Target ‘targeted’ along with 40M consumer credit accounts in a massive holiday retail attack – Was it malware?
Well you can’t say you weren’t warned about the risk in all this Black Friday stuff. It’s more about retail transactions in general. The national news has picked up the story of Target’s massive data breach and the investigation that is ongoing there. The specter of this breach apparently may affect as many as 40 million credit and debit card accounts across the country. The window of attack was set between Nov 27 and Dec 15 of this year. That’s an extended outage that revolves around the Black Friday sales events, the busiest shopping days of the year. There are still many reports floating about out there as this investigation unfolds, and at this time it appears that the breach does not include online sales. That information comes from a report that the data affected is what’s known as ‘track data’. That track data is basically the raw card information as it is gathered at the retail locations. This likely means that retail location servers were compromised and the scariest potential vector in all this is the possibility that there was some type of direct purpose malware behind this.
Deeper details are still to come and the fallout is still out there as well in the not too distant future. Target has thus far put out the following communications notice:
Issue has been identified and resolved
Regulated systems point to malware
Target roped in their infrastructure some time ago in order to get better control, better visibility and save costs. They had been a giant cloud operation prior to that. They’ve also visibly renovated their payment systems with new color POS terminals recently and that likely means some of the infrastructure and systems behind it were updated as well. I state this because this would mean that the systems are up to date and compliant with the PCI payment processing regulations. The fact is that full track data including the CVV (card verification value) codes – those three numbers on the back of your card, those can’t be stored anywhere within the system according to those regulations. Somehow all this info was snatched which means the system was most likely infiltrated at the only place those CVV numbers exist at one place in time- that is in memory at the point of processing. There is no database here. Enter malware, and it not only swiped this information from memory, it also was able to deliver it to the outside. That’s a custom attack. In the meantime there’s all kinds of reports of people’s accounts being used in fraudulent transactions.
One last thing, if the confirmation from Target was not enough to convince you of how big this breach is, the data has hit the black market and it’s for sale.
Credit is a big financial fraud target with big challenges
Retail is always going to be a big target of cybercriminals. The potential to get identity information, credit information – almost any information really, this makes for a constant threat. When you add the volume and chaos of the world’s biggest shopping day to the mix, it is perhaps the biggest target ever especially with each passing year as things like mobile payments, mobile shopping and other tech advancements. Target – being one of the biggest retailers in the land, well that big red target logo couldn’t be more appropriate.
Regulations have their place, but they only go so far. In a recent series we took a look at the new PCI-DSS 3.0 regulations and pointed out some of the shortcomings there. It turns out the answer to the problem may be changing the entire construct altogether. Mark LaRow -Executive Vice President of MicroStrategy, offers some criticisms of the entire credit card process in general:
The reason this can happen is because of three inherent weaknesses with any card-based authorizations:
1. Credit card numbers are physical things that can be stolen or copied
2. Credit card numbers are anonymous so that anyone who steals one, can use it
3. Credit card numbers are presented openly at distributed terminals which makes it possible to intercept them and also to insert fraudulent versions elsewhere
LaRow’s company is behind Usher Mobile, which has a unique product that could make credit card fraud a thing of the past. It brings together mobile, identity and biometrics in a fascinating product that could bring about a new age of credit transactions at a higher level of security. This and a bunch of other use cases open up that could change the way we think about identification. We’ll feature Usher Mobile in an upcoming piece.
In the meantime, this incident brings to light the other side of security. What happens when a breach takes place? What’s your Incident Response plan? How do you conduct your triage? Target says the issue is identified and resolved. They have communicated the damage. The brand reputation damage is undeniable, especially when these attacks went unnoticed for so long. Whether this persists or not depends on a number of factors but Target isn’t going anywhere. It’s a story that will continue to evolve to say the least.
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU