Home Depot Investigates a Possible Credit Card Breach

Home Depot said on Tuesday that it was investigating a report that customer credit and debit card data was stolen from its systems and put up for sale online.

The retailer issued a statement after Brian Krebs, an independent security reporter, said that multiple banks had pointed to Home Depot as the potential source of a large data breach. The company said it was working with law enforcement authorities and banks on the matter.

Reuters: Hacked Retailer Customer Data Related to Outdated Magnetic Stripes, Retailers Look to Chip and PIN

(Reuters) – A top retail trade group executive on Sunday called for tougher security standards that could mean more spending for the industry, its banks and business partners after a series of data breaches at major merchants.

For years, stores and card-processing companies have reported a steady stream of security breaches, such as those disclosed by TJX Cos in 2007 and by Heartland Payment Systems Inc in 2009, without a major backlash from consumers.

But the latest thefts – including attacks on Target Corp and Neiman Marcus – have involved a broad set of merchants and could mark a watershed moment for security standards as calls grow for changes in the protection of consumer information.

One sign of the change is a new enthusiasm for payment cards that store customer information on computer chips and require users to type in personal identification numbers.

Mallory Duncan, general counsel of the National Retail Federation that represents Target, Wal-Mart and other big stores, said in an interview on Sunday that the trade group encouraged its members to upgrade to the higher-security cards even though they cost more than old systems that store data on magnetic stripes.

The breaches are “unfortunate but we’re not entirely surprised,” Duncan said at his organization’s annual convention now being held in New York.

“The technology that exists in cards out there is 20th-century technology and we’ve got 21st-century hackers,” he said.

Duncan said the trade group had only made its backing for the higher-security cards public since the Target breach. Banks have quietly begun to offer the cards but mainly for customers to use while traveling. Big U.S. card networks led by Visa Inc will not require the higher security until next year at the earliest.

It is not clear the new “Chip-and-PIN” cards would have prevented the breaches at Target and elsewhere. At the very least they make stolen data harder to re-use, a reason the technology has caught on widely in Europe and Asia: the chip authorizes each purchase with a one-time cryptogram, so data captured at the terminal cannot be replayed to clone the chip, although the card number and expiry date can still be used for online purchases where no physical card is presented.

Investigators believe that hackers used malware on store checkout systems that captured the magnetic-stripe data of customers’ payment cards as they were swiped. Since Target’s disclosure the more upscale store chain Neiman Marcus has said it also suffered an attack, and sources have told Reuters that at least three other well-known U.S. retailers have been breached but not come forward.
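To show why copied stripe data is re-usable while a chip transaction is not, here is an added example (not from Reuters, the card networks or any retailer named above): a toy issuer that authorizes on static track-2 data, next to a simplified EMV-style flow in which the card MACs every transaction with a key that never leaves the chip. The account number, key, transaction counter and the HMAC-SHA256 “cryptogram” are constructed stand-ins; real EMV derives 3DES/AES session keys from the counter and master key, but the replay-resistance argument is the same.

```python
import hashlib
import hmac
import secrets

# Constructed card data for the demonstration (not a real account number).
PAN = "4000123412341234"
TRACK2 = PAN + "=2512101"   # PAN, expiry (YYMM) and service code, as stored on the stripe


class MagstripeIssuer:
    """Authorises against static track data: anyone presenting a matching copy is 'the card'."""

    def __init__(self, track2):
        self.on_file = track2

    def authorise(self, presented_track2, amount):
        return presented_track2 == self.on_file


def _cryptogram(key, pan, amount, atc, unpredictable_number):
    """Stand-in for the EMV application cryptogram: a MAC over the transaction data."""
    msg = f"{pan}|{amount:.2f}|{atc}|{unpredictable_number}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class ChipCard:
    """Simplified EMV-style card. The key never leaves the chip; each transaction gets a
    fresh cryptogram over the amount, the card's transaction counter (ATC) and the
    terminal's random challenge (the 'unpredictable number')."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0

    def generate_cryptogram(self, amount, unpredictable_number):
        self.atc += 1
        return {
            "pan": self.pan, "amount": amount, "atc": self.atc,
            "un": unpredictable_number,
            "arqc": _cryptogram(self._key, self.pan, amount, self.atc, unpredictable_number),
        }


class ChipIssuer:
    """Issuer host: holds the same key as the card and the last ATC it accepted."""

    def __init__(self, pan, key):
        self.keys = {pan: key}
        self.last_atc = {pan: 0}

    def authorise(self, cryptogram, terminal_un):
        pan = cryptogram["pan"]
        key = self.keys.get(pan)
        if key is None:
            return False
        if cryptogram["atc"] <= self.last_atc[pan]:   # counter did not advance: a replay
            return False
        if cryptogram["un"] != terminal_un:           # not bound to this terminal's challenge
            return False
        expected = _cryptogram(key, pan, cryptogram["amount"], cryptogram["atc"], cryptogram["un"])
        if not hmac.compare_digest(expected, cryptogram["arqc"]):   # altered or forged
            return False
        self.last_atc[pan] = cryptogram["atc"]
        return True


def magstripe_demo():
    """Malware on the checkout system copies track 2 during a swipe; the copy works anywhere."""
    issuer = MagstripeIssuer(TRACK2)
    skimmed = TRACK2                       # exactly what memory-scraping malware captures
    return issuer.authorise(skimmed, 99.00)


def chip_demo():
    """The same malware captures one chip cryptogram; replaying or altering it is rejected."""
    key = secrets.token_bytes(16)          # card-unique key shared only with the issuer
    card, issuer = ChipCard(PAN, key), ChipIssuer(PAN, key)
    un1 = secrets.randbits(32)
    genuine = card.generate_cryptogram(25.00, un1)
    accepted = issuer.authorise(genuine, un1)                 # the real purchase
    replayed_same_terminal = issuer.authorise(genuine, un1)   # ATC already consumed
    un2 = (un1 + 1) % 2**32                                   # a different terminal's challenge
    replayed_elsewhere = issuer.authorise(genuine, un2)       # stale ATC and wrong challenge
    tampered = dict(genuine, amount=999.00, atc=genuine["atc"] + 1, un=un2)
    forged = issuer.authorise(tampered, un2)                  # MAC no longer verifies
    return accepted, replayed_same_terminal, replayed_elsewhere, forged


if __name__ == "__main__":
    print("magstripe copy accepted:", magstripe_demo())
    print("chip: genuine, replay, replay elsewhere, tampered ->", chip_demo())
```

The caveat the article hints at is visible in the model: the chip protects the transaction, not the account number. The PAN and expiry still leave the card in the clear, so they remain usable for card-not-present fraud, and any terminal that falls back to reading the magnetic stripe keeps the static data alive.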

http://www.reuters.com/article/2014/01/13/us-target-databreach-retailers-security-idUSBREA0C09O20140113

How Did Target Miss Up to 70 Million More Hacking Victims?

“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” Gregg Steinhafel, Target’s chairman, president and chief executive, said in a statement. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”

Friday’s announcement is the result of an ongoing investigation into the security breach, Target said. The company is working with the Secret Service and the Department of Justice to determine who was behind the attack. Spokesmen at the Secret Service and the Justice Department declined to comment on the investigation.

Target’s problems reflect a crisis in how customer data is protected, analysts said.

“It’s a little frightening. These bad guys are getting into some of the most secure retailers’ networks, and I’m sure it’s not going to stop at Target,” Litan said. “We need a fundamentally different paradigm here for how we manage security.”

But, with few details emerging about how the crime against Target was committed, it’s hard to say what solutions could have prevented this particular breach.

Shoppers whose personal and financial data was stolen — the exact number is unclear — are at higher risk of falling victim to scams or having their information misused. Target said the two types of data, the payment-card records and the customer contact details such as names and mailing addresses, are not linked within its system.

But consumer advocates point to the fact that Target is an industry leader at data mining, the practice of analyzing customers’ information to find out more about their preferences and shopping habits.

“That makes this breach all the more frightening,” said Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, an advocacy group. The volume of information Target has on its customers raised the stakes, he said.

Experts said that with names and mailing addresses, thieves can use the credit cards for online purchases that require that information. On top of that, they can try to trick people into providing even more sensitive information, such as Social Security numbers, or hack into their computers.

The company said it doesn’t know how many customers have found fraudulent charges on their credit or debit cards, but individual stories and lawsuits are beginning to crop up across the country.

A California shopper filed a lawsuit against Target last month and hopes to include other shoppers in a class-action case. Last week, a credit union in Alabama also took action against Target, seeking compensation for costs that would arise from issuing customers new cards, as well as any fraudulent charges.

http://www.washingtonpost.com/business/economy/target-says-70-million-customers-were-hit-by-dec-data-breach-more-than-first-reported/2014/01/10/0ada1026-79fe-11e3-8963-b4b654bcc9b2_story.html

Neiman Marcus Not Very Forthcoming Regarding Hacked Customer Financial Data

Neiman Marcus confirmed Saturday that its customers are at risk after hackers breached the Dallas company’s servers and accessed the payment information of those who visited its stores.

The firm has offered few concrete details about the scope of the attack, such as what data were taken or how many customers may be at risk. Nor did it say whether data from any of the other retailers it operates — including Bergdorf Goodman, Horchow, Cusp and Last Call — were affected. In a statement, Neiman Marcus said it was informed of the breach in mid-December by its credit card processor and subsequently informed law enforcement officials, including the Secret Service. The company is taking steps to contain the breach and has “taken significant steps to further enhance information security,” the statement said.

Neiman Marcus spokeswoman Ginger Reeder declined to provide further information on the attack. A spokesman for the Secret Service also declined to comment.

The company apologized to its customers for the breach through messages on its Twitter feed and said that it is working to notify those whose cards were used fraudulently after visits to Neiman Marcus stores.

http://www.washingtonpost.com/business/technology/neiman-marcus-confirms-data-breach-offers-few-details/2014/01/11/56c6dc7e-7ae1-11e3-af7f-13bf0e9965f6_story.html?tid=hpModule_88854bf0-8691-11e2-9d71-f0feafdd1394

Alert from Hacker News: Some Outdated WordPress Blogs Used in DDOS Attacks

In the past we have reported on many such cyber attacks, where attackers hacked into WordPress blogs using password brute-force attacks or used the pingback vulnerability in older versions of WordPress without compromising the server.

WordPress has a built-in feature called Pingback, exposed through its XML-RPC interface as the pingback.ping method, which lets anyone make a WordPress site issue a request to an arbitrary URL; a single machine can therefore direct many blogs to originate millions of requests from multiple locations.

We have seen more than 100,000 IP addresses involved in the recent DDOS attack, and the victim’s forum website received more than 40,000 requests in 7 minutes from different WordPress blogs and IP addresses.
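As an added example (not part of the Hacker News report), the script below picks pingback reflection out of a web server’s access log. It keys on the User-Agent WordPress sends when it fetches a page to verify a pingback, “WordPress/<version>; <blog URL>; verifying pingback from <IP>”, where the trailing address is the client that submitted the pingback.ping call to that blog, i.e. the machine driving the attack; older releases that send only “WordPress/<version>; <blog URL>” are counted under “unknown”. The log lines, hostnames and addresses are constructed, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (Apache "combined" format) for a forum being hit by
# pingback reflection. Hostnames and addresses are hypothetical.
SAMPLE_LOG = """\
198.51.100.10 - - [13/Jan/2014:10:02:01 +0000] "GET /forum/?p=123 HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-a.example; verifying pingback from 203.0.113.5"
198.51.100.11 - - [13/Jan/2014:10:02:01 +0000] "GET /forum/?p=123 HTTP/1.0" 200 5120 "-" "WordPress/3.7.1; http://blog-b.example; verifying pingback from 203.0.113.5"
198.51.100.12 - - [13/Jan/2014:10:02:02 +0000] "GET /forum/?p=123 HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-c.example; verifying pingback from 203.0.113.5"
198.51.100.10 - - [13/Jan/2014:10:02:02 +0000] "GET /forum/?p=124 HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-a.example; verifying pingback from 203.0.113.5"
198.51.100.13 - - [13/Jan/2014:10:02:03 +0000] "GET /forum/?p=123 HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-d.example; verifying pingback from 203.0.113.5"
198.51.100.14 - - [13/Jan/2014:10:02:03 +0000] "GET /forum/?p=123 HTTP/1.0" 200 5120 "-" "WordPress/3.4.2; http://blog-e.example"
198.51.100.20 - - [13/Jan/2014:10:02:05 +0000] "GET /forum/?p=200 HTTP/1.0" 200 4096 "-" "WordPress/3.8; http://friendly-blog.example; verifying pingback from 192.0.2.77"
192.0.2.99 - - [13/Jan/2014:10:02:06 +0000] "GET /forum/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/26.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# WordPress identifies itself as "WordPress/<version>; <blog url>" and, when fetching a
# page to verify a pingback, appends "; verifying pingback from <ip of the xmlrpc client>".
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[\d.]+); (?P<blog>\S+)'
    r'(?:; verifying pingback from (?P<origin>\S+))?$'
)


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ua = PINGBACK_UA_RE.match(rec["ua"])
    rec["wordpress"] = ua.groupdict() if ua else None
    return rec


def find_pingback_reflection(log_text, min_reflectors=3, min_rate=1.0):
    """Group WordPress fetches by the address that triggered them and flag origins that
    drive at least min_reflectors distinct blogs at min_rate requests/second or more."""
    by_origin = defaultdict(lambda: {"blogs": set(), "clients": set(), "hits": 0, "times": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["wordpress"] is None:
            continue
        wp = rec["wordpress"]
        entry = by_origin[wp["origin"] or "unknown"]
        entry["blogs"].add(wp["blog"])
        entry["clients"].add(rec["client"])
        entry["hits"] += 1
        entry["times"].append(rec["time"])
    alerts = []
    for origin, e in by_origin.items():
        span = (max(e["times"]) - min(e["times"])).total_seconds()
        rate = e["hits"] / max(span, 1.0)
        if len(e["blogs"]) >= min_reflectors and rate >= min_rate:
            alerts.append({"origin": origin, "reflectors": len(e["blogs"]),
                           "reflector_ips": sorted(e["clients"]), "hits": e["hits"],
                           "rate_per_second": round(rate, 2), "blogs": sorted(e["blogs"])})
    return sorted(alerts, key=lambda a: a["hits"], reverse=True)


if __name__ == "__main__":
    for alert in find_pingback_reflection(SAMPLE_LOG):
        print(f"{alert['origin']}: {alert['hits']} hits via {alert['reflectors']} blogs "
              f"({alert['rate_per_second']}/s)")
```

Grouping on the “verifying pingback from” address collapses a flood from thousands of reflector IPs into one entry that points at the originator, which is what an operator wants to block or report. At the edge, matching that User-Agent pattern is a cheap way to drop the reflected traffic; blog owners who do not need pingbacks can remove the pingback.ping method from the list WordPress exposes through its xmlrpc_methods filter.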

http://thehackernews.com/2013/12/ddos-attacks-originated-from-thousands.html

Christmas Came Early For Hackers: 2 Million Social Media Accounts Hacked, Big U.S. Bank Data Stolen

Hackers Stole 2M Facebook, Google Passwords: How to Protect Your Accounts

Dec. 5, 2013

Any time you logged into Facebook, Google, Twitter, or a host of other popular web services the past month, there may have been a hacker peering over your digital shoulder, sneaking a peek at your password.

The information security company Trustwave has revealed that the passwords to 2 million different accounts have been compromised. The malware program Pony forwarded the vast majority of the passwords to a central server in the Netherlands.

John Miller, security research manager at Trustwave, said that the hack wasn’t due to a flaw in any of those companies’ servers. “It was the individual users’ computers that had the malware installed on their machine,” he told ABC News. He adds that the unnamed hackers were most likely motivated by profit. “These passwords were never publicly posted. We can’t say for sure, but [the hackers] were probably going to sell them.”

http://abcnews.go.com/Technology/hacker-group-stole-million-stolen-facebook-google-passwords/story?id=21109910

 

JPMorgan Chase Hacked: 465,000 Card Users’ Data Gone

JPMorgan Chase, one of the world’s biggest banks, recently announced that it was the victim of a cyber attack and warned around 465,000 holders of its prepaid cash cards of the possible exposure of their personal information.

In the breach, which took place on the bank’s website www.ucard.chase.com in July, around 465,000 accounts were compromised, about 2% of the 25 million UCard users. JPMorgan said there is no risk to holders of its debit cards, credit cards or prepaid Liquid cards.
 
The bank notified law enforcement in September; so far no information on how the attackers carried out the attack has been disclosed.

http://thehackernews.com/2013/12/JPMorgan-Chase-bank-card-hacked_5.html 

FBI Threatened Lavabit to Turn Over SSL Keys to ALL User Email Accounts

Lavabit owner Ladar Levison told RT that he had no choice but to close his email service because the FBI, in pursuit of NSA whistleblower Edward Snowden, forced him into an ethical dilemma by demanding he hand over customers’ personal data.

RT: The FBI demanded you hand over encryption codes to collect data from a specific account that is not named in the documents. What was your initial response?

Ladar Levison: That’s actually not correct. What they demanded were the SSL keys that were protecting all the data coming in and out of my network for all of my users, and that’s what I had an issue with. I’ve said before that I took the stance that I did not to try and protect a single person but because I was concerned about the invasion and the sacrificing of everyone’s privacy rights that were accessing my system.

RT: We were led to believe that you had been threatened to be charged with criminal contempt if you did not comply. Do you feel those threats would have eventually become reality if you didn’t follow suit?

LL: Oh, I know they would. In fact they went on to charge me $5,000 a day for every day that I didn’t turn over those keys, which is why I was eventually forced to hand them over. Given the difficult choice of remaining silent about what I thought was a grave injustice or taking, like you said, the lesser of two evils and shutting down the service, I just wasn’t comfortable knowing that they were examining all the data that was coming in and out of my network without any kind of transparency or auditing by myself to ensure that they were only collecting the information they were legally authorized to, and continuing to run the service with that knowledge. So I made the only decision I felt was appropriate. In terms of being arrested, I think the only reason they didn’t is because if they had, the system would have had nobody to maintain it. That’s one of the advantages of being a small business owner, you wear many hats.

 

http://rt.com/usa/govt-implications-internet-control-lavabit-752/