A few security lessons from the Target Breach by Susan Bradley, WindowsSecrets.com
The Target breach points out some facts of life on the Web: We’re all targets (pun intended) of cyber thieves.
Fortunately, there are steps we can take to protect ourselves. Here’s how to protect yourself from the next big breach.
I am a target. I shop online, I shop in large department stores, and I regularly use credit and debit cards. Shopping at large stores that process thousands of sales daily makes me even more of a target, because my transaction information (name, account number, etc.) gets combined with that of all other shoppers. And I became a potential victim when I shopped at Target this past Christmas shopping season.
These days, every time I swipe my credit card on a point-of-sale system, I think to myself: “Is this vendor doing all they can to keep me safe?” Retail companies believe they are; claiming that by following the Payment Card Industry (PCI) standards, they’re doing all they can to keep customer credit-card information safe. But I’m not convinced — especially in the U.S. European credit cards are considered more difficult to hack because they use an onboard security chip rather than the magnetic stripe common on U.S. cards.
This is so true! The article covers some great topics regarding malware designed to attack retail point-of-sale systems, When fishing, go for the biggest catch, and Ways to help protect yourself from POS attacks.
Must read article.
There is also another excellent article from Wired.com that is also a must read:
A gang of shadowy hackers tears through the systems of big-box retailers, making off with millions of credit and debit card numbers in a matter of weeks and generating headlines around the country.
Target and Neiman Marcus last week? Nope. This oh-so-familiar attack occurred in 2005.
That’s when Albert Gonzalez and cohorts – including two Russian accomplices — launched a three-year digital rampage through the networks of Target, TJ Maxx, and about half a dozen other companies, absconding with data for more than 120 million credit and debit card accounts. Gonzalez and other members of his team eventually were caught; he’s serving two concurrent sentences for his role, amounting to 20 years and a day in prison, but the big-box breaches go on.
The latest string of hacks attacking Target, Neiman Marcus, and others raise an obvious question: How is it that nearly a decade after the Gonzalez gang pulled off its heists, little has changed in the protection of bank card data?
Oh, and just in case you have forgotten them all, here is a list of all the others:
Target got off easy in the first breach: A spokeswoman told Reuters an “extremely limited” number of payment card numbers were stolen from the company by Gonzalez and his gang. The other companies weren’t as lucky: TJX, Hannaford Brothers grocery chain, the Dave & Busters restaurant chain, Office Max, 7-Eleven, BJ’s Wholesale Club, Barnes & Noble, JC Penney, and, most severely, Heartland Payment Systems, were hit hard.
BOLD emphasis mine.
Again, much more in the must read article including sections; What the Target Thieves Got. Inherent Flaws In the System, and the most telling section, Retailers Oppose Tougher Standards.
And as if that wasn’t bad enough, just yesterday on January 25th, Michael‘s too:
Sources: Card Breach at Michaels Stores by Brian Krebs – KrebsOnSecurity.com
Multiple sources in the banking industry say they are tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc., an Irving, Texas-based arts-and-crafts retailer that maintains more than 1,250 stores across the United States.
…
Update 1:34 p.m. ET: The U.S. Secret Service confirmed that it is investigating a potential data breach at Michaels. Also, Michaels has just issued a statement stating that it “recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.”
I think Gartner’s analyst Avivah Litan’s quote in the January 17 2014 Wired Threat Level article was spot on:
“It’s a big failure of the whole industry,” says Gartner analyst Avivah Litan. “This is going to keep getting worse, and this was totally predictable a few years ago and no one did anything. Everyone got worked up, and no one did anything.”
Often these days, I will get cash from the bank and use that instead of the card if I plan on visiting any retailers that have been a part of a security breach, which sadly leaves few you can actually feel comfortable using your credit/debit cards online and off.
I wonder how many others will do the same rather than chance the annoyance, the fear of loss of your hard earned money, the frustration of being without a card while it’s replaced when they disable the current one that’s compromised in a security breach or is used in a fraudulent transaction after a breach (even if it’s limited to $50 or whatever, that’s really not much help for the anxiety it puts people through), and finally of course dealing with the aftermath of your information being at large and the potential of someone using that information to impersonate you…believe me, a 6 month or 12 month credit monitoring does not help that much, or help you sleep at night knowing all that information being out there could be used to do as more and more of your information is made available through these breaches.
If retailers and credit/debit card companies want our ‘faith’ in them, and have us get the warm fuzzies regarding them being responsible enough to be trusted with other people’s money, they need to do what’s needed to get that faith back. Period.
And skimping on it like they did in 2005 won’t cut it, nor will the PCI compliance standards and the blame game. Something really needs to be done about this. People need to feel comfortable using credit/debit cards or they will go the way of the dodo.
Fix the problem, not the blame.*
* Thanks to the movie, Rising Sun for the quote.
BTW: Might want to check out the Privacy Rights Clearinghouse and their page on data breaches since 2005. There have been quite a few more than just those noted in this posting!
EDIT 1-26-2014 8:508PM: @SecurityGarden posted the following and linked to this article; Exclusive: FBI warns retailers to expect more credit card breaches – Reuters:
@SecurityGarden Status regarding expanding on this posting on the security breaches
Fran's Computer Services' Blog 
Nice article, thanks Fran!!
Thanks Josh! Just added something from Corrine’s @SecurityGarden twitter posting to it too. Interesting article for sure and a great addition to the overall theme of the posting.
I also shared it on G+
Thanks!