Target: The breach that should’ve never happened

Target is one of the largest retail chains in North America, so a data breach at any level is serious. Yet, a data breach that focuses on card data only, and during the time of year when retail traffic is at its highest levels, is worse.

In a statement, Forrester Vice President and Principal Analyst, John Kindervag, says that the incident itself should’ve never happened.

“This is a breach that should’ve never happened. The fact that three-digit CVV security codes were compromised shows they were being stored. Storing CVV codes has long been banned by the card brands and the PCI SSC.”

“Without knowing the exact breach vector it’s hard to say exactly what happened, but clearly by exposing CVV information target has demonstrated a blatant disregard for PCI DSS compliance regulations as well as card security best practices. It’s a brand disaster at the busiest shopping time of the year.”

Kindervag isn’t alone in his opinions, Identity Finder’s Aaron Titus, the Chief Privacy Officer and General Counsel, said that Target’s problems mirror those faced by Heartland Payment Systems in 2009. Adding to that, he said organizations that follow PCI-DSS guidelines should be able to prevent most of these types of breaches.

“The first step to PCI-DSS 2.0 and 3.0 compliance is data sensitive data management through discovery and classification, which can help a company identify broken business processes and technology shortcomings.”

Note: To be fair, PCI is a point-in-time measurement of security. So it’s possible for Target to have been fully in compliance with PCI-DSS, and still face the same type of compromise.

I asked Alex McGeorge, senior security researcher of Immunity Inc., to speculate about how this breach could have happened. At this point, the facts of the incident are unknown to the public at large, but given how retail networks operate, it is unlikely that the root cause will be anything too complex.

In a statement, McGeorge said that the key piece of evidence is the data that was taken. That the attackers were able to take track data means a few things are likely. It’s possible, he said, that they were able to hack the card readers directly, but at scale this type of attack would be difficult. Another attack method would see the registers themselves being targeted. Many of these systems run Windows, a criminals favorite target when it comes to malicious code, but again scale is the issue.

“…you’re still looking at pushing malware to hundreds of thousands of endpoints. The skillset to do this is readily available as malware authors write software to do this all the time,” he said.

Finally, McGeorge presented a third option, where the card data was intercepted at a central network location. “I don’t know why Target would do something like this but it is possible. Another interesting thing is the timing, they put this into motion during the busiest shopping season of the year. And this would require a lot of planning and testing to do.”

The speculation about how the breach occurred led to questions about IOCs, or indicators of compromise. What should big box retailers be looking for when it comes to these types of attacks. More importantly, what should mom and pop retailer be looking for? My answer came from Kerstyn Clover, an Incident Response Consultant for SecureState. She offered some basics, which with all things considered, are red flags that Target should have noticed as well.

“Unfortunately, a lot of merchants’ first IOC is contact from their bank due to customers reporting card fraud. Before that point, monitoring activity within the PCI zone is key: multiple failed logins to an account, or attempts to log into multiple accounts from the same location; if new code or programs show up without authorization, things like that. Anything suspicious should be escalated for further review. Network traffic is also important – if data is being sent/received at odd hours or to/from unknown addresses this is highly suspicious.”

Target said in a statement that they detected the problem internally, and moved to address it immediately. However, by the time the breach was detected, it was already too late. So to me, the question centers on how they were storing and accessing their card data, and why it took so long for an abnormality to appear? We may never know.

In a statement, James Lyne, global head of security research at Sophos, said that Target’s security problems will likely register as one of the largest financial information breaches to date. Speaking to the card data compromised during the incident, Lyne said the loss of such a large stockpile indicates poor architectural and business process practices “though the full details of the root cause are not entirely known yet.”

“Target is just another name to add to the list of financial data breaches this year, though this could be one of the largest yet. It is critical that organizations handling such data take steps to protect it–such large volumes of data should never be accessible by one user or process – and should be encrypted to segment the data and should be detected if an export of such size occurs.”

In related news, fraud detection vendor Easy Solutions said they detected a massive increase in the availability of high-value stolen cards on December 11, which correlates with the lifecycle of the Target breach. However, there have been no official reports of credit cards compromised via Target being linked to fraudulent charges.