Security experts are debating how the breach of Fazio Mechanical Services Inc., a refrigeration vendor that serves Target Corp., may have played a role the retailer's point-of-sale malware attack (see Target Vendor Acknowledges Breach). The Target attack late last year exposed some 40 million credit and debit cards and personally identifiable information about 70 million consumers.
Target had announced in late January that its massive data breach was the result of hackers stealing electronic credentials from one of its vendors (see Target Breach: Credentials Stolen). Then last week, Fazio Mechanical Services revealed it was the victim of a "sophisticated cyber-attack operation."
But security experts disagree on whether it's plausible that a vendor breach could have paved the way, on its own, to the malware attack against Target.
Vendor Soft Spots
Avivah Litan, an analyst with consultancy Gartner Research, says it is plausible that the vendor breach led fraudsters to Target's POS network.
"If the [Target] cardholder data environment wasn't sufficiently segmented from the contractor environment, the criminals could have found their way over to the POS systems just by getting into the contractor account," she says.
"It sounds like this is how the Target network was penetrated," she adds. "It's likely that the credentials were compromised and the hackers poked their way into the cardholder data environment from the contractor's network segment."
While Andrew Komarov, CEO of cybercrime intelligence firm IntelCrawler, acknowledges such a connection between the vendor network and Target is possible, he says it's unlikely.
"In order to place malware on a POS network, the malware has to go through a network perimeter, which could be done using various attack vectors, starting from remote administration channel attacks [and] ending with vulnerabilities exploitation in an external network and/or Web-services," he says. "Payment environments are usually isolated, so we are a bit skeptical that a breach of a third party like this is the reason. Traditionally, networks should be segmented and separated according to PCI compliance."
"It is possible only if there were some misconfiguration errors in network infrastructure," he adds.
Target says it's still investigating the cause of its breach and has no comments about the state of its PCI compliance at the time of its attack or other breach investigation developments.
In a Jan. 29 statement to The Wall Street Journal, Target acknowledged that the breach of an unnamed vendor had been used to access Target's network. "We can confirm that the ongoing forensic investigation has indicated that the intruder stole a vendor's credentials, which were used to access our system," Target said.
More Than One Attack?
Komarov and malware expert Yotam Gottesman, a senior researcher for the FirstWatch team at security firm RSA, contend that the Target breach was more likely the result of a series of attacks waged over an extended period of time.
That's because a single attack or intrusion is rarely to blame for a POS network compromise.
"I believe the Target attack and the Neiman Marcus attack resulted from multiple attacks by multiple [strains of] malware by multiple gangs," Gottesman says. "It's not usually one breach. It usually just triggers attention at one point in time."
And because there are multiple ways to attack a POS network, there are usually multiple points of entry, he adds.
While third-party vendors pose numerous risks to supply-chain security, Komarov says retailers' dynamic POS infrastructures create security threats of their own. In fact, forensics investigations of many breached retail networks often find that systems were penetrated months or even years before any suspicious activity is detected, he says (see Compromising Data for Profit) .
"We see many people trying to explain how the [Target] breach happened," Komarov explains. "But track data from the card can only be obtained from scanning the POS terminal or by using tampered devices locally, with help of insiders; back-office systems don't keep it [track data]. If they are compromised, they can only reveal customer's data, excluding track 2."
Retail, hospitality and restaurant chains are vulnerable to longer-running, multilayered compromises because of their often disjointed infrastructure, Komarov says. In many merchant environments, POS device configuration and system security varies from store to store, he says.
"It's one of the key reasons we are faced with so many breaches within retail security," he says.
POS systems and devices have proven to be easy targets for attackers, which is why there has been an increase in malware attacks against retailers, Gottesman says.
"Most computers have anti-virus software; that's not the case for POS devices," he explains. "Many POS devices and systems are run and managed by many different people. I believe these systems are often less updated, and fraudsters have just found out about this and the potential return on investment."
Gottesman also notes that POS encryption practices are failing to protect cardholder data.
When a card is swiped at the POS for payment, it not encrypted at the device, he says; data is not encrypted until the transaction is processed.
"Card data from the POS to the computer is not encrypted," Gottesman says. "That data should be encrypted. If each system had different encryption and different keys, it would be hard to install the Trojan on the POS" (see Breach Hearings: How Did Security Fail? ).