Massive Target credit card breach new step in security war with hackers

http://www.nbcnews.com/technology/massive-target-credit-card-breach-new-step-security-war-hackers-2D11778083

Keith Wagstaff NBC News
Dec. 20, 2013

It looks like hackers hit the bulls-eye with the recent unprecedented hack of Target credit and debit card information.

Not only was the digital heist huge — up to 40 million consumers might have had their data stolen — but the degree of difficulty indicates another step in the security arms race between criminals and merchants.

The hack affected customers who shopped at U.S. Target retail stores between Black Friday, Nov. 27, and Dec. 15, security researcher Brian Krebs first reported on his blog on Wednesday. That report was confirmed by Target in an official statement on Thursday.

-----
his latest incident, however, likely involved an attack on Target's point-of-sale (POS) system, most security experts agreed, meaning that customer information was probably sent directly from the store's mounted cash registers to the hackers themselves, probably due to malicious software.

"That is what is kind of mystifying at this point," Wester said. "It seems like from a security standpoint, Target was doing all of the right things, and somehow this code was put on the POS system, which isn't a normal access point for hackers."

Why would that be so bad? Because hackers could get their hands on what's called "track data," which is transmitted every time a card's magnetic strip is swiped. That information includes a cardholder's name, a service code used to identify international transactions, and the credit card's number and expiration date.

Merchants like Target, as well as payment processors that store customer data for smaller businesses, aren't legally allowed to store CVV information in their databases.

-----