Target stores hit by data breach affecting 40 million cards

108 points by oulipian, over 11 years ago

21 comments

jrochkind1, over 11 years ago
> We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).

https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca

CVV/CSC, eh? The whole point of CSC is it should be non-stored and therefore much harder to steal than the CC#, right? Apparently that didn't work. Has CSC accomplished anything other than giving users more random-looking numbers they have to enter in online forms?

geolisto, over 11 years ago
When I read about massive data breaches such as these it makes me wonder why we don't have a system in place to where we as the customer can generate a unique authorization code for a one-time charge to our cards without having to actually reveal our credit card information.

It's bad enough that someone can buy a card reader and walk down a sidewalk and capture credit card data by just being within a few feet of someone.

maxerickson, over 11 years ago
Brief earlier discussion: https://news.ycombinator.com/item?id=6930258

Target says the data is limited to cards used in the U.S. during the last few weeks:

https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca

Lagged2Death, over 11 years ago
Can't get to the Target Visa site (http://rcam.target.com) even though downforeveryoneorjustme.com says it's up. Hm.

A few years ago, the Target Visa card had actually pioneered a move toward chipped credit cards. My Target card was the only chipped credit card I had, though, and AFAIK even my local Target stores were never equipped with chip-reading card readers. When my card expired, the replacement didn't have a chip.

It bothers me very much to realize that even though there was nothing I reasonably could have done to protect myself (except avoid credit cards entirely), this will ultimately be my problem to deal with. Not Target's problem. Not really. Not in the same way that it's mine.

*I'm* expected to "take... steps ... to protect [myself] against potential misuse of [my] credit and debit information." [1]

I realize that this is just the way the system works, but why does it work that way? The credit card system, instead of making the investments necessary to really secure credit card transactions, has externalized much of the tricky fraud-detection work onto the card users.

[1] https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca

jusben1369, over 11 years ago
FWIW here's the best early analysis I've seen from an industry perspective: http://blogs.gartner.com/avivah-litan/2013/12/19/what-can-we-learn-from-the-target-breach/

mml, over 11 years ago
Reminds me of when Best Buy discovered people wardriving their parking lots and plucking CC#'s out of the air via their unencrypted, wireless POS network. Surprised Target got hit, they're pretty rabid about security/loss prevention (internal and external).

tibbon, over 11 years ago
How does PCI compliance not cover these things? Is Target liable for losses here?

It would seem to me that if you can't secure the data, you shouldn't keep it (which is the reason I use stuff like Stripe. I don't want to see the card number).

rwhitman, over 11 years ago
My wife just got the Target Red debit card a few weeks ago, after a number of protests from me about security loopholes. She seemed to think getting 5% off of all purchases for bestowing the ability to a 3rd party to deduct money from your bank account at will is worth the risk of someone maliciously draining your bank account one day. Going to use this for a bit of "I told you so" nagging today.

eugmill, over 11 years ago
Anybody have any idea if there is a way to tell if your card was part of the breach? I have a family member who shopped at Target during the dates mentioned.

I'm wondering what percentage of transactions were affected. Is 40 million 90%? 50%? There's no way to tell. It'd be nice if we knew whether or not to report it to the bank.

dude3, over 11 years ago
The funny thing is the day that this was happening they were trying to sign me up for their checking account program. Where I give them my checking account info and I save 5% on every purchase. They gave me the hard sell too and wouldn't quit. I then conveniently typed in my PIN so I'm f'd.

ck2, over 11 years ago
Theft like this can happen on even the most secure designs but why did it take TWO WEEKS to be discovered?

tokenadult, over 11 years ago
I've never liked Target for its intrusive tracking of customer spending[1] through their branded credit cards and other loyalty card schemes, because those never add any value for me. (I grew up shopping at the third Target store in the whole country, my sister used to work at Target, and we live a short walk from a Super Target, but the company's emphasis on gathering data over genuine customer service[2] turns me off.) Because Target is the closest brick and mortar store to our house for many kinds of items, we still buy things there. I usually try to pay in cash. I'll have to check our credit-card records [sigh] and see what's going on in our accounts.

[1] http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/

[2] Personal anecdote alert: Target once had an in-house captive brand (not a Target brand, but a brand available in no other store) of "oven bakeware" that didn't even meet the Uniform Commercial Code warranty of merchantability, as it would shatter if you used it in an oven to bake something. We found that out just before a meal when we were all hungry. The local store gave us all kinds of run-around about simply refunding our money for the defective product. That was ill-timed for Target, as one of my wife's students had just given us a gift certificate for Sam's Club, and we discovered that the much-maligned Sam's Club is better about returns and about customer service in general than Target. We have shifted THOUSANDS of dollars a year from Target, my home-town store I grew up with, to Sam's, the store everyone is inclined to decry, in the years since then. When a store sells a defective product and doesn't make that right, I don't give it a lot of second chances. (My sister's former job at Target was to be a buyer, and she thought that if a Target buyer screws up and purchases a bad product, Target should make that right, period.)

By contrast, I recently bought what was labeled as an "Epson ink-jet printer cartridge" through a third-party seller on Amazon, and when the product arrived it was labeled "Not an OEM product," and plainly wasn't identical to an actual Epson printer cartridge. I contacted Amazon about the purchase, and an Amazon representative said my money would be refunded and I didn't have to return the product. That is the way to use big data to build a better customer experience--Amazon could verify how the product was labeled on its site, and perhaps had another customer complain to verify that I wasn't making this up. Amazon consistently treats me like my user experience is more important than Amazon's next-quarter bottom line, and that builds immense customer loyalty for me.

swalsh, over 11 years ago
I worked for Stores Development at Target about 6 years ago. Honestly, this really surprises me. After the JCPenney incident, anything security related practically got rubber stamped.

smokinjoe, over 11 years ago
Any long-term parking vets here?

I didn't take a ticket and instead swiped my CC to get into the lot. They repeatedly mentioned to *don't lose your card* since the day I left is tagged to it (I assume).

Given the chaos of this, I probably won't even get my new card until I'm back from vacation.

Does anyone know if all I need is another card with my name on it or if I can just allow for 30-60 minutes of searching through records to locate my original swipe in?

JimmaDaRustla, over 11 years ago
Another reason for EMV compliance. The track data is stored on the magnetic stripe, which shouldn't even be stored on the machine, but it is for some reason.

Also, PCI Compliance - personal information should not be stored unencrypted when at rest or when being transferred.

traeregan, over 11 years ago
/me calls credit card company.

Cort3z, over 11 years ago
You could say they were a target of the breach.

All joking aside, this isn't good. Does this mean a lot of other stores are in the danger zone as well? I know a lot of stores use the same software to run their everything.

zimbatm, over 11 years ago
If payments could be initiated from a smartphone, the attack surface would be the phone, the bank. Not every shop or website where you enter your credit card details.

carsonreinke, over 11 years ago
I still do not understand why they would have to store the credit card instead of just storing an authorization and transaction number.

almost_started, over 11 years ago
Well, they are sort of asking for it with a name like "Target", and a giant red bullseye painted on every fricken store!

mpg33, over 11 years ago
Another reason why Bitcoin (or something like it) does have legitimate benefits...