
The attackers behind Target's credit card breach
also went after customers at other retailers around the country,
including high-end retailer Neiman Marcus. Maybe it's time to go back to
just using cash.
Shoppers already jittery after Target reported a credit card breach
over the holiday season are now faced with the prospect that the
attacks were far more widespread than originally thought. It appears
Target wasn't the only retailer affected in this breach, as Neiman
Marcus and at least three other retailers experienced similar incidents
over the same time period,
Reuters reported.
Security experts have long warned that banks, credit card processors,
and retailers are not taking the necessary steps to secure payment card
data and personal information, leaving customers vulnerable to fraud and
identity theft.
"The impact of the Target breach and other retailers in similar
circumstances (and not yet fully disclosed) can have far reaching
effects on consumer confidence and impact on the US economy unless steps
are taken to address this vulnerability immediately," said Anup Ghosh,
founder and CEO of security company Invincea.
More Victims Found
Neiman Marcus discovered its
breach on Jan. 1, after receiving reports from a credit card processor
about possible unauthorized charges on the accounts of people who had
shopped at its stores, reported
security writer Brian Krebs. The attack appears to be on a smaller scale, with fewer than one million cards compromised.
While Krebs was not sure whether this breach was related to the
attack on Target, sources told Reuters the incidents used similar
techniques and could be linked. Like Target, Neiman Marcus said only
shoppers who used their cards in the store were affected, not online
shoppers.
Target initially reported that 40 million shoppers who used their
credit card at one of its retail outlets during the holiday shopping
season were affected in a credit card breach. Last week, the CEO of
Target acknowledged the breach was bigger than originally thought, as
personal information of at least 70 million customers, including names,
mailing addresses, telephone numbers, and email addresses were also
stolen. There may be some overlap in customers between the initial 40
million and the later 70 million, but Target was unable to say how many
were counted twice. Target also admitted that all US shoppers over 2013
were at risk, not just those that visited the store over the holiday
season.
Questions, But No Answers
The investigation is
still in the early stages, so there are more questions than answers at
this point. This presents a whole new set of challenges, security
experts said.
Right now, the big question is, "Am I affected?" and it's hard to
tell. Reuters said three other retailers were currently investigating,
but had not publicly disclosed the breach at this time. It is also
possible there were other, smaller, breaches earlier in 2013, which
still have not been publicized.
"All retailers should err on the side of disclosing all consumers
that are potentially affected while at the same time disclosing fully
what they know about the breach and how it happened," Ghosh said.
Neiman Marcus said it is notifying customers who had fraudulent
transactions posted to their accounts, but this leaves a lot of
consumers who did shop at the stores wondering and waiting for bad news.
It creates what an expert called "data security limbo,"
as users are aware of a breach but can't take any steps until they
receive confirmation. Target also said it was notifying customers about
personal information being stolen if an email address was on file.
This kind of selective notification opens up a window of opportunity
for attackers to launch secondary attacks, said Angel Grant, director of
anti-fraud solutions at RSA. Attackers can take advantage of the
confusion to send out emails or even make phone calls to scam users into
revealing their personal information and payment card details. Users
need to be vigilant for follow-up phishing attempts in the wake of this breach.
Silence is Dangerous
While it's understandable to
want to keep information close at hand until the investigation is
complete, it doesn't help other retailers. Target is not discussing what
happened, and Neiman Marcus is even more close-mouthed about the
methods the attackers may have used. At the moment, Target has admitted
its point-of-sale software was compromised, and Reuters cites sources
who say the attackers used a RAM scraper, a type of malware
which captures the temporary data in the computer's memory. There has
been a surge in attacks using memory-parsing malware recently, and Visa
even issued alerts with technical information on how to thwart these
types of attacks last year.
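A RAM scraper works because card data sits unencrypted in a point-of-sale process's memory, even if it is encrypted on disk and on the wire. The defensive counterpart is to check your own memory captures for that exposure. The script below is an added example written for this article, not code from Target, Visa, or the researchers quoted; it scans a constructed byte buffer standing in for a process memory dump, finds track-2 records and bare card numbers with a Luhn check so random digit runs are not reported, and prints only masked results. The sample card numbers are publicly known test values, not real accounts.

```python
import re

# Constructed sample: a fake slice of memory from a POS terminal process. It
# holds one track-2 style record and one bare PAN (both well-known test
# numbers), plus a 16-digit run that fails the Luhn check and so is not a card.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v2.1\x00\x00"
    b";4111111111111111=25121011234567890000?"   # track-2 record: PAN=YYMM SVC discretionary
    b"\x00\x01\x02customer name\x00"
    b"PAN:5555555555554444\x00"                   # bare PAN (test value)
    b"1234567890123456\x00"                       # 16 digits, Luhn-invalid -> noise
)

# A card number is 13-19 digits that are not part of a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
# Track 2 as it appears on the magnetic stripe: ;PAN=YYMMSSS...?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits (the usual PCI display form), star the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return one finding per Luhn-valid PAN found in cleartext, PANs masked."""
    findings = []
    seen = set()
    # Track-2 records first: they carry expiry and service code, which is what
    # a scraper needs to clone a card, so they are the higher-severity finding.
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            seen.add(pan)
            findings.append({
                "kind": "track2",
                "offset": m.start(),
                "pan": mask(pan),
                "expiry": m.group(2).decode(),
                "service_code": m.group(3).decode(),
            })
    # Then bare PANs not already reported as part of a track record.
    for m in PAN_RE.finditer(buf):
        pan = m.group(1).decode()
        if pan in seen or not luhn_ok(pan):
            continue
        seen.add(pan)
        findings.append({"kind": "pan", "offset": m.start(1), "pan": mask(pan)})
    return findings


if __name__ == "__main__":
    for f in scan_memory(SAMPLE_MEMORY):
        print(f)
```

Run against a real capture (for example a process dump taken during incident response), a non-empty result means card data is reachable by anything that can read that process's memory; the fix is on the terminal side (point-to-point encryption in the reader, or a PIN pad that never hands cleartext track data to the host), not a better scanner.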
While it was not clear whether Target or other retailers had
implemented any of the methods to defend against these attacks, sources
told Reuters the attackers were much more sophisticated and would have
been able to bypass those measures. Based on the fact that personal
information was stolen, it was more than likely that Target's breach was
"a more widespread compromise of Target's network than simply PoS
machines," Ghosh said.
Retailers are likely investigating their networks and trying to
figure out whether they have also been affected. This is where
information sharing between retailers would be helpful.
As for you and me, maybe we should stick with cash for the time
being. It is safer, and the only thing you have to worry about is
pickpockets.