Was Target’s breach the result of an insider job? Or was it a network hack? Or was it ….
Target is America's third largest retailer with over 1500 stores in the US. Credit and debit cards used in Target stores between November 27 and December 15 may have been compromised. This is the official timeline; customers on various sites are reporting fraudulent transactions on cards they used at Target outside the breach window (both before November 27 and after December 15). Though many websites claim that around 40 million cards have been compromised, we have been unable to find the source of that number. Brian Krebs (of the ever popular krebsonsecurity.com website) reports that he has spoken to sources at major card issuers and has been given to understand that more than a million cards may have been compromised.
What we know.
Target is PCI DSS compliant.
Track data has been stolen. Track data (the contents of the magnetic stripe) contains the card number, the cardholder name, the expiry date and the stripe's card verification code, and all of it can be copied just by swiping the card through a reader. Cards in the US still rely on the magnetic stripe, invented at IBM in the 1960s. Much of the world is moving to EMV (chip) cards, which are harder to counterfeit because the chip computes a per-transaction cryptogram, so copying static data from it is not enough to produce a usable clone. Data from chip cards can still be stolen, but it is a far more complicated and time-consuming process, and criminals have not yet descended upon it.
It was initially reported that PINs had not been stolen; Target subsequently announced that PIN data was indeed taken.
If a customer's card has been fraudulently charged, the customer does not have to foot the bill.
The online store and the stores in Canada have not been affected.
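To make concrete what "track data" is and why a single swipe exposes everything needed to clone a stripe, here is an added example (not code from the original post) that parses the two magnetic stripe tracks a reader returns, validates the card number with the Luhn check, reads the service code digit that says whether the card is chip-capable, and masks the PAN the way PCI DSS allows it to be displayed (at most the first six and last four digits). The sample track strings are constructed for this example: the PAN is the well-known Visa test number 4111111111111111, and the name, expiry and discretionary data are invented.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records, as a swipe reader would return them.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121011000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=25121011000000000?"

TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


@dataclass
class TrackData:
    pan: str
    expiry: str            # YYMM exactly as encoded on the stripe
    service_code: str
    name: Optional[str]    # only track 1 carries the cardholder name
    discretionary: str     # PVKI/PVV and the stripe CVV live here: secret


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check digit validation over the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def chip_preferred(service_code: str) -> bool:
    """First service code digit 2 or 6 means 'use the IC (chip) where feasible'."""
    return service_code[0] in ("2", "6")


def parse_track(track: str) -> TrackData:
    """Parse a track 1 or track 2 record; reject malformed data or a bad PAN."""
    m = TRACK1_RE.match(track)
    if m:
        name: Optional[str] = m.group("name")
    else:
        m = TRACK2_RE.match(track)
        if not m:
            raise ValueError("not a well-formed track 1 or track 2 record")
        name = None
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return TrackData(pan, m.group("exp"), m.group("svc"), name, m.group("disc"))


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: first six and last four digits at most."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        t = parse_track(raw)
        print(mask_pan(t.pan), t.expiry, t.service_code,
              "chip-preferred" if chip_preferred(t.service_code) else "stripe-only",
              t.name or "(no name on track 2)")
```

Note that everything needed to write a counterfeit stripe (PAN, expiry, service code and the discretionary field holding the stripe verification code) comes out of one swipe, which is why memory-scraping malware on a POS terminal is so damaging. A chip-preferred service code does not by itself protect the stripe data; it only tells a chip-capable terminal to use the chip instead.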
What is not clear.
How did the breach happen? Was it a network attack? Were the POS terminals hacked? Was it an insider job? The more popular theories are:
POS terminals were infected with malware. If so, how did the attackers gain access to the server that pushes updates to the POS terminals? Was that server inside Target's network? Were the server and the update process outsourced to a third-party vendor? Not clear.
Some part of the network (a router, a switch or another device) was compromised.
It was an inside job. This is a very plausible scenario, considering that restrictions on insiders are generally lax.
Did the POS terminals have the basic security measures that PCI DSS specifies? This might not be a relevant factor as far as this breach is concerned.
What can be done to prevent such instances in the future?
Since we don't know exactly what happened, we can't protect against it, can we? At this stage, what we can do is draw up mechanisms to protect against each of the possible causes of the attack.
The most difficult thing to protect against is an insider job: how does an organization strike a balance between placing curbs on people and giving them enough freedom to perform their jobs efficiently? This is a fine line to walk, and one that requires a thorough understanding of processes, where data is, how it flows and who has access to it.
Stay tuned for updates