The Perfect Target

 It was just before Christmas 2013 when news broke of what is perhaps the largest security breach to date to hit the retail business community. Target, the US-based big box retailer of everything from clothing to electronics, initially confirmed that as many as 40 million customers who used their debit and credit cards at its store locations may have been compromised. Almost overnight, the retailer who pioneered the idea of ‘cheap chic’ went from a trusted brand to embattled victim of criminal hackers.

That was just the beginning of the story for the company headquartered in Minneapolis. Present statistics show that the breach has affected more than 100 million customers, and has been the focus of investigations by the US Congress about the recent spate of cyber-attacks affecting the US retail sector.

The security compromise not only had an effect on Target’s bottom line, but has led a push to reform how payment cards are processed in the US. Others have called for adoption of the EMV security features to be accelerated – otherwise known as chip and pin – already in use throughout Europe and Canada. Upon further inspection, it’s likely that internal processes at Target were to blame for the compromise, and that chip-based payment cards would have done little to prevent the breach.

A Developing Story

In terms of revenue, Target is the third largest company in the US retail space, behind only Wal-Mart and supermarket chain Kroger. So when news broke on December 18, 2013, that the company had been the victim of a payment card security breach, the potential widespread effects were recognized immediately. Security researcher and former Washington Post reporter, Brian Krebs, was at the epicenter of the event. He originally broke the news on that day, which was subsequently confirmed by Target. First reports suggested the breach effected customers who used their cards between November 27 and December 15 – right in the midst of the Christmas shopping season.

Lifted from the cards was ‘track data’, containing sensitive data physically stored on the card’s magnetic stripe, along with card number, expiration date and verification code – the type of data that would allow hackers to create and sell counterfeit cards. Target responded in early January that, upon its own investigation, any debit card PIN information would likely be safe. “While we previously shared that encrypted data was obtained”, the company said in a statement, “through additional forensics work we were able to confirm that strongly encrypted PIN data was removed.” Furthermore, the company maintained, it did not store the encryption keys within its own systems, and the data could only be decrypted when it was received by its external payment processor.

It was originally speculated that card skimmers may have been responsible for the breach, but as Aaron Titus, general counsel at Identity Finder, said at the time, such a widespread breach meant that skimmers were unlikely to have been placed at individual retail outlets. “Although skimmers can collect track data”, he noted, “at this point it seems most likely that Target’s centralized card processing network was compromised with some sort of malware that stole track data.” As it turns out, Titus’ assumption appears to have been spot on.

Another preliminary analysis came from Gartner analyst Avivah Litan, who immediately theorized that, due to the nature of the breach and its target (pardon the pun), it was likely that an insider was the culprit for this card massacre. “Insiders can cause the most damage because some basic controls are not in place”, she wrote in a blog when the news broke. “I wouldn’t be surprised if…Target did a great job protecting their systems from external intruders but dropped the ball when it came to securing insider access.” Although she was not 100% accurate in this assessment, subsequent analysis has also proven Litan’s assumptions to be on the right track.

According to a February 24 report in USA Today, the [Target] breach cost the company $61 million in the fourth quarter — $17 million in net expenses, and “counting a $44 million insurance receivable”. These numbers include payments to the card networks “to cover losses and expenses related to reissuing cards, lawsuits, government investigations and enforcement proceedings”. Target itself has not issued a total cost for the incident, which continues to rise, but Gartner’s Litan has given a ballpark estimate of between $400 to $450 million before all is settled.

It’s far more conservative than the $8 billion or more in clean-up costs floated by Erik Bataller, a principal security consultant with Neohapsis. He said that, according to current averages of about $200 dollars per record, the incident could cost Target $8 billion or more to remediate. Of course, this was a preliminary estimate based on the 40 million compromised cards estimate. As the weeks and months passed by, the scope of the Target breach began to grow.

Big-box Breach Gets Even Bigger

As if the original reports were not bad enough for Target, the company confirmed in mid-January that an additional 70 million customers were exposed, as the hackers who made off with the card details also stole names, mailing addresses, phone numbers, and email addresses of in-store customers. It’s this personally identifiable information that may have been even more damaging to Target’s customers, says Bob Russo, general manager of the PCI Security Standards Council – the payment card industry forum responsible for creating and maintaining payment card security standards.

“The PII they stole was almost more important than the card data”, Russo contends, “because the hackers are able to send emails to the victims that look like they come from Target.” He added that, as of this point, it appears there are no aspects of the Target breach that indicate a shortcoming in the PCI standards, but that the forensic investigation is still underway, so it is too early to tell. “But we are looking at this”, Russo told Infosecurity, “to see if anything needs to be updated and addressed.”

Before Russo told us this, however, more details about how the Target hack was executed surfaced – again thanks to Brian Krebs. The retailer did confirm on January 12, via its former chief executive, Gregg Steinhafel, that the attack originated through point-of-sale (POS) malware.

Krebs maintains, via two sources familiar with the investigation, that “attackers broke into Target after compromising a company web server. Somehow the attackers were able to upload the malicious POS software [known as BlackPOS] to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices.” A source also told Krebs that the attackers needed to periodically collect this information, and “apparently had persistent access” to the control server.

So, how did these hackers gain access to Target’s web server? On January 30, Target spokesperson Molly Snyder confirmed that the attackers were able to access company systems via stolen credentials from a third-party vendor. If we harken back to Avivah Litan’s prediction, about the likelihood of an insider aspect to the breach, then it appears she was indeed correct. What is not clear, as the investigation still unfolds, is whether the stolen credentials are the result of the wilful act of a malicious insider, or purely a crime of opportunity.

After this revelation, the story of the Target breach takes a strange and interesting twist. ‘Target Hackers May Have Gotten in through the Air Conditioner’, read Infosecurity’s headline on the development, as the company confirmed in early February that the POS malware was uploaded to a central server via stolen credentials from a third-party contractor. Krebs continued to get the scoop on the story, as his sources revealed that one of Target’s HVAC contractors, Pennsylvania-based Fazio Mechanical Services, was the likely source of the stolen credentials. Apparently, as the sources relayed, Fazio had been paid a visit from the US Secret Service, which was investigating the Target breach.

If this is true, and Target’s central server was compromised, it could indicate that the retailer somehow failed to segment its network in such a way that it segregated cardholder data from the rest of its IT systems. “Target chose to allow a third party access to its network, but failed to properly secure that access”, says Jody Brazil, CTO of FireMon. “Even if Target had a valid reason for giving the third party access, the retailer should have segmented its network to ensure that they had no access to its payment systems.”

PCI’s Russo, however, cautions about a rush to judgement in the Target breach. “We want to know how the malware got onto the system, and we hear it was from a third-party credential, but we have no confirmation”, he comments. Russo, who recently testified in front of Congress about this and other recent retail breaches, said Target’s executives, “were adamant that they didn’t know what exactly happened yet in this breach.”

Where Things Went Wrong

In early February, Target announced a $100 million program to accelerate the use of chip-enabled smart cards to protect against cyber thefts. Security experts agree that although deployment of chip-based cards would make re-use of the data stolen more difficult, it would not have realistically prevented the breach that occurred at Target.

“It’s a good idea, and it will help solve many problems”, says Eric Cole, a security expert and instructor with the SANS Institute. “Yet it would not help in these particular cases because the information was taken from back-end systems.” In reality, Cole says, the preventive capabilities of chip cards had very little to do with how the data was stolen in the Target example.

PCI’s Russo largely agrees with this assessment, but still finds value in the transition to EMV payments. “[EMV] would probably have devalued the data, preventing the hackers from making counterfeit cards. But the data could have been used for things like online or telephone card fraud. It would not have prevented the [Target] breach.”

Cole asserts that the retailer should have stored card information only on heavily segmented networks, “so when somebody breached the external perimeter, it would have limited the hacker’s ability” to use the data. For him, the Target breach comes down to three big failures: a lack of asset inventory, poor asset configuration, and poor change control. “It was clear that Target did not know what was on its network”, Cole comments, “and changes were being made so quickly that they didn’t know what was going on.”

Security firm Symantec recently issued a special report on attacking POS systems. While Target apparently failed to segregate its POS system from the rest of its corporate network, as the report pointed out, it’s not a violation of the PCI standards.

“The current standards recommend, but do not require the CDE [cardholder data environment] to be network-segmented from other non-POS systems and the public internet”, the report noted. “While a strictly controlled and completely isolated POS system network would be quite secure, it is too impractical for serious consideration.”

The most common pathway to a POS system, as Symantec explained, was through the general corporate network, and often attackers are able to gain access to the corporate network via spear-phishing emails. It has been insinuated by Krebs’ investigation that this is exactly how the Target hackers gained access to the company’s POS system – first by compromising a third-party credential via phishing at Fazio, then entering the Target corporate network, and finally onto its POS system.

“As in any breach, there were failures that allowed those third-party credentials to get the access they needed”, Cole observes. “If the environment was configured correctly, then the damage could have been contained and controlled.” He notes, like most security analysts, that organizations will inevitably be compromised. “You have to accept that fact”, Cole maintains, but in this case, he concludes, “Target should have segregated their systems.”

Recent developments surrounding the Target breach include a Bloomberg report claiming that the company ignored alterts from it's own security tools during the ongoing incident. And while Target has agreed to bolster payment security by deploying chip-and-pin on all of it's store-branded payment cards, the post-breach response has not been enough to avoid a serious shake-up of the firm's senior management team – including the ouster of its chief executive in May of this year. 

It appears, at least for one of America’s largest retailers, the company could have prevented – or at least limited – this data breach through better design. Perhaps it’s time for Target to put Isaac Mizrahi to better use?