It is ludicrous that 16 digits, a month/year and a three digit code internal CVC1 are essentially all the information anyone needs to steal anything -- and its all already on the stripe! It's a system that is broken by design. I'm actually very surprised this didn't happen 15 years ago. Ironically, the CC companies were so worried about online fraud that they actually put in a few features for "non-verified" transactions that query the back end for more information (name, address, zip code, that 3 digit CVC2 printed on the back).

But for face-to-face, those 22 digits are all that matters.

And we computer geeks have had these useful -- and provably secure -- things called private/public keys for decades now -- that people use daily without even knowing it while they web browse all the time.

Its time the banks switched over to them for their Credit and debit transactions.

And as a side story: my wife's debit card number was actually one of the first ones detected. This was on the Tuesday before the details were first released on Friday.

She used the card at a gas station that morning, then attempted to use it an hour later after a haircut and it was declined. She had me call the credit union, they asked if she was in San Diego as someone had just made a purchase of exactly $200 at JCPenny. Someone had made another physical card using an exact copy of her magnetic stripe information. The card itself could have had anyone's name on it. Half an hour later they had attempted another transaction of $150 at, ironically, the Target down the street.

They had her stop by and get a new card and that was that. I being a computer security guy figured it was some kid who added software to copy the stripe information from a gas pump they worked at which is a really obvious place for this fraud.

Three days later my Computer Security fraud blogs I follow were all abuzz about Target getting millions of number stolen and then I knew. It matched what happened to her perfectly.

The original text-based OS on NCR hardware was on a closed network with proprietary POS software; the register computers didn't have IP addresses, and could only communicate with the local back-office server. I think they used NetBEUI (my networking knowledge is not thorough and I know very little about non-IP stuff). When we upgraded to the new Fujitsu hardware and a different proprietary POS software on Windows 2000, it was all IP-based. You could reach any register in any store from any other register. The stores were all on one /16 segment, though, and I believe that segment was firewalled.

Now, I left H&M almost seven years ago, and I'm sure their networking setup has had some dramatic changes since then. So by now the stores could very well be closed, and maybe even each store has its own firewall.

--
"Being Irish, he had an abiding sense of tragedy, which sustained him through temporary periods of joy." - Yeats

Here's how I see it happening:

1) Hackers manage to hack into the network that Target uses for POS connectivity.
2) They use this network hack to access the actual POSs and discover a vulnerability.
3) They create a compromise based on this vulnerability and push it to all of the POS's on the network and collect some card numbers as a proof of concept.
4) Once they know it works, they fan out to other Targets, infiltrate the networks, and push out the software update.

Could they go up to the Target corporate network, or the data warehouse? Maybe, but it's not really necessary.

the CEO is obfuscating. The malware on the POS systems is where they harvested the data, but that's not where the hack started. I'm sure they are on a private network, but there are going to be several dual homed systems that sit on that network as well as one that has an internet connection. There's also the thought that this was at least on some level an inside job.