Target Breach: What Happened?Expert Insight on Breach Scenarios, How Banks Must Respond
Was it a point-of-sale attack? A network breach? Or was it an inside job?
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
Security experts offer varying opinions about how U.S. retailer Target Corp. may have exposed 40 million U.S. debit and credit accounts (see Target: 40 Million Cards at Risk).
Target is not sharing details beyond what it reported Dec. 19 - that U.S. POS transactions conducted between Nov. 27 and Dec. 15 were likely compromised by a data breach.
In the meantime, banking institutions should educate customers about how to protect themselves from any fraud linked the attack.
In a letter to customers, Target notes that customer names, credit and debit card numbers, as well as card expiration dates and card verification values - three-digit security codes - were exposed during the breach, which was first reported by blogger Brian Krebs on Dec. 18.
"Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts," the retailer says in its statement. "Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident."
Target customers who suspect they may have been impacted have been instructed to contact Target directly and monitor credit accounts. The company operates 1,797 stores in the U.S. and 124 in Canada.
Experts can only theorize about what may have happened to Target. And while fraud expert and Gartner analyst Avivah Litan speculates about whether an insider is to blame for the breach, many other experts say Target's compromise likely resulted from an external attack.
As fraud expert and Aite analyst Shirley Inscoe points out, Target's reference to "unauthorized access" suggests an outside hack.
"This incident appears to be tied to their [point-of-sale] system since [card not present] transactions were not impacted," she adds.
An executive with one of the leading U.S. card issuers affected by the Target attack, who asked not to be named, says he believes about 40,000 of the retailer's 60,000 point-of-sale terminals were infected with an executable file, likely malware that was automatically downloaded from a hacked server. Once infected, the devices were instructed to store and forward mag-stripe data collected during transactions at the POS, the executive says.
"Clearly, it was an external intrusion," the executive says. "It would follow that it was done through the infrastructure that Target uses to send updates down to their POS terminals."
An executive with another leading issuer also says the breach most likely was initiated at the network level, via an external attack, given the breadth of the attack.
Al Pascual, a financial fraud analyst with consultancy Javelin Strategy & Research, says the data leak was likely caused by a POS system attack, given that expiration dates and CVVs were lost. "I seriously doubt Target transmitted that data across an open network in the clear to their processor or stored the data," he adds.
John Buzzard of FICO's Card Alert Service says most indicators suggest Target was struck by an external attack that most likely infected its network with malware.
"A compromise involving all 1,800 U.S. stores would point to more of a virtual intrusion," he says. "I don't think there were criminal minions on the ground physically visiting all 1,800 stores. I think many issuers are also wondering if they will eventually have PIN [personal identification numbers used with debit transactions] exposure around this compromise."
No significant reports of PIN fraud with a suspected connection to Target have yet been reported, Buzzard says. "But I'm sure it's on the minds of many," he adds. "FICO Card Alert Service is watching very carefully for anything that indicates that PINs are in play and being used for unauthorized ATM withdrawals, even though we are not seeing any evidence of this today."
But Gartner's Litan questions whether the compromise was linked to an outside malware intrusion.
In a blog posted Dec. 19, just after Target confirmed the attack, Litan speculates that the compromise is most likely be connected to an insider.
"If we've learned anything from the Snowden/NSA and Wikileaks/Bradley Manning affairs, it's that insiders can cause the most damage because some basic controls are not in place," she writes. "I wouldn't be surprised if that's the case with the Target breach - i.e. that Target did a great job protecting their systems from external intruders, but dropped the ball when it came to securing insider access."
Litan also says she thinks the card data was most likely stolen from Target's switching system for authorization and settlement, and was not intercepted because of malware that was remotely installed.
Outdated Mag-Stripes to Blame
Regardless of how the card data was compromised, the outdated magnetic-stripes on payment cards, which are vulnerable to skimming, contributed to the breach, security experts say.
"Bottom line: It's time for the U.S. card industry to move to chip/smart cards and stop expecting retailers to patch an insecure payment card system," Litan notes in her blog.
And Randy Vanderhoof, executive director of the Smart Card Alliance, which supports a move in the U.S. toward chip payments that conform to the Europay, MasterCard, Visa standard, says CVV data would not have been accessible from a chip-based transaction.
"EMV chip cards are more secure and replace static CVV values with dynamic CVVs, which stops criminal from counterfeiting cards with stolen transaction data," Vanderhoof says. "This breach shows that despite best efforts by major retailers to protect cardholder data generated from magnetic-stripe card transactions, criminals will find a way to get this data. The U.S. market needs to adopt secure EMV chip cards as most of the world has already done, including Canada."
Advice for Banks
For now, banking institutions should focus on informing their customers about monitoring accounts for fraudulent activity and taking advantage of fraud alerts offered by institutions, Pascual says.
"Twenty-eight percent of the consumers affected by this breach will likely have their cards misused to commit fraud," he says. "This is another example of why financial institution executives want retailers held to a higher standard. How many more of these need to happen before we get national legislation off of the ground?"
Already, some banking institutions have taken the initiative to alert their customers. TD Bank, for example, has posted "Security Alert: Target Store data issue" atop its online banking login page. "TD wants to advise customers that Target announced a data compromise at its US stores from Nov. 27 - Dec. 15," the alert reads, pointing customers to Target's corporate site for more details.
Buzzard says the Target breach offers a fertile ground for social-engineering schemes, such as phishing attacks, smishing/texting attacks and phone calls that fool consumers into divulging personal information.
"Make sure that you are clear on how your organization will reach out to customers so that they can identify legitimate communication," he says. "This is an excellent time for everyone to leverage their secure online banking websites to communicate with customers. If consumers want to have their cards replaced, it's critical that you manage their expectations closely. This isn't the time of year to close a card before a replacement arrives in the mail."
And Mary Ann Miller, managing director of fraud consulting and industry relations for security solutions firm NICE Actimize, says banks should remind consumers that they are not responsible for fraudulent charges, but they are responsible for monitoring their accounts.
"Banks should also recommend that their customers change their PINs [personal identification numbers] associated with their cards, continue to closely monitor their bank statements for unauthorized charges and report fraudulent transactions immediately if they are spotted," she says.