
Target Hack Included PIN Numbers



When the first response taken by major banks such as JPMorgan, in the aftermath of the massive 40 million credit and debit card hack of the third largest US retailer Target, was to lower ATM withdrawal and purchase limits, it became clear that there was more here than simply a well-organized credit card number scrape. And indeed, as Reuters reports, the hackers who compromised up to 40 million credit and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation. And since from there to emptying bank accounts and saved deposits is only a keystroke away, with no credit card processor intermediary to offload liability to, banks had no choice but to immediately limit debit card access for as many as 10% of their clients in JPM's case, an unprecedented first, which just may have shown the way to limit a cash withdrawal panic if and when the need to do so arises.

From Reuters:

Target has not said how its systems were compromised, though it described the operation as "sophisticated." The U.S. Secret Service and the Justice Department are investigating. Officials with both agencies have declined comment on the investigations.


The attack could end up costing hundreds of millions of dollars, but it is unclear so far who will bear the expense.




Daniel Clemens, CEO of Packet Ninjas, a cyber security consulting firm, said banks were prudent to lower debit card limits because they will not know for sure if Target's PIN encryption was infallible until the investigation is completed.


As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital "key" used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.


In other cases, hackers can get PINs by using a tool known as a "RAM scraper," which captures the PINs while they are temporarily stored in memory, Clemens said.


The attack on Target began on November 27, the day before the Thanksgiving holiday and continued until December 15. Banks that issue debit and credit cards learned about the breach on December 18, and Target publicly disclosed the loss of personal account data on December 19.

And since in black hat hacker circles what is known by one is known by all, it is only a matter of time before America's other largest retailers are hit by the same PIN scraping technique, which in turn "forces" the banks to once again lower ATM withdrawal limits on a few million other debit card users. Ironically, perhaps instead of focusing on where the poor and middle classes shop, it may be time for the black hat hacker community to take a look at companies like Netjets and Ferrari, where the PIN "scraping" wouldn't drain the funds of the median income American but would focus on those who have directly benefited from Bernanke's ongoing asset inflation monetary experiment.


Wed, 12/25/2013 - 09:56 | 4274896 tallen

Happy Christmas!

Wed, 12/25/2013 - 10:02 | 4274898 GetZeeGold



Merry New Year.


Has anyone seen Beeks?

Wed, 12/25/2013 - 10:06 | 4274909 IridiumRebel


Wed, 12/25/2013 - 10:18 | 4274919 Stackers

Looking good Billy Ray !!!!

Wed, 12/25/2013 - 10:33 | 4274939 IridiumRebel
Wed, 12/25/2013 - 10:09 | 4274910 MsCreant

Happy Christmas and a Merry New Year, >>Bitchez!<<

Do I have to do everything around here?

Wed, 12/25/2013 - 10:14 | 4274918 TeamDepends

Looking good MsCreant...

Wed, 12/25/2013 - 11:58 | 4275042 caconhma

It looks more and more like a professionally executed large-scale operation. It is a false-flag operation.

Wed, 12/25/2013 - 17:48 | 4275607 fonestar

This is yet another great example of why you should not trust the traditional banking network; it is insecure and treats you like a child.

Get yourself a Christmas present and take your remaining paper or digital dollars and convert them to BTC now!

Wed, 12/25/2013 - 19:43 | 4275756 Tijuana Donkey Show

Guns and gold? Maybe silver? I need something for when the power is out. 

Wed, 12/25/2013 - 10:14 | 4274916 Ying-Yang

Please forgive the thread hijack... A short message to the world from Snowden. 

Hi, and Merry Christmas. I'm honored to have the chance to speak with you and your family this year.

Recently, we learned that our governments, working in concert, have created a system of worldwide mass surveillance, watching everything we do.

Great Britain's George Orwell warned us of the danger of this kind of information. The types of collection in the book -- microphones and video cameras, TVs that watch us -- are nothing compared to what we have available today. We have sensors in our pockets that track us everywhere we go.

Think about what this means for the privacy of the average person. A child born today will grow up with no conception of privacy at all. They'll never know what it means to have a private moment to themselves -- an unrecorded, unanalyzed thought. And that's a problem, because privacy matters. Privacy is what allows us to determine who we are and who we want to be.

The conversation occurring today will determine the amount of trust we can place both in the technology that surrounds us and the government that regulates it. Together, we can find a better balance. End mass surveillance. And remind the government that if it really wants to know how we feel, asking is always cheaper than spying.

For everyone out there listening, thank you, and Merry Christmas.
Wed, 12/25/2013 - 10:19 | 4274920 TeamDepends

And a very Merry Christmas from PRISM!

Wed, 12/25/2013 - 15:37 | 4275429 disabledvet

Apparently it doesn't work very good. How come We the People aren't all rich as a consequence? Why do we have 10 million more uninsured instead of zero? Why do we have to QE? False flags? More like "diversions" as the looting continues apace. Look! It's Booger Bentley! The camera is on, stop picking your nose! I mean credit cards were targeted too? REALLY? I laugh at the claim "the TJ Max looting went on unnoticed for years by authorities." REALLY? That's because it's an Inside Job you morons. Very interesting to see the Governors "involved" here. South Dakota. Really? That's interesting. Time to share the loot? This one really did get out of hand.

Wed, 12/25/2013 - 11:06 | 4274974 EhKnowKneeMass

You from India? You folks use happy for everything - happy weekend; happy day; happy morning; happy afternoon.....

Wed, 12/25/2013 - 13:03 | 4275159 DosZap

And THIS is exactly why I would never, ever have a debit card: 100% losses, not insured. When the subject comes up all my friends use them, and I said NO way. Now, Christmas, and maybe the next year's spending money is gone.

Wed, 12/25/2013 - 15:39 | 4275432 disabledvet

Debit card losses are finite. Credit card losses are not however.

Wed, 12/25/2013 - 20:26 | 4275812 Papasmurf

Debit card losses are finite. Credit card losses are not however.

The bank's exposure to credit card losses is infinite. Their exposure to debit card loss is limited to account deposits.

Wed, 12/25/2013 - 14:50 | 4275349 ZH Snob

this might sound very conspiracy-theorish but might JP Morgan have something to do with this supposed hack? this would be an excellent cover for the capital controls they desperately need. those overnight credit repos that have kept these zombie banks alive might have finally become a bit shaky.

Wed, 12/25/2013 - 15:41 | 4275437 disabledvet

Ya think? Steal six hundred million...deposit 500 million at JPM...see what happens.

Wed, 12/25/2013 - 10:01 | 4274901 GrinandBearit

Fear, fear and more fear!

I'm sure CC companies will make a fortune selling security features they should be providing for free.

"LifeLock" memberships will also increase exponentially.

Nice false flag Target.

Wed, 12/25/2013 - 12:01 | 4275047 Seer

As cynical as I can be I highly doubt that this is any attempt by Target to "increase" business.  They're Brick-n-Mortar when everything is moving to the virtual space.  Further, it's really a big fucking mess to have to deal with things like this.

In this case the trouble isn't within the domain of the credit card companies (I thought that the article was clear on this), but with Target's systems (POE?).

Whether TPTB have planned this or not who can say, but one thing IS certain: it was ALWAYS going to happen. All responses only go to show that this high-tech world will NEVER be able to stave off attacks, attacks that could very well eventually pull the one big plug (if mother nature doesn't get around to doing so first).

Again, let this be a warning to all the Bitcoin-is-impervious-to-human-interventions crowd. The existing systems were also thought to be secure (or the risks readily manageable), at one point or another.

Human hubris... "It's unsinkable!" (would you stake your life on it?)

Wed, 12/25/2013 - 13:33 | 4275224 Citxmech

I totally agree that Target was not responsible for this in some attempt to boost sales, but:  "When the first response taken by major banks such as JPMorgan, in the aftermath of the massive 40 million credit and debit card hack of the third largest US retailer Target, was to lower ATM withdrawal and purchase limits, it became clear that there was more here than simply a well-organized credit card number scrape."

That was my first thought.  Let  no good crisis go to waste, eh?

Wed, 12/25/2013 - 15:46 | 4275444 disabledvet

I agree. "Inside Job" without a doubt to me. Better start splitting that role of CEO and Chairman JPM.

Thu, 12/26/2013 - 01:17 | 4276205 Ms No

Has ANGRY DRAGON written all over it (not the one you're thinking). No money stolen, just letting you know that they can. Probably retaliation. Either that or bank run prevention priming. Could be both. Sure as hell wasn't Target.

Wed, 12/25/2013 - 12:06 | 4275053 zerozulu

Things are moving in the right direction for people to have RFID in their neck to avoid identity theft.

Wed, 12/25/2013 - 10:34 | 4274905 Save_America1st

since I don't trust anything about the banks, government, crony corporations, or media at all anymore, I'm just gonna go on believing there's a conspiracy involving people connected to some or all of them who do shit like this as test runs or false flags against the unwitting, ignorant  sheeple.

The NSA were probably the hackers or they funded the hackers or maybe Target allowed the breach on behalf of a gov/bankster cartel request and maybe this is being done on behalf of the banks and government to push us towards more capital controls and some global currency reset, and the media helps to lie and cover it up either willingly or by their own ignorance. 

Either way, I have been for 5 years and will remain almost exclusively cash only outside the banking system and off the grid as much as possible.

There's nothing I trust or believe about these hacking stories, except that they're most likely perpetrated by high up insiders to attack the little people and steal what little they have left.

It's the old Hegelian Dialectic of Problem, Reaction, Solution

Wed, 12/25/2013 - 11:18 | 4274992 Down Vote

is it normal for secret service to be investigating this sort of thing?

Wed, 12/25/2013 - 15:49 | 4275451 disabledvet

Yep. Good question too. The Target obviously was JPM...not Target. The lesson is "don't shop at Target" or you will be one. These things go on all the I said the TJ Max one went on for YEARS. I did see a new ATM going in so obviously cash isn't being banned. At least...not in the USA. This is very light on the look out for some real craziness to continue this week.

Thu, 12/26/2013 - 01:59 | 4276246 DriveByLurker

Yes.  Part of the Secret Service's original jurisdiction (circa 1865) was to stamp out counterfeiting of U.S. currency.  Over the years, as our idea of "money" has evolved, legislation has given them primary federal jurisdiction on several classes of things that are similar to money, including credit and debit card fraud.  

(In the real world, they generally  yawn and don't get very interested unless the fraud is at least 7 or 8 figures, unless the fraud involved something they haven't seen before, or unless the victim has some sort of clout.)


Wed, 12/25/2013 - 12:05 | 4275058 Seer


I don't believe that there's any attempt to fuck with people (other than those who would intentionally look to fuck up the System [I won't spend my energies doing so when I KNOW it's going to do itself in]).  This is all nothing more than human hubris and complex systems, all heaped on a world in decline (running out of readily exploitable resources).

The farther you get from nature the more unstable something is.  It's only common sense to seek to be a bit more grounded (go 180 from the virtual world)...

Wed, 12/25/2013 - 13:36 | 4275226 Citxmech

Well put.

Wed, 12/25/2013 - 10:05 | 4274907 buzzsaw99

"money" these days is just bits in a computer somewhere whether you bank online or not. be afraid.

Wed, 12/25/2013 - 11:17 | 4274987 Beam Me Up Scotty

Not the cash in your pocket.  I like to keep mine "close to the vest".

Wed, 12/25/2013 - 10:08 | 4274908 IridiumRebel

Merry Christmas to all. Keep spreading the information for it is more valuable than anything. I got love for all of you folks and thanks for awakening me. Heck, I may even buy a BTC one day. Peace on Earth.

Wed, 12/25/2013 - 10:12 | 4274914 I am Jobe

Peace on Earth- Waiting for US Troops to land in Sudan. Lockheed martin is having Orgy with the Govt 

Wed, 12/25/2013 - 10:33 | 4274933 IridiumRebel

It's a Zerohedge Christmas!


"ZeroHedge Christmas"

I'm dreaming of a ZeroHedge Christmas
Because Fukushima is about to blow
Where Thyroid cancer glistens
And children blister
To hear that TEPCO lied you know

I'm dreaming of a ZeroHedge Christmas
With every snide comment I write
May your days be snarky as we fight!
May all your hedges hockey stick to the right

I'm dreaming of a ZeroHedge Christmas
May Jamie Dimon lose his ass
Where the SEC views porn
And the currency is devalued by the morn
And another liberal judge has been sworn

I'm dreaming of a ZeroHedge Christmas
Obamacare expanding .gov
Executive orders handed from above
You all are merely subjects Yes you all are merely subjects
Until we all finally cry out "ENOUGH!"

I'm dreaming of a ZeroHedge
Christmas with you all!!!!!

Wed, 12/25/2013 - 10:09 | 4274913 I am Jobe

Season of Peace Bitchezzz

Jesus loves you if and only if you shop till you drop. 

Now do your patriotic duty and shop more at TGT and start a brawl at WMT. 

Wed, 12/25/2013 - 12:25 | 4275087 KickIce

Only to be interrupted by Congress sending other people's children to war.

Wed, 12/25/2013 - 10:13 | 4274917 geewhiz

Theory; NSA did it as a prelude to the bail in and choking off a run on banks when the fun starts.

Wed, 12/25/2013 - 10:18 | 4274921 TuesdayBen

Pop Quiz:
When a stolen/hacked credit or debit/ATM card is used to steal, who has been stolen from and is on the hook for the money - the individual/account holder or the financial institution/fiduciary? In other words, whose money is it that has been stolen?

Wed, 12/25/2013 - 11:35 | 4275008 smacker

It usually comes down to whether the issuer can claim that you failed to take reasonable care.

Wed, 12/25/2013 - 12:30 | 4275092 dick cheneys ghost

just remember, banks are 'borrowers' not money was lent........the money was created by and when the person signed the credit card

Wed, 12/25/2013 - 20:56 | 4275858 TuesdayBen

The card issuer/bank would have the cardholder/depositor believe it is he who has been robbed, but in fact it is nearly always the issuer who is the victim, whose money has been stolen, who is obligated to replenish stolen funds...

Wed, 12/25/2013 - 10:24 | 4274927 razorthin

Coulda bought that whozeewhatsit with a silver eagle.

Wed, 12/25/2013 - 12:10 | 4275064 Seer

Just had a thought!

Maybe we should invest in Nikes rather than Bitcoins and PMs?  Which one of these, if tossed at an approaching mob, would be the best defense mechanism? (no, guns are excluded from this scenario)

Wed, 12/25/2013 - 15:54 | 4275461 disabledvet

Good question. If retailers are forced to start giving away merchandise to attract customers that is not good for the retailer. Having said that this could be VERY good for Nike because they sell direct to the customer. Watch closely the "delay story" in delivery. You could get "hi tech hijacking" and none of us would ever know until the earnings report came out "and there were losses instead."

Wed, 12/25/2013 - 10:31 | 4274937 GrinandBearit

Just another beta test for the coming bank bail-ins and/or social collapse.

Gauge/evaluate the sheeple reactions... just like the EBT card shutdown a while back.

Wed, 12/25/2013 - 10:34 | 4274943 wagthetails

Now I know ZH has made me paranoid...what a perfectly manufactured event just to test the big banks' cash control measures.

Wed, 12/25/2013 - 10:39 | 4274950 el Gallinazo

Just because you're paranoid doesn't mean they ain't out to get you :-)

Wed, 12/25/2013 - 12:15 | 4275071 Seer

No, I don't think that the retailers are going to sign up for this, not given that this is their biggest sales period for the year.

That the opportunity to "test" things may be happening it doesn't mean that the entire scenario was initiated for it.

Wed, 12/25/2013 - 15:57 | 4275468 disabledvet

This will cost Target hundreds of millions of dollars so yep, you are exactly right. This is what ending QE looks like sheeple! That money "papered over" a lot of problems. The paper is gone now.

Wed, 12/25/2013 - 10:37 | 4274944 el Gallinazo

I do all my retail shopping with fiat toilet paper, so maybe someone can give me the answer to this.  WTF is Target or any other retailer doing with PIN numbers.  Back in the days when I was dumb enough to shop with credit and debit cards, I never, never gave a retailer my PIN.  I just don't get it.

Wed, 12/25/2013 - 11:00 | 4274965 johngaltfla

Gallinazo, you would be shocked at the number of people who use their debit cards like that and enter the PIN on a daily basis. Cash is a foreign concept to them.

Wed, 12/25/2013 - 11:14 | 4274982 el Gallinazo

But do these people actually give their PIN's to retailers?  And if yes, why?  Back in the days that I used plastic for brick and mortar retail, I never had a retailer ask me for my PIN.  The point is, WTF was Target doing with all these PIN's on their hard drives and how did they get them?  I just can't figure it.  And with all these potential false flag psy-ops, one uncovers the truth by scrutinizing the details (usually supplied via blogs and youtube - rarely the MSM) and subjecting them to the critical thought process.  

Some suggested that this is a psy-ops for the coming bail-in.  That is probably true, but I also see it as a psy-ops for mandatory biometrics for using plastic.  The Mark of the Beast, or maybe a subcutaneous RF chip..

Wed, 12/25/2013 - 11:59 | 4275037 razorthin

If you want to perform a debit purchase, you must enter your PIN on the keypad at the store.  You may also use the debit card as a credit transaction - no PIN, just signature.  It is doubtful that Target itself was storing PINs, but rather the hacker installed a trojan horse-like key punch scraper.

Wed, 12/25/2013 - 12:25 | 4275085 Seer


This was all nothing more than a highly sophisticated theft (Russians?).  It was a PoS (Point of Sale [ - funny that Wikipedia's picture shows a checkout at a Target store!]) attack.

The liability lies with Target, with security to its card readers. I'm sure that we'll find out more as to how this happened. Anyway, this has nothing to do with credit card companies (clearing houses) or banks, and EVERYTHING to do with the retailer (Target). I highly doubt that any big retailer is going to sacrifice its reputation for some bank control tests.

Yes, the folks that are responsible for our "security" WILL seek to lock things down tighter: this is SOP, and is likely more of a conditioned reflex than some diabolical scheme.

Wed, 12/25/2013 - 16:14 | 4275493 I Write Code

The claim is the PINs never are on disk and had to be "RAM-scraped".

In which case it was not just your average trojan but something customized likely to Target's own devices.

Wed, 12/25/2013 - 16:36 | 4275531 Seer

I agree. With the "RAM-scraped" part for sure. (having been in the business I know that for liability reasons you DON'T want to capture shit like PINs)

Target may have failed at some more generalized network security point, and an attacker found it more through a random probe than an intentional attack on Target from the get-go.

Again, folks need to keep in mind that the "hired help" can get distracted during these crazy holiday days.  Security lapses DO occur: either to maintain security levels or to detect new threats.

Wed, 12/25/2013 - 11:06 | 4274970 Save_America1st

it's my guess that every card swipe machine in the world now tracks each PIN with your card after you swipe it. Simple enough to do and to store in their vast databases nowadays. Yes, you will change your PIN at some point, but the first time you use it it will be updated in their database with your card.

Plus, aren't most PINs only 4 digits?  I'm sure it's a piece of cake to crack any card PIN code in a matter of seconds these days as well....but why go through that little bit of trouble when you can just use the swipe computers to record the PIN and store it for you?

This "hacking" bullshit is just bullshit. Maybe WalMart is in deeper with the government than Target, so maybe it's also some kind of corporate war game to take Target out and give the monopoly all to WalMart?

Who knows...but it's not like some "terrorist" cave men in Afghanistan are doing these types of things to us.  

It's our own enemies from within who are doing it, plain and simple.

Wed, 12/25/2013 - 11:17 | 4274991 css1971

This doesn't explain why they need it.

Wed, 12/25/2013 - 12:30 | 4275094 Seer

No.  Folks here are letting their imaginations run wild/out of control.

PINs are only needed for a brief period of time to perform the transaction.  I never wrote code for one so I can't really say for sure how the code works (anyone here comment?), but LOGIC would seem to suggest that PINs would be held for backend retries.

Really, it's to no retailer's advantage to have some sort of control over folks' bank accounts. And, really, this is a brick-n-mortar company; these kinds are dying breeds, and the LAST thing they need is bad publicity.

Either Russians or competitors, that's my guess.  Well, OK, the NSA...

Wed, 12/25/2013 - 12:39 | 4275114 indio007

This tells me the malware was at the point of sale. The PIN was stolen in real-time when entered. As far as I know, PIN #'s are not stored.

Wed, 12/25/2013 - 20:41 | 4275834 Andre

You enter the PIN for every purchase. In a sense you didn't give it to them, but it must be encrypted and sent to the financial institution for verification. It is NEVER supposed to be retained by the vendor.

Interesting, because this means the encryption was either cracked or bypassed (trojan, keylogger), and very possibly at the register or even PIN pad level, which also implies this was a very well-resourced effort.
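How a PIN pad is supposed to handle the PIN that razorthin and Andre describe, as an added example that is not code from this page or from any payment vendor: the PIN is placed in an ISO 9564 format 0 block bound to the card number, encrypted under a PIN encryption key inside the pad, and only the ciphertext reaches the register and travels on to the issuer, which decrypts and checks it. The key, card number and PIN are constructed demo values; real deployments derive a fresh key per transaction (DUKPT) inside the pad and verify inside an HSM, which this example does not model.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// demoPEK is a constructed 24-byte triple-DES PIN encryption key; in a real
// deployment it lives only in the PIN pad's secure module and the acquirer/issuer HSM.
var demoPEK, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210A1B2C3D4E5F60718")

func allDigits(s string) bool { return strings.Trim(s, "0123456789") == "" }

// panField returns the ISO 9564 format 0 PAN field: "0000" followed by the
// 12 rightmost PAN digits excluding the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !allDigits(pan) {
		return nil, errors.New("PAN must be at least 13 decimal digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// clearPINBlock builds the 8-byte format 0 block ("0", PIN length, PIN digits,
// "F" padding) XORed with the PAN field, so the same PIN gives a different block per card.
func clearPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return nil, errors.New("PIN must be 4 to 12 decimal digits")
	}
	pf, err := panField(pan)
	if err != nil {
		return nil, err
	}
	field := fmt.Sprintf("0%X%s", len(pin), pin)
	blk, _ := hex.DecodeString(field + strings.Repeat("F", 16-len(field)))
	for i := range blk {
		blk[i] ^= pf[i]
	}
	return blk, nil
}

// pinPadEncrypt is the PIN pad side. The clear block exists only here; the
// register software receives and forwards nothing but the encrypted block.
func pinPadEncrypt(pin, pan string, pek []byte) (string, error) {
	blk, err := clearPINBlock(pin, pan)
	if err != nil {
		return "", err
	}
	c, err := des.NewTripleDESCipher(pek)
	if err != nil {
		return "", err
	}
	out := make([]byte, 8)
	c.Encrypt(out, blk)
	return strings.ToUpper(hex.EncodeToString(out)), nil
}

// issuerVerify is the issuer/HSM side: decrypt under the same key, strip the
// PAN field, parse the format 0 layout and compare with the PIN on file in constant
// time. Anyone holding the key can do the same, which is why the key is the crown jewel.
func issuerVerify(encHex, pan string, pek []byte, pinOnFile string) (bool, error) {
	enc, err := hex.DecodeString(encHex)
	if err != nil || len(enc) != 8 {
		return false, errors.New("malformed encrypted PIN block")
	}
	c, err := des.NewTripleDESCipher(pek)
	if err != nil {
		return false, err
	}
	pf, err := panField(pan)
	if err != nil {
		return false, err
	}
	blk := make([]byte, 8)
	c.Decrypt(blk, enc)
	for i := range blk {
		blk[i] ^= pf[i]
	}
	field := strings.ToUpper(hex.EncodeToString(blk))
	n := strings.IndexByte("0123456789ABCDEF", field[1])
	if field[0] != '0' || n < 4 || n > 12 || strings.Trim(field[2+n:], "F") != "" {
		return false, errors.New("not a well-formed format 0 block")
	}
	return subtle.ConstantTimeCompare([]byte(field[2:2+n]), []byte(pinOnFile)) == 1, nil
}

func main() {
	pan, pin := "4111111111111111", "1234" // constructed demo card number and PIN
	enc, _ := pinPadEncrypt(pin, pan, demoPEK) // demo inputs are valid
	fmt.Println("register sees only:", enc)
	ok, _ := issuerVerify(enc, pan, demoPEK, pin)
	fmt.Println("issuer verified:", ok)
}
```

Because the clear block is produced and consumed only at the two ends, the thing worth protecting on the store side is the pad's key material, not the register; memory scraping at the register should yield only ciphertext if the pad is intact.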

Wed, 12/25/2013 - 11:00 | 4274964 johngaltfla

Notice the time release of this news story. They've known this for weeks and just now decide to release this tidbit.

Wed, 12/25/2013 - 12:45 | 4275131 Seer

Ever work at a BIG corporation?

And this being the holidays, reduced staffing and all...

They didn't know enough details to just toss something out there.  Further, they were most likely in heavy consultation with banks and credit card companies for trying to figure out what the heck happened.  AND, at the same time they needed to figure out some sort of "solution," something to plug the hole (once they actually found it).

Not endorsing or promoting Target, but at least they're attempting to offer goodwill.  I recall not too long ago getting a call from my bank about some security breach with my card (first time in 30 years that this had ever occurred)- they couldn't tell me what company it was that was attacked (I wouldn't want to get a new card and then get fucked up again!), but soon enough it all came out in the news.  The company in question never offered any real apology, no offering for any discount or other.  I have not, and will not do business again with that company.  The moral of the story here is that mistakes will always be made and that what matters most is how they are resolved and how those adversely affected are made whole.

I don't think running around carrying a bunch of cash is any kind of "solution" to this problem.  If the bad guys get a whiff of cash on you (not everywhere can you conceal-carry) it could be your physical life that gets "stolen."  And as messy as dealing with a trail of stolen CC cards might be, in the end most will be rectified.  If you fear ATMs and want cash then plan instead to go directly to your bank for cash! (and if it's an ATM of the bank's then there's ZERO way they can duck responsibility for any security breach in THEIR systems).

Wed, 12/25/2013 - 15:59 | 4275469 Seer

WTF, people!  It is NOT possible that this is no conspiracy on the part of Target?

The stock shows no tipoff. How is Target to gain here? Folks point out how the "banks" or the NSA/CIA can gain, and I do not dispute this, but this in no way drags Target into this as being some willing accomplice. And if they botched the public relations part of this then that is incompetence, not planned/strategic action.

I own no stock (any, let alone Target's). And, I really don't shop at Target: total expenditures on Xmas shopping might have been for decorations, $100 (and hundreds sent to the Philippines for Xmas party for poor kids). And, I'm no apologist for BIG (which Target represents).

People need to get a grip on logic and stop assuming that everything is done in the name of "evil." (don't confuse as some "evil conspiracy" what can be better explained as occurring as the result of human hubris [but if one suffers from human hubris then one isn't likely able to appreciate how to spot it])

Wed, 12/25/2013 - 20:49 | 4275844 Andre

I pretty much agree on this one. If it is not a technology company, the company does not understand technology - or its limitations.

Target probably thought it was well-protected - up until a security audit started going "Uhhhh, wait a minute..."

Wed, 12/25/2013 - 11:07 | 4274977 indio007

Bitcoin doesn't have this problem.... Unless of course you work for Bloomberg and flash your private key on international TV.



Seriously though, where are all the prognostications about the death of CC's because they are insecure?

Wed, 12/25/2013 - 12:58 | 4275152 Seer

"where are all the prognostications about the death of CC's because they are insecure?"

In time...

It still comes down to the facts.  It's all built on a house of cards.  Thinking that the house will never come down (whether what's in or on that house is impervious to even time itself) is POOR thinking.

As for the Bloomberg "incident," the private key was GIVEN away, it wasn't stolen.

Can anyone state whether Bitcoin transactions couldn't also be hijacked via some point of entry trojan?

Also with Bitcoin, if someone's private key was stolen is there any forensics mechanism to unwind or restore one's account/wallet?

Wed, 12/25/2013 - 15:59 | 4275470 Seer

Down-voted because it's NOT a house of cards?

Or, the Bloomberg incident WAS a theft?

Or was it that it's bad to ask questions?


Wed, 12/25/2013 - 11:10 | 4274978 markar

the mattress is looking better all the time.

2014 should be one for history books.

Be safe and happy(if possible) all.

Wed, 12/25/2013 - 13:06 | 4275167 Quaderratic Probing

But you will miss out on bank interest....oh ya nevermind!

Wed, 12/25/2013 - 13:44 | 4275248 Seer

Now you've done it!  I'm feeling sleepy!

Wed, 12/25/2013 - 11:52 | 4275029 Eagle Keeper

I just pay with cash. No problem. All is well.....


Screw the banks....

Wed, 12/25/2013 - 13:43 | 4275246 Seer

"Screw the banks...."

"I just pay with cash."

That "cash" belongs to the Fed, says so right on it.  The greatest "harm" that one could do to "the banks" is to NOT use "cash," which is exactly why Bitcoin presents such a big threat (and while it'll never be accepted w/o the banks having control [I learned this YEARS ago- been there done that!]).

Wed, 12/25/2013 - 16:39 | 4275533 Seer

Interesting pattern I'm seeing, me being junked whenever I respond to "Eagle Keeper" or "Save_America1st" (or whatever its name is).

Come on junkers, come out of the closet.

Wed, 12/25/2013 - 12:26 | 4275090 mendolover

Thanks for coming in today ZH!

Wed, 12/25/2013 - 12:37 | 4275107 supersajin

Can't have it both ways Tyler!!  Either we continue as-is with this backdoor credit system or Bitcoin. You bitch about both yet offer no alternative ACTIONABLE solution.  I suggest you accept Bitcoin and build upon the platform.

This is only the beginning. People will be clamoring for Bitcoin within 12-18 months!!

Wed, 12/25/2013 - 13:13 | 4275186 Seer

What's to stop the "bad guys" from capturing private keys?  And if one gets hijacked how does one recover?

Bitcoin proponents will say that these kinds of things will be "solved/addressed" by the market. Fine, but the failure in recognition here is that this will be at a COST. The benefits of Bitcoin are that: 1) It's more secure; 2) It's a cheaper transaction mechanism. #2 is a poor claim as there has been insufficient cost analysis performed (seems pretty common that true costs are underestimated). So, that leaves us with #1 as the sole point in favor of Bitcoin; however, not so fast... currently the existing systems provide end-user security via backstopping of security breaches; I agree that this is NO "security" mechanism, it at least, however, (generally) manages to "correct" wrongs. Since everything eventually fails, how is Bitcoin going to provide for correcting any wrongs? I see this as being possible only via some layering, and with any layering (security requirements; added fees etc.), which makes things more complex and likely less secure (as it will undoubtedly involve disparate entities).

"People will be clamoring for Bitcoin within 12-18 months!!"

Yeah, I can see all those 750 folks in India who live on $0.50/day flocking to their computers and tossing all behind Bitcoin! (along with the majority of the world's population that lives on $3/day or less)

Hubris and elitism.

The real question is whether the clamouring will be incited via propaganda...

Wed, 12/25/2013 - 12:48 | 4275136 withglee
withglee's picture

This problem is easily fixed. Don't use pins, but let the banks think you are using pins. The same solution can be applied to passwords on the internet.

It goes like this:

  • The user uses the same password (pin) for everything, and memorizes it (making it as complicated as he chooses)
  • This password is combined cryptographically with the ID of the credit extender to create the password for "that" extender
  • It is virtually impossible given the resulting password and the extender ID to produce the original password
  • The result is that each extender sees a password that is different than what every other extender sees
  • The combining algorithm can be in the public domain and implemented in all ATMs and POS terminals

This eliminates the two easiest methods of compromising passwords (multiple use of the same password and recording it in plain view). Users tend to use the same pin and password for everything. They have little choice (the other choice being to write them all down and carry the list with them). So anyone knowing the pin for one credit extender knows it for all of them.

This method allows them to use the same password for everything, but they memorize it and tell no one. The employees of the extenders see different passwords. And nothing is written down to be stolen and used.

It's not perfect, but it is orders of magnitude better than what we have now. And as usual, it is very simple to implement.

Wed, 12/25/2013 - 13:23 | 4275203 Seer
Seer's picture

"This method allows them to use the same password for everything, but they memorize it and tell no one."

If people were smart enough to follow this then they're probably smart enough to pick reasonable passwords etc...

One would be surprised (or maybe not- esp if you're in tech-land) how willing people are to offer up passwords and such to someone who may be a person in the position of "authority" (in dealing with a matter).

And, there's that trojan horse issue... typing IS "telling."

Given that most folks are broke the importance is seeming to be in decline. (which then leaves it to the people that "have," and, well, shore up those castle walls!)

Wed, 12/25/2013 - 14:08 | 4275291 withglee
withglee's picture

You miss the point. It's not about being smart enough to pick good passwords; it's about being smart enough to remember a different password for each server. And right now we have "typing" vulnerable to stealing. But that's not where most of the stealing is done. And passwords are not typically stolen by giving them up to people with authority. They're stolen because the current method in use requires more diligence by the user than is necessary or practical and so the users aren't diligent.

As anyone in tech land knows, passwords that are visible in text form are vulnerable. It's because most systems allow this that they are able to run analysis of commonly used passwords and discover common use of "password", "123456", "qwerty", etc. No such analysis could be made with this simple change to the method. All passwords would be cryptic and likely unique (especially if the account number was included in the algorithm in addition to the provider-id and the "rememberable" but "hard to guess" user password).

Requirements like at least one capital, one special, one numeric, etc. do very little to bring more security to the party. In fact, they bring less, because they force the users to write down their passwords (or have them automatically stored as in Firefox). And what do they do when this more stringent requirement is demanded? They exchange 1 for i or l and 0 for o and capitalize the first character and end with a period.

Back in the olden days, the backspace was even a valid character. But it became quickly obvious that making one typo meant starting over. That great security enhancement had to be abandoned.
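
The derivation withglee sketches in the two comments above (a memorised master combined one-way with the credit extender's ID, and optionally the account number, so that each extender sees a different value) can be written down concretely. The block below is an added example, not code from this thread or from any payment network: it assumes HMAC-SHA256 as the combining function and a 4-digit output for keypad entry, both my choices, and it adds the check a practitioner would run against the "virtually impossible to invert" claim, namely that with the algorithm public, a master that is itself a 4-digit PIN can be recovered by trying all 10,000 values against the derived PINs that two breached extenders hold. The extender names and account numbers are constructed.

```python
import hashlib
import hmac
import itertools

# Assumed parameters: the thread fixes neither the combining function nor the
# output width, so HMAC-SHA256 and 4 decimal digits are this example's choices.
PIN_DIGITS = 4


def derive_pin(master: str, extender_id: str, account_number: str = "",
               digits: int = PIN_DIGITS) -> str:
    """Per-extender PIN = HMAC-SHA256(key=master, msg=extender_id || account),
    reduced to `digits` decimal digits for keypad entry.

    Keying the MAC with the memorised master makes the derived PIN one-way in
    the master; binding the message to the extender id (and, as the later
    comment suggests, the account number) gives every extender its own value.
    """
    message = extender_id.encode() + b"\x00" + account_number.encode()
    digest = hmac.new(master.encode(), message, hashlib.sha256).digest()
    return str(int.from_bytes(digest, "big") % 10 ** digits).zfill(digits)


def recover_numeric_master(observations: dict, master_digits: int = 4) -> list:
    """The check an attacker would run: the algorithm is public, so when the
    master is itself a short numeric PIN every candidate can be tried against
    the derived PINs that several extenders hold.

    `observations` maps (extender_id, account_number) -> derived PIN as stored
    by that extender. Returns every master candidate consistent with all of them.
    """
    hits = []
    for combo in itertools.product("0123456789", repeat=master_digits):
        guess = "".join(combo)
        if all(derive_pin(guess, ext, acct) == pin
               for (ext, acct), pin in observations.items()):
            hits.append(guess)
    return hits


def demo(master: str = "7305") -> dict:
    """Constructed scenario: one master, three extenders; two of them are later
    breached and their stored PINs are combined to search for the master."""
    extenders = [("bank-a", "4000123456789010"),
                 ("retailer-b", "55512345"),
                 ("atm-network-c", "")]
    pins = {key: derive_pin(master, *key) for key in extenders}
    leaked = {key: pins[key] for key in extenders[:2]}
    return {"pins": pins, "candidates": recover_numeric_master(leaked)}
```

`demo()` returns the three per-extender PINs and the list of 4-digit masters consistent with the two leaked ones; the true master is always in that list, usually alone, after about ten thousand HMAC evaluations. The one-way property of the hash is real, but it only helps when the master has more entropy than the attacker can enumerate; with a memorable passphrase as the master the same search does not apply, so the scheme's strength rests on what the user memorises, not on the combining algorithm.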

Wed, 12/25/2013 - 16:08 | 4275485 Seer
Seer's picture

glee, I'm plenty aware of the tech-space...

"it's about being smart enough to remember a different password for each server."

Obviously you're not yet old enough to understand the concept of "forgetting" :-)  But, seriously, yes, some people just cannot remember stuff very well.  There's a LOT going on in life, a LOT to recall at a moment's notice.  Loading up with more and more stuff just makes it tougher to do proper recalls.  And, if you have more stuff to remember then there's a good chance that your frequency for being able to solidify something to/in memory is lessened: training/learning through repetition and all.

"Requirements like at least one capital, one special, one numeric, etc. do very little to bring more security to the party. In fact, they bring less, because they force the users to write down their passwords (or have them automatically stored as in Firefox). And what do they do when this more stringent requirement is demanded? They exchange 1 for i or l and 0 for o and capitalize the first character and end with a period."

Yes, you understand.

Further, there's the threat of momentarily forgetting that might result in a lock-out.  I once brain-farted when traveling in Europe.  I'd memorized my PIN as a pattern rather than a set of numbers.  The encounter with a different keypad layout convinced me that there are problems with this: the good is that after a couple of beers I was able to just walk up and type the PIN correctly (my brain deciphered it when it wasn't under pressure to do so).

Again, I think we're on the same page.  It's pretty hard to do "simple" AND be "secure." (though, I'm sure, Bitcoiners will argue otherwise- I tend to think that they are over-simplifying the BIG PICTURE)

Wed, 12/25/2013 - 13:01 | 4275162 STG5IVE
STG5IVE's picture

And yet, within the three weeks since this has happened, not one person has publicly reported any funds missing from their account.  With this type of info, one would assume hackers would scalp millions from accounts as quickly as possible

Wed, 12/25/2013 - 13:11 | 4275179 DIgnified
DIgnified's picture

This is to build "credibility."  That way when they pull the plug, they have a grace period to disappear. "Shutting the finance servers down for the weekend because Malware X did Y and Z.  Back on Monday..."

Wed, 12/25/2013 - 13:27 | 4275213 Seer
Seer's picture

So, ALL other such events were or weren't part of this "plan?"

Again, WTF would Target sacrifice itself?  Seems all big events show some activity/mark via stock charts:;range=2y;c...

The charts over the past several months look just like they did for 2012 (though higher ["QE adjusted"]).  Nothing here that jumps out.

Are TGT board members connected with the NSA or the Fed? (the only two entities with more power than a big corporation like TGT)

Wed, 12/25/2013 - 13:59 | 4275279 indio007
indio007's picture

Answer=double indemnity insurance.

Wed, 12/25/2013 - 16:17 | 4275495 Seer
Seer's picture

I suppose, but... all in all it just doesn't look like this is any formula that's likely to produce a growth-positive outcome for Target.  Could it be board members getting bribes/visits from the Fed/NSA?  I suppose... but in the end, this does nothing to promote Target's future.

I'm just not seeing this as an internal Target job.  Maybe Target was targeted for high-level reasons such as might be sought by the Fed and or the NSA, but... wouldn't Wal-Mart be a better partner?

Wed, 12/25/2013 - 13:03 | 4275164 DosZap
DosZap's picture

Can anyone state whether Bitcoin transactions couldn't also be hijacked via some point of entry trojan?


Not yet, but the FBI managed to cob 50,000 of them. IF they can do it, anyone can.

Wed, 12/25/2013 - 13:29 | 4275217 Seer
Seer's picture

"Not yet, but the FBI managed to cob 50,000 of them. IF they can do it, anyone can."

Could you please elaborate?

Is this that pirate (whatever) site takedown?

Wed, 12/25/2013 - 13:07 | 4275171 DIgnified
DIgnified's picture

Trial run frog boil.  

Wed, 12/25/2013 - 13:11 | 4275174 Ranger4564
Ranger4564's picture

Looks more to me like this is the false flag to "justify" curtailing withdrawals a la Cyprus, while legitimizing it in everyone's minds that this was a prudent step. Please fix the system and process, not just limit access to my funds. It sucks that all forms of personal verification are exposed and required by every jerk with a store. There should be a private id key that we hold dear except for extreme circumstances. SS# should have been that, but now every asshole knows it. License # could have worked, but it's all over the net. We need a second id or we need to stop using these methods. Don't even say rfid.

Wed, 12/25/2013 - 13:41 | 4275239 Seer
Seer's picture

The systems are likely becoming more impervious to staving off attacks.  Same as antibiotics are becoming less effective against new strains of viruses/bacteria.

It's nothing but the natural progression of entropy on systems.

More complexity only means more points for failure (even though security is best done with layers).  And while something like Bitcoin itself may not fail, that which it relies on is outside the scope of its control: you can run on Khyber Pass with secure lock boxes, but that doesn't assure that both YOU and your lockbox are going to come out the other side (the content of the lockbox may be safe, but what good if you're dead?).  If you're viewed as a high value target then you will be highly valued as a target... (and just like all the talk of hanging the bankers, hanging them in no way makes all the "wealth" come back- it then serves as a warning to not hide stuff)

Wed, 12/25/2013 - 13:18 | 4275175 Ranger4564
Ranger4564's picture

Double Trouble.

Wed, 12/25/2013 - 14:43 | 4275339 QQQBall
QQQBall's picture

Did Duck Dynasty get hacked too?

Wed, 12/25/2013 - 15:06 | 4275380 MSO
MSO's picture

There are twenty or more POS stations in every major retail store with a card reader and human interface device (HID). These POS stations and their HIDs are pretty dumb devices; they know how to scan bar codes, card stripes and PIN numbers, but they don't know when card stripes and PIN numbers need to be read.

The POS stations scan an item purchased and this info is sent to an in-store server for the most accurate in-store prices (local sales, etc.) and then returned to the POS for totaling the sales. After all items are scanned, the POS will expect payment, either cash, credit or debit. Neither the POS, the card reader nor the HID is capable of authenticating the transaction, so the information has to be sent to another in-store authentication server for validation.

Most stores, such as Target, that maintain gift registry kiosks, have to maintain a live connection to a nationwide database server that updates purchases made for gift registries so the bride doesn't receive 55 fishing rods for wedding presents when one or two was all she asked for. These live facilities give these stores further opportunities to concentrate their data and other live communications.

So how far upstream are the credit/debit card authentications processed? My best guess would be an in-store authentication server, though it might be tempting to pass authentication work back to the mainframe, if available.  It's guaranteed that any credit/debit transaction will see at least three locations and possibly four before it is verified.

There is no way that a hacker makes it as far as every POS station let alone their attached card reader/HID devices. So it is the authentication server, whether in-store or nationwide, that is the most vulnerable point of attack.  The in-store server would require that every store (1000s) be hacked; not too difficult if it is an in-house hack, but not likely if an external hack.

For most retailers, credit operations are their lifeblood. They will need to remain in the good graces of all the major credit card companies/banks so when something like this occurs, the pressure will be placed squarely upon the retailer to make good on all losses.  If the retailer fails to do so, the credit companies will pull their cards and the retailer will have to resort to all cash business.

Wed, 12/25/2013 - 16:11 | 4275488 I Write Code
I Write Code's picture

If they automagically download updates as a matter of course, as most distributed systems do these days, then hitting 1,000 devices is not that implausible.

Apparently most of these exploits go away when the cards are smarter, as I think the CNBC article was describing, as they are already in most of the world.

Who makes the big money off credit cards?  The issuers, not the retailers.  In the end, the banks will suck it up as needed ... or get the fed to pick it up hey why not.

Wed, 12/25/2013 - 16:27 | 4275514 Seer
Seer's picture

Both of you are right as to how things work.

We may or may never know what the REAL breach was until quite a ways down the road (in order to keep copycat folks at bay).

Credit card companies are the ones making money off of the transactions.  If this breach occurred within Target's systems then it's Target's liability: and in these days of tight money I figure that there'll be a lot more scrutiny on all of this.  But, this also comes down to banks' needing to protect their customers, and, as seen in this case, they could only resort to some pretty low-level, barbaric responses in their attempt to do so: yeah, sure, this can become a useful example for future events, should they be controlled false-flag kinds or not, but I think that this is just another big poke in Goliath's eye and the giant is reacting in clumsy ways.  They are all joined at the hip so I'm sure they'll all come to a "resolution."

Always winners and losers.  To be sure, the System is showing signs of losing...

Wed, 12/25/2013 - 15:16 | 4275393 akak
akak's picture

Just another reason to use cash, and ONLY cash.

Wed, 12/25/2013 - 16:27 | 4275518 Seer
Seer's picture

I don't know akak, if you want the existing system to collapse then there's no better way of doing it than to pile on and make it break by sheer weight/volume!

Just be sure you wash your hands after handling that cash: it's got "Federal Reserve Note" written on it...

Wed, 12/25/2013 - 18:52 | 4275687 Parrotile
Parrotile's picture

Best to avoid the Romanian Leu then! (Best survival rate for a variety of human pathogens post contamination) -

Wed, 12/25/2013 - 19:19 | 4275722 Miffed Microbio...
Miffed Microbiologist's picture

Well, that can work at the present, akak, but I hardly think it will for long. Cash has been incrementally phased out for a long time. Paychecks and bill paying are predominantly electronic now. It seems like only yesterday everyone had a paper paycheck. When electronic checks were initially implemented they were looked upon skeptically. Now it's fully accepted. If they were to fully eliminate cash now I, sadly, don't feel many (at least in my sphere) would protest. Once this happens, full control will be complete and lessons will be learned the hard way. I, for one, am planning for a bartering scenario were this to happen, being too old to grasp the concept of Bitcoin. ;-)


Thu, 12/26/2013 - 00:25 | 4276117 akak
akak's picture

I fear you may be correct, Miffed, but I will fight to the bitter end to use cash in any and every transaction I can.

A world in which cash no longer exists would not be a world in which I would care to exist.

Thu, 12/26/2013 - 13:49 | 4277030 Miffed Microbio...
Miffed Microbiologist's picture

Dear akak,

The way I look at it is you and I (and many like us) are living in the new Dark Ages. Unfortunately, just the luck of the draw I'm afraid. Our strengths are wisdom, experience, tenacity and a healthful dose of belligerence. I honestly believe if cash were to be outlawed, we would survive or, at least, die trying. I hope you really wouldn't consider offing yourself! There may come a time when the world needs us and I am sad to think there would be no akak. Hope you are having a happy Holiday.


Thu, 12/26/2013 - 15:40 | 4277336 akak
akak's picture

Sorry, Miffed, for my poor choice of words having given my previous post a darker tone than I intended.  I really did not intend to imply that I would choose suicide if I could no longer use cash.

Actually, I had a rather nice (if relatively quiet) Christmas, and I hope you did as well!

Thu, 12/26/2013 - 16:59 | 4277589 Miffed Microbio...
Miffed Microbiologist's picture

Thank you! I believed as much but a few errant thoughts in my fertile mind kept bobbling up, so to speak, and I decided to assuage my silly fears.

Christmas was relatively quiet for me as well. Just our family and my MIL. Only stresses seem to be generational and that certainly has no solution. My MIL returns to Spokane Jan 6 after arriving here Dec 13. My liver will certainly thank me that day. I prefer the quiet solitude that awaits me even though I enjoy my daughter's visit. I guess I don't have the energy to be around an exuberant 23 year old who's passionate about her life and job. Perhaps ZH has jaded me too much.

Wishing you a happy New Year.


Wed, 12/25/2013 - 15:53 | 4275456 yogibear
yogibear's picture

There's a huge collection of US personal data (PINs, passwords, etc.) sitting in overseas call/customer support centers, out of the jurisdiction of US law.


Wed, 12/25/2013 - 16:28 | 4275522 Seer
Seer's picture

Really?  PINS?  And those overseas folks just like collecting them in some fashion as collectors of baseball cards (w/o swapping)?

Um... evil tends to lurk closer to home than most would like to acknowledge.

Wed, 12/25/2013 - 17:35 | 4275590 Pee Wee
Pee Wee's picture

Clearly the NSA is all over this.

Whats that, they aren't?

Wed, 12/25/2013 - 20:47 | 4275843 Papasmurf
Papasmurf's picture

It's remarkable that the rolling code in a garage door opener is more secure than a credit card.    A credit card should have a rolling code in it, but that would add 20 cents to the manufacturing cost of the card because then it would need an integrated circuit and contacts. 
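
What a rolling code buys on a card, as against the static data on a magnetic stripe, is a per-transaction authentication value that the issuer can check and that is worthless once it has been used. The block below is an added example, not code from this thread or from any card scheme: it assumes a per-card secret key shared with the issuer, a counter the chip advances on every use, HMAC-SHA256 as the MAC and an 8-byte truncation, all my choices, and it shows the issuer rejecting a replayed code, a code presented with an altered amount, and a counter that has jumped further ahead than its tolerance window allows. The PAN and key are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

CODE_BYTES = 8  # assumed width of the per-transaction code


def rolling_code(card_key: bytes, counter: int, amount_cents: int) -> str:
    """Card side: HMAC-SHA256 over (counter, amount) under the card's secret key,
    truncated to CODE_BYTES and hex encoded. A fresh counter on every use means
    a code captured at one terminal is of no value to a replaying attacker."""
    message = counter.to_bytes(4, "big") + amount_cents.to_bytes(8, "big")
    mac = hmac.new(card_key, message, hashlib.sha256).digest()
    return mac[:CODE_BYTES].hex()


@dataclass
class Card:
    """Chip on the card: holds the key and a monotonically increasing counter."""
    key: bytes
    counter: int = 0

    def authorize(self, amount_cents: int) -> tuple:
        self.counter += 1
        return self.counter, rolling_code(self.key, self.counter, amount_cents)


@dataclass
class Issuer:
    """Issuer side: knows each card's key and the highest counter it accepted."""
    keys: dict
    last_counter: dict = field(default_factory=dict)
    window: int = 10  # how far the counter may run ahead (aborted/unsent uses)

    def verify(self, pan: str, counter: int, amount_cents: int, code: str) -> bool:
        key = self.keys.get(pan)
        if key is None:
            return False
        last = self.last_counter.get(pan, 0)
        # Counter must advance (replay protection) but not jump past the window.
        if counter <= last or counter > last + self.window:
            return False
        expected = rolling_code(key, counter, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False  # wrong key, or the amount was altered in transit
        self.last_counter[pan] = counter
        return True


def demo() -> dict:
    """Constructed run: one card, one issuer; a legitimate purchase, a replay of
    the captured code, the same code with a changed amount, a few uses the
    issuer never saw, and a counter jump beyond the window."""
    pan = "4000123456789010"
    key = bytes(range(16))  # constructed key, not derived from anything real
    card, issuer = Card(key), Issuer(keys={pan: key})

    ctr, code = card.authorize(1999)
    first = issuer.verify(pan, ctr, 1999, code)
    replay = issuer.verify(pan, ctr, 1999, code)          # counter already used

    ctr2, code2 = card.authorize(5000)
    tampered = issuer.verify(pan, ctr2, 5001, code2)      # MAC no longer matches
    second = issuer.verify(pan, ctr2, 5000, code2)        # failed try did not burn ctr2

    for _ in range(3):
        card.authorize(100)                               # aborted, never reached issuer
    ctr3, code3 = card.authorize(250)
    skipped_ok = issuer.verify(pan, ctr3, 250, code3)     # jump of 4, inside window
    far = ctr3 + 100
    too_far = issuer.verify(pan, far, 250, rolling_code(key, far, 250))

    return {"first": first, "replay": replay, "tampered": tampered,
            "second": second, "skipped_ok": skipped_ok, "too_far": too_far}
```

`demo()` returns the six outcomes; only the two legitimate purchases and the in-window skip verify. The key point for the thread is that the stripe data Target lost is reusable precisely because it never changes, whereas here the issuer needs the key it never hands out and a counter value it has not seen before, so a dump of what the terminal saw does not let anyone produce the next code.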

Wed, 12/25/2013 - 21:24 | 4275892 Atomizer
Atomizer's picture

We need to target your banking information. Come shopping with us.

Thu, 12/26/2013 - 01:08 | 4276197 Ms No
Ms No's picture

Hello.... Walmart and/or the Chinese!  Although the theories on how Target screwed itself without any logical motive are entertaining.  The Powers that be will of course benefit off anything, any way they can.  Probably a Chinese shot across the bow to warn us Yanks of what's to come if we continue to push in their direction; more likely, a retaliation for something we peasants don't even know about.  No money to follow if none has been stolen.... hello, no motive.

Thu, 12/26/2013 - 04:26 | 4276347 cornflakesdisease
cornflakesdisease's picture

Target may be liable for $3.6 billion . . .
