Millions of shoppers who visited Target between November 27 and December 18, 2013, received notices that their payment card data had potentially been compromised. In what has turned out to be one of the largest cyber breaches in U.S. history, hackers infiltrated Target’s payment network and obtained the credit or debit card information of 40 million shoppers, as well as the personal information of approximately 70 million customers.
The Minneapolis-based Target Corporation went public about the breach on December 19, and has been faced with more questions than answers ever since. What tools did the hackers use to siphon off the credit card information unnoticed? Was Target doing enough to protect its customers? Could a breach like this have been prevented?
Investigators have found that RAM random access memory (RAM) scraping malware was used to infect the point of sales (POS) terminals where customers swipe their credit or debit cards. Levi Gundert, lead analyst for Cisco’s threat research analysis and communications team, says that the malware works because payment card industry security standards require that payment card data be encrypted at the POS terminal and transmitted across the network in an encrypted state. That data becomes vulnerable at one single point: when it is decrypted to be read by the machine.
“The [payment] process, as it runs, basically has to move the data from the magnetic stripe into memory on the computer workstation or terminal,” Gundert says. “Whenever it resides in memory for even a split second, it’s very simple to write some code, write a program…that basically strips out any data residing in memory even momentarily.” He says the program accesses RAM on the infected machines constantly, looking for patterns of digits that match the information contained on a payment card’s magnetic stripe.
To install the RAM scraping malware on POS terminals, hackers needed to gain initial entry into Target’s network. In late January, investigators announced that this was achieved through stolen access credentials from a third-party vendor. The press later found that the login credentials were stolen from Fazio Mechanical Services, a refrigeration and HVAC services provider based in Sharpsburg, Pennsylvania. Once the hackers were inside Target’s network, they had the ability to move throughout all of the retailer’s systems, allowing them to steal the names, mailing addresses, phone numbers, and e-mail addresses of millions of customers.
“They were able to breach an outside system and get to multiple areas within Target, which suggests things weren’t compartmentalized,” says Chester Wisniewski, senior security adviser at Sophos. He adds that a best practice for companies to prevent such a breach is network segmentation, which would include, for example, having one set of access credentials and directory restrictions for a payment system and another set for a Web site.
Gundert of Cisco adds that focusing on intrusion detection, rather than attempting to keep criminals out of a network, is most important. “If you’re segmenting your point of sale terminals from the rest of the network, then it should be fairly straightforward to put detection in place.”
Lysa Myers, security researcher at ESET, says the hackers who pulled off the heist could have easily obtained their tools on the black market, making the scenario one that could occur again if a network is unprotected. “The way the malware market is moving is that you don’t necessarily have to have the skills to break into someone’s machines, you have to have access to the malware that’s being released and sold out there,” she says. “It’s a huge payday for [the bad guys]. They targeted the store during the busiest shopping week of the year so they got a massive number of sellable card details in a couple of weeks’ time.”
he nature of payment card transactions in the United States, which require that all the payment information be embedded on a magnetic stripe, lends itself to theft at POS terminals, Wisniewski says. Businesses in most of Western Europe, as well as Australia, New Zealand, and Canada use EMV (Europay, MasterCard, and Visa) technology, which limits the amount of information on the card itself.
EMV is based on a chip-and-PIN method. The user swipes a card that contains a chip inside, and then must enter a unique PIN to complete the transaction. “With these chip cards, the only information that goes in the memory on the computer is a cryptographic token that represents that transaction, but doesn’t actually have the 16 digits off the front of the card in it,” Wisniewski notes. If a criminal steals that information, they don’t get your card number, but just a transaction ID that represents what you were purchasing. This data, which doesn’t allow them to purchase anything, is “totally useless to steal,” Wisniewski says.
The credit card industry has set a deadline for U.S. businesses to install the EMV technology by 2015, but whether that deadline will be met remains to be seen. In a briefing by the National Retail Federation on February 11, Senior Vice President and General Counsel Mallory Duncan said the undertaking could take years. “Obviously when you’ve got billions of cards out there that have to be reissued and millions of terminals that have to be replaced, it’s not going to happen overnight,” he said.
In a hearing before the Senate Judiciary Committee, Target’s Chief Financial Officer John Mulligan testified that the retailer is moving to support the chip-and-PIN system for its store credit cards, an effort it says will cost about $100 million. "We’re committed to moving forward and accelerating our efforts in that area,” he said.