[cabfpub] Target Credit Card Data Breach

Ben Wilson ben at digicert.com
Thu Jan 16 00:33:45 MST 2014


For those of you not aware of the Target point-of-sale terminal data breach
that occurred here in the United States recently, this information may be of
some interest.  Of relevance to us is the fact that the potential for
malware on browser and CA/RA systems continues to be a threat and that all
authentication and data communication mechanisms for enterprise systems need
to use PKI and be well-engineered with security in mind.

 
--Target Says Malware Found of Point-of-Sale Terminals
(January 12 & 13, 2014)
Target is now acknowledging that there was malware on its point-of-sale
terminals. In addition, the breach, already one of the largest known
breaches of payment card data to date, affected as many as 110 million
Target customers, nearly three times the initial estimate. Target CEO
Gregg Steinhafel says the company is planning "significant changes" in
response to the breach, but did not elaborate.
http://www.scmagazine.com//target-ceo-confirms-malware-on-pos-machines-talks
-chip-cards/article/329166/
<http://www.scmagazine.com/target-ceo-confirms-malware-on-pos-machines-talks
-chip-cards/article/329166/> 
http://news.cnet.com/8301-1009_3-57617106-83/target-confirms-malware-used-on
-point-of-sale-terminals/
http://krebsonsecurity.com/2014/01/target-names-emails-phone-numbers-on-up-t
o-70-million-customers-stolen/
http://www.computerworld.com/s/article/9245330/Update_Breach_exposes_data_on
_110_million_customers_Target_now_says?taxonomyId=17
http://ca.news.yahoo.com/target-planning-quot-significant-changes-quot-data-
breach-043426651--sector.html
[Editor's Note (Murray): This is simply not a coherent report.  "CCVs,"
and "names and addresses" do not appear at the "point-of-sale" while
"PINs" are in the clear at the point-of-sale.  Moreover contaminating
enough point-of-sale devices to compromise more than a 100 million cards
in two weeks would seem a daunting task.  It seems far more likely that
the payment card processing system was compromised but six weeks after
the event, we are left with as many questions as answers. Steinhafel may
be the right executive to assure us of Target's good intentions but not
the one to enlighten us as to what happened.]

 SANS NewsBites Vol. 16 Num. 004



 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20140116/d65fed52/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5453 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20140116/d65fed52/attachment.bin 


More information about the Public mailing list