Target Targeted

As we have said several times, application performance and security are two sides of the same coin. The week before Christmas was an interesting one.  Target admitted that hackers had stolen 40 million credit and debit card numbers.  To date, they have not been particularly forthcoming as to how this attack occurred. The notice posted said the issue has been “resolved.”   That might mean they have fixed their security vulnerability, but so far there is no resolution for the 40 million card holders who have to replace their cards, something which costs the banks $5 apiece.

It seems that Target found the problem after bank customers reported unauthorized charges on their cards.  The common element among these cardholders was that they had all shopped at Target (Who has not shopped at Target?).

The stolen cards were used at point-of-sale (POS) terminals (cash registers) as opposed to the online store.  You might conclude that this data was stolen from a database instead of from the terminals, because it would be impossible for thieves to replace the genuine card readers with hacked ones at so many terminals or tap into the near field communications radio signals used by digital wallet apps so many times.

Experts say that security researchers and law enforcement were put on notice when a large batch of new cards showed up on the criminal market.  Stolen cards can be sold for up to 100 USD each.

Debit cards cannot be used without the pin.  Target should have the pin data. Only the cardholder and the card processor (MasterCard, Visa) know the pin. Why don’t credit card companies adopt a pin as well, you may ask?  That would in one fell swoop reduce their value to thieves.

Something to consider in the New Year.