
Fall-out from Target data breach


Lessons from the Target attack

– US retail giant plans $100m investment in Chip-and-PIN after late 2013 systems hacking

It has been a troubling period for Target, the second largest retailer in the US; for its PCI compliance auditor, Trustwave Holdings; and, of course, for the 110 million customers of Target’s 1,797 US stores whose details were compromised in the hacking that took place between November 27 and December 15, 2013.

Computer hackers stole credit and debit card information from 40 million Target customers during the late 2013 holiday shopping season.

In January, Target revealed that personal information – names, mailing addresses, telephone numbers and email addresses – had also been stolen from an additional 70 million customers. That’s a total of 110 million Target customers potentially affected by the security breach.

In early May Target’s CEO Gregg Steinhafel announced his retirement after a 35-year career with the megastore. To make matters worse, profits fell 16% in the first quarter of 2014; this followed a 46% fall in profits in the last quarter of 2013 compared with the same period in 2012.

All this after Trustwave Holdings audited Target’s system and declared it PCI-compliant in September 2013, just two months before the data breach.

What actually happened?

In January 2014 Target confirmed that the data breach occurred when malware infected its POS terminals.

One of the pieces of malware used – according to a Reuters article – was a RAM scraper, or memory-parsing software, which enables cyber criminals to grab data that is otherwise encrypted by capturing it as it travels through the live memory of a computer, where it appears in plain text. The malware is designed to strike during those milliseconds when card details are unencrypted, or ‘in the clear’. RAM scraping – first reported in 2009 – is an old hacking technique that has been given a new lease of life for the purpose of compromising payment systems.

Target – in their FAQ section related to the data breach – have stated that CVV1 information (three digits stored within the track 2 data encoded on the magnetic stripe of a credit card) was compromised. Target added that they have no indication that CVV2 data was compromised, and therefore no indication that the three- and four-digit security codes printed on the card were affected during the 2013 hacking. This tallies with an attack in which the contents of the magstripe are compromised.

Target was alerted by credit card processors that its systems might have been compromised. The credit card processors had noticed a surge in fraudulent transactions involving credit cards used at Target.

The affected payment cards include Target’s REDcard private label debit and credit cards as well as other bank cards.

On December 27, 2013, Target confirmed that strongly encrypted PIN data had been removed. They added that they remain confident that PINs are safe and secure: the PIN information was fully encrypted at the keypad, remained encrypted within their system, and remained encrypted up to the point of removal.

Target added that it does not have access to, nor does it store, the encryption key in its system. The PIN information was encrypted within Target’s systems and can only be decrypted when received by a payment processor, such as First Data. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.

An article in Bloomberg Businessweek stated that Target’s internal security operations centre missed two red-flag alerts from their Bangalore-based security firm FireEye. Hackers had installed malware in Target’s payment system before Thanksgiving, but on November 30, as the hacking operation began, FireEye noticed something suspicious. They notified the Target security centre in Minneapolis: nothing happened. It was the same on December 2: no action in Minneapolis. Soon 40 million credit card details as well as 70 million pieces of personal information were compromised.

What now?

Target have since announced that they will accelerate the introduction of chip cards as another layer of protection for consumers.

All of Target’s U.S. stores will have the new payment devices by September 2014, some six months ahead of schedule. In addition, a POS system revamp will cost Target $100 million.

The retailer has also claimed that it would begin issuing chip-and-PIN-enabled Target REDcards in the first quarter of 2015. During that same period, Target will accept chip-enabled cards in their 1,797 stores.

Unfortunately, Target could also be liable for the data breach. The PCI – the group representing the big five credit card companies – doesn’t take kindly to breaches of cardholder information. Potentially, Target could be fined $90 for every individual breach: that equates to Target facing a $3.6 billion liability.

Target has also been sued by shoppers – the lawsuit based on negligence and invasion of personal security. “Target failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach,” according to the complaint. This line is almost the exact opposite of what the PCI DSS demands from companies that store, transmit or process sensitive cardholder data.

It could have been worse. In April, two banks – who had initiated legal action against Target for the ‘monumental losses’ they faced because of the data breach – dropped their lawsuit.

It was a small sliver of relief for Target in what has become a maelstrom of embarrassment.

What can be done in future to mitigate similar attacks?

There is no doubt that, given the current state of both POS technology and payment switching technology, many other retailers run the risk of being the victim of attacks similar to that on Target.

For some retailers, card tokenization may offer protection. In our opinion, all retailers should be looking closely at point-to-point encryption (P2PE), as it could well be the most appropriate solution to introduce. All retailers should be looking to secure their POS devices to ensure that track 2 data is encrypted prior to leaving the card reader, thus dramatically reducing the attack surface for Target-type hacking efforts.
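As an added illustration (not code from the original post or from Aviso Novate) of the RAM-scraper exposure described earlier and the P2PE mitigation recommended here, the following Go program models a card reader that encrypts track 2 with AES-GCM before the data reaches the POS application, and a defender's card-data discovery check over the buffer the POS holds. The sample track 2 string, the static demo key and the function names are constructed for the demonstration; a real P2PE reader uses a per-transaction key scheme such as DUKPT rather than a fixed key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"regexp"
)

// Constructed track 2 sample (4111... is a test PAN, not a real card): ;PAN=YYMMSSS<discretionary>?
const SampleTrack2 = ";4111111111111111=25121011234567890?"

// Start sentinel, 13-19 digit PAN, separator, YYMM expiry and 3-digit service code: the shape a
// card-data discovery scan flags in a memory dump, and exactly what a RAM scraper hunts for.
var track2Pattern = regexp.MustCompile(`;\d{13,19}=\d{7}`)

// ContainsClearTrack2 reports whether a POS-side buffer holds plaintext track 2 data.
func ContainsClearTrack2(buf []byte) bool { return track2Pattern.Match(buf) }

// NewP2PECipher builds AES-GCM for a key held only by the card reader and the processor's HSM.
func NewP2PECipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// P2PESwipe models a reader encrypting track 2 before it leaves the read head;
// nonce||ciphertext||tag is all the POS application ever holds in memory.
func P2PESwipe(aead cipher.AEAD, track2 string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(track2), nil), nil
}

// ProcessorDecrypt models the acquirer-side HSM, the only place besides the reader where the key exists.
func ProcessorDecrypt(aead cipher.AEAD, blob []byte) (string, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return "", fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	pt, err := aead.Open(nil, blob[:n], blob[n:], nil)
	return string(pt), err
}

func main() {
	aead, _ := NewP2PECipher([]byte("0123456789abcdef")) // constructed 128-bit demo key
	blob, _ := P2PESwipe(aead, SampleTrack2)
	// A legacy reader hands the POS the raw string (true); the P2PE reader hands it ciphertext (false).
	fmt.Println(ContainsClearTrack2([]byte(SampleTrack2)), ContainsClearTrack2(blob))
}
```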

Aviso Novate supports full transaction encryption and Hardware Security Module (HSM) encryption for transaction data, solving the server-side of this puzzle. Talk to us if you are serious about not being the next Target.