Experts advise consumers not to panic as suspicion falls on point-of-sale terminals used to scan credit cards.

Mathew J. Schwartz, Contributor

December 21, 2013

10 Min Read

Just in time for the holidays, Target confirmed Thursday that its systems were breached.

Figure 1:

Thanks to the breach, one or more attackers successfully stole 40 million credit card numbers. Anyone who used a credit or debit card in any of Target's US stores between November 27 and December 15 may be a victim. Target.com users and customers at Target stores in Canada are not affected.

The Target attackers gained access not only to card numbers, but also card expiration dates, CVV codes, and cardholders' names. As a result, they could use the stolen information to make fraudulent purchases via phone or online as well as to create working counterfeit credit cards.

[For more on the Target breach, see Target Confirms Hackers Stole 40 Million Credit Cards.]

How did hackers likely steal the credit card data, and what should consumers who may have been affected by the breach do next?

Here's what we know about the breach, its likely repercussions for affected cardholders, and how they should respond:

1. Target declines to comment on data encryption questions.
How did hackers manage to steal 40 million cards? That's a pertinent question, since any retailer that stores credit card data, according to the Payment Card Industry Data Security Standard (PCI-DSS), is required to encrypt that data. Furthermore, if the data is properly encrypted in transit and at rest, it shouldn't be of any use to attackers.

"This is a breach that should've never happened," Forrester analyst John Kindervag said in an emailed statement. "The fact that three-digit CVV security codes were compromised shows they were being stored. Storing CVV codes has long been banned by the card brands and the PCI [Security Standards Council]."

Reached via email, a Target official declined to respond to questions about whether the retailer had stored the stolen card data in encrypted format, or whether it had been certified as PCI-compliant. "We continue to invest in our security practices to protect our guests' information including the retention of a leading third-party forensics firm to conduct a thorough investigation of this incident," Target spokeswoman Molly Snyder said via email. "We apologize for any inconvenience this has caused our guests."

Target has also declined to address how attackers got their hands on the data in the first place. "As this is an ongoing investigation, we don't have additional details to share on the questions you asked," said Snyder.

2. Malware, point-of-sale apps, and insiders suspected.
The fact that the Target data breach didn't touch its e-commerce operation, but rather its stores, suggests that attackers gained access to information that was gathered via point-of-sale (POS) terminals -- a fancy name for electronic cash registers.

Hord Tipton, executive director of (ISC)2, said in an emailed statement that attackers likely infected massive numbers of POS terminals with malware. "It's one thing to compromise or affect one machine, but to get all of them begs the question of how this was plotted out in the first place," Tipton said. "How were the hackers so efficient? From what I can tell, it looks like an insider threat -- someone on the inside probably helped."

Alternately, attackers may have been able to remotely tap into the POS terminals by exploiting vulnerabilities in their built-in Web servers, Bala Venkat, the chief marketing officer for Web application security vendor Cenzic, said in an emailed statement. "When searching for vulnerable targets, attackers are discovering that many retail merchants and point-of-sale terminals haven't implemented some of the basic security measures required by [PCI]," he said, which would include two-factor authentication on the terminals for anyone attempting to remotely connect to it.

The breach was likely compounded by Target failing to monitor its POS terminals for signs of attack. "This seems rather obvious from the information revealed already about this Target breach," Venkat said.

But Gartner analyst Avivah Litan said in a blog post that the breach was likely not due to malware or hacking, but a very low-tech -- and insider -- attack. "If we've learned anything from the Snowden/NSA and WikiLeaks/Bradley Manning affairs, it's that insiders can cause the most damage because some basic controls are not in place," she said. "I wouldn't be surprised if that's the case with the Target Breach -- i.e., that Target did a great job protecting their systems from external intruders but dropped the ball when it came to securing insider access."

3. Full investigation may take months.
Although a statement released by Target said that it "has identified and resolved the issue" exploited by the attackers, it may be many months before Target has a complete picture of how the breach occurred. "It will be interesting to see how the attackers got into the network and what technical countermeasures were in place, but that will take months to surface as the forensics in such a case are extremely time consuming," Qualys CTO Wolfgang Kandek said via email.

4. Stolen cards are already flooding black market.
Security experts said the timing of the breach corresponds with a recent surge of stolen credentials being offered for sale on underground cybercrime forums. "We started to detect that something was afoot on December 11th when [we] detected a massive increase – 10 - 20x -- in availability of high-value stolen cards on black-market sites," read a blog post from security vendor Easy Solutions. "Nearly every bank and [credit union] in the US seems to be affected."

Target has yet to say how it learned of the breach. But having a massive quantity of stolen credit cards flooding the market would have been a red flag for card issuers. One quick tipoff about the source of the breach would likely have been the large number of Target Redcard credit and debit card numbers.

5. PCI compliance failed to stop the breach.
Critics of the PCI standard -- created by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa -- have long suggested that businesses that technically comply with PCI may not have robust information security practices in place. Furthermore, critics have charged that enforcement of the industry-advanced standard lacks teeth, as evidenced by the PCI Council sometimes retroactively revoking certifications.

In 1997, for example, TJ Maxx parent company TJX was breached, resulting in the theft of 90 million credit card numbers. In the wake of the breach, investigators revealed that TJX wasn't in compliance with nine of the 12 PCI data security standards. The breach reportedly served as a wakeup call for retailers to get compliant with PCI.

"PCI is designed to push nearly all risks and costs onto merchants and their banks through a series of contracts," said Rich Mogull, CEO of Securosis, in a blog post earlier this year.

But has PCI resulted in major retailers taking information security seriously? Witness the spectacle earlier this year of Visa suing PCI-compliant sports clothing retailer Genesco for $13 million, after the retailer suffered a data breach. The council also retroactively revoked the retailer's PCI compliance. That maneuver, Mogull alleged, allowed the PCI Security Standards Council to continue saying that "no PCI compliant organization has ever been breached."

"This is a clear fallacy -- merchants pass their assessments, they get breached, and then PCI retroactively revokes their certifications," Mogull said. "Fines are then levied against the acquiring bank and passed on to the merchant."

Going forward, Target will reportedly have to hire one of the 10 firms in the United States that are certified to perform PCI investigations. That firm also can't be the same as the company that certified Target's PCI compliance.

6. Consumers: don't panic.
What should consumers who may have been affected by the data breach do next? "React, don't panic," Eva Velasquez, president and CEO of the Identity Theft Resource Center, said via phone. "Because we know that this is causing a lot of anxiety." On the upside, Target said that only card information -- and not people's personal information -- appears to have been stolen by attackers. "So now is the time to monitor statements very carefully," she said. "If you find any other evidence of fraudulent activity, obviously contact your financial institution."

One measure of people's panic is that Target's Redcard website and phone lines have been largely inaccessible since the company confirmed the breach Thursday. "We are working hard to resolve this issue by adding team member support and system capacity as quickly as possible. We apologize for the inconvenience and appreciate our guests' patience," Target spokesman Eric Hausman told the Minneapolis/St. Paul Business Journal Friday morning. In the meantime, the retailer is attempting to triage the outages by fielding customers' questions via Twitter.

7. Visa: we're investigating.
The Identity Theft Resource Center's Velasquez said that anyone who discovers fraud shouldn't have trouble getting help. "This is so big that if fraud is discovered on your card, it's not like your financial institutions are not going to know about this issue," she said.

Figure 2:

Officials at Visa, for example, said Thursday that they're aware of the breach and have already begun working to mitigate any fallout, in part by working to distribute stolen card numbers to all affected issuers. "When such incidents occur, Visa works with the breached entity to provide card issuers with the compromised accounts so they can take steps to protect consumers through fraud monitoring and, if needed, reissuing cards," Visa said in an emailed statement. "Because of advanced fraud-monitoring capabilities, the incidence of fraud involving compromised accounts is actually rare, and Visa fraud rates remain near historic lows."

8. Watch fraud-reporting time limits.
Despite those assurances, anyone who might be a victim of the Target breach should beware card issuers' fraud-reporting windows. Different organizations, for example, may place 30-, 60-, or 90-day limits on when they'll accept a fraud notice, following a cardholder receiving their statement. Others, such as American Express, have no time limit for reporting fraud.

9. Debit card holders: call your bank immediately.
Debit card users should be especially vigilant. Credit card users won't be out of pocket if they suffer fraud and contest the charges, but the opposite is true for debit card holders since fraudulent transactions may take their bank balance to zero.

Accordingly, Velasquez recommended that any debit card users who might have been Target breach victims immediately contact their card issuers and ask for advice. "Tell them you're a victim of the Target breach," she said. To help combat fraud, different institutions offer different options, such as putting passwords on accounts or changing PIN codes. "But alerting your specific financial institution is really the way to go, because they all have different rules," she said.

10. Kudos to Target for coming clean quickly.
When it comes to information security, Target may have blown it. But according to Velasquez, the retailer does deserve credit for coming clean about the breach so quickly. "Four days? That's lightning speed," she said. "I think they deserve at least a few points for taking the hit and alerting their consumers ahead of time, and not trying to push it off until after the Christmas sales."

Compare the speed of Target's notification, for example, to the recent breach at JP Morgan Chase, for which the financial institution didn't issue an alert for more than two months. Or take the breach of the Washington State court system, which was publicly revealed in May 2013 after being detected in February. But state officials don't actually known when the breach occurred, saying they'd narrowed the window only to sometime since September 2012 and before February 2013.

There's no such thing as perfection when it comes to software applications, but organizations should make every effort to ensure that their developers do everything in their power to get as close as possible. This Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, examines the challenges of finding and remediating bugs in applications that are growing in complexity and number, and recommends tools and best practices for weaving vulnerability management into the development process from the very beginning. (Free registration required.)

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights