
Comment Re:Why are they storing this data anyway? (Score 4, Insightful) 213

I have been doing card processing for a living for 7 years now. The pin, of course, has to go over the wire along with the track2 data. How exactly that happens can differ greatly though. Larger merchants are more likely to use some sort of middleware processing software, and that introduces weaknesses. In many cases communication between the POS and middleware is plaintext. Scooping this data up would be trivial, but PCI mandates that unencrypted data has to be segregated off the network from non-PCI stuff. This makes things a bit trickier for an attacker.

As for Target, here's my take: This is the only information in the press release:

The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.

To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.

If they were using "true" end-to-end encryption, there are no known attacks other than card skimmer magic*. If that was the case, there wouldn't be much of an investigation, as the facts (and scope) would be pretty clear.

That leaves a network packet monitor attack, a database related breach/attack, log file snarfing (depending on the vendor, log files can contain a LOT of data.), or something I'm not thinking of.

I find it odd that they say that PINs have been pilfered, but not the card numbers. That, to me, suggests a DB related attack, and the attackers only got the PIN table/columns. A list of PIN numbers though, of course, is completely useless (8374 - Here's a free one) on its own. Decrypting them should be trivial, given the limited number of possible PIN numbers, even if the table was salted. But again, what would be the point. I'm guessing that the next release will say that card numbers were compromised as well.

As for the 3DES part, it just doesn't make any sense. As other people have already said, 3DES is symmetrical, so saying they don't have the key is impossible. My guess is that they are actually using SSL (which could then in turn negotiate a 3DES key). If that is the case, then each session key would be unique, and Target would never have "access" to it as it would only exist in RAM.

To my knowledge. I'd be happy/interested if someone could prove me wrong here.
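The comment's point that a stolen PIN table is trivial to recover "even if the table was salted" comes down to the size of the PIN space: there are only 10,000 four-digit PINs, and a salt is stored right next to the hash it protects. The script below is an added illustration, not part of the comment above or of any vendor's code; every PIN, salt and key in it is constructed. It stores the same PINs two ways, a salted SHA-256 hash and a keyed HMAC whose key is not in the table, then runs the same 10,000-guess enumeration against both rows.

```python
"""Why a salt does not protect a 4-digit PIN, while a key held outside the table does.
Added illustration with constructed values only; no real card data."""
import hashlib
import hmac
import secrets

# The entire 4-digit PIN space: "0000" .. "9999". This is the whole problem.
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]


def salted_hash(pin: str, salt: bytes) -> bytes:
    # Per-row salt defeats precomputed tables, but the salt sits in the same
    # table the attacker just copied, so it is not a secret.
    return hashlib.sha256(salt + pin.encode("ascii")).digest()


def keyed_mac(pin: str, key: bytes) -> bytes:
    # The key is the secret. In a payment system it lives in an HSM and never
    # reaches the database; offline enumeration then has nothing to test against.
    return hmac.new(key, pin.encode("ascii"), hashlib.sha256).digest()


def enumerate_salted(digest: bytes, salt: bytes):
    """Offline search by someone holding (digest, salt). Returns (pin, guesses)."""
    for guesses, pin in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(salted_hash(pin, salt), digest):
            return pin, guesses
    return None, len(PIN_SPACE)


def enumerate_keyed(digest: bytes, guessed_key: bytes):
    """Same search against the keyed column, using whatever key the attacker
    guesses. Without the real key no PIN in the space matches."""
    for guesses, pin in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(keyed_mac(pin, guessed_key), digest):
            return pin, guesses
    return None, len(PIN_SPACE)


def build_rows(pins, key: bytes):
    """Constructed 'PIN table' with both storage styles side by side."""
    rows = []
    for pin in pins:
        salt = secrets.token_bytes(16)
        rows.append({
            "salt": salt,                      # stored with the row
            "salted": salted_hash(pin, salt),  # weak: enumerable in <= 10,000 tries
            "keyed": keyed_mac(pin, key),      # key is NOT in the row
        })
    return rows


def demo():
    """Returns (pins recovered from salted column, pins recovered from keyed column)."""
    key = secrets.token_bytes(32)              # constructed; would live in an HSM
    pins = ["8374", "0000", "1234"]            # constructed sample PINs
    rows = build_rows(pins, key)
    salted_hits = [enumerate_salted(r["salted"], r["salt"])[0] for r in rows]
    keyed_hits = [enumerate_keyed(r["keyed"], b"\x00" * 32)[0] for r in rows]
    return salted_hits, keyed_hits


if __name__ == "__main__":
    recovered, not_recovered = demo()
    print("salted column recovered:", recovered)       # every PIN
    print("keyed column recovered: ", not_recovered)   # nothing
```

The defensive takeaway matches the comment's reading of the press release: a PIN must be protected by encryption under a key that is never stored beside the data (the Triple DES PIN-block encryption at the keypad that Target describes, with the key in a hardware security module), not by a hash, because any unkeyed transform of a 10,000-value space can be inverted offline in at most 10,000 attempts per row.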

Comment Re:I do this (Score 2, Informative) 365

set it to a collision that's double the actual speed they were driving while caught texting. (In other words, head-on collision with another vehicle doing the same speed

Actually, that is false. A head on collision with a vehicle of the same mass would be no different than the indestructible brick wall. Yes, when you add a second vehicle to the mix, you are doubling the amount of moving mass, but the absolute speed remains constant. In the end, the delta V is the same in both scenarios: X to 0. Now that we know that the delta V is the same, we just have to account for the deceleration rate, which is basically the same as the duration of the impact (crumple zones and all that). Since we have identical cars, they will deform at the same rate, acting as each others' brick wall. Once they collide, they would be exerting identical force on each other, so the front bumpers would remain in the same location, just like the brick wall. Since the front of your car can no longer move forward, the collision happens, and the body of your car absorbs the energy required to decelerate to 0. The energy released when two cars collide is doubled, but it is also spread over twice the area (i.e., now you have 2 wrecked cars).

Submission + - How Broken Is The Internet?

rueger writes: The NSA (or your local variant) can capture or watch everything that you do on-line. Hacker/hacktivist/script kiddie groups shut down or deface large websites on a regular basis. Large companies attain market dominance then arbitrarily change terms and conditions, eliminate features and tools that millions of people use, and then sell your private information to the highest bidder. Companies as big as Adobe and as small as the town that I live next to get hacked, with customer data disappearing into places unknown. And we, the end users, are forced into computational gymnastics trying to satisfy password, user ID, captcha, and multi level authentication requirements that offer more of an obstacle than a protection.

There are now web sites that I don't use because of pop-ups; because I can never manage to actually remember the obscure password that I had to create, because they're paywalled, or because they've totally ruined their interface in the name of progress. Or that haven't bothered to update their code so that it functions on a mobile device. Or that bury real content under a deluge of advertising.

And of course there's The Cloud, a non-existent place where data floats around under the control of some other corporation, and where there's always a more than minimal chance that one morning the company, or just your data, will disappear. As in, what happens when the imps that hacked Adobe, or a government web site, manage to get into Amazon or Microsoft's cloud operations?

So, I ask: just how broken is the Internet today? And what can be done to fix it?
