Target still being hacked

Heard something this morning on my local news that this could be bigger than just Target; Russian Malware that covers its tracks.

http://www.usatoday.com/story/tech/2014/01/16/target-hacking-russian/4527119/

Correct. I didn't read this USAToday story, but my understanding is that now it's been verified that half a dozen "department stores" were affected by very similar hacks as Target, but the stores have made no public announcements even though the banks and processors have been notified. It WILL leak eventually, and they'll be forced to publicly acknowledge.

Honestly I think from a consumer protection standpoint, businesses should be legally required to make public that they have been compromised within 3 business days of closing off the attack.

I have no idea what six stores were affected, or whether I shopped at any of them, but I would like to know because I'd like to simply go to my bank and have them replace my debit or credit card, if I was a customer at any of those stores. Better to do that than have to contest a bunch of charges later.
 
Was it ever mentioned what other stores were involved besides Neiman Marcus?

The retailers have not come forward yet. Like Target, they will probably wait until their names are leaked. The only reason Target confessed when they did was that one or more of the banks with affected customers told a security researcher, who went public with it. Once the security researcher let the cat out of the bag on December 18, Target was forced to publicly acknowledge it with a statement the next day, December 19.

If you are really interested in the details of what went down at Target, Brian Krebs is one of the security researchers involved and he has a series of blog posts over the last few weeks that explain quite a bit. He is the one who made Target's hack public, IIRC. His blog is at www.krebsonsecurity.com and his original Target post is at:

http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/

He has a number of other posts since then that detail additional information about who was selling the cards and how the hack was pulled off. If you read the first one I recommend reading them all, because the more recent postings have much more accurate data about the scale and scope of the theft, which that early post naturally did not because so little was known the first few days about how long the hack lasted and how many customers were affected.
 
Did you folks read the small print when you signed up for Target's monitoring offer? You gave up all further recourse against Target. And in a year you have to start paying the annual fee yourself. This issue will be a problem for years. You have excluded yourself from future class action suits. A financial website I trust isn't favoring Target's offer.
 


Did you folks read the small print when you signed up for Target's monitoring offer? You gave up all further recourse against Target. And in a year you have to start paying the annual fee yourself. This issue will be a problem for years. You have excluded yourself from future class action suits. A financial website I trust isn't favoring Target's offer.

I'd rather have the free identity theft insurance policy for a year vs holding out for a class action lawsuit. With the magnitude of this breach, a class action lawsuit might net you $1.00 when all is said and done. When the free year is up, people can pay yearly if they want to keep the service. No one will be automatically charged. It would be silly not to take the offer.
 
Okay, presuming people are wise enough not to use something like a birthdate as a password, what is your rationale for thinking that someone should change his/her password to accounts when he/she has been hit by a possible pretexting attack? ETA: That came out snarky. I didn't mean for it to sound that way. I'm just. . .I can usually figure out people's chains of logic on things, but that one escapes me.

Has nothing to do with using birthdates for passwords. Phishing scams try and get as much info from you to use. I unfortunately was a victim of a phishing scam through my work email. I thought because it was work that I was safe. What I didn't realize is that if I would have poked at the URL that was attached when I opened it, it didn't come from my work. If my husband would have texted me 10 seconds earlier then I would have saved myself trouble. I contacted the IT dept of my employer who strongly suggested to change the passwords to all my accounts.

Hope this clears up the confusion going on in your head that somehow escapes you.

With all the identity theft out there, I don't think it's too ridiculous to be cautious. My friend was a victim of true identity theft and after 8 years still has issues with credit.
 
The email that I received yesterday is signed by the CEO and has the return address you listed but it also had links and phone numbers. This is a copy/paste of the email.


<TargetNews@target.bfi0.com>

Dear Target Guest,
As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.
I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.
In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:
Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
Delete texts immediately from numbers or names you don’t recognize.
Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.
Target’s email communication regarding this incident will never ask you to provide personal or sensitive information.
Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.
Gregg Steinhafel

Chairman, President and CEO

I got this too but it simply lists what website you should go to. It's not a link meaning you can't just click on it to go to another page.

I rarely ever shop in store, I don't have a Target card but they have my email so I must have shopped there via Amazon. It's been years if I did and chances are I don't even still have the card I used. (I used to have many cc's but closed them 3 yrs ago and just have 2 now.)
I checked my credit reports and they're all accurate. I must say I'm leery to sign up for their identity theft protection. I'm assuming you must enter a ss# to sign up? :worried:
 


I got this too but it simply lists what website you should go to. It's not a link meaning you can't just click on it to go to another page.

I rarely ever shop in store, I don't have a Target card but they have my email so I must have shopped there via Amazon. It's been years if I did and chances are I don't even still have the card I used. (I used to have many cc's but closed them 3 yrs ago and just have 2 now.)
I checked my credit reports and they're all accurate. I must say I'm leery to sign up for their identity theft protection. I'm assuming you must enter a ss# to sign up? :worried:

Yes on the SS#.

If you are still concerned about your credit you should check out either freezing or putting a fraud alert on your credit.
Freezing costs $, but alert is free.

Good luck.
 
Has nothing to do with using birthdates for passwords. Phishing scams try and get as much info from you to use. I unfortunately was a victim of a phishing scam through my work email. I thought because it was work that I was safe. What I didn't realize is that if I would have poked at the URL that was attached when I opened it, it didn't come from my work. If my husband would have texted me 10 seconds earlier then I would have saved myself trouble. I contacted the IT dept of my employer who strongly suggested to change the passwords to all my accounts.

Hope this clears up the confusion going on in your head that somehow escapes you.

With all the identity theft out there, I don't think it's too ridiculous to be cautious. My friend was a victim of true identity theft and after 8 years still has issues with credit.

Right, but that still has nothing to do with passwords. . .and what the poster described was NOT a phishing scam. A phishing scam is one in which someone is tricked into responding to a fake e-mail. This may/may not have been a pretext attack that got one piece of information.

At any rate, the changing of a password, in this case, won't help or do anything.

If this was a pretexting attack, there are other steps that would be appropriate; chief among them is watching one's credit accounts for suspicious activity and monitoring one's credit rating for activity that isn't one's own.

Changing passwords. . . not so much.

ETA: In a real phishing attack, changing one's password IS a good idea, if the phishing attack was aimed at making one think that he/she had entered his/her password and user name into a website. In a pretexting attack, unless you give your password, there are other steps that are far more important.
 
I got this too but it simply lists what website you should go to. It's not a link meaning you can't just click on it to go to another page.

I rarely ever shop in store, I don't have a Target card but they have my email so I must have shopped there via Amazon. It's been years if I did and chances are I don't even still have the card I used. (I used to have many cc's but closed them 3 yrs ago and just have 2 now.)
I checked my credit reports and they're all accurate. I must say I'm leery to sign up for their identity theft protection. I'm assuming you must enter a ss# to sign up? :worried:


If you checked your credit reports, you either went through Experian or one of its competitors and gave them your SS#. The credit protection that is being offered is thru Experian; not Target.

If you put a credit alert on your credit record on your own, you'll probably go through Experian or one of their competitors and have to give them the same information. However, it is totally up to you. Do what makes you feel safest.
 
Right, but that still has nothing to do with passwords. . .and what the poster described was NOT a phishing scam. A phishing scam is one in which someone is tricked into responding to a fake e-mail. This may/may not have been a pretext attack that got one piece of information. At any rate, the changing of a password, in this case, won't help or do anything. If this was a pretexting attack, there are other steps that would be appropriate; chief among them is watching one's credit accounts for suspicious activity and monitoring one's credit rating for activity that isn't one's own. Changing passwords. . . not so much. ETA: In a real phishing attack, changing one's password IS a good idea, if the phishing attack was aimed at making one think that he/she had entered his/her password and user name into a website. In a pretexting attack, unless you give your password, there are other steps that are far more important.

Toe-ma-to, ta-ma-to, Po-ta-toe, Pa-ta-to.
Can we just agree to be careful and be cautious, if it makes you uncomfortable do what you can to protect yourself.
 
Toe-ma-to, ta-ma-to, Po-ta-toe, Pa-ta-to.
Can we just agree to be careful and be cautious, if it makes you uncomfortable do what you can to protect yourself.

As good consumers, we need to all understand the different kinds of social engineering attacks and what to do if we are attacked and what won't help us be safer and what will help us be safer; a false sense of security, in this case, can be dangerous.
 
As good consumers, we need to all understand the different kinds of social engineering attacks and what to do if we are attacked and what won't help us be safer and what will help us be safer; a false sense of security, in this case, can be dangerous.

"A false sense of security, in this case, can be dangerous"
 
Yes on the SS#.

If you are still concerned about your credit you should check out either freezing or putting a fraud alert on your credit.
Freezing costs $, but alert is free.

Good luck.

Thanks. I'll look into the freeze. I dug back through all of my Amazon order history dating back to 2001. I did buy some spoons from Target back in 2008 to replace some eaten by the garbage disposal. Sigh...
I no longer have the cc I had back then and probably had a different email address but the creeps still could have my name & address. I feel better though. One needs a lot more than name & address to open a cc or get a loan.
 
I got this too but it simply lists what website you should go to. It's not a link meaning you can't just click on it to go to another page.

In the email, creditmonitoring.target.com is highlighted. When you click on that, it opens up the target page. I would call that a link.
 
If you checked your credit reports, you either went through Experian or one of its competitors and gave them your SS#. The credit protection that is being offered is thru Experian; not Target.

If you put a credit alert on your credit record on your own, you'll probably go through Experian or one of their competitors and have to give them the same information. However, it is totally up to you. Do what makes you feel safest.

What I don't trust is that the website they say to go to ends in Target.com.

Maybe I have misdirected issues with trust but I really don't trust anything to do with Target these days. I doubt they have a handle on things and truly know the extent of what happened. It seems to keep changing.

Why do some people have a link in their email and some don't? How do I really know this email is truly from Target? Just as this post contains no links, neither does the email to me. I actually would prefer to go directly to Experian, Equifax, etc. There's always some idiot willing to take advantage of stressed out people. It happened after 9/11, Sandy, etc.

This is what I got from them. My one and only email:

Dear Target Guest,
As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.
I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.
In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:
Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
Delete texts immediately from numbers or names you don’t recognize.
Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.

Target’s email communication regarding this incident will never ask you to provide personal or sensitive information.
Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.
Gregg Steinhafel
 
I'm not against entering my ss# online. I've applied for cc's online and entered to get my credit report. I'm against entering at a website that I don't feel comfortable is safe & secure.
Feel free to call me crazy.

:crazy: :crazy2:
 
