1.1 MILLION customers' credit card data was swiped in Neiman Marcus breach

US luxury retailer Neiman Marcus has confirmed that details from 1.1 million customers' cards were stolen in a recently detected high-profile breach. Card details were lifted after hackers successfully planted malware on payment systems over a period that ran between 18 July and 30 October last year, far earlier than …


This topic is closed for new posts.
  1. Anonymous Coward

    It looks like Easy Solutions don't really understand that much about what chip and pin is and what it isn't.

    They seem to go with the "the magstripe can still be cloned even with a chip and pin card" shocker as well as misunderstanding the role of the PED and POS device and where data is and isn't encrypted.

  2. Mage Silver badge
    Black Helicopters

    Chip & PIN

    Simply hides fraud and allows the bank to claim the user was at fault.

    Also the STUPID bank POS doesn't ask Bank if PIN is correct, but asks card! You can make a fake card that simply replies "yes" for ANY PIN.

    Also in Chip & PIN countries the criminals are installing fake readers (in one case actually IN a bank!). As the article points out the issue isn't really Chip & PIN but compromised POS systems, vulnerable Web servers (In Ireland & UK, credit card numbers and rear code pinched from a "reward loyalty card" system that should never have had ANY such information). and even Back Office systems (The Remaindered Stock Retailer).

    Fraud is endemic and the Banks admit as little as possible. It's mostly due to incompetently designed systems. People Errors. Computer Error? No Rubbish outsourced systems. Management Errors!

    1. Anonymous Coward

      Re: Chip & PIN

      Assuming you could make a card that will just say yes, how do you handle establishing the crypto between the PED and the card?

      Also an online check of the pin is possible, can even be required, the chip is rather more complex than you seem to understand.

    2. Hans 1

      Re: Chip & PIN

      What ? You guyz do not have chip & PIN - wow, amazing !

      Of course, chip and PIN do not alleviate the problem completely, they just make it that little bit harder for the villains and should have been made compulsory back in the 80's. Every time I am in the US, I always fear for my card details, I know I can only trust ATMs inside banks and even then.... I always hide the keyboard when I type ... my bank does call me when something fishy happens ... somebody tried to use my "card" to buy $800 worth of clothes in Dallas, when I was in the UK at the time ... cancelled card etc - nice when you are abroad.

      The other problem being wide-spread use of Windows-based POS software. It would help a lot if you had different OSes out there - the guyz would first have to find out which OS ... with Windows they know the barn door is wide open and tools are readily available. They should probably use OpenBSD or QNX, but hell, what do you think natural born window cleaners know about IT.

    3. Tree

      Re: Chip & PIN

      Rather Chip, Pin & Windows. Sorry, but Windows ME, CE or Windows (hate) 8 can all get their pockets picked by those who know how. That secret PIN is recorded along with the output of the chip and can be stolen and used to buy other stuff. Please pay cash. Quid and Change.
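The exchange above between Mage and the first Anonymous Coward turns on where the PIN is actually checked. As an added illustration that is not part of any comment in this thread, the following simplified model (not EMV code, and not from any vendor) contrasts the three cases: offline PIN, where the terminal sends VERIFY to the chip and trusts its status word; online PIN, where the issuer checks the PIN and the chip is never asked; and a "yes card" that answers 9000 to any PIN but holds no issuer key. The per-card key, the HMAC standing in for the ARQC, the `PIN_VERIFIED` marker standing in for the card verification results, and the PAN, PIN and amounts are all constructed for the example; real EMV derives 3DES/AES session keys, carries the CVR inside issuer application data, and also lets DDA/CDA cards authenticate the chip offline, none of which is modelled here.

```python
"""Simplified model of EMV PIN verification: offline (card checks the PIN),
online (issuer checks the PIN), and what a 'yes card' can and cannot fake."""
import hashlib
import hmac
import os
from typing import Union

# Constructed demo secret: a real issuer master key never leaves an HSM.
ISSUER_MASTER_KEY = b"demo-issuer-master-key"

SW_OK = b"\x90\x00"          # ISO 7816 status word: command succeeded
SW_PIN_WRONG = b"\x63\xc2"   # 63Cx: PIN wrong, x retries left


def card_key(pan: str) -> bytes:
    """Per-card key derived from the issuer master key (stands in for EMV key derivation)."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def cryptogram(key: bytes, txn: bytes, cvr: bytes) -> bytes:
    """Stand-in for the ARQC: a MAC over the transaction data and the card's PIN result."""
    return hmac.new(key, txn + b"|" + cvr, hashlib.sha256).digest()[:8]


class GenuineCard:
    def __init__(self, pan: str, pin: str):
        self.pan = pan
        self._pin = pin
        self._key = card_key(pan)      # personalised into the chip, never readable
        self._pin_verified = False

    def verify(self, pin: str) -> bytes:
        """VERIFY command: offline PIN check performed by the chip itself."""
        self._pin_verified = hmac.compare_digest(pin.encode(), self._pin.encode())
        return SW_OK if self._pin_verified else SW_PIN_WRONG

    def generate_ac(self, txn: bytes) -> tuple[bytes, bytes]:
        """GENERATE AC: report the PIN result and MAC it together with the transaction."""
        cvr = b"PIN_VERIFIED" if self._pin_verified else b"PIN_NOT_VERIFIED"
        return cvr, cryptogram(self._key, txn, cvr)


class YesCard:
    """Cloned chip that answers 9000 to any PIN but holds no issuer key."""
    def __init__(self, pan: str):
        self.pan = pan

    def verify(self, pin: str) -> bytes:
        return SW_OK                               # "yes" for ANY PIN

    def generate_ac(self, txn: bytes) -> tuple[bytes, bytes]:
        return b"PIN_VERIFIED", os.urandom(8)      # claims PIN OK; cryptogram is a guess


class Issuer:
    def __init__(self, pins: dict[str, str]):
        self._pins = pins

    def verify_pin_online(self, pan: str, pin: str) -> bool:
        """Online PIN: the issuer, not the card, is asked."""
        return hmac.compare_digest(pin.encode(), self._pins.get(pan, "").encode())

    def authorize(self, pan: str, txn: bytes, cvr: bytes, arqc: bytes,
                  pin_checked_online: bool = False) -> str:
        expected = cryptogram(card_key(pan), txn, cvr)
        if not hmac.compare_digest(expected, arqc):
            return "declined: cryptogram does not verify"
        if cvr != b"PIN_VERIFIED" and not pin_checked_online:
            return "declined: PIN not verified"
        return "approved online"


def transaction(card: Union[GenuineCard, YesCard], entered_pin: str, amount_cents: int,
                issuer: Issuer, mode: str) -> str:
    """Terminal flow. mode is 'offline' (approve on the card's say-so, e.g. below the
    floor limit), 'online' (send the cryptogram to the issuer) or 'online_pin'."""
    txn = f"{card.pan}|{amount_cents}".encode()
    if mode == "online_pin":
        if not issuer.verify_pin_online(card.pan, entered_pin):
            return "declined: issuer rejected PIN"
        cvr, arqc = card.generate_ac(txn)
        return issuer.authorize(card.pan, txn, cvr, arqc, pin_checked_online=True)
    if card.verify(entered_pin) != SW_OK:
        return "declined: card rejected PIN"
    cvr, arqc = card.generate_ac(txn)
    if mode == "offline":
        return "approved offline on the card's PIN answer"
    return issuer.authorize(card.pan, txn, cvr, arqc)


if __name__ == "__main__":
    pan, issuer = "4111111111111111", Issuer({"4111111111111111": "1234"})
    for card, pin, mode in [(GenuineCard(pan, "1234"), "1234", "online"),
                            (YesCard(pan), "0000", "offline"),
                            (YesCard(pan), "0000", "online"),
                            (YesCard(pan), "1234", "online_pin")]:
        print(type(card).__name__, mode, "->", transaction(card, pin, 4999, issuer, mode))
```

The model shows both commenters' points at once: a chip that says "yes" to any PIN is accepted whenever the terminal approves offline on the card's status word alone, but the moment the transaction goes online the issuer recomputes the cryptogram with a key the cloned chip never had, and with online PIN the card's opinion of the PIN is not even consulted.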

  3. Anonymous Coward

    This is why...

    ...hackers should be executed.

  4. Anonymous Coward

    Americans are so stupid.

    It is known.

  5. Combat Wombat

    Yet more XP related issues

    All the POS devices are running windows XP and they likely aren't being patched or maintained.

    You see the same thing all over the place. I remember doing work for a metal shop who had a virus box somewhere on the network.

    Turned out it was the automated CNC machine, which was running XP SP 0 and according to the manufacturer could in no way be patched, updated or even have AV loaded on it.

    It got put on its own little isolated DMZ in very short order.

    You are going to see more and more of these hacks, as XP gets older and older and POS providers drag their feet with the replacements.

    1. Tom 13

      Re: Yet more XP related issues

      I wouldn't necessarily tag it to only the POS providers. There's a fair bit of corporate foot dragging that goes with it, and it becomes a viciously reinforcing process. A buddy of mine did fast food, learned the POS system, then went to work for the POS vendor. They were constantly looking at new systems and deployments, but customers (the actual POS users) only moved so fast.

      But yeah, it's gonna keep getting worse.

  6. pacman7de

    Shortening the remediation Window

    "Security researchers at Cisco have published a blog on detecting future payment card compromises and shortening the remediation window for such attacks"

    The solution is not to use Windows on ATMs. The original software required a visit from two technicians that required entry of two unique serial numbers from a handheld device. Neither of the technicians had access to the numbers and as such hacking the devices was next to impossible.

    1. Anonymous Coward

      Re: Shortening the remediation Window

      Yes because you can be sure the criminals won't bother to try to attack Linux, it's not as if there's loads of money to act as an incentive. Oh, hang on...

      1. Anonymous Coward

        Re: Shortening the remediation Window

        Besides, they're less exploiting the OS and more exploiting the actual software doing the hauling, and Linux is no panacea, given it's from them we got the term "pwning" and "rooting" as euphemisms for privilege escalation.

        1. T. F. M. Reader Silver badge

          Re: Shortening the remediation Window

          @AC: "Linux is no panacea, given it's from them we got the term "pwning" and "rooting" as euphemisms for privilege escalation."

          I don't think anyone argues that "Linux is a panacea", but you are utterly wrong about its relation to "pwning" and "rooting". The former apparently derives from adjacency of "p" and "o" on English keyboards. The latter is an Android term not related to security at all (you can argue that rooting an Android device is "privilege escalation", but it is not "hostile privilege escalation" that the context implies).

  7. suspicious-mind

    Is it just me?

    Every time there's another one of these mass security breaches I think, there goes the NSA again, screwing up just like every big, bureaucratic organisation that jumps into too-big IT projects.

    1. Anonymous Coward

      Re: Is it just me?

      It's just you. The NSA is too busy watching me.

  8. RedneckMother

    g-zuz, please us...

    I am surprised that so many folks can afford to shop at "Needless Markup".

    1. jake Silver badge

      Re: g-zuz, please us...

      Sad thing is, a large percentage of the idiots who shop at Needless Markups probably don't actually check their bill, line by line. They just mindlessly pay it.

      The crack (not hack![1]) that keeps on giving ...

      Corporate America really needs to place the corporate dick back into the corporate pants, and get the corporate security in hand instead.

      [1] Lack of knowledge of the difference between "hack" and "crack" is a major symptom of the problem, world-wide. I'm eyeballing you, too, ElReg, but thank you for not using either term in the article.

      1. Anonymous Coward

        Re: g-zuz, please us...

        The meanings of words change through time.

        For example, we used to use "anachronism" to describe something from the past which hangs on despite its obvious lack of purpose.

        Today we just use "jake"

        1. Anonymous Coward

          Re: g-zuz, please us...

          Bell-end used to be the end of a tent where you stored the cookware and boots that you didn't want in the main tent.

          1. jake Silver badge

            @AC 10:30 (was: Re: g-zuz, please us...)

            Last time I was in Worcestershire, Bell End was a village. Bromsgrove area, I think ... has been a year or two.

            Post a reference to your definition, please? Or are you just being a dick?

            1. Anonymous Coward

              Re: @AC 10:30 (was: g-zuz, please us...)

              Any good boy scout knows what a bell end is.

        2. jake Silver badge

          @09:58 (was: Re: g-zuz, please us...)

          "For example, we used to use "anachronism" to describe something from the past which hangs on despite its obvious lack of purpose."

          That word, anachronism, I don't think it means what you think it means. 1950s computer technology still runs most of today's governmental & banking systems ... You do know what COBOL and Fortran are, don't you?

          "Today we just use "jake"

          Who is "we", kemosabe? Methinks you are seriously confuzled. I'm not that famous. Except maybe in your eyes, perhaps.

  9. ecofeco Silver badge

    Dodi dodi dodi doe

    The derp is strong among retail companies. It starts with needlessly complicated and unreliable cash registers and ends with a needlessly complicated and unreliable back end with IPSec sucking hind tit.

    Expect more of the same for a few more years.

  10. Winkypop Silver badge

    Safe Sex-urity

    Be careful where you insert your card.

    I'll get my raincoat.

  11. TeeCee Gold badge

    "POS payment technology"

    And very aptly named it is too.

  12. Nameless Faceless Computer User

    I wonder if they're in danger of running out of numbers?

    With the first four digits identifying the bank, and a few digits for a checksum, considering there are retired numbers, are the banks in danger of running out of unique credit card numbers any time soon?

    1. Anonymous Coward

      Re: I wonder if they're in danger of running out of numbers?

      The first four digits are used to identify the card industry and issuer. The rest - typically 12 digits - are the card number and checksum digit. So there are somewhere in the region of 99 billion numbers available to each card provider.
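The question and reply above are about how a card number is laid out, and the arithmetic is easy to get slightly wrong, so here is an added worked example (not posted by either commenter). It treats a PAN as an issuer identification number prefix, a block of account digits and a final Luhn check digit, and counts how many numbers one prefix can address: only the digits between the prefix and the check digit are free, so a 16-digit PAN behind the 6-digit IIN that ISO/IEC 7812 has historically allocated gives 10^9 numbers (8-digit IINs are being introduced, which shrinks that further), while the 4-digit prefix assumed in the question would give 10^11. The block also scans a blob of text for Luhn-valid 13 to 19 digit runs, which is the same heuristic a RAM scraper or a DLP scanner uses to pick PANs out of memory, track data or logs. The log lines and track data in `SAMPLE_DUMP` are constructed; `4111111111111111` is the well-known Visa test number and `4539148803436467` is simply a Luhn-valid number made up for the example.

```python
"""Payment card number (PAN) anatomy: IIN prefix, account digits, Luhn check digit."""
import re


def luhn_check_digit(partial: str) -> int:
    """Luhn check digit for a digit string that lacks its final check digit."""
    total = 0
    # Walk right to left; the digit immediately left of the check digit is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True if the last digit of pan is the correct Luhn check digit."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == int(digits[-1])


def make_pan(iin: str, account: str, length: int = 16) -> str:
    """Assemble IIN + zero-padded account number + Luhn check digit."""
    body_len = length - len(iin) - 1
    if len(account) > body_len:
        raise ValueError("account number does not fit in the PAN")
    body = iin + account.zfill(body_len)
    return body + str(luhn_check_digit(body))


def pan_space(length: int, iin_length: int) -> int:
    """Distinct Luhn-valid PANs one IIN prefix can address. The check digit is
    determined by the others, so only length - iin_length - 1 digits are free."""
    return 10 ** (length - iin_length - 1)


# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Luhn-valid card numbers in a text blob (log, memory dump, track data), deduplicated."""
    found: list[str] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


# Constructed sample: a spaced PAN in a log line, a phone and order number that are
# not cards, magstripe-style track 1 and track 2 data, and a Luhn-invalid PAN.
SAMPLE_DUMP = (
    "2014-01-23 12:01:07 auth pan=4111 1111 1111 1111 amt=1299.00 rc=00\n"
    "2014-01-23 12:01:09 cust phone=555-0100-1234 order=1234567890123\n"
    "%B4539148803436467^DOE/JOHN^2512101?;4539148803436467=2512101?\n"
    "2014-01-23 12:02:41 auth pan=4111111111111112 amt=89.00 rc=05\n"
)


if __name__ == "__main__":
    print(pan_space(16, 6))      # 1,000,000,000 numbers behind one 6-digit IIN
    print(pan_space(16, 4))      # 100,000,000,000 if only 4 digits were the prefix
    print(make_pan("411111", "111111111"))
    print(find_pans(SAMPLE_DUMP))
```

Two things worth noting from running it: Luhn is a typo check, not a security control, since anyone can mint valid numbers with `make_pan`; and the scanner's false positives (a 13 to 19 digit invoice or order number that happens to pass Luhn) are exactly why real DLP rules also require a known IIN prefix or nearby context such as an expiry date.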

  13. Anonymous Coward

    My card got cloned this weekend

    And because I use it very rarely, it's quite easy to make a shortlist of companies that have the number - and neither Target nor N-M is on that list. It's annoying as it's the second time it's happened in less than a year, but I suppose eventually the costs will add up for the banks and the retailers for them to get their heads out of their asses and fast track Chip and PIN in the US so we can catch up with the rest of the world. It will mean I can actually use my card overseas again as fewer and fewer places outside the US even allow pay by swipe any more (even Canada and Mexico have adopted C&P).

    As it is, though, most of the cost and annoyance of card swiping and stealing is borne by the customer - I had to call and cancel my card, I have to monitor for additional fake charges, I have to update and notify accounts that have my details, etc etc etc.


Biting the hand that feeds IT © 1998–2020