March 29th, 2008, 03:48 PM
#1
Sea-Ninja wannabe
Join Date: Apr 2002 Location: Albany, Ga.
Posts: 8,240
Another massive data breach, affecting 4.2 Million
No matter how much you protect your info, anyone you deal with has to protect it also. In this case a supermarket chain allowed malware to get onto almost all of its servers. The breach compromised 4.2 million accounts. Quote:
Unauthorized software that was secretly installed on servers in Hannaford Bros. Co.'s supermarkets across the Northeast and in Florida enabled the massive data breach that compromised up to 4.2 million credit and debit cards, the company said Friday.
The Scarborough, Maine-based grocer confirmed a report in The Boston Globe that it told Massachusetts regulators this week about the link between the breach and the illicit programs, known as "malware."
The company doesn't know how the malware - short for malicious software - got onto nearly all its 271 stores' servers, Hannaford spokeswoman Carol Eleazer said.
At least 1,800 cases of fraud have been linked to the data breach, with unauthorized charges showing up as far afield as Mexico, Italy and Bulgaria.
The breach has prompted concern in the industry because it appeared to be the first large-scale theft of credit and debit card numbers while the information was in transit.
The usual mode of attack targets data sitting in databases, as in the record-setting theft of information from Massachusetts-based TJX Cos. involving at least 45 million cards.
"Virtually everything is possible," Eleazer said. "There are still many, many aspects that we don't totally understand."
The company has said that the breach, which occurred between Dec. 7 and March 10, allowed credit and debit card numbers to be stolen as shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval.
__________________
They say technology slows down for no one. I know it outruns my wallet. I figure its because my wallet isn't light enough yet.
March 30th, 2008, 07:51 PM
#2
Banned
Join Date: Jan 2005 Location: Loveland, CO
Posts: 5,493
There are many methods to acquire credit card numbers...
The POS (Point of Service) could be hijacked. With the right hardware, an employee and one or more accomplices, every card swiped can be captured. However, there may be more sophistication here.
I Personally think it's the shty software.
It's like advanced phishing...
April 7th, 2008, 12:58 AM
#3
Ultimate Member
Join Date: Oct 2001 Location: Toronto Canada
Posts: 4,619
To get a large group of numbers, that's the easiest way. Break into the database.
Nowadays, you get chips put into POS terminals to skim Track 2 (the data on the magnetic stripe of your card) with only the swipe in the terminal and record the PIN number entered.
So it can be done right in front of the customer and they'd never know.
But pulling it in transit shouldn't be possible since all they should get would be encrypted data strings. In Canada, the minimum encryption is using a 16 or 32 character key called a DES key. Since DES has been cracked, there's a forced move to 3DES (Triple DES) which means there are 3 separate 16 or 32 character keys used to encrypt. The data is encrypted by the first key, then that result is encrypted by the second, then that result is encrypted by the third.
With current computer technology, it would take several thousand years to crack 3DES.
So either their terminals were using DES or it was stolen by an organization that has the tech to crack DES.
__________________
AMD Phenom Q9500 Quad-Core 2.2ghz / Asus M3A78-EMH HDMI / 4GB PC667 RAM / 320GB SATA II
Debian Lenny AMD64 version
April 7th, 2008, 02:06 AM
#4
Banned
Join Date: Jan 2005 Location: Loveland, CO
Posts: 5,493
It was at the software level....
It's their "shty software" which allowed the breach.
Were the numbers in plain text when acquired? That is the question...
Last edited by Keymaker : April 7th, 2008 at 02:09 AM.
April 7th, 2008, 02:45 PM
#5
Ultimate Member
Join Date: Oct 2001 Location: Toronto Canada
Posts: 4,619
Oh okay. Then it's the FI's fault. The store data should be encrypted, even on their servers. The only place it gets unencrypted temporarily is at the FI (bank) data centre.
If, somehow, the store's servers had unencrypted data, then it's their fault and they should be sued and put out of business. In Canada anyway, a store cannot store unencrypted financial data on any server they have. Banks can but they have massive data security, physical security, network security and auditing measures they have to follow to be able to do business in Canada at all.
Last edited by SeanC : April 7th, 2008 at 02:49 PM.
April 7th, 2008, 03:15 PM
#6
SoMuchAnime-SoLittleTime
Join Date: Aug 2003 Location: Plymouth, WI
Posts: 13,697
Security is such a problem these days...
Which is why I plan to create a company focused on security in a few years after I get some schooling.
Companies really need to start giving a damned about their customers data, and need to be held accountable in the case of their security being breached.
I've just been having some trouble with my stupid bank's online stuff. Apparently they only allow passwords to be up to 8 characters long, and who knows if the passwords are even hashed or the data is encrypted.
__________________
The mark of the immature man is that he wants to die nobly for a cause, while the mark of a mature man is that he wants to live humbly for one.
April 7th, 2008, 03:17 PM
#7
Let's go, Hokies!
Join Date: Oct 2001 Location: South Jersey
Posts: 7,570
Ayup, been to Hannafud many'a time.
Possibly for the last time.
April 7th, 2008, 03:23 PM
#8
Ultimate Member
Join Date: Oct 2001 Location: Toronto Canada
Posts: 4,619
Quote:
Originally Posted by EXreaction
I've just been having some trouble with my stupid bank's online stuff. Apparently they only allow passwords to be up to 8 characters long, and who knows if the passwords are even hashed or the data is encrypted.
The data had better be encrypted. The banks make little processors like my company follow every little rule to the letter so they had better not be hypocrites about it.
At a minimum, your card number should be masked (i.e. only the last 4 numbers are clear, the rest is just asterisks like this "************1234" or something similar). Your PIN is only supposed to be stored as an encrypted hash.
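To make concrete what Track 2 (post #3) actually carries off the stripe, and what the masked storage in post #8 looks like, here is an added Python example. It is not code from this thread or from Hannaford; the layout is the ISO 7813 Track 2 format (start sentinel `;`, PAN, `=`, YYMM expiry, 3-digit service code, issuer discretionary data, end sentinel `?`), the sample swipe is constructed around the widely published 4111 1111 1111 1111 test PAN, and the trailing LRC byte is assumed to have been stripped by the reader. The point it shows: everything the parser returns is cleartext at the moment of the swipe, so a skimmer chip in the terminal or malware sitting on the store server ahead of the encryption step gets the full PAN, and the only safe thing to persist or log is the masked form.

```python
"""Parse a Track 2 magnetic-stripe record, validate the PAN, and mask it for storage/logs.

Added illustration; not code from the thread. Track 2 layout per ISO 7813, LRC assumed
stripped by the card reader.
"""
import re
from dataclasses import dataclass

# ';' PAN (1-19 digits) '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# Constructed sample swipe built on the public 4111... test PAN (not a real card).
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"


@dataclass(frozen=True)
class Track2:
    pan: str             # primary account number, cleartext as read from the stripe
    expiry: str          # YYMM
    service_code: str    # 3 digits; e.g. '101' = international, no restrictions
    discretionary: str   # issuer-specific data (CVV1/PVKI etc. live here)


def luhn_ok(pan: str) -> bool:
    """Mod-10 (Luhn) check digit validation; every PAN carries one, so a misread
    or tampered number is usually caught here before anything else happens."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a raw Track 2 string into its fields; raises ValueError on bad input."""
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a well-formed Track 2 record")
    rec = Track2(m["pan"], m["exp"], m["svc"], m["disc"])
    if not luhn_ok(rec.pan):
        raise ValueError("PAN fails Luhn check (misread or tampered)")
    return rec


def is_valid_track2(raw: str) -> bool:
    """Boolean wrapper around parse_track2 for callers that just want yes/no."""
    try:
        parse_track2(raw)
        return True
    except ValueError:
        return False


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Keep only the last `keep_last` digits, as post #8 describes: '************1234'."""
    if len(pan) <= keep_last:
        raise ValueError("PAN too short to mask")
    return "*" * (len(pan) - keep_last) + pan[-keep_last:]


def redact_for_log(raw: str) -> str:
    """Produce the only form of a swipe that should ever reach a log or a store-side
    database: masked PAN, blanked expiry and discretionary data, service code kept
    because it is needed for routing decisions and identifies no cardholder."""
    rec = parse_track2(raw)
    return (
        ";" + mask_pan(rec.pan)
        + "=" + "*" * len(rec.expiry)
        + rec.service_code
        + "*" * len(rec.discretionary)
        + "?"
    )


if __name__ == "__main__":
    rec = parse_track2(SAMPLE_TRACK2)
    print("cleartext PAN as swiped :", rec.pan)       # what a skimmer/in-transit sniffer gets
    print("expiry / service code   :", rec.expiry, rec.service_code)
    print("safe to store or log    :", redact_for_log(SAMPLE_TRACK2))
```

Run it as-is and the first line of output is the full PAN; that is exactly the window a terminal skimmer or server-side malware exploits, and why the encrypt-before-it-leaves-the-PIN-pad designs referenced in #3 and #5 matter. Anything the store keeps should look like the last line.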