79 Comments
- inactive, on 10/12/2007, -0/+26
This sh!t always bothers me.
Stores should only need your credit card # for the instant it takes to bill your account when making a purchase. After that, they should forget it.

- orientis, on 10/12/2007, -4/+29
You know, in twenty years we'll be reading stories of hacks that read like natural disaster pieces.
"In California today thirteen thousand remote heart motivators were hacked into by terrorists. HeartCo has been forced to give out a thousand new hearts so far"

- slapded, on 10/12/2007, -0/+20
I love how old people are scared to shop on the internet, yet they easily hand their check card over to a punk kid McDonald's drive-thru employee..

- LavaHot, on 10/12/2007, -5/+20
Thousands of artificial penises were hacked today, to perform a whirley-gig motion, causing mass hysteria, infertility, extreme fertility, and countless GooTubeStermazon videos to be searched for, uploaded, sent to everyone you know, then sold.

- LavaHot, on 10/12/2007, -4/+17
So they should have no record of your transaction after that? I wouldn't want to be their accountant.

- inactive, on 10/12/2007, -1/+13
@LavaHot: No. They should have a record of your transaction, just not your credit card number.

- rotting, on 10/12/2007, -0/+8
The best is how they waited a month to announce this. They knew they had a security problem but did not want to interrupt the busiest shopping time of the year. Thanks!

- WarpFox, on 10/12/2007, -1/+9
Merchants are required to keep records of their transactions, including the number, for a few years, BY THE CREDIT CARD COMPANIES. You are not supposed to keep any record of them electronically, however.
Your safeguard against fraud: reversals. Everything in the credit card and ACH world is reversible, for MONTHS after it happens.

- Zoltair, on 10/12/2007, -0/+5
I say if the company is found negligent in their IT security, then the card companies and banks should refuse them access to their credit and banking systems. If more companies felt this kick in the ass when they ignored security issues, they might pay more attention.

- 60days, on 10/12/2007, -0/+5
http://en.wikipedia.org/wiki/Data_protection_act (time to start lobbying)

- inactive, on 10/12/2007, -1/+6
@ somebitches and wonderkind
All retailers accepting card payments WORLDWIDE fall under the PCI compliance program and have to safeguard information like this or they are liable to lose their rights to accept card payments - you really need to check your facts before posting inaccurate and misleading comments.
http://www.answers.com/topic/payment-card-industry

- inactive, on 10/12/2007, -1/+6
They shouldn't even need your credit card number. It'd be quite easy to set up a system that used a unique number for every purchase.

- inactive, on 10/12/2007, -0/+4
@ h00paj..
It doesn't matter - PCI stands for 'payment card industry'; it's nothing to do with any government anywhere - if you don't comply then VISA/MC/Amex etc. would take steps to cancel your merchant rights ... the potential to lose business is the reason companies spend millions on encrypting the customers' data.

- EvilTesdall, on 10/12/2007, -0/+4
They called my wife, and told her that her card was going to be deactivated and they were sending her a new one. We had no idea what was going on till I just read that article (I'm in Virginia).
- rotting, on 10/12/2007, -0/+4
@thcobbs
So say they knew this was happening as of December 15 but they still have not figured out how. People shop on December 16. Then the same person steals the CC info again on the 17th.
What if they don't catch him?
Would you still prefer they kept it a secret?
All hypothetical of course.

- prockcore, on 10/12/2007, -0/+3
I got a call yesterday from my credit union. They told me all about how TJ Maxx was hacked. That's why I like credit unions... they're very up-front about things.

- nickjk, on 10/12/2007, -0/+3
I received a letter yesterday from our bank saying they canceled our card and were sending a new one. I didn't know what happened either, until I read this article (North Dakota).

- Wonderkind, on 10/12/2007, -4/+6
Here in the U.S., big corporations own the government and make the laws.
If we pass a law that endangers big businesses' right to screw customers, the money flow to campaigns will stop.
The newly elected government has promised to fix this. We'll see.

- dylanmat, on 10/12/2007, -0/+2
prockcore...
I work for one, we try to do what's right.

- AkshayGenius, on 10/12/2007, -4/+6
So, simplenation, u tryin to follow anicejew's footsteps, seems so, cause ur a troll and ur image is identical to anicejew's

- malkir, on 10/12/2007, -0/+2
If they hacked it once and made it in that far you can bet your ass they left some backdoors open afterwards that don't require the original hacking method. So not only do they have to figure out how it was done in the first place, they also have to remove whatever the hacker left behind. So do you think it's secure by now? I sure don't.

- Flankk, on 10/12/2007, -1/+3
American corporations are absolutely liable. In America you also have full rights to all recorded data a business keeps about you. As a client of a bank or customer of a credit card company, you have no obligation to pay for charges that you did not endorse. Your rights stand exactly the same in Europe and Canada though under different bills and statutes.

- whiledo, on 03/25/2009, -0/+2
As I said in reply to the earlier similar comment, where would they keep the key to decrypt it?

- zaren, on 10/12/2007, -0/+2
Sweet. I don't shop at any of those stores. I'm safe.
Lemme know when Speedway or Target gets hacked.

- imontoya, on 10/12/2007, -0/+2
OK, I understand the reason that retailers need to keep this information, for accounting, returns, etc... but why the heck don't they encrypt the information that is stored?
Haven't they learned by now?

- whiledo, on 03/25/2009, -0/+1
Errr... where would they store the keys to decrypt it?

- nsummy, on 10/12/2007, -1/+2
I love how stories where the first couple of words are in all caps and use buzzwords such as "massive" or "breaking" seem to always get dugg up.

- stryker2you, on 10/12/2007, -0/+1
"L.T Smash...or Lieutenant Smash of the United States Navy..."
"Yvan eht nioj"
It's all subliminal ...
From The Simpsons... however I fail to see how your comment about LT is relevant to this security breach... yeah TJ Maxx was included but bringing a fictional Simpsons character into this is like blaming Bush for this security breach... well what do you know... I guess maybe we can blame him.

- inactive, on 10/12/2007, -0/+1
They do, it's called PCI compliance.

- NJank, on 10/12/2007, -0/+1
"why the heck don't they encrypt the information that is stored."
Because that costs money. Since it's not demanded, that's an unnecessary cost. Hence it's not done and won't be until there is a cost-benefit related reason to do so.

- inactive, on 10/12/2007, -0/+1
The real question is why are they storing credit card information on their own network? There should be a law that forbids merchants from storing any sensitive information on their own network; only qualified payment processors should be allowed to store that information. I do a lot of e-commerce work for small companies, and it makes me really scared that all these small e-commerce sites store all their customers' credit card information in their own little databases that are so insecure that basically anyone could just take it with little effort. I mean, even a big chain like this can lose information; imagine how many smaller companies have lost your credit card information, probably unknowingly. So think about that the next time you shop at small sites.
- ViceVirtue, on 10/12/2007, -2/+3
@cvelusc: No, heart motivators are small devices planted on your shoulder to whisper cheers into your ear to stop you from dying.
The problem is that in 2021, we don't need to do anything because we've got robot slaves moving our arms.
But heart is love and robots can't understand love... the next best thing is to have a small fella on your shoulder to motivate you into making sure your heart beats.
One cheer which was found, in the earlier motivators, to be ineffective was this one: "You can do it, just 20,342 more beats to go! Then you'll be dead!"
True story.

- whiledo, on 03/25/2009, -0/+1
In the US, the individual is already not liable for fraudulent charges made using their credit card. The only requirement is that the individual calls in and cancels their card once they realize it is being used for the fraud. Then all charges are reversed unless someone can produce a receipt with the cardholder's signature on it.
At that point, the CC company can either eat the charges or try passing them along to whoever was responsible.
In the US at least, CC companies go out of their way to make it ridiculously easy to use your card (no requirement for ID being checked, sometimes you don't even have to sign the receipt, etc.). So to some degree, the CC company actually deserves to eat some charges due to fraud because they have worked hard to prevent any actual security at checkout (because any security also means extra time spent processing the transaction).

- Maverick83, on 10/12/2007, -0/+1
"Oops" seems very appropriate.

- SteelFrog, on 10/12/2007, -0/+1
Damnit, I am sick of seeing you spam every damn story. Blocked and most likely banned soon.

- halik, on 10/12/2007, -0/+1
God damn it, why do all these idiots keep sensitive info unencrypted?
What really needs to happen is victims of ID theft need to sue the companies that leaked their info, which would, in turn, create a liability for any corporation that's cheap on IT security. This gives them an economic incentive to focus on security.
In any case, they should encrypt all the sensitive data that needs to be two-way readable and multipass hash everything that is one-way readable.

- whiledo, on 03/25/2009, -0/+1
@funk49
Good point and makes sense (3rd-party key storage). Of course, that's assuming this was an archival database and not one being actively used for things like data mining. Then again, WarpFox claimed the CC companies restrict them from keeping any electronic records of the CC transaction (assumedly, the CC#s) at all. Not sure how accurate that is, though.

- zbeast, on 10/12/2007, -0/+1
Who cares. The thing is... it's the store that gets burned, not the person whose credit cards got boosted.
Screw credit cards and credit card companies.

- yfeefy, on 10/12/2007, -0/+1
Does anybody have more details on the breach - what OS/firewall/app/database etc.? This stuff needs to be exposed.

- whiledo, on 03/25/2009, -0/+1
Considering that the cardholder is not liable for fraudulent charges made with their card, what damages would members of the class claim? Not just yanking your chain here, I'm serious. Possibly for the time calling their card company and telling them to cancel their card and refund this list of charges? Or if they had some checks bounce because the money was taken out of their bank accounts?

- tgiles, on 10/12/2007, -0/+1
Stories like this make my blood run cold.
I happen to work in the industry with PCI-compliant clients and think of all the hours I plow through Snort logs, checking security tickets, emailing off advisories and worrying about every firewall rule change and packet dropped. Good lord, I just picked up a copy of the DSS and started flipping through it, wondering which of the 'almighty laws of PCI' were broken.
It's a tough job. Long hours, lots of audits and paperwork that would send mere mortals scampering headlong back into the trees.

- rotting, on 10/12/2007, -0/+1
Gee, are you willing to bet your credit card information on the assumption that they 100% know all of the possible intrusion methods that could have been used when we now know for a fact that the security has already been compromised?
Intelligence.

- whiledo, on 03/25/2009, -0/+1
Seriously, though, they are a great place to buy dress socks. They actually sell them for prices only double what "normal" socks would cost.

- BillDoE, on 10/12/2007, -0/+1
We need to start holding these companies accountable for storing our personal info, and responsible when it is lost.

- dexman, on 10/12/2007, -0/+1
This was posted January 4th at Always On:
Last month UCLA announced that a hacker had twelve months' access to a sensitive database containing about 800,000 names and social security numbers. Given the nature and duration of the attack it is likely that the UCLA hack is only the tip of an iceberg in a sea of ever-increasing hazards.
If you are tempted to dismiss UCLA as a mere anomaly consider this: the running total of US data breach victims crossed the 100 million mark on December 13, thanks to tabulations by the Privacy Rights Clearinghouse. While the 100 million includes all kinds of breach incidents, including records pulled the old-fashioned way from garbage, the trend toward larger breaches is clearly noted in larger and more sophisticated cyber attacks.
The Year of the Hack: http://alwayson.goingon.com/permalink/post/8422

- genen, on 10/12/2007, -0/+1
Yup he's right - PCI is exactly how Visa/MC validate the security of clients (via issuing banks). If you have a crappy PCI score you may end up losing the ability to accept some credit cards. Also banks that issue cards may lose the ability to issue cards if they end up having poor compliance.

- gwinerreniwg, on 10/12/2007, -0/+1
Unfortunately, this is harder than it seems, but the industry is making some progress. The Payment Card Industry initiative is a program started by Visa and Mastercard that is requiring all of their vendors (i.e. people who accept credit cards) to comply with new, very robust security standards. In order to continue accepting credit cards, vendors will be independently audited to ensure their systems cannot compromise security. Among the many requirements of the initiative are things like
+ mandated encryption of customer data and card info
+ robust audit and access trails to all data
+ physical and logical isolation of the systems that process said data
(and a lot more too). This is being mandated by the payment card industry to be rolled out by the "tier" of merchant (i.e. how much business does the company do with Visa/MC). Any of you that work for a company that deals in this type of business know how difficult it can be to get small-to-medium-sized businesses to make investments in IT - many are crippled by budgets, many by lack of competent technical folks to implement these directives. Either way, this time Visa/MC are serious, and there are teeth in the directives (fines, cutting off business). More legislation is not needed - just a little patience while we pivot the IT infrastructure of nearly every credit-card-accepting merchant in North America. If memory serves me, this is slated to be complete by year end 2007.

- CARPEDATAM, on 10/12/2007, -0/+1
Qualys is excellent... with a PatchPoint. www.bluelane.com

- inactive, on 04/23/2009, -0/+0
Hear! Hear! Sometimes, sanctions need to be imposed for these companies to follow proper security protocol. Without constraints, they'd never exercise caution to protect their consumers.
http://www.clicksmore.com/

- funk49, on 10/12/2007, -0/+0
@illegalcortex
Since you asked the question twice, I will answer. The solution to dealing with a key locally and minimizing your exposure is offline key storage. One company, nCipher, makes an Oracle encryption storage facility/accelerator that you could keep your data safe with even if they gained access to the DB.
Real companies use stuff like this all the time... sounds like some heads need to roll over at TJX.
Edit: @NJank
It's illegal for them not to be encrypting the data, especially if they are collecting personal info and passing it along for payment processing. This is a violation of Visa/Mastercard merchant requirements and they will most likely be in HUGE trouble with them when it comes to chargebacks.
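Editor's added example, not code from the thread or from any of the commenters. Two points in the discussion invite a concrete sketch: the suggestion that a store should only ever hold "a unique number for every purchase" rather than the card number, and the back-and-forth between whiledo and funk49 about where the decryption key would live if stored card data were encrypted. The block below models both: the merchant's order table keeps a random per-purchase token and the last four digits, a separate card vault keeps the PAN encrypted, and the vault key is held outside the database (a process-local byte string here, standing in for the HSM / offline key store funk49 describes). Everything is assumed for illustration: the vault/merchant split, the table layouts, and the cipher, which is an HMAC-SHA256 keystream with an HMAC tag used only as a standard-library stand-in for AES-GCM, not a production choice. The card number used is the well-known 4111... test number, constructed for the demo.

```python
"""Added demo (not from the thread): per-purchase tokens plus a card vault
whose key lives outside the database. Merchant rows hold only a token and the
last four digits; the vault holds PANs encrypted under a key never written to
disk (an HSM/offline store in practice). HMAC-SHA256 keystream + HMAC tag is a
stdlib-only stand-in for AES-GCM."""
import hashlib
import hmac
import os
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check digit: catches mistyped numbers before they reach the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key: bytes) -> tuple:
    # separate encryption and MAC keys derived from the single vault key
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag before touching ciphertext; wrong key or tampering -> ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CardVault:
    """The only component that sees PANs. Its table can be dumped; its key cannot."""
    def __init__(self, kek: bytes):
        self._kek = kek                     # in an HSM / offline store in real deployments
        self.table = {}                     # token -> encrypted PAN: what an attacker can read

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        token = secrets.token_hex(16)       # random per purchase: not a function of the PAN
        self.table[token] = encrypt(self._kek, pan.encode())
        return token

    def detokenize(self, token: str) -> str:
        return decrypt(self._kek, self.table[token]).decode()


def record_sale(orders: list, vault: CardVault, order_id: str, pan: str, amount: float) -> str:
    """Merchant side: keeps what accounting and returns need, never the PAN itself."""
    token = vault.tokenize(pan)
    orders.append({"order_id": order_id, "token": token, "last4": pan[-4:], "amount": amount})
    return token


def refund(orders: list, vault: CardVault, order_id: str):
    row = next(o for o in orders if o["order_id"] == order_id)
    return vault.detokenize(row["token"]), row["amount"]   # only the vault can map back


def dump_leaks_pan(orders: list, vault: CardVault, pan: str) -> bool:
    """Attacker model: every byte on disk (merchant rows + vault table), but no key."""
    on_disk = repr(orders).encode() + "".join(vault.table).encode() + b"".join(vault.table.values())
    return pan.encode() in on_disk


def demo() -> dict:
    """Constructed scenario: two sales on one card, a refund, and a full-disk dump."""
    pan = "4111111111111111"                # well-known test number, not a real card
    vault, orders = CardVault(secrets.token_bytes(32)), []
    t1 = record_sale(orders, vault, "order-1", pan, 49.99)
    t2 = record_sale(orders, vault, "order-2", pan, 12.00)
    refunded_pan, amount = refund(orders, vault, "order-1")
    try:
        decrypt(secrets.token_bytes(32), vault.table[t1])   # processor without the real key
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {"tokens_differ": t1 != t2,
            "refund_ok": refunded_pan == pan and amount == 49.99,
            "merchant_row": orders[0],
            "dump_leaks_pan": dump_leaks_pan(orders, vault, pan),
            "wrong_key_rejected": wrong_key_rejected}
```

Running `demo()` shows the properties the thread argues about: the merchant row carries only `last4` and a token, two purchases on the same card get unrelated tokens, a refund still works because the vault can map the token back, and a dump of both tables without the key contains no card number. The separation only buys anything if the key really is unreachable from the database host; a key sitting in a config file next to the DB collapses the model back to plaintext storage, which is exactly whiledo's objection.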