A few security lessons from the Target breach

    #493011


    TOP STORY


    A few security lessons from the Target breach

    By Susan Bradley

    The Target breach points out some facts of life on the Web: We’re all targets (pun intended) of cyber thieves.

    Fortunately, there are steps we can take to protect ourselves. Here’s how to protect yourself from the next big breach.


    The full text of this column is posted at http://windowssecrets.com/top-story/a-few-security-lessons-from-the-target-breach/ (opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1435213

      I think you’ll find that a large proportion of POS systems (I’m not up on ATM software) actually use a POS specific version of the relevant Embedded OS. We use POSReady 2009 which actually is supported to 2019 – and is based on XP Embedded. The moot point however is that I reckon AV vendors will stop pattern file distribution well before then.

    • #1435255

      Perhaps the best way to prevent POS issues is to use cash if at all possible. Inconvenient, and you sometimes get odd looks, but I got through years of international travel, and a purchase at Target during the period in question, with no problems. By contrast, I have a credit card used only for on line purchases. It has been compromised, and reissued twice in the past 5 years.

    • #1435262

      I have read a lot about the Target scam, and understand that they were not using the most effective preventive software. That is probably understandable, if not acceptable, for a big merchandiser. I have, however, read very little about the other really big theft from Adobe. At least 20 million card numbers stolen (including mine). One might imagine that a big software tech company — pdf, Acrobat, Photoshop, etc. — might at least be up to date on its security software!!! Target has taken its lumps; Adobe has been largely ignored. Why?

    • #1435264

      In addition to monitoring your credit card statements, many credit card companies will allow you to set up alerts when charges over a certain amount are charged. Set this limit low and you will be notified almost immediately when any charge is made. A lot of times I get an email before I even leave the store telling me about a charge I just made. This acts like a proactive approach to monitoring your credit cards and allows for very fast fraud detection.

      • #1435817

        Alerts are nice, but they only offer after the fact notifications when something untoward has already happened. I prefer methods which close the barn door before the horses get out, so to speak.

        -- rc primak

        • #1435820

          At Target, my policy has always been to pay cash for small purchases, and reserve the credit card for amounts which would not be convenient or safe to carry around as cash.

          But it wasn’t at Target that I got burned on a credit transaction. At another retailer not noted for good POS security, I used my card and it appears some info was skimmed during the transaction. The card never left my sight, so the method must have been pretty clever. Shortly after the card transaction, I noticed that there was an Apple iTunes Account opened of which I was entirely unaware, and it was billing my bank account. The timing and other details were too close to be coincidence.

          Apple was partly to blame, as they never match personal info with bank account info submitted when opening iTunes accounts linked to bank accounts. And the banks also don’t cross-reference when approving automatic withdrawals. The same sort of breach happened to me when I was banking with another bank, and I eventually closed all my accounts with them because the bank was so uncooperative with the fraud investigation.

          Both breaches happened at well-known national chain retailers not mentioned in the Target news reports. Sleight of hand seems to be part of the basic skill set at some retailers and some grocers.

          So it doesn’t take malware to cause a breach. All it takes is one dishonest cashier with a little tech knowledge or a corrupt insider contact, and a vulnerable system can be thrown wide open. People with our social behaviors are still the weakest security link.

          In all fairness, very small numbers of retail cashiers are dishonest in my experience. Most are hard working and have few benefits. I have no intention of smearing all with the same brush.

          -- rc primak

    • #1435275

      The article missed my favorite safeguard: freeze your credit. (Google “security freeze”, and follow the links to the official sites of Experian, Equifax and TransUnion.)

    • #1435276

      Excellent info, thanks. It mentioned checking your credit report from Experian, etc. but you’re limited to 3 free reports per year. Better yet is to sign up for a credit monitoring service that sends you an email for every event in your credit. I’ve been using http://www.creditsesame.com which is free and recommended by AARP and also includes free credit scores.

      • #1435819

        Fine print alert — this service only monitors one of the three credit reporting companies. If you want all three, it’s not free. I am also an AARP member, and I’ve checked into this and other offers. They’re good, but there’s always some catch which ends up costing more money than not using the “discounted services” offered through AARP. My membership is for political influence, not for any of their discounts.

        -- rc primak

    • #1435297

      Interesting article for a Canadian. I hadn’t realized the chip cards had not been rolled out in the US. They were gradually replaced on expiry a few years ago here. A lot of places don’t take cheques anymore either.

      Fully agree on the travel credit card. In fact I’ve shifted to using one almost entirely for credit transactions. Especially for travel and online. It became clear using a credit card was essentially taking a debt against future earnings and was limiting my choices. You have to research them a bit though as there can be weird fees or deletion of funds after X months. But mine is a single small annual fee. Period. No interest or other borrowing costs as it’s not a credit card. But it behaves just like one at terminals.

      As a related point, I mostly use Interac or cash locally. It’s a small fee to the retailer, unlike the fee + % credit cards take. For some shops, the credit card takes more profit than they do. The credit card companies have been pushing to get into the Interac market. I do not support that – again because of the excess hit to the retailer. When you add up the real costs of using credit, you’ll probably find it’s a much higher expense than you realized. Whose convenience is it really?

    • #1435913

      Years ago I read a Security article, that Highly Recommended putting a Pic Freeze on All-3 credit information and information management services! I did as they recommended, for a small fee (they mail you a Secure un-lock PW).

      What a Pic Freeze does is Lock Any changes to your Credit info (by 3rd parties, other than Banks/CC…), unless you temp un-lock it for a limited time to only a user you allow (a small fee).

      If you are applying for a loan/CC/…, you only have to temp unlock 1 agency, and then notify them to check your info….- Then I log on/call & Lock it again!

      It surprises me that you Never hear about this Effective Security Service anymore (Google- Pic Freeze !)!?

      • #1435914

        I’m not sure that PIC Freeze is the right terminology; unless you’re talking about telephone companies and long distance service charges, since PIC is a telephone term:

        What is a PIC (Primary InterExchange Carrier) Freeze?

        How to Prevent Long Distance Slamming with a PIC Freeze

        Bruce

    • #1435988

      I, too, am a Canadian who is used to the Chip cards. I feel so much safer using them than the old technology of swipe the card and sign the receipt. HOWEVER, in May and June 2012, my wife and I visited 15 States (all the way to Nevada) and, although I used my credit cards at least once every day, was quite taken aback to discover that the very technologically advanced USA had not heard of Chip technology! I was taking a risk using my credit card, but, fortunately, nothing untoward happened. Maybe you Americans had better start badgering your credit card companies to get into the 21st Century!

    • #1435990

      A coworker of mine has a great plan. He uses a debit card tied to an account which generally maintains only the minimum balance to keep it open. (He’s got a second credit union which allows him to keep the account open with only a penny or two in it.) Then when he makes a purchase, he transfers sufficient funds to the account for the debit card.

      I think that’s a pretty clever means of limiting damage. If the card is compromised, the thief only gets a few cents at most.

    • #1436030

      Interesting article.
      Just as a matter of curiosity, why doesn’t the US have chip cards? Europe has had them for around 25 years…

      • #1436046

        Just a guess – because of the expense in replacing or upgrading every credit card scanner in the country.

        Joe

        --Joe

    • #1436243

      When fishing, go for the biggest catch.

      That is healthcare.gov. You take your life in your hands if you put your information on healthcare.gov. No security … at all.

      • #1436651

        It uses HTTPS, like any secure web site. That’s a lot more than “no security at all”.

        Bruce

        • #1437056

          I am disappointed that one of the primary tools for shopping online is hardly ever mentioned. That is the use of ‘virtual cards’. Bank of America, Citibank and others allow a one time use dollar limited virtual card to be generated. If it is later hacked, it is useless. It is billed on the regular statement and makes online or telephonic shopping very safe.
          Its use should be promoted, and encouraged. More card issuers should allow it also, otherwise change your credit card to a bank that allows it. Don’t be taken in by affinity cards and logos.

    • #1436327

      I posted elsewhere but not here. I rarely use my ATM (mainly for gas) but went shopping with Dad (he just passed away recently; sorry for sharing baggage, but the Day after Thanksgiving was one of the last times Dad and I went out to do something together) and didn’t have enough cash on hand to buy my 3 great nieces (my niece is having nieces now; lol) and my two nephews Christmas presents and saw one of those hard to get toys at Target, so, like a dumb dumb, used my ATM card. Well, last week, I received my new ATM card (completely different number and of course PIN; haven’t changed it yet; will probably just keep the new PIN since it’s easy for me to remember) last week and what a pain to update all my auto-pay sites and such. I should charge Target for my time. Oh well; just my spiel. 🙂
