News on Christmas Eve remains focused on two stories: the Target payment card breach, and Reuters' allegation of RSA collusion with NSA to weaken encryption.
Both Target and the banks that issue the affected payment cards are working to contain the damage to consumers' accounts (and their brands' reputations). While PR experts generally give Target's communication with customers high marks, class-action litigation has already begun, and five US states' attorneys general have requested information on the incident. (Indeed, Target has invited all states' attorneys general to a conference call with its corporate counsel.) The US Department of Justice has opened a criminal investigation of the theft. Financial analysts predict the cost of issuing replacement cards will be high.
Two interesting tactical notes emerge from the breach. First, "decoupled debit cards" like Target's own Red Card have turned out to be less interesting to the criminals, and therefore now seem to have a security upside. Such decoupled cards (which draw funds from a separate issuer) had hitherto been regarded primarily as low-end bankcard alternatives.
Second, stolen cards are being marketed with the location of the stores where they were used, enabling local (and thus less obviously fraudulent) criminal exploitation.
RSA categorically denies having been paid by NSA to use a knowingly weakened encryption algorithm, but many critics claim that the algorithm in question had been suspect for years. (How much of such criticism depends on hindsight remains unclear.)
Reports claim the Japanese government wants US help developing offensive cyber capabilities.