SoylentNews is people

posted by Dopefish on Saturday February 15 2014, @07:55AM
from the credit-card-theft-is-too-easy dept.

Gaaark writes:

"Unfortunately, this article is paywalled, but, according to the Wall Street Journal, 'Target security staff raised concerns about vulnerabilities in the retailer's payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers,' people familiar with the matter said.

To me, if your security staff are worrying about something THIS important, someone should be listening!"

[Ed. Note] For those looking for an alternate source for this news, one that is not behind a paywall, see this post by ABC News 10.

  • (Score: 1) by Anonymous Coward on Saturday February 15 2014, @12:07PM

    by Anonymous Coward on Saturday February 15 2014, @12:07PM (#151)
    I've been seeing a lot of ads for credit-report-checking Web sites lately. I guess it's cheaper and easier to tell people to constantly check if they're already fucked than to just implement security.
  • (Score: 4, Interesting) by cge on Saturday February 15 2014, @09:18PM

    by cge (67) on Saturday February 15 2014, @09:18PM (#179)

    I'm not sure that these sorts of after-the-fact discoveries of small warnings are particularly constructive. In a large enough organization, there will usually always be someone concerned about anything; here, it appears that it was "at least one analyst," who had non-specific concerns about malware vulnerability and wanted a more thorough review.

    It's easy to go back, after something happens, and say that some small non-specific warning should have prevented it.

  • (Score: 3, Informative) by _NSAKEY on Sunday February 16 2014, @02:28AM

    by _NSAKEY (16) on Sunday February 16 2014, @02:28AM (#190)
    Target Corp.'s computer security staff raised concerns about vulnerabilities in the retailer's payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers, people familiar with the matter said.

    Members of Target's computer-security staff raised concerns about vulnerabilities in the retailer's payment-card system before the massive hacking occurred. Danny Yadron has details on the News Hub.

    At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system, a request that at least initially was brushed off, the people said. The move followed memos distributed last spring and summer by the federal government and private research firms on the emergence of new types of malicious computer code targeting payment terminals, a former employee said.

    The suggested review also came as Target was updating those payment terminals, a process that can open security risks because analysts would have had less time to find holes in the new system, the employee said. It came at a difficult time—ahead of the carefully planned and highly competitive Black Friday weekend that would kick off the holiday shopping period.

    It wasn't clear whether Target did the requested review before the attack that ran between Nov. 27 and Dec. 18. The specific nature of the feared security holes wasn't immediately clear, either, or whether they allowed the hackers to penetrate the system.

    The sheer volume of warnings that retailers receive makes it hard to know which to take seriously. Target has an extensive cybersecurity intelligence team, which sees numerous threats each week and could prioritize only so many issues at its monthly steering committee meetings, the former employee said. "It is everyone's worst-case scenario," the former employee said. "As an intelligence analyst, there is only so much you can do." Target declined to confirm or comment on the warning.

    The breach has caused headaches for Target customers who have dealt with fraudulent charges and have had millions of credit and debit cards replaced by issuers. Investigators and card issuers haven't quantified damages from the attack.

    The new details, culled from interviews with former Target employees, people with knowledge of the post-breach investigation and others who work with large corporate networks, show that the breach wasn't entirely a bolt from the blue, but instead a sophisticated attack on a known point of vulnerability. Retailers last year had received a number of indications of dangers. In addition to the alerts from the government, Target and other retailers saw a "significant uptick" in malware trying to enter their systems, people familiar with the investigation said.

    Still, the discovery of the intruder that ravaged Target's systems came as a surprise. Chief Financial Officer John Mulligan told Congress last week that the company wasn't aware the malicious computer code that carried out the attack was in its system until contacted by federal investigators late last year. The U.S. Secret Service declined to comment. It and several private companies are investigating the attack. At last week's congressional hearings, Mr. Mulligan said Target passed an audit in September that certified its compliance with payment industry requirements for protecting card data.

    More broadly, Target may have not done enough to wall off its payment systems from the rest of its vast network, people who work with large corporate networks said. The company has since moved to isolate its different platforms and networks to make it harder for a hacker to move between them, a Target executive said.

    The hackers, still unnamed, originally gained access to Target's network by stealing the access credentials of a refrigeration contractor in Pennsylvania. The contractor, Fazio Mechanical Services, has confirmed it was breached and is cooperating with the Secret Service investigation. Fazio said it had a data connection with Target for electronic billing, contract submission and project management, and that Target was its only customer for which it handled those matters on a remote basis. After entering through that connection, the hackers then moved laterally through Target's system, eventually accessing the system that handled payments at the company's cash registers. Target has confirmed the hackers first entered its network through a vendor, though it hasn't said which one.

    There shouldn't have been a route between a network for an outside contractor and the one for payment data, people familiar with large corporate networks said. In a February memo to retailers that didn't mention Target, the Federal Bureau of Investigation said it may be a "vulnerability" to connect credit and debit card readers to remote management software, which makes it easier to manage and monitor internal networks from afar, when combined with weak password selection. A Target spokeswoman declined to comment on its network design. So-called segmentation issues, where computer systems that shouldn't be connected for security reasons are in fact linked, are a problem at a number of retailers, a person familiar with retail breaches said.

    The attackers stole not only the card data, but personal information like phone numbers and email addresses for up to 70 million people.

    The breach hit a retailer that puts a lot of resources into security. In his testimony before Congress, Mr. Mulligan said the retailer has spent hundreds of millions of dollars protecting its data and employs more than 300 people on the issue. The company also has close ties to the Federal Bureau of Investigation. Some of its current and previous corporate security executives are former FBI agents, and its cybersecurity analysts work with the agency at the National Cyber-Forensics and Training Alliance in Pittsburgh.

    Several members of Target's cybersecurity team left the company in the months before the hack, according to people familiar with the matter and a search of social media profiles. Many left for more prestigious jobs at other firms, the former employee said.
    • (Score: 2, Informative) by AudioGuy on Sunday February 16 2014, @05:12AM

      by AudioGuy (24) on Sunday February 16 2014, @05:12AM (#206) Journal

      This is cool, but - when you do this, put in some line breaks and select plain text.

    • (Score: 1) by stroucki on Monday February 17 2014, @05:59AM

      by stroucki (108) on Monday February 17 2014, @05:59AM (#428)

      Holy Berlin Wall of Text!