Inside knowledge likely in Target breach, experts say

The Target security breach that left millions of debit and credit card holders at risk of becoming victims of fraud left experts pondering the question of how such a massive theft might have occurred.

Theories varied, but the scant details released by the retailer Thursday left some experts believing the criminals had to have some inside knowledge of the company's point-of-sale system in order to compromise it so effectively.

Either people inside the organization were involved or, "at the very least, (the thieves) had sophisticated knowledge and a clear understanding of the cardholder data flows, in order to pinpoint where to steal this very specific data and then exfiltrate it," Mark Bower, director of information protection solutions at Voltage Security, said.

Target reported Thursday that card data, including customer name, credit or debit card number, expiration date and CVV code, had been stolen from 40 million accounts used for shopping between Nov. 27 and Dec. 15. The three-digit security code printed on the back of cards is the CVV2; the magnetic stripe carries a separate card verification value (CVV1) as part of its track data, and the statement as reported does not say which of the two was taken.

The theft may have involved tampering with the machines used to swipe cards when making purchases, The Wall Street Journal reported. The information stolen, called track data, is encoded in the magnetic stripe on the back of cards.

Target declined to discuss the breach, which a spokeswoman described as "a very sophisticated crime." The Journal reported that the theft involved Target stores nationwide and as many as 40,000 card devices may have been affected. Target has 1,797 stores in the U.S.

Bower believes the thieves may have planted malware in the electronic cash register attached to the card reader. When a card was swiped, the malware would copy the data, which likely travels in plain text from the reader to the register's software.

Modern cash registers often run Linux or Windows, and so are as vulnerable to malware as ordinary computers. However, how the collected data got to the thieves' computers is a head-scratcher, because the registers were likely on a closed network that isn't accessible from the Internet.

Because of the difficulty of compromising so many point-of-sale systems, other experts believed the breach more likely occurred at the corporate data center where card data may have been sent from stores before being relayed to a card-processing company.

Lucas Zaichkowsky, enterprise defense architect at AccessData, said hackers may have compromised the corporate system and planted malware that copied data just before it entered the system.

If the network between the stores and corporate systems were closed, then the data may not have been encrypted until it left the internal network, said Zaichkowsky, a former employee of card processor Mercury Payment Systems.

"There's only three, maybe five, of these really advanced financial attackers, and they're really good at breaking in and hacking and they understand credit-card processing inside and out," Zaichkowsky said.

The fact that CVV codes were stolen was a red flag for John Kindervag, analyst for Forrester Research, who said it was an indication that Target may have had a serious security flaw.

If CVV data were stored after transactions were authorized, that would have been a violation of the Payment Card Industry Data Security Standard (PCI DSS), which the card brands require of businesses accepting credit cards and which forbids retaining sensitive authentication data (full track contents, card verification codes, PINs) after authorization, even in encrypted form. In addition, if stored card numbers weren't encrypted, that could also run against the standard.

Because so much account data was stolen in such a short amount of time, Kindervag believes it's more likely the thieves broke into a database somewhere on Target's network and grabbed the data, as opposed to intercepting it in transit on the network.

"When you see that many credit-card numbers breached in a single instance, that would lead me to believe that a credit-card database itself had been stolen," Kindervag said.

Avivah Litan, analyst for Gartner, said she was confident Target was in compliance with PCI DSS, but that doesn't mean the retailer was protected 100 percent.

"It's impossible to plug up all the holes when you're a retailer," Litan said.

She gave it a "50-50 chance" that either an insider with privileged access to Target's network was involved or the thieves obtained the credentials of a privileged user.

No matter the cause, the breach is likely to cost Target millions of dollars, Litan said. Credit-card issuers are likely to raise their merchant fees on every transaction and fine Target whether it was in compliance with PCI DSS or not. In addition, the retailer may have to pay back card issuers for any fraud resulting from the breach.

Stories by Antone Gonsalves