UPDATED 16:01 EDT / DECEMBER 19 2013


Target ‘targeted’ along with 40M consumer credit accounts in a massive holiday retail attack – Was it malware?

Well, you can’t say you weren’t warned about the risk in all this Black Friday stuff, though it’s more about retail transactions in general. The national news has picked up the story of Target’s massive data breach and the ongoing investigation. This breach apparently may affect as many as 40 million credit and debit card accounts across the country. The window of attack was set between Nov 27 and Dec 15 of this year. That’s an extended window that revolves around the Black Friday sales events, the busiest shopping days of the year.

There are still many reports floating about as this investigation unfolds, and at this time it appears that the breach does not include online sales. That information comes from a report that the data affected is what’s known as ‘track data’, which is basically the raw card information as it is gathered at the retail locations. This likely means that retail location servers were compromised, and the scariest potential vector in all this is the possibility that there was some type of purpose-built malware behind it.

Deeper details are still to come, and the fallout will follow in the not too distant future. Target has thus far put out the following communications notice:

Issue has been identified and resolved

MINNEAPOLIS — December 19, 2013

Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores. Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue.

“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” said Gregg Steinhafel, chairman, president and chief executive officer, Target. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”

Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts.  Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.

More information is available at Target’s corporate website. Guests who suspect unauthorized activity should contact Target at: 866-852-8680.

Regulated systems point to malware

 


Target roped in its infrastructure some time ago in order to get better control and better visibility and to save costs. It had been a giant cloud operation prior to that. The company has also visibly renovated its payment systems with new color POS terminals recently, and that likely means some of the infrastructure and systems behind them were updated as well. I state this because it would mean that the systems are up to date and compliant with the PCI payment processing regulations. The fact is that full track data, including the CVV (card verification value) codes, those three numbers on the back of your card, can’t be stored anywhere within the system according to those regulations. Somehow all this info was snatched, which means the system was most likely infiltrated at the only place those CVV numbers exist at any point in time: in memory at the point of processing. There is no database here. Enter malware, which not only swiped this information from memory but was also able to deliver it to the outside. That’s a custom attack. In the meantime there are all kinds of reports of people’s accounts being used in fraudulent transactions.

One last thing: if the confirmation from Target was not enough to convince you of how big this breach is, the data has hit the black market and it’s for sale.

Credit is a big financial fraud target with big challenges

 

Retail is always going to be a big target of cybercriminals. The potential to get identity information, credit information, almost any information really, makes for a constant threat. When you add the volume and chaos of the world’s biggest shopping day to the mix, it is perhaps the biggest target ever, especially with each passing year as things like mobile payments, mobile shopping and other tech advancements arrive. With Target being one of the biggest retailers in the land, that big red target logo couldn’t be more appropriate.

Regulations have their place, but they only go so far. In a recent series we took a look at the new PCI-DSS 3.0 regulations and pointed out some of the shortcomings there. It turns out the answer to the problem may be changing the entire construct altogether. Mark LaRow, Executive Vice President of MicroStrategy, offers some criticisms of the entire credit card process in general:

The reason this can happen is because of three inherent weaknesses with any card-based authorizations:

1. Credit card numbers are physical things that can be stolen or copied

2. Credit card numbers are anonymous so that anyone who steals one can use it

3. Credit card numbers are presented openly at distributed terminals which makes it possible to intercept them and also to insert fraudulent versions elsewhere

LaRow’s company is behind Usher Mobile, which has a unique product that could make credit card fraud a thing of the past. It brings together mobile, identity and biometrics in a fascinating product that could bring about a new age of credit transactions at a higher level of security. This and a bunch of other use cases could change the way we think about identification. We’ll feature Usher Mobile in an upcoming piece.

In the meantime, this incident brings to light the other side of security.  What happens when a breach takes place?  What’s your Incident Response plan?  How do you conduct your triage?  Target says the issue is identified and resolved.  They have communicated the damage.  The brand reputation damage is undeniable, especially when these attacks went unnoticed for so long.  Whether this persists or not depends on a number of factors but Target isn’t going anywhere. It’s a story that will continue to evolve to say the least.

 

