Email Attack on Vendor Set Up Breach at Target

The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation.

Last week, KrebsOnSecurity reported that investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa. Multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.

02-15-2014 18:02

With data vulnerable, retailers look for tougher security

(Reuters) - A top retail trade group executive on Sunday called for tougher security standards that could mean more spending for the industry, its banks and business partners after a series of data breaches at major merchants.

Stores and card processing companies have reported a steady stream of security breaches for years without a major backlash from consumers, such as those disclosed by TJX Cos in 2007 and by Heartland Payment Systems Inc in 2009.

But the latest thefts - including attacks on Target Corp and Neiman Marcus - have involved a broad set of merchants and could mark a watershed moment for security standards as calls grow for changes in the protection of consumer information.

One sign of the change is a new enthusiasm for payment cards that store customer information on computer chips and require users to type in personal identification numbers.

01-13-2014 17:37

Target Struck in the Cat-and-Mouse Game of Credit Theft

SAN FRANCISCO — Target may have been an easy bull’s-eye for criminal hackers intent on stealing credit card information, but the theft of records for 40 million store customers was hardly the worst security breach among big retailers in recent years. And the incident revealed on Thursday is unlikely to be the last.

Security experts say the Target hack is a reminder of security problems facing many retailers that won’t easily go away: There are weaknesses in the way payment information travels between retailers and banks. There is plenty of money to be made on the black market selling stolen credit card numbers, which can go for as little as a quarter or as much as $45 each. And American companies have been reluctant to adopt smart-chip cards, a type of credit card widely used in Europe that provides better security.

Target said that from Nov. 27 to Dec. 15 hackers stole customer names, credit or debit card numbers, expiration dates and three-digit security codes for 40 million customers who had shopped in its stores. It is currently working with a forensic team from Verizon to investigate the breach, according to one person involved in the inquiry. But there was no word as to who was behind the attack, how they got in, or what the total cost to Target may be. Thursday, visitors to the retailer’s website found a site festooned in red and green save for a stark black-and-white security notice at the top. Complicating matters, Target was hit during the holiday shopping season, when fraud detection systems have a hard enough time telling legitimate transactions from fake ones.

“This is the perfect storm” for vulnerability to hackers, said Paul Kocher, president of Cryptography Research, a company that develops technologies to prevent fraud.

12-20-2013 16:38