Target still being hacked

[ancestry]

To be clear though, I don't believe there is an issue of people being able to hack your identity from "pay at the pump", it's more that if you use a debit card the gas station can put a hold on it for a large sum of money that can cause your checks to bounce.

Actually it is quite common for hackers to install software at pumps where they steal people's credit card information when they stick the card into the pump. This is one of the most prominent ways for credit card information to be stolen.

 

[snarlingcoyote]

Your card can be "skimmed" at a pay at the pump gas station any time you use your debit card & punch in your pass code. All the skimmer has to do is be in the vicinity with their machine & have placed a device in the card reader. Happens quite frequently in our area - we're a tourist town. They also have a way of attaching skimming devices to ATMs. A few banks & grocery stores got hit during the spring & summer. The ideal thing is to use your debit card as a credit card everywhere unless you absolutely need cash back. Protects you - just ask your bank.

This is why gas stations and ATMS are supposed to use security tape every time the little door in the machine is opened or closed. To assure patrons that no one has plopped a little skimmer inside the machine.

Unfortunately, employees either don't understand or just don't care and seldom do this.

The ideal thing is to never ever use your debit card. Second best is to only use it at the bank (and even then, I prefer the local branch at our bank. That ATM is properly maintained.) Don't use stand-alone ATMs unless you absolutely have no other option. (Who put this up? Do you really trust unknown X?) If gas station swipes really do bother you or this fraud is bad where you live, pre-pay for your gas in the store.

 

[marynpaul]

I just got a call from the fraud dept of my citi card (that I used at target) a fraudulent charge done yesterday, Christmas Day for some gold cuff link store in china. They confirmed with me that I made no such charge. They are going to close my acct and reissue new cards.

 

[mrsklamc]

Target is 1000% at fault. It is nearly certain it was internal. They missed background checks on the front end, and double,triple , quadruple stoppers/ checkers on the back. They missed software, to detect things like this, and multiple serves/locations at least making the liss smaller if happening. They cheaped out on employees, costs, and servers and now they are paying...

Anyone who has this kind of inside knowledge of the investigation is not going to risk their six figure job posting it on an internet message board....and just so you know, if you're posting it with absolutely nothing but your own speculation, that's libel & defamation, & Target could sue you if they so chose.

 

[NotUrsula]

To be clear though, I don't believe there is an issue of people being able to hack your identity from "pay at the pump", it's more that if you use a debit card the gas station can put a hold on it for a large sum of money that can cause your checks to bounce.

Unfortunately, card info theft is a HUGE problem at gas pumps. There are two parts to the scam: first a pass-through card reader is placed over the original card reader. The pump will still work, but the info on the mag strip will be copied and stored by the device. The second part of the scam involves a small camera stuck high up somewhere, facing down toward the 10-key pad; that is used to capture PINs and associated zip codes for CCs. What tends to happen is that thieves will place these devices on a pump in the wee hours of the night when the station is understaffed, then come back a few days later and take them away.

That said, I still use CC's at gas stations all the time, but NEVER debit cards(Altough I do always eyeball the pump carefully looking for signs that "extras" may have been added). Getting a credit card straightened out after a hack is pretty easy, as long as you report it as soon as you see it, and you won't lose more than $50 if it happens. A hack against a debit account is a MUCH nastier kettle of fish, largely because the overdraft fees will bury you.

 

[IDoDis]

I received this email from Target earlier this evening:

"Dear REDcard holder,
Thank you for your patience with Target as we work through the breach of certain credit and debit card information at U.S. Target stores between Nov. 27 and Dec. 15, 2013. Due to high volumes to our call centers, we want to make sure that you have some key information.
We want you to know a few important things:

You do not need to call us unless you found charges on your account that you didnt make.

You will not be held liable for any fraudulent charges.

We have made changes to our REDcard fraud detection and authorization procedures to further protect you.

We are offering free credit monitoring for one year to every single person who was impacted by this crime. We will give you more information about that soon.
If you have concerns and would like to check your account online, visit Target.com/REDcard.

For additional questions, check Frequently Answered Questions on Targets corporate website.
We hope these resources help with your immediate needs. If you still feel you need to speak with someone by phone, you may call 866-852-8680.
Thank you for your continued support of Target.

Scott Kennedy, President, Financial Retail Services, Target"


Luckily I had not used my debit Redcard during the breech. I have been shopping there, but have been using a $200 gift card that I got when I sent in my iPad 1. What great timing to have a giftcard on-hand. I have about $50 left on the giftcard, so I might take some cash with me next time and see if I can get it added to the giftcard. I rarely carry cash and don't want to compromise my credit/debit cards, so this may be the best way to pay at Target for the next few months.

 

[snarlingcoyote]

Unfortunately, card info theft is a HUGE problem at gas pumps. There are two parts to the scam: first a pass-through card reader is placed over the original card reader. The pump will still work, but the info on the mag strip will be copied and stored by the device. The second part of the scam involves a small camera stuck high up somewhere, facing down toward the 10-key pad; that is used to capture PINs and associated zip codes for CCs. What tends to happen is that thieves will place these devices on a pump in the wee hours of the night when the station is understaffed, then come back a few days later and take them away.

That said, I still use CC's at gas stations all the time, but NEVER debit cards(Altough I do always eyeball the pump carefully looking for signs that "extras" may have been added). Getting a credit card straightened out after a hack is pretty easy, as long as you report it as soon as you see it, and you won't lose more than $50 if it happens. A hack against a debit account is a MUCH nastier kettle of fish, largely because the overdraft fees will bury you.

Actually, your information would have been correct a few years ago, but is a little bit out of date. The skimmers that are used now aren't detectable by the user. They're inside the machine. Open the lock, then insert skimmer, put everything back in place. Wait. Open the lock. (It's almost child's play to open those locks.) Remove skimmer, download data.

There is no way for you to know - that little piece of security tape that gas stations are supposed to use, but don't? That's the only small bit of trust you've got. (And honestly, not so sure I trust the gas station employees to actually know what a skimmer looks like when they change the paper out on the printers. . .)

It can happen to anyone. You either have to go into the store and pre-pay or you take the risk. I know we all like to think we can see things and take measures and be smarter than the average bear, but in this case, the risk is what it is.

 

[elgerber]

There is no way for you to know - that little piece of security tape that gas stations are supposed to use, but don't? That's the only small bit of trust you've got. (And honestly, not so sure I trust the gas station employees to actually know what a skimmer looks like when they change the paper out on the printers. . .)

.

My Costco station actually does use the tape on their pumps.

 

[sweetdana]

1) the person you are quoting is saying there is no way to know whether target had anything to do with OPs fraud, not that they are faultless in the fraud committed in their stores.

2) You seem to have a lot of knowledge about what caused the breaches; can you cite a source for all these things you're saying they dropped the ball on?

http://www.csoonline.com/article/744905/inside-knowledge-likely-in-target-breach-experts-say

http://www.techhive.com/article/208...ly-involved-inside-knowledge-experts-say.html
here are 2 IT sources.

 

[sweetdana]

What are you referring to? Internal Controls that weren't followed? Improperly configured firewalls that weren't checking for port egress? Security software on the servers used for change management? Something else? "Stoppers/checkers" doesn't tell us anything, I'm afraid.

Any/all of these.

Could be they didn't use background checks to hire their security/IT professionals, could be they did not monitor the activities, could be they did not have software in place to allow 1 person to have access to this without someone watching over and making sure data was not uploaded/downloaded internally.. There are a lot of possibilities; however they are all due to lack of oversite, and allowance of someone to do this without being spotted. This should have been stopped instantly, and it wasn't until the cards were dead and gone.

IMO, they should have software in place to detect info leaving.. and they didn't.

 

[JB2K]

Can you tell us which 'certain pay at the pump gas stations to avoid" and any restaurants you are aware of? All this is so scary!!

Actually, yes...

As for the gas stations, generally, it's the small, independent convenience stores which may or may not sell a major brand of gasoline.

Generally, the better gas pumps to stick your card in will come from larger c-store chains, such as Circle K, QT, or WaWa (or major grocery/warehouse club stores), as they will always have a security sticker on the pump meaning the card reader wasn't removed/tampered with by an outsider.

As for restaurants, dishonest wait staff will work for anyone, so there's no easy answer, there -- I suggest going "cash only" in any situation where your plastic must leave your hands/sight.

 

[JB2K]

Could be they didn't use background checks to hire their security/IT professionals, could be they did not monitor the activities, could be they did not have software in place to allow 1 person to have access to this without someone watching over and making sure data was not uploaded/downloaded internally.

Target "pink-slipped" all their U.S. IT staff (Minneapolis), a few years ago and sent all those jobs to India.

Not saying an Indian national is less honest than an American worker, but it makes me wonder if India has the ability to detect such a sophisticated "riff-raff" in the U.S. stores?

Just sayin'...

 

[JB2K]

This has been an interesting thread, and I have taken-away from most of the comments that those of you who don't think "Pay at the Pump" is a problem with card fraud, are the same people who won't take a extra minute or so of your time and take care of the transaction insde the store/at the hut. Unfortunately, the (shady) people with the skimmers are counting on those who will still pay at the pump, no matter what...

A good "end-all" would be if U.S. credit/debit cards (and retailers) adopted the "EMV" technology (it's a gold chip on the front of the card which contains all kinds of encrypted card info and is far safer than a 1980's-era magnetic strip).

But to make that happen, both the big and small banks, large retailers, and mom-and-pop shops would have to completely scap the current system and invest in all-new technology. It's already happened in Europe, and is coming to Canada -- I would hope in the wake of this Target fiasco, we may see a move to finally adopt to this technology in the U.S.

 

[mrsklamc]

http://www.csoonline.com/article/744905/inside-knowledge-likely-in-target-breach-experts-say

http://www.techhive.com/article/208...ly-involved-inside-knowledge-experts-say.html
here are 2 IT sources.

These say nothing remotely close to the claims you made. You made specific accusations about multiple things you claim they failed to do. These are just articles that claim it was 'likely' an inside job.

 

[Sadie22]

This is why gas stations and ATMS are supposed to use security tape every time the little door in the machine is opened or closed. To assure patrons that no one has plopped a little skimmer inside the machine.

Unfortunately, employees either don't understand or just don't care and seldom do this.

The ideal thing is to never ever use your debit card. Second best is to only use it at the bank (and even then, I prefer the local branch at our bank. That ATM is properly maintained.) Don't use stand-alone ATMs unless you absolutely have no other option. (Who put this up? Do you really trust unknown X?) If gas station swipes really do bother you or this fraud is bad where you live, pre-pay for your gas in the store.

Thieves have managed to attach skimmers at more than one ATM at local branches of a well-known national bank over the past few years. We can't assume that ATMs are safe even if they are right at the bank branch in a busy area.

 

[wekhogan]

These say nothing remotely close to the claims you made. You made specific accusations about multiple things you claim they failed to do. These are just articles that claim it was 'likely' an inside job.

100% Agree. It's one thing to have an opinion, but quite another to just throw slanderous claims out there willy nilly. Target has said they'll cover any false charges on their cards, and are going to provide credit protection.

Similar thing happened a few years ago with Playstation - in that one, over 70 million accounts were hacked and personal details stolen, and Sony provided credit protection for a year.

 

[snarlingcoyote]

My Costco station actually does use the tape on their pumps.

Then definitely buy your gas at the Costco. Around here, all the pumps have tape, but it's never, ever current. How much work is it to take the security tape with you and stick a new piece on when you replace paper in the printer? I mean, really.

<sigh>.

 

[snarlingcoyote]

http://www.csoonline.com/article/744905/inside-knowledge-likely-in-target-breach-experts-say

http://www.techhive.com/article/208...ly-involved-inside-knowledge-experts-say.html
here are 2 IT sources.

Those are some guys who got paid some money to blow smoke up people's bottoms.

Everyone I know in IT Security has a guess as to how it took place. How did it actually happen? That will have to wait.

As for it being an inside job? Seriously. No. It might have been, but it just as easily might not have been. My own thoughts tend. . .well. Not to an inside job, to be honest. And I don't even see a lot of evidence it was a failure of Target's controls.

I mean, look at poor Minyard!

 

[luvmikids]

Right now I don't believe anything target is saying. If you used any card debit or credit save yourself the worry and get a new card. Who is to say when you will be a victim. Why go through the trouble of waiting them having to clean up a mess after.

 

[trip]

I did use a credit card during the period of the stolen data. Haven't noticed any fraudulent charges. Not too worried, the card company will cover.

I wonder if they will be able to tell the locations of the stores that were affected. As many as 40,000 cards over 19 days with Target having 1797 stores. Wonder what are the odds are of having your information stolen??? Who discovered the problem - the card companies or Target?