Attacks/Breaches
12/21/2013
09:00 AM
0%
100%

Target Breach: 10 Facts

Experts advise consumers not to panic as suspicion falls on point-of-sale terminals used to scan credit cards.

Just in time for the holidays, Target confirmed Thursday that its systems were breached.

Thanks to the breach, one or more attackers successfully stole 40 million credit card numbers. Anyone who used a credit or debit card in any of Target's US stores between November 27 and December 15 may be a victim. Target.com users and customers at Target stores in Canada are not affected.

The Target attackers gained access not only to card numbers, but also card expiration dates, CVV codes, and cardholders' names. As a result, they could use the stolen information to make fraudulent purchases via phone or online as well as to create working counterfeit credit cards.

[For more on the Target breach, see Target Confirms Hackers Stole 40 Million Credit Cards.]

How did hackers likely steal the credit card data, and what should consumers who may have been affected by the breach do next?

Here's what we know about the breach, its likely repercussions for affected cardholders, and how they should respond:

1. Target declines to comment on data encryption questions.
How did hackers manage to steal 40 million cards? That's a pertinent question, since any retailer that stores credit card data, according to the Payment Card Industry Data Security Standard (PCI-DSS), is required to encrypt that data. Furthermore, if the data is properly encrypted in transit and at rest, it shouldn't be of any use to attackers.

"This is a breach that should've never happened," Forrester analyst John Kindervag said in an emailed statement. "The fact that three-digit CVV security codes were compromised shows they were being stored. Storing CVV codes has long been banned by the card brands and the PCI [Security Standards Council]."

Reached via email, a Target official declined to respond to questions about whether the retailer had stored the stolen card data in encrypted format, or whether it had been certified as PCI-compliant. "We continue to invest in our security practices to protect our guests' information including the retention of a leading third-party forensics firm to conduct a thorough investigation of this incident," Target spokeswoman Molly Snyder said via email. "We apologize for any inconvenience this has caused our guests."

Target has also declined to address how attackers got their hands on the data in the first place. "As this is an ongoing investigation, we don't have additional details to share on the questions you asked," said Snyder.

2. Malware, point-of-sale apps, and insiders suspected.
The fact that the Target data breach didn't touch its e-commerce operation, but rather its stores, suggests that attackers gained access to information that was gathered via point-of-sale (POS) terminals -- a fancy name for electronic cash registers.

Hord Tipton, executive director of (ISC)2, said in an emailed statement that attackers likely infected massive numbers of POS terminals with malware. "It's one thing to compromise or affect one machine, but to get all of them begs the question of how this was plotted out in the first place," Tipton said. "How were the hackers so efficient? From what I can tell, it looks like an insider threat -- someone on the inside probably helped."

Alternately, attackers may have been able to remotely tap into the POS terminals by exploiting vulnerabilities in their built-in Web servers, Bala Venkat, the chief marketing officer for Web application security vendor Cenzic, said in an emailed statement. "When searching for vulnerable targets, attackers are discovering that many retail merchants and point-of-sale terminals haven't implemented some of the basic security measures required by [PCI]," he said, which would include two-factor authentication on the terminals for anyone attempting to remotely connect to it.

The breach was likely compounded by Target failing to monitor its POS terminals for signs of attack. "This seems rather obvious from the information revealed already about this Target breach," Venkat said.

But Gartner analyst Avivah Litan said in a blog post that the breach was likely not due to malware or hacking, but a very low-tech -- and insider -- attack. "If we've learned anything from the Snowden/NSA and WikiLeaks/Bradley Manning affairs, it's that insiders can cause the most damage because some basic controls are not in place," she said. "I wouldn't be surprised if that's the case with the Target Breach -- i.e., that Target did a great job protecting their systems from external intruders but dropped the ball when it came to securing insider access."

3. Full investigation may take months.
Although a statement released by Target said that it "has identified and resolved the issue" exploited by the attackers, it may be many months before Target has a complete picture of how the breach occurred. "It will be interesting to see how the attackers got into the network and what technical countermeasures were in place, but that will take months to surface as the forensics in such a case are extremely time consuming," Qualys CTO Wolfgang Kandek said via email.

4. Stolen cards are already flooding black market.
Security experts said the timing of the breach corresponds with a recent surge of stolen credentials being offered for sale on underground cybercrime forums. "We started to detect that something was afoot on December 11th when [we] detected a massive increase – 10 - 20x -- in availability of high-value stolen cards on black-market sites," read a blog post from security vendor Easy Solutions. "Nearly every bank and [credit union] in the US seems to be affected."

Target has yet to say how it learned of the breach. But having a massive quantity of stolen credit cards flooding the market would have been a red flag for card issuers. One quick tipoff about the source of the breach would likely have been the large number of Target Redcard credit and debit card numbers.

5. PCI compliance failed to stop the breach.
Critics of the PCI standard -- created by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa -- have long suggested that businesses that technically comply with PCI may not have robust information security practices in place. Furthermore, critics have charged that enforcement of the industry-advanced standard lacks teeth, as evidenced by the PCI Council sometimes retroactively revoking certifications.

In 1997, for example, TJ Maxx parent company TJX was breached, resulting in the theft of 90 million credit card numbers. In the wake of the breach, investigators revealed that TJX wasn't in compliance with nine of the 12 PCI data security standards. The breach reportedly served as a wakeup call for retailers to get compliant with PCI.

"PCI is designed to push nearly all risks and costs onto merchants and their banks through a series of contracts," said Rich Mogull, CEO of Securosis, in a blog post earlier this year.

But has PCI resulted in major retailers taking information security seriously? Witness the spectacle earlier this year of Visa suing PCI-compliant sports clothing retailer Genesco for $13 million, after the retailer suffered a data breach. The council also retroactively revoked the retailer's PCI compliance. That maneuver, Mogull alleged, allowed the PCI Security Standards Council to continue saying that "no PCI compliant organization has ever been breached."

"This is a clear fallacy -- merchants pass their assessments, they get breached, and then PCI retroactively revokes their certifications," Mogull said. "Fines are then levied against the acquiring bank and passed on to the merchant."

Going forward, Target will reportedly have to hire one of the 10 firms in the United States that are certified to perform PCI investigations. That firm also can't be the same as the company that certified Target's PCI compliance.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
rradina
50%
50%
rradina,
User Rank: Apprentice
12/23/2013 | 6:48:16 PM
Re: Lets Try Some Facts.....
Why does the time period imply theft at time of purchase?  If I was designing a POS/cash management system that required time to clear transactions, balance accounts and reverse returns, I'd keep recent transactions for some time period and then purge them. There is also the data warehouse side of things. Sometimes mapping and cleansing routines are updated resulting in numbers that don't balance. Often data gets reloaded to correct such issues.  It's plausible that this could have been an inside job where someone copied a temporal 30-day tlog database to a thumb drive and walked out the door.

Of course all of these activities rarely require the full account info.  Generally PCI requires truncation to store transactions but Target may have demonstrated a mitigating factor by encrypting all transactions.  Thats why its probably an inside job... someone with access to the necessary decryption information.

Another article I read said the cvv codes were not stolen which meant the stolen accounts are not useful for most on-line purchases.

IMO ... regrdless of this article's title, we don't really know what happened yet.
cjoshdoll
100%
0%
cjoshdoll,
User Rank: Apprentice
12/23/2013 | 3:40:05 PM
Lets Try Some Facts.....
First:

"..."The fact that three-digit CVV security codes were compromised shows they were being stored..."

I'm not sure why data storage is even mentioned in the story, much less the encryption piece.  The fact that the breech is limited to a 3-4 week window of time would clearly indicate that the card data was stolen at the time of purchase, NOT stolen from a database. Thus, lodging the claim that Target was doing a "no-no" by storing ccv data, is just slander, IMO.  If this data was stolen from a database, where Target was saving CC data that they should not be saving, then A) there wouldn't be such a short window of time (you don't compromise a window of records in a database, it's all or nothing) and B) its highly likely that target.com's CC data would have been compromised too.

 

Secondly, the throwing the encryption for data in transit subject in with the encryption for data at rest issue is poor timing.  PCI requirements for encryption are different for data at rest and data in motion, and CC data is NOT required to be encrypted, according to the PCI DSS, unless it is traveling over a public network (the internet) or over wireless networks.  In fact, most banks / acquirers can't even support end-to-end encryption for CC transactions.  There are a very limited number of acquirers that can support E2E encryption, and most of those are new niche businesses that are providing a new model for transaction encryption.

 

While it's easy for these "experts" to sit back and say how everything should be encrypted and secured tight as can be, its careless to make accusations that Target wasn't doing everything that they could to prevent this.  We are talking about a system for credit processing that pre-dates the internet, and the everything is connected world.  Businesses are trying to play catchup to secure these systems while leveraging new technology to make their supply chain more efficient and reduce costs with tech.

 

I have NO ties to Target, and I am not here to defend them.  I am however the lead Security Architect for a mid-size, national retailer, in charge of PCI compliance and CC transaction security, so I have personal experience living up to the PCI DSS, and trying to balance business requirements with customer protection.  I have no issue burning them at the stake if they are to blame, but let's get the FACTS before we indict Target.  There are PLENTY of scenarios where Target could have been doing EVERYTHING right, and still have this happen.

 

My $0.02
MelvinGaines
100%
0%
MelvinGaines,
User Rank: Apprentice
12/23/2013 | 12:37:56 PM
Re: When?
I think we may need to consider that this was an exceptional breach that likely occurred internally. I think it is entirely plausible that the information was not leaked immediately so as to not tip off whoever was causing the internal breach to take place. I don't ever recall the Secret Service being involved with previous credit card breaches (to my knowledge).  In my mind, whether the public knew about it within 4 days or 7 days doesn't really matter that much if you look at the overall number of 40 million. Only a small fraction of that number will be affected.
SaneIT
50%
50%
SaneIT,
User Rank: Apprentice
12/23/2013 | 7:50:30 AM
Re: Kudos? Target was outed by a journalist
This is one of the things that bothers me most.  Target didn't come out and notify customers to protect them, they kept quiet as long as they could and it sounds like the "fix" for this is a knee-jerk reaction by the banks who issued the cards.  If the tren of punishing customers after a data breech continues we're going to see a lot more people protecting themselves by avoiding companies who have had data losses in the past.
samicksha
0%
100%
samicksha,
User Rank: Apprentice
12/23/2013 | 2:41:36 AM
Re: Kudos? Target was outed by a journalist
I am not shocked and neither surprised but yes, was it so easy for hackers to attack, i mean 40 million accounts is not a small number. We have been discussing and claiming about more rigid and bulletproof security but still hacker manages to find good loop holes. I am not sure but i read CVV number was also stolen which ideally should be available only with user physically on the card.
Chris1001
50%
50%
Chris1001,
User Rank: Apprentice
12/23/2013 | 1:47:47 AM
Kudos? Target was outed by a journalist
The breach was reported to the public by Journalist Brian Krebs.  Target was outed.  They did not "come clean" of their own accord.
Banker666
100%
0%
Banker666,
User Rank: Apprentice
12/22/2013 | 9:37:02 PM
Millions of dollars
I work at a bank that does card processing and I for one can say PCI is a joke in my opinion.   After being audited they made us move all of the card processing off onto it's own seperate mainframe systems.  They were totally clueless about how a mainframe works and how it processes.  As a result our company spent millions of dollars to meet their compliance.   In my opinion the vast majority of breeches occur on the retail side.   For example I walk into a store and use my card and the clerk doesn't ask for any ID from me.   How about making these retailers make their employees go thru a fingerprint and background check like we had to where I work at.  I wonder if Target was using offshore IT services.  Duh let me guess.   The discussion where I work has been how many cards are we going to have to re-issue because of this and not to mention all of the account forwarding processing we'll likely have to do.  The bigger issue is that who ever pulled this off won't be jailed, much less captured and brought to justice and they likely know it too.    If I pulled off something like this in the U.S. I'd be put into prison.   I know one thing for sure we'll be re-evaluating offshore access and their use.  Maybe even put them all out the door.   Gawd I could not imagine our reputation ruined because of a major breech like this.          
PaulS681
0%
100%
PaulS681,
User Rank: Apprentice
12/22/2013 | 12:04:05 PM
Re: When?
I aree you have to be 100% positive but if they were on the 15th then why didn't we hear about it? I think if target came out and said why they waited it might help a little. Although this is the least of Targets problems as class action lawsuits are popping up all over the place due to the fact they were breached.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
12/22/2013 | 6:28:54 AM
Transitions are Important
Banking has come a long way since pre internet times but as people continue to use electronic forms to make payments the need to increase the security standard increases while at the same time complexity needs to be kept to a minimum.

Almost all developing countries have a banking sector but not all of its population are banked, the reason for this are many, and one reason is that the population view banks as being too complex, another is a view that banks are not as secure as they should be. 40 million is a large number, before never forms of payment become discredited, I think it is vital to add security and limit complexity before it starts to affect the number of transitions carried out. 
Brian.Dean
100%
0%
Brian.Dean,
User Rank: Apprentice
12/22/2013 | 5:41:35 AM
Re: When?
I hear you and understand that the need to quickly disclose any kind of data breach is a matter of extreme importance for the protection of customers likewise, it is also important to confirm and be 100% sure that a data breach has taken place before releasing an alert, because false positives would not only cause unnecessary panic for the customer but it will also undermine the legitimacy of future alerts.
<<   <   Page 2 / 3   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.