All it takes is one big nasty security breach and the whole world will be watching you through a microscope. Minneapolis-based Target Corporation (NYSE: TGT) issued a press release this past Thursday confirming that 40 million credit and debit card accounts may have been compromised between Nov. 27 and Dec. 15, 2013.
When I first heard of this it had me shaking my head, and (seconds later) quickly looking back through my bank statements to see if I made any purchases in that timeframe.
This is the second largest breach ever reported in the retail industry.
How could this happen to one of the largest retailers in the United States?
Target’s security was only breached in stores, when credit and debit cards were swiped at the cash register. No online security breaches occurred. There is speculation that sophisticated malware was installed on all card readers, though knowing what we know, this seems unlikely.
As an ethical hacker who regularly tests the security of large national corporations, there are two conclusions I can draw from experience. Looking at a breach of this magnitude, the most logical conclusion is that data was likely not stolen at the registers because hackers are lazy in the sense that they will look for the “lowest hanging fruit” first, and installing malicious software on all card readers simultaneously is complicated. There are easier ways to capture this data. It is also unlikely that data was stolen directly from it’s final location (database, ledger, system of record, etc…) because it only included transactions from retail stores from a specific time period, suggesting the data was compromised while in transition. Therefore, the breach most likely happened somewhere in the myriad of complex systems between the retail stores and whatever final endpoints store and process the transactions.
Assuming this occurred (keep in mind that I’m speculating), this type of breach indicates the attackers got to Target’s internal network and captured the data by compromising one or more of the internal systems that
handle the transactions. Such an internal compromise is characteristic of multiple weak points in the organization’s defense.
handle the transactions. Such an internal compromise is characteristic of multiple weak points in the organization’s defense.
It is not uncommon for organizations, no matter how polished they may appear on the outside, to have more lax security practices internally. For example, many organizations build systems under the assumption that all authenticated IT staff can be trusted.
The scary truth: users are typically the weakest security link in an organization.
Even if all employees could be trusted beyond any shadow of doubt, there are still areas that can be compromised. For example, an employee’s computer can be compromised with malware, an employee can click on a phishing link, or an employee can reuse a password from another system, making it easier to discover.
We see these issues all the time during security assessments. This presents a significant problem when the security around internal systems is built on the assumption that all internal users can be trusted.
How could Target have prevented this? The public may never know.
Without an insider view on exact details, there is no way to know could have prevented this. This type of breach was probably not anything new and likely due to a systemic problem.
Preventing a security breach requires investing in building solid security programs that focus on both external and internal threats. Corporations must routinely check for and install software patches. When sensitive data is at stake, sufficient security controls must be built into every stage of a system, and thorough security testing should be conducted with every new software release.
What about the consumers affected?
If your card is among the unlucky forty million cards compromised, the best advice is to monitor your statements for fraudulent charges, contact any major credit bureaus to place a credit alert on your accounts, and obtain a replacement card.
The only sure way avoid this risk during future holiday seasons is to not use your main credit or debit card for shopping. Temporarily use a pre-paid credit card for the holiday season, or pay cash for your gifts (only for the ultra-paranoid).
Until more details are revealed and customers come forward with fraudulent charge reports, we won’t know what will unfold. Our only hope is that corporations better protect their customers from security breaches in the future.
Jason Gillam is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at jgillam@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.