substantial amount of money, estimated to be in the $8-9bn range, to replace all PoS terminals and cards. Sounds like a lot, but that's about the same amount as is lost to card fraud every year in the US anyway, so assuming a similar 50% reduction in fraud as was seen in Europe, it'd only take two years to pay off. The reluctance to change is mostly because there's no perceived need. $8-9bn split between the banks, the card operators and the retailers, all of whom are insured, is not a massive amount, so why would they bother going to the effort? In Europe our governments legislated the issue and pushed the card operators to take a lead. In the US the card operators have finally started to force the issue, requiring that a shift take place before 2015-2017, or face an assumption of the total liability for any losses.
 

gcubed

Member
The banks and retailers don't want to shift. It'd cost a pretty substantial amount of money, estimated to be in the $8-9bn range, to replace all PoS terminals and cards. Sounds like a lot, but that's about the same amount as is lost to card fraud every year in the US anyway, so assuming a similar 50% reduction in fraud as was seen in Europe, it'd only take two years to pay off. The reluctance to change is mostly because there's no perceived need. $8-9bn split between the banks, the card operators and the retailers, all of whom are insured, is not a massive amount, so why would they bother going to the effort? In Europe our governments legislated the issue and pushed the card operators to take a lead. In the US the card operators have finally started to force the issue, requiring that a shift take place before 2015-2017, or face an assumption of the total liability for any losses.

Yes this was the huge development last year (or early this, forget which), and one that will bring a sane amount of security to transactions
 
I haven't had time to run by my bank, but they just called me at work telling me my card number was on the list of those compromised, and they would be sending me a new one next week. Glad they're handling it for me.
 

quickwhips

Member
"We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date," Snyder said by email. "We are very early in an ongoing forensic and criminal investigation."

Shouldn't they know if it was encrypted or not...
 

Karakand

Member
So more important information about this situation was leaked to the victims via the press almost a month later instead of being presented in a high visibility press release from Target in the early aftermath?

Incomprehensibly scuzzy behavior from Target throughout this entire debacle.

e: On an ironic note, my now compromised PIN was one of the many cashier login numbers I was assigned when I worked at Target.
 
I never keep more than $200 in the account connected to my debit card at any one time. I have the money in a separate account that I never, ever use the debit card for, and move money into my daily use account as needed.

I know everybody might not be in a situation to do something similar, but I think it's one good step to take in case things like this happen. Even if your bank ends up covering for any money stolen from your account, that money could be tied up for a while until things get sorted out.

Also, seriously, we need a form of payment in 2013 that actually seems like it should exist in 2013. There are just so many ways to compromise debit/credit cards.

With the advent of mobile banking this is really easy to do now. You can just load up an app to transfer what you need.
 

GK86

Homeland Security Fail
Link.

Target has confirmed that encrypted debit card PIN data was stolen as part of the massive hack carried out against the retailer between late November and early December. The company previously admitted that card numbers and expiration dates were compromised in the attack that affected 40 million customers. That data has already started appearing on the black market, which in turn has put financial institutions across the US on high alert as banks look to protect customers from fraudulent activity.

Target says it remains confident that identification numbers are "safe and secure" thanks to the Triple DES encryption it uses to protect sensitive data. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” the company said in a statement. When you make a debit purchase at one of Target's stores, your card information is "encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor,” the retailer says. "What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident." To underline that point, Target closes its latest update on the incident by saying, "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."

The retailer has confirmed that it is working alongside the Justice Department and United States Secret Service to find those responsible for the breach, which was timed to coincide with the incredibly popular holiday shopping season. Class action lawsuits accusing Target of not doing enough to protect consumer data are already starting to pile up.
 
My account got hacked. I was sure I hadn't used my card at Target between those dates but I missed one payment and somebody went on a 1400 dollar shopping spree.

M&T said it should be fine and if not Target are liable anyway so I am not worried but have to call back on New Year's Day before they can file a request which isn't great.

So might be worth you all checking again just in case as all of the purchases were made today.
 
How do I know if I was affected by this? Besides the obvious, suspicious transactions, because I've had none of those.

If you used your card between Nov 27th and 15 Dec at Target I would assume you have been affected and cancel the card you used to make the purchases. I am going to do the same with my other cards in case now just to be sure.
 
And this continues to make me feel better about having replaced my card right after it happened. What a fucking disaster. The way Target's been handling this is an unmitigated clusterfuck.
 

gcubed

Member
If you used your card between Nov 27th and 15 Dec at Target I would assume you have been affected and cancel the card you used to make the purchases. I am going to do the same with my other cards in case now just to be sure.

This. I'd insist on a new card if you used one there during that time frame, don't wait for something to happen
 