Target's Christmas Data Breach

Why, oh, why would Target be storing debit card PINs?

A week after Target's breach and the probable compromise of 40 million credit and debit card details, there appears to be little new public information as to how the attack occurred or what remedies Target has taken to prevent it from happening again. That is worrying and, unfortunately, par for the course.

A number of press articles have focused on the likelihood of PIN data also being accessed by the attackers. According to the New York Daily News, Target spokeswoman Molly Snyder stated, "We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised."

The fact that PIN data has even come up in the discussions concerns me, because it implies one of two things: either Target finds it necessary to store PIN data along with debit card details in some system or another, or the compromise vector was via the point-of-sale (POS) system directly.

If Target has been storing PIN data for third-party debit cards, then that is deeply worrying to me. I can't think of a legitimate reason why any corporation would want to retain this data -- unless it has a process for managing delayed or deferred payments (e.g., reducing the amount it pays to acquiring banks for processing cards at nonpeak times). Regardless, there's no way that kind of data should be retained for more than a few hours -- and I hate the idea of it happening at all because it exposes customer data to unnecessary threats. It is also flatly prohibited: PCI DSS Requirement 3.2 forbids storing sensitive authentication data after authorization, and that includes the PIN and the encrypted PIN block, so retention would be a compliance failure, not merely a bad idea. Having worked with many other retail organizations around the world, I've never encountered any legitimate organization willfully storing PIN data.

So if that has been removed from the table, the only other place PIN data could exist (ideally in a transitory and encrypted state) should be at the POS system. Attacking the POS system offers a number of challenges. For one, while the POS register may be networked for inventory tracking and price lookups, the actual card swipe and PIN entry components generally operate autonomously and are secured at the hardware level: the PIN is formatted and encrypted inside the tamper-resistant PIN pad under a key the register never holds, so the register only ever sees ciphertext. This typically means that the attackers must physically compromise or replace the hardware. Unfortunately, this attack vector occurs more frequently than people willingly admit. For example, last year 63 Barnes and Noble stores were hacked this way, resulting in the chain removing the customer PIN pads.

Alternatively, the POS system may route all PIN pad operations through a back-office system in order to better handle store cards, gift cards, and other partial payment options. In that design the customer PIN pad simply proxies the data from the POS to a centralized system. I'd hope that the transaction details (including the PIN) are encrypted end to end, but you never know. Regardless, such a store-centralized payment processing system would be an extremely valuable target for attackers. It may make economic sense for a retailer, but it raises the retailer's risk profile considerably.

While Target keeps the details of its breach close to its collective chest, there is very little information on which to form an opinion about negligence or attacker sophistication. That doesn't mean people aren't already lining up with their hands out for compensation. Apparently there are already three class-action lawsuits filed in the wake of the breach, seeking more than $5 million in damages.

I'm not opposed to the use of fines as a means of correcting errant business practices, but my first reaction to hearing about class-action suits is "opportunistic money-grabbers." I'd rather support a system that forces breached organizations to increase the security of their customers' data than a system that forces the attacked organization to simply take out insurance policies and argue over minimum levels of legal compliance. Earlier this month, I wrote about an alternative means of upping the information security stature of an organization through the divvying up of data breach fines, in which larger fines are imposed and a high proportion of those funds are directed back at the organization for investing in new defenses.

U.S. Sen. Robert Menendez (a member of the Senate banking committee) is investigating whether the Federal Trade Commission (FTC) has the authority to impose a fine for data breaches, such as this one affecting Target. If the FTC does not, then he intends to propose legislation that would grant it that power. I'd be an advocate for that, subject to a proportion of that fine going back to directly secure the organization.

It is unfortunate that data breaches are on the rise. However, I see it as a reflection of criminals perpetually targeting where the money is, and of the increasing gap between professional hackers and corporate compliance teams. This isn't the first time Target has been the victim of a data breach, and it won't be the last, and I feel comfortable saying that it isn't the only one happening right now ... merely the latest to be detected.

-- Gunter Ollmann, CTO IOActive Inc.