Strong Reactions to the Target Attack
Retailer's Breach Spurs Theories, Suggestions for Action
Forensics will likely discover a point or points of compromise in the Target Corp. breach. But how the attackers were actually able to penetrate Target's network - as well as who is ultimately to blame for the breach that exposed up to 40 million U.S. debit and credit cards - may never be known.
Was an insider to blame? Did someone with administrative privileges fall for a spear phishing scheme that ultimately provided the proverbial keys to the kingdom? Were Target's point-of-sale devices and network not in compliance with the Payment Card Industry Data Security Standard? Or was a third party, such as a payments processor, to blame for the security breach that led to the attack?
Many of our readers have offered detailed responses to our stories about the massive breach, weighing in with theories and suggestions for action.
In response to our Dec. 20 story, Target Breach: What Happened?, one reader writes: "Given that [the] ROW [rest of the world], other than the U.S., uses smart cards with supposedly less ID theft, seems the card guys are not helping U.S. customers with protecting their financial info ... Maybe this is where the guys in Washington could leverage their authority to protect the customer, just as the cigarette manufacturers had to put warning labels on packs."
In response to our Dec. 24 article, Target: Breach Caused by Malware, another reader writes: "I work in the payment card industry, both issuing and processing. Honestly, this is not Target's fault. They are PCI compliant as required and they take great pains to keep information secure. I am sure some person in a room somewhere spent months looking for a microsecond glitch that they could exploit and when they found it they got lucky it was Target. What about the Adobe breach? Card information was being captured from their site for over four years; no one is hopping up and down about that breach. No press about it and many others like it. Why is the press blowing this event out of proportion?"
And in response to our Dec. 27 article, Target Confirms Encrypted PINs Stolen, a third reader writes: "The cost to the industry of this compromise would have gone a long way toward converting to EMV [Europay, MasterCard, Visa standard]. To their credit, Target is EMV ready and one of half a dozen large retailers who have been pushing for the issuance of cards. ... The difference in EMV is not simply in the card but in what the merchant sees. For example, he does not see and cannot store the identity of the card. The merchant is able to demonstrate the presence of the card and the entry of the PIN without seeing or storing anything that can be replayed for his benefit or that of others."
Industry experts also are weighing in with their reactions. Mike Versace, global research director for industry analysis firm IDC, tells me that the analysis and publicity surrounding the Target breach have "gotten way out of control."
"As if the breach wasn't bad enough, now we have all the industry analysts and some security experts saying that the impact will be muted by the use of strong encryption on PIN data," Versace says. "My guess is that the bad guys in this case have distributed computing resources sufficient to successfully complete a brute force attack on the encrypted data in time to make a certain percentage of the data usable in fraudulent transactions. The point we should be making is that the POS is not secure, and focus less on cards. Buying at POS is less secure than e-commerce? Is that possible?"
A Broken System
When hackers penetrate processors and retailers, they usually exploit multiple vulnerabilities. It's not just one security gap or hole.
The Target breach illustrates yet again that the U.S. payments security system is broken. We ask retailers and processors to ensure PCI compliance, but we have no definitive authority enforcing that compliance.
What's more, what counts as compliance varies from one assessment to the next, depending on how the qualified security assessor interprets the PCI standard. We also know - and have known for years - that magnetic-stripe payment cards are vulnerable to skimming attacks, which copy the static card data from the stripe so it can be replayed on a cloned card, yet card issuers have been reluctant to migrate to a more secure technology, such as chip cards using the EMV standard.
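To make concrete what a skimmer actually captures from a magnetic stripe, here is an added example (not code from the article or from Target) that parses an ISO/IEC 7813 Track 2 record: the full PAN, expiry and service code sit on the stripe in the clear, so one copy of the string is enough to clone the card. The sample swipe below is constructed using a well-known test PAN, and the discretionary data is a placeholder; the `mask_pan` helper illustrates the truncated form PCI DSS permits a merchant to store.

```python
"""Parse ISO/IEC 7813 Track 2 data as read from a magnetic-stripe swipe.

Added example for illustration only; the sample record is constructed
with a test PAN and placeholder discretionary data.
"""
import re
from dataclasses import dataclass

# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?' [LRC]
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?(?P<lrc>.)?$"
)

# First digit of the service code (ISO/IEC 7813): interchange rules and
# whether the issuer expects a chip (IC) to be used where the terminal has one.
SERVICE_CODE_DIGIT1 = {
    "1": "international interchange",
    "2": "international interchange, IC (chip) where feasible",
    "5": "national interchange only",
    "6": "national interchange only, IC (chip) where feasible",
    "7": "no interchange (private)",
    "9": "test",
}


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check digit validation over the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a raw Track 2 string into its fields; reject malformed input."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a Track 2 record")
    t = Track2(m["pan"], m["exp"], m["svc"], m["disc"])
    if not luhn_ok(t.pan):
        raise ValueError("PAN fails Luhn check")
    return t


def chip_capable(t: Track2) -> bool:
    """True when the service code says a chip should be used where available."""
    return t.service_code[0] in ("2", "6")


def describe_service_code(t: Track2) -> str:
    return SERVICE_CODE_DIGIT1.get(t.service_code[0], "unknown")


def mask_pan(pan: str) -> str:
    """First six and last four digits only, the truncation PCI DSS allows at rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample swipe: test PAN 4111111111111111, expiry Dec 2025,
# service code 101 (international, no chip expected), dummy discretionary data.
SAMPLE_SWIPE = ";4111111111111111=25121010000000000000?"

if __name__ == "__main__":
    t = parse_track2(SAMPLE_SWIPE)
    print("PAN (as stored by a skimmer):", t.pan)
    print("PAN (as a merchant may store it):", mask_pan(t.pan))
    print("expiry YYMM:", t.expiry_yymm, "service code:", t.service_code,
          "->", describe_service_code(t), "| chip expected:", chip_capable(t))
```

Everything the parser recovers is static across swipes, which is why a single skimmed copy is replayable; the service code also tells the skimmer up front whether the issuer expects a chip, which matters when a cloned stripe is used at a terminal that would otherwise insist on EMV.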
The card brands aren't without fault either. None has made significant waves to encourage stronger payments security. At some point, someone needs to step in and mandate stronger card security through enforcement and steep penalties.
I'm hopeful that the Target breach could serve as a catalyst for a security overhaul of the U.S. payments infrastructure.