> Swipe transactions are perhaps easiest to describe. The data encoded on the magnetic stripe is static, formatted according to ISO7813 in three tracks, with the third one typically unused. One of the fields in this track layout is the Card Validation Code (CVC) or CVC1, which serves as a cryptographic integrity check on the track contents.
I think that makes sense from someone who doesn't understand how the security of credit cards works. But if an online purchase requires one to give up the CVV code, then verifying a physical card would also require one to be able to read that code.
The back side of the card contains the CVV2 code; I'm pretty sure that it's not recorded on the magnetic tape. Probably that difference should be mentioned in the original article.
The CVV2 is intentionally not stored on the card to make shopping online or over the phone with a skimmed card more difficult.
If Target has the CVV2 included in this data dump they're in for a whole world of hurt from the credit card companies since storing that number for any longer than it takes to verify a transaction is utterly forbidden.
They would not be storing the CVV2, as they would not collect that at POS (and if someone does ask you for that when you swipe your card, be very suspicious). It's the CVV1 that they've stored, which is still utterly forbidden by the PCI standards.
A: Target isn't saying how it happened. Industry experts note that companies such as Target spend millions of dollars each year on credit card security, making a theft of this magnitude particularly alarming."
The article starts out by stating, "The stolen data includes customer names, credit and debit card numbers, card expiration dates and the three-digit security codes located on the backs of cards."
I guess, then, that the 'millions' spent budget didn't include basic compliance measures. Next time, Target might as well take out an ad in the NYT with all this info, though... It'd be less effective than what's already happened to them.
> Is the CVV code the same as the three digit code on the back of my card?
> No, the CVV code is not the same as the security code on the back of your card. As of now we have no indication that the three digit code on the back of the card has been impacted.
There are two CVV codes, CVV1 and CVV2. CVV1 is on the magstripe but not printed on the card. CVV2 is printed on the card but not on the magstripe (it's the three digit code printed on the back).
It sounds like Target was storing the CVV1 code (which they shouldn't have been), but there's no way they could have the CVV2 code, since the POS computer never sees it.
This means that the stolen data could be used to make a cloned card for physical purchases, but couldn't be used for an online purchase (unless the online store doesn't ask for the CVV2).
If the POS terminals were compromised, attackers could have retrieved CVV1 numbers at the point of reading the card. In other words, it's still possible Target complied with the PCI requirement of not storing CVV numbers. But since nobody knows how the attack happened, it's all just speculation.
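The ISO 7813 track layout from the first comment, and the CVV1/CVV2 split discussed in the comments above, as an added example (not code from any commenter or from the original article). It parses Track 1 and Track 2 as a swipe reader would deliver them, Luhn-checks the PAN, and shows which parsed fields a merchant may keep after authorization versus the discretionary data where the issuer places CVV1. The track strings, the cardholder name and the discretionary contents are constructed test data; 4111111111111111 is the well-known Visa test PAN. Note that no field for CVV2 exists anywhere in the parsed structure: it is simply not on the stripe.

```python
"""ISO 7813 magnetic-stripe track parser (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Optional

# Track 1: %<format code><PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%(?P<fc>[A-Z])(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

# Constructed sample swipe data (test PAN, fictitious name and discretionary data).
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121011000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=25121011000000000000?"


@dataclass
class Track:
    track: int
    pan: str
    expiration: str         # YYMM
    service_code: str
    discretionary: str      # issuer-defined; CVV1/CVC1 is encoded in here
    name: Optional[str] = None
    # Deliberately no cvv2 field: CVV2 is printed on the card, never encoded.


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check that every PAN on a real card must pass."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _build(track: int, m: "re.Match", name: Optional[str]) -> Track:
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check: misread or forged track")
    return Track(track, pan, m.group("exp"), m.group("svc"),
                 m.group("disc"), name)


def parse_track1(data: str) -> Track:
    m = TRACK1_RE.match(data)
    if not m:
        raise ValueError("not a valid ISO 7813 track 1 record")
    return _build(1, m, m.group("name"))


def parse_track2(data: str) -> Track:
    m = TRACK2_RE.match(data)
    if not m:
        raise ValueError("not a valid ISO 7813 track 2 record")
    return _build(2, m, None)


def mask_pan(pan: str) -> str:
    """PCI DSS truncation format for display: first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storable_after_auth(t: Track) -> dict:
    """Fields PCI DSS allows a merchant to retain after authorization.

    Full track data and the discretionary field (hence CVV1) are dropped.
    The PAN is kept only in truncated form here; if a full PAN must be kept it
    has to be rendered unreadable (encryption, tokenization or hashing).
    """
    return {
        "pan_masked": mask_pan(t.pan),
        "name": t.name,
        "expiration": t.expiration,
        "service_code": t.service_code,
    }


if __name__ == "__main__":
    t1 = parse_track1(SAMPLE_TRACK1)
    t2 = parse_track2(SAMPLE_TRACK2)
    print("track 1:", t1)
    print("track 2:", t2)
    print("retainable:", storable_after_auth(t1))
```

Run on the constructed swipe, both parsers yield the same PAN, expiration and service code; the discretionary field is present in the parsed record (that is what a memory-scraping POS compromise would capture) but absent from `storable_after_auth`, which is the most a compliant merchant should ever have on disk.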
It bugs me when these guys just offer the advice to go back and check your statement for suspicious activity. When 40 million cards are stolen, it's not as if the thief/thieves are going on a personal buying spree. They obviously intend to sell the cards on the black market.
So, their advice to not replace cards is irresponsible and literally helps the thieves to confirm to potential buyers that the cards are likely still good.
And, of course, once your card is exposed you're always at risk of future fraud. Are we all just supposed to be paranoid now (moreso than usual, that is)?
http://www.businessinsider.com/target-credit-card-hackers-20...
On HN the main discussion is here:
https://news.ycombinator.com/item?id=6934248 (cbc.ca) (66 comments and counting)
Another discussion:
https://news.ycombinator.com/item?id=6930258 (krebsonsecurity.com) (8 comments)
Other submissions:
https://news.ycombinator.com/item?id=6935413 (boingboing.net)
https://news.ycombinator.com/item?id=6935142 (cnn.com)
https://news.ycombinator.com/item?id=6934595 (target.com)
https://news.ycombinator.com/item?id=6934535 (securityweek.com)
https://news.ycombinator.com/item?id=6934216 (wsj.com)
https://news.ycombinator.com/item?id=6934038 (rt.com)
https://news.ycombinator.com/item?id=6933163 (chicagotribune.com)
https://news.ycombinator.com/item?id=6932782 (usatoday.com)
https://news.ycombinator.com/item?id=6932186 (arstechnica.com)
https://news.ycombinator.com/item?id=6932141 (theverge.com)