A total of 16 Hess gas stations are involved, including one in Fort Myers. We're talking about the Hess gas station located at 15260 McGregor Boulevard off Iona Road.
There is information about a security breach at Hess gas stations.
Skimming is a physical attack, which is different from what happened at Target. Special skimming devices, installed at the pump's MSR (magnetic stripe reader), read and accumulate the cardholder data, then send it to hackers through Bluetooth or a cell network. In many cases, debit PIN numbers are also stolen using fake keyboards installed over the PIN pad, or a hidden video camera set up to monitor the PIN pad's keyboard and record the keystrokes.
I don't know how and why, but Isracoin -- a new Israeli cryptocurrency -- is already in 5th place by market capitalization. It is partially premined, which means that a solid part (10%) of the total final supply is being distributed by some group of people based on their own criteria (we know neither the people nor the criteria). Pre-mining contradicts the basic principles of Bitcoin: independence and decentralization. In addition, the national character of this currency (the name associated with the Israeli state and the fact that a part of the premined supply is provided only to Israeli citizens) contradicts another basic principle of crypto currencies - globalization. At first glance, besides the national attributes, Isracoin does not have any additional special features that would motivate people to prefer it over Bitcoin, Litecoin, or other crypto currencies.
Interesting report on various aspects of Bitcoin. Unfortunately, whether intentionally or not, the merchant acceptance figures are missing. The PDF version is available for download here.
This article in The New York Times blog is another example of the fallacy of tokenization.
That is a gap that tokenization is meant to fill. The technology works behind the scenes of a digital transaction: Customers still put in their card number, but software then transforms that information into a one-time token — a randomly generated code — that is sent through the payment-processing chain. Thieves who intercept the code can do little with it without the means to unscramble the token.
This description is untrue. Tokenization does not work this way. In order to get authorization for the credit card charge, the point of sale system still needs to send the full card data (the content of magnetic track 1 or 2) to the payment processing server. Such data cannot be just "transformed into a one-time randomly generated token" because the server system must be able to recognize and process it. So the card data should be encrypted using another technology called point-to-point encryption (P2PE), which is different from tokenization. Only after the card data is decrypted and processed at the payment processor's data center can it be tokenized using the method described above, and the resulting token can be returned to the point of sale system. There are P2PE systems that are able to produce format-preserving encryption, so the resulting encrypted data looks similar to the original input, which may be what created the confusion. But in any case, the data produced by such a system is not "randomly generated", it's not a token, it's done in hardware rather than software, and the system is called P2PE and not tokenization. Unfortunately, such misunderstanding and overestimation of tokenization is very common.
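The order of operations described above, as an added sketch that is not code from the article or from any real payment system: the reader encrypts track data (P2PE), the processor decrypts and authorizes on the real card number, and only then issues a random token from its own vault. The class names, the SHA-256 keystream standing in for the reader's hardware cipher, the Luhn check standing in for the issuer's decision, and the track 2 string are all assumptions made for the illustration.

```python
import hashlib
import secrets

def xor_stream(key, nonce, data):
    # Stand-in cipher for this sketch only; a real P2PE reader encrypts in hardware.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def luhn_ok(pan):
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        return False
    digits = [int(c) for c in reversed(pan)]
    return (sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])) % 10 == 0

class CardReader:
    """P2PE side: track data is encrypted before the POS software ever sees it."""
    def __init__(self, key):
        self._key = key
    def swipe(self, track2):
        nonce = secrets.token_bytes(12)
        return nonce, xor_stream(self._key, nonce, track2.encode())

class Processor:
    """Processor side: decrypt, authorize on the real PAN, only then tokenize."""
    def __init__(self, key):
        self._key = key
        self._vault = {}  # token -> PAN; the mapping never leaves the data center
    def authorize(self, nonce, blob):
        track2 = xor_stream(self._key, nonce, blob).decode("ascii", "replace")
        pan = track2.strip(";?").split("=")[0]
        if not luhn_ok(pan):  # stand-in for the issuer's authorization decision
            return False, None
        token = secrets.token_hex(8)  # random: no mathematical link to the PAN
        self._vault[token] = pan
        return True, token
    def detokenize(self, token):
        return self._vault.get(token)

def run_demo():
    key = secrets.token_bytes(32)  # shared by reader hardware and processor
    reader, proc = CardReader(key), Processor(key)
    track2 = ";4111111111111111=30121010000000000000?"  # constructed test track 2
    first = proc.authorize(*reader.swipe(track2))
    second = proc.authorize(*reader.swipe(track2))
    # A made-up "token" sent in place of card data gives the processor nothing to charge.
    bogus = proc.authorize(*reader.swipe("a3f9c2e17b8d4f60"))
    nonce, blob = reader.swipe(track2)
    return first, second, bogus, blob, proc.detokenize(first[1])
```

The same card yields a different token on each authorization, and the token maps back to the card number only through the processor's vault, while the encrypted blob is what actually travels from the reader.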
You can send your virtual PayPal dollars and in exchange get a physical piece of plastic with bitcoin private and public keys. It can be a good gift idea for the next bitcoin presentation! Note that you pay for both shipment and activation. It sounds like another line of service provider business is building up around the bitcoin network, in addition to multiple exchanges, wallets, payment processing, mining pools, etc.
How do I use my card?
Interesting opinion on the application of beacon technology in retail. I would agree.
if it’s not executed properly, it could be interpreted as a violation of privacy
it’s highly untested, and improper execution could do more harm than good.
beacons border “on the edge of cool and creepy”
This essay was previously published by VentureBeat on March 26, 2014
Trustmark National Bank and Green Bank, N.A. filed a class action lawsuit on March 24 against Target and Trustwave, which is Target’s Qualified Security Assessor (QSA), over the recent card data breach. Trustwave is a big security firm, and QSA services are one of its main lines of business.
But the lawsuit contains some questionable interpretations of the Payment Card Industry Data Security Standard (PCI DSS).
The lawsuit claims:
“Under PCI DSS, merchants like Target are required to encrypt customer names, payment card numbers, expiration dates, CVV codes (Card Verification Value codes), and PIN numbers (“Track Data”).”
This is wrong. PCI DSS requires encryption only for sensitive cardholder data stored on hard drives or transmitted over public networks (like the Internet). Data in computer memory and data on local networks can remain unencrypted, which is allowed by PCI DSS, and such an environment would still be PCI compliant.
The lawsuit also states, “The fact that the three-digit CVV security codes were compromised shows they were being stored.”
This is wrong for the same reason. The fact that CVV codes were compromised does not mean they were being stored. They could be stolen either from memory using RAM scraping techniques or from the local network using network sniffers (there are many other methods, but those two are the most common). And as I said before, PCI DSS does not require encryption of sensitive cardholder data (including CVV) in memory or on a local network. Those are only two short statements from the large lawsuit, but they show that even if the merchant (Target in this case, but it can be anyone else) is PCI compliant, it is not safe from a security breach.
In addition, or maybe even instead of PCI DSS measures, merchants and their payment processors should implement special security technologies such as P2PE (point-to-point encryption), which protects the sensitive cardholder data from the moment it enters the card reader and makes it virtually inaccessible to hackers.
One thing to keep in mind here is that this lawsuit could set a precedent (if Trustwave is found liable), where the PCI security auditor is responsible for card data breaches even when the company they are auditing is fully in compliance with the PCI DSS.
The Bitcoin ATM was installed by Coinage, LLC in Mountain View, CA at the Hacker Dojo community center.
What makes this bitcoin ATM experience special is that a user is greeted by a person, ready to answer any questions. Additionally, the ATM uses “biometric authentification”, allowing for extra security. Users will need their government issued ID’s, a personal verification number, and will have their face scanned and palm printed before having access to the bitcoin hardware.
There are Android (malware) apps with crypto-currency mining capabilities.
This malware is involved in the mining for various digital currencies, including Bitcoin, Litecoin, and Dogecoin.
The apps were injected with the CPU mining code from a legitimate Android cryptocurrency mining app; this code is based on the well-known cpuminer software.
The coin-mining apps discussed above were found outside of the Google Play store, but we have found the same behavior in apps inside the Google Play store. These apps have been downloaded by millions of users, which means that there may be many Android devices out there being used to mine cryptocurrency for cybercriminals.
My article in VentureBeat:
Lawsuit against Target and Trustwave gets the security standard all wrong.
This lawsuit could set a precedent, where the PCI security auditor is responsible for card data breaches even when the company they are auditing is fully in compliance with the PCI DSS.