
Target data breach: What you should tell non-IT folks right now

Help your friends, family, and coworkers understand the Target security breach, protect their accounts, and stay calm.

 

The Target logo, courtesy of Target Corporation. Target Corporation’s data breach touched millions. What does that mean to those affected, and what recourse do we have?

To say Target Corporation has been in the news is a world-class understatement, and especially disconcerting for those of us who live in Minnesota. Odds are pretty good that everyone living here has a family member, relative, or knows someone who works for Target. When Target has issues, the people of Minnesota have issues.

As an IT professional who writes about information security and lives in the heart of Target-land, I have a particularly "up close and personal" connection. Many times, when I contracted as a network engineer, I remember getting lost in Target's cavernous multi-floor data centers. I also remember having to go through a serious shakedown to get into each of the data centers. There was one data center in particular where a certain security guard took great pleasure in pointing out that the guy pictured in my driver's license had hair.

What happened to Target looks bad. I first learned about the data breach from my friend Brian Krebs, who broke the story on his security blog, Krebs on Security, on December 18th. His follow-up on December 20th provides a lot more detail. The bottom line is that 40 million people who used their credit or debit card to make purchases at a Target store between November 27th and December 15th had their card information stolen.

CBS News: Target said to be hit with first lawsuits over security breach

There’s a great deal of speculation as to how the data breach occurred, but that’s all it is at this point—speculation. And to be honest, that’s not my concern. What does concern me are the people potentially affected by the data breach. What are they thinking? It didn’t take long for me to find out.

Friends and people who know I write about information security started to call, asking what I was going to do.

When I told everyone who contacted me that I wasn’t that concerned, but that I was checking my accounts online every morning, they couldn’t believe that was it. They kept asking about identity theft: they know our names; can’t they change passwords, and so on? Being immersed in information security, I had a good idea of what happened and how to protect my assets. But it was a bad assumption on my part to assume others did as well. I’d like to fix that.

What did the thieves get?

First, let’s take a look at what the thieves got their hands on. It appears the only information stolen was data stored on the magnetic strip—not the account PIN, and not the three-digit security code on the back of the card. Here’s what the crooks did get from the magnetic strip:

  • Card-holder’s name (There appears to be some confusion as to whether the card-holder’s name is on the magnetic strip or not. I called a few banks and received differing opinions.)
  • Credit or debit account number
  • Expiration date
  • Card-present CVV (Another security code located on the magnetic strip.)
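To make the list above concrete, here is an added Python example (not from the original article) that parses constructed Track 1 and Track 2 records in the ISO/IEC 7813 layout used on magnetic stripes, showing which of the fields each track carries (the card-holder name is a field on Track 1 but not on Track 2) and truncating the account number the way PCI DSS allows for logs and receipts. The sample strings, the name and the industry test account number are constructed; the layout has no field for the PIN or for the printed three-digit code.

```python
import re

# Constructed sample records in ISO/IEC 7813 layout (industry test PAN, fictitious name).
# Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^25121011000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=25121011000000000000?"

TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: catches a corrupted or mistyped account number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS truncation for logs and receipts: at most the first six and last four digits."""
    return "*" * len(pan) if len(pan) <= 10 else pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(raw: str) -> dict:
    """Split a raw track into its fields. Neither layout has a slot for the PIN or the
    printed three-digit code; the card-present verification value sits in issuer data."""
    m = TRACK1_RE.match(raw) or TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a Track 1 or Track 2 record")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return {
        "track": 1 if raw.startswith("%") else 2,
        "pan": m["pan"],
        "pan_masked": mask_pan(m["pan"]),  # persist only this form if you must keep a record
        "expiry": f"20{m['exp'][:2]}-{m['exp'][2:]}",
        "service_code": m["svc"],
        # the card-holder name is a Track 1 field only; Track 2 never carries it
        "name": m["name"].strip() if "name" in m.groupdict() else None,
        "issuer_data_present": bool(m["disc"].strip("0")),
    }
```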

What kind of cards?

People are concerned as to what types of cards the thieves stole information from. The following are involved:

  • All forms of credit card
  • All forms of debit card
  • Target’s Redcard

If people are unable to monitor their accounts online, a banker mentioned they should call the customer service number on the back of the card and share their concerns. This is important because most issuing banks have a time limit for reporting discrepancies, and the next statement date may fall outside that window.

Another option is “account change alerts.” Banks offer a service that sends automated calls, texts, or email alerts when more than a designated amount is charged to or withdrawn from an account. If the person notified didn’t make the transaction, they know to call customer service as soon as possible.

Debit cards, being directly tied to a person’s bank accounts, are more of a concern when digital crooks steal their information. What happens when the crooks try to use stolen debit card information depends very much on the bank. So, to be safe, call the issuing bank’s customer service and learn what they recommend.

Could my identity be stolen?

Yes, it could. I hate saying that, but there is a slight, very slight chance, in a “perfect storm” sort of way, that it could. Stealing a person’s identity requires more information than what is on the credit or debit card. Experts must say yes to cover the possibility that the bad guys already have the additional information and are able to make the association (the perfect storm). Not likely, but possible.

For the super-concerned

If you prefer not to worry about this at all, or you are planning a trip in the near future, it might be best to have the issuing bank cancel the existing account and open a new one. Worries gone. I included travelers because banks are watching customer accounts like never before. If anything looks out of place, they will lock the account in no time flat, and I assure you that traveling is not the time to have that happen.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

14 comments
Jay_H

"There’s a great deal of speculation as to how the data breach occurred, but that’s all it is at this point—speculation. And to be honest, that’s not my concern"

Well that IS my concern, and I worry that like so many other breaches, the details will be hidden behind PR handwaving. But anyone in the IT business NEEDS to know what happened here, or it will occur again and again.

sbarman

What I tell my non-IT folks is the same thing I tell my IT folks: Use cash. Cash is king. Cash is accepted everywhere and cash cannot be traced or tracked. If it's stolen, all you lose is your cash on hand. There is no chance of an identity theft  with cash nor will you spend months trying to clean up a credit score. You also avoid a lot of debt when using cash since you're not paying 18-30 percent interest on your cash. In fact, even if your cash is making 1/2 percent in the bank, you're doing far better than using a credit card.


Otherwise, forget it. You will not see any improvements in the security behind credit cards as long as the Payment Card Industry (PCI) makes the Data Security Standard (DSS) weaker than a wet paper towel (yes, even worse than a wet Bounty) and what they have is certified via a paperwork shuffle (check the box so you can feel better) rather than requiring a real security test and evaluation (ST&E). And as we know, or should know, an ST&E is more than penetration testing. But if we can get these companies to do pen testing, that might be a step in the right direction.


But this would never happen. PCI is too weak-kneed to do anything like this and congress is too stupid to know what laws to pass to ensure this type of safety--sort of like they did for the auto industry after Ralph Nader's "Unsafe at Any Speed." We need one of those for the computing industry!!

johnlindemann

Mr. Kassner- What I tell my non-IT friends/folks is that payment card fraud could be all but eliminated, if the issuing banks were to embrace technology that's existed for several (7+?) years. Just ONE of the technologies that could be used is 'dynamically' created or changing card numbers that are only valid for one time and by one merchant.

One perceived roadblock to a wider acceptance of "one time use" credit card technology is that merchant Point-of-Sale (POS) systems would need to change. This is simply NOT TRUE. Check out a company named Dynamics Inc. based in Pennsylvania that has a product that can encode the one-time-use card number onto the magnetic stripe(s) on the back of the card. This enables standard, existing POS card readers to work seamlessly with the newer technology. A card number that is only good for one transaction at a time cannot be [re-]sold by criminals.

See Dynamics Inc.'s webpage (/Corporate/Products) + their "Dynamics Inc. - Enabling Payments 2.0®" Dynamic Credit Card via web.archive.org [http://www.dynamicsinc.com/Corporate/products_dynamic_cc.php] (last archived Oct. 1st, 2013).

The single most frightening thing anyone could say that _should_ be the catalyst for the card industry to move toward changing the 1950's card technology that we currently endure is "I'm just going to pay cash and stop using credit cards". Of course that'll never happen as long as everyone continues to believe the myth that "all we can do" is to cancel compromised cards and pay extra for "account monitoring", recover from identity theft best we can, yada, yada, yada.

What consumers should be hearing is the truth, that card skimming fraud could have been eliminated years ago. I believe Target, or any merchant that gets compromised, is simply a victim themselves -a victim of our current card technology that hasn't changed significantly since it was first introduced.

P.S. You can buy an inexpensive USB mag-stripe card reader via Amazon and see what data is encoded on your cards. On all of my credit cards, my name (as it appears on the front of the card) IS encoded on the mag-stripe.

TanteWaileka

You are giving BAD ADVICE!!!

BTW, the CVV number IS the number on the magnetic strip.  The CVV number is the same as CSC (card security code) number. The 3-digit number on the back of the card is a CVV2 number, which is created using a "second generation" process that is harder for thieves to figure out, but NOT IMPOSSIBLE.

The very FIRST thing I did, btw BEFORE Target's hack got 'outed' was contact my bank the MOMENT I saw an 8 dollar charge on my bank's online site from some organization in SINGAPORE. It took me a minute longer than usual because I am Global Head of a 100,000 person corporation and often travel to Asia/Pac Rim so for 55 seconds I thought 'hmm maybe that is a legitimate charge'. Luckily, my bank is BB&T and they are very careful to monitor accounts even for people like ME who DO travel to those areas where the account thievery was going on, and that was the only fraudulent amount to get through.

But right then and there I closed my checking account with BB&T and transferred my money to one of my other banks. I also closed my Target Debit Card immediately. The only reason to have a debit card with Target was to get that 5% discount.

You see I am a security expert in the financial world and if you are not concerned, you SHOULD be. You gave BAD advice to your friends, tsk tsk!


rontomlin

"That's in part because..." magnetic stripe that some are suggesting, is an issue but doesn't account for the "breach that exposed the credit card and debit card information of as many as 40 million Target customers". That's about 25% of American households.

In my humble opinion the technology on the individual card, mag stripe or chip, doesn't account for 40 million exposures. The Cloud is the most obvious place to look for the weak link. - http://bit.ly/1gUnfpo    

RobertMoore12

The really strange part about all of this is the fact that they are concerned about identity theft from this isolated incident. Yet they will leave their transaction slips in an ATM and think nothing about it. ID thieves can get just as much from the transaction slips. I know of people that would use this information to send them a dozen roses charged to their account with a note as a warning not to leave this info lying around.

pmayer01

Not being an expert in the area of database security, would it not be possible to store credit information in such a way as to be unintelligible to anyone but the company programmers?  Maybe store each 4 digit subset of the credit card number in a different table, use encryption, etc. 

Alberto Brunoni

This has to be the biggest tech fail of 2013, even bigger than Obamacare website launch.

StarCream

@sbarman  Sorry, but your advice is naïve. Cash is NOT accepted everywhere. For instance, cash is useless if you need to purchase items online or pay monthly cell phone bill. In fact, I'm a MetroPCS subscriber and they don't even accept cash at all.


Michael Kassner

@TanteWaileka

I suspect some confusion, as the two security numbers go by several different acronyms. That is why I specified "card-present" CVV, without any numbers, and mentioned that it is on the magnetic strip. Card-present means that the person does not have to tell the cashier the security code, as they do when the purchase is made online or over the phone using the "card-not-present" CVV.


Michael Kassner

@RobertMoore12

Interesting. I checked my ATM slip and did not see enough information. What am I missing?

Michael Kassner

It might be, but I'm going to reserve judgment until I know how the breach occurred. 
