Target Breach Should Spur POS Security, PCI 3.0 AwarenessAdvanced skimming attack against Target's whole network of point-of-sale devices will likely keep momentum moving forward for improving payment application security
The breach of cardholder data for 40 million Target customers that's been speculated to have been triggered by attacks against Target's point-of-sale (POS) systems has served as prime example for why security professionals have pushed for improved POS and payment application security in the last few years. And with increased scrutiny expected by the payment card brands on POS and payment application security as a result of more stringent standards written into PCI DSS 3.0 and PA DSS 3.0, Target's breach serves as further reminder for why POS systems need to be on retailers' immediate-term radar, experts say.
"There are some sophisticated attackers that understand payment processing and possess the high level of hacking skills needed to break into larger, more secure victims," says Lucas Zaichkowsky, enterprise defense architect at AccessData.
According to Chris Strand, director of compliance for Bit9, the difference between the Target attack and most traditional forms of skimming attacks that attack individual POS devices is the sweeping nature of data collection across a whole network of devices. Rather than physically tampering with devices, attackers are going to be looking for a path of least resistance.
"This is a common type of attack that we're going to see more and more prevalent because the attackers will take the path of least resistance, and, in this case, they're realizing that these POS systems are not protected from a vulnerability perspective," Strand says. "The fact is that the current security mechanisms they're using to guard the internals of these POS systems is vastly inadequate to protect the inner systems and software running on these things."
In addition to the scale of the attack and volume of cardholder data taken, also troubling was the depth of that data, which included track data.
"Loss of the track information from the credit cards is particularly nasty as it can allow for card cloning," says James Lyne, global head of security research at Sophos. "That said, just the cardholder's name, card, and security code has the potential for widespread online ordering fraud, which can be particularly nasty considering we're in the midst of the holiday season."
Lyne says he believes the Target breach points to poor architectural and business practices.
"It is critical that organizations handling such data take steps to protect it -- such large volumes of data should never be accessible by one user or process -- and should be encrypted to segment the data and should be detected if an export of such size occurs," Lyne says.
[Are you using your human sensors? See Using The Human Perimeter To Detect Outside Attacks.]
According to experts with SecureState, a PCI Forensic Investigator, they believe that as further details emerge it will be shown that Target was not compliant with PCI standards. Part of the issue, experts say, could be that Target's custom developed payment application was not up to par with PA DSS requirements.
"For a hacker to be able to infiltrate Target's network and access the POS application, several PCI-DSS and PA-DSS controls must not have been implemented effectively. Thus, Target was not compliant during the time of the breach," says Ken Stasiak, CEO of SecureState. "How can I be so sure? We handle these investigations for the payment card brands, and in all of the investigations we performed, the merchant was not compliant to PCI-DSS controls during a breach."
But many security insiders have noted that Target has a particularly secure information security practice -- they point to its fast discovery and disclosure of the breach as testament to that -- and some wonder what the other factors at play may have been.
"As Target is known to encrypt wireless transmission between the point-of-sale terminal and the wireless router, intercepting the personally identifiable information must have happened elsewhere in the processing chain," says Girish Bhat, senior product manager at Wave Systems. "To carry an attack of this magnitude during the busiest holiday season is extremely difficult and may have involved multiple insiders."
Regardless of the intricacies of the cause of the Target breach, the ultimate lesson is that organizations need to pay greater attention to the POS-related changes put forward by the PCI Security Standards Council.
"The security controls that merchants are using to meet the requirements on those POS systems are being highly scrutinized by the standard," Strand says. "If you read through the standard, the overarching theme is to take a proactive stance when you implement your security controls for guard these systems. That is going to cause merchants to go out and say we need to readdress this. In the time being, I think we're going to see more breaches like the recent Target breach."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio