Many Americans spent some post-Thanksgiving quality time at Target stores, stocking up on everything from tree lights to cards to sweaters. And therein lies the problem: anyone who swiped a card at a Target store between Nov. 27 and Dec. 15, the busiest shopping time of the year, could potentially be a victim.
First uncovered by security researcher Brian Krebs and then confirmed by Target itself, the breach’s details are still emerging. It’s not totally clear how the heist was carried out, or if all US-based stores were affected, but the perpetrator(s) were able to lift “track data,” which enables the attackers to create (and sell) counterfeit cards. That makes the breach a bit more dramatic than if card data alone had been captured. And for many, it also offers some clues as to the attack vector.
Aaron Titus, CPO and general counsel at Identity Finder, a sensitive data management solution provider, explained the implications in an emailed comment. “Track data is extra sensitive data physically stored on a credit card magnetic stripe, in addition to the card number, expiration date and verification code,” he said. “Although skimmers (physical devices that steal track data from point-of-sale machines in stores) can collect track data, it is extremely unlikely that hackers could have installed skimmers in Target stores across the country. At this point it seems most likely that Target’s centralized card processing network was compromised with some sort of malware that stole track data, much like the 2009 Heartland Payment Systems breach.”
Eric Chiu, president & co-founder of HyTrust, said in an email that the breach was likely an inside job, stemming from a lack of access controls. “The Target breach, on the heels of Adobe, Vodafone, and Snowden is another wake up call to the new threats in a connected world,” he said. “POS systems run software and are connected to networks as well as transmit credit card data to central repositories in the data center. This is yet another example that companies need to take an inside-out model to security and make sure that access to critical systems and data is protected from the inside through fine-grained access controls, including the NSA's new 'two-man' rule as well as role-based monitoring. This is the only way to protect against insider threats, which are the number one cause of breaches.”
Gartner analyst Avivah Litan agreed on the insider angle. In a blog post, she said that she suspects data was stolen from Target’s switching system for authorization and settlement.
“If we’ve learned anything from the Snowden/NSA and Wikileaks/Bradley Manning affairs, it’s that insiders can cause the most damage because some basic controls are not in place,” she wrote. “I wouldn’t be surprised if that’s the case with the Target Breach – i.e. that Target did a great job protecting their systems from external intruders but dropped the ball when it came to securing insider access.”
Target is a victim too, of course. Erik Bataller, principal security consultant at Neohapsis, told Infosecurity that according to current averages – about $200 per record – the 40 million cards could cost Target upwards of $8 billion or more in cleanup.
The kicker is that it is highly unlikely that Target skimped on security. As one of the largest big-box retailers in the business, the damage to its brand (and lost revenue) from something like this will have much bigger implications for its future viability than that initial $8 billion – a fact it was surely aware of in crafting security measures.
So, some had advice for Target, while others had sympathy. “Organizations that strictly follow PCI-DSS 2.0, and PCI-DSS 3.0 should be able to prevent most of these sorts of breaches, so I imagine Target has already begun the process of locking down, analyzing and securing their systems,” Identity Finder’s Titus said. “The first step to PCI-DSS 2.0 and 3.0 compliance is data sensitive data management through discovery and classification, which can help a company identify broken business processes and technology shortcomings.”
"Target has likely invested heavily in security, in technologies and approaches many would consider modern and right,” said Chris Petersen, LogRhythm CTO and co-founder, in a note to Infosecurity. “Unfortunately, todays threats are quickly outpacing current security technologies and approaches. What was recently modern and right, is quickly becoming outdated and ineffective."
He added, "Companies are in an arms race against determined foes, whether they be cyber criminals, hacktivists or nation states. Their only hope of defending themselves is to ensure their defenses are truly modern. In some cases, this might mandate running next-generation technologies in parallel with their legacy counterparts."
24 December 2013
Four checkouts running two customers every minute with approximately ninety percent using some card (debit, credit, target card) and the store being open for more than twelve hours would put these numbers much higher. If one has ever worked retail checkout during the holiday, then one could see the above numbers are very reasonable.
23 December 2013
I also think that people should start watching this Krebs guy ... he seems to ALWAYS have the inside track on many data breaches way before the others and is "breaking" news.... Makes you go Hmmmmmm Just saying.
23 December 2013
I find many things wrong with this issue. One I had my card lifted and used several weeks prior to the "event" over in Italy. On review I had shopped at Target every week dating back to Halloween. I am quite certain that they are either ignorant to the fact that it is much more large scale or in typical large company fashion doing the duck and cover and are not letting people in on that scope.
If you look at it and do the numbers they just don't add up. 1700 stores over 15 days leaked 40mil card numbers? YIKES that is approx. 1600 unique card numbers on average at each store day in day out for 15 days...just doesn't seem reasonable. Either they are miss quoting time or confusing transactions with card numbers.
Not to beat a dead horse but I am the CEO/Founder of a mid sized computer forensic and security company focusing on small - mid sized businesses and it seems to be the penny wise pound foolish mentality. It wont happen to me!! Then it does and they are OH HOW DID THIS HAPPEN!!! PCI is in my opinion a joke and revenue generator if you are PCI compliant it doesn't mean you are secure BUT if you are secure you are most likely PCI compliant.
I think people as well as companies by and large need to wake up and smell the coffee and have some common sense. It is like home security would you leave your house wide open with 1 million dollars on the table and a sign on the lawn that said hey were gone, the house is open and there is money on the table. The same is true with computer security. If you are claiming ignorance then shame on you. Most cases it is to cut costs nothing more ... always about the bottom line.
Note: The majority of comments posted are created by members of the
public. The views expressed are theirs and unless specifically stated are not those
Elsevier Ltd. We are not responsible for any content posted by members of the public
or content of any third party sites that are accessible through this site. Any links
to third party websites from this website do not amount to any endorsement of that
site by the Elsevier Ltd and any use of that site by you is at your own risk. For
further information, please refer to our Terms & Conditions.
Comment on this article
You must be registered and logged in to leave a comment
about this article.