Friday, December 20, 2013

Target security lapse already affecting some consumers who had used debit cards with PINs

There are already some reports of consumers finding bank account withdrawals after they had used debit cards at a Target store since Nov. 27. So it appears that the heist might have compromised PIN codes. There was a report of a woman in Washington DC with checks bouncing already.

I used my Target Visa once early this month and did not see any irregularities on my Target or any other credit card or bank statements. 

However, if consumers are already reporting pilferage, the possibilities for massive withdrawals or invalid charges seem enormous.

All indications suggest that the Target incident occurred inside its data center.
There are various IT procedures which are supposed to guarantee integrity of elevation procedures within an IT shop.  I’ve discussed them on my IT Jobs blog and will go into more detail soon on some particular issues I am aware of in mainframe environments.  It’s possible that this heist is based on a very old vulnerability.  

Update:  later

Target says that it has no evidence that debit card PINs were compromised.

Update: Dec. 21

The Washington Post reports that its former security columnist Brian Krebs actually broke the Target story on his security blog, and his latest report is here. Target is offering discounts and some free credit monitoring and still denies that debit card PINs were compromised.

Debit cards can often be used as credit cards without PINs, and the charges are easier to reverse when fraudulent. This happened to me once in March 2013.

Update: Dec. 28

Target is admitting that debit card PINs were taken, but not the encryption keys with them, which are held outside the company. However, consumers with easily guessed PINs (like "1234") could certainly be at risk.
