An attack on the point-of-sale systems at retail giant Target over the holidays may have exposed sensitive data, including PINs, from tens of millions of payment cards. The breach coincided with Black Friday, the traditional kickoff to the holiday shopping season, and may have extended to mid December. Ultimately, this incident may rank as one of the largest and most costly in retail history, with banks already taking decisive action to protect cardholders from fraud.
The Target breach was confined to POS terminals at the retailer’s locations in the U.S. and Canada and did not affect its website. Malware distributed throughout these brick-and-mortar stores may have facilitated the mass skimming of card data, and this line of attack may demonstrate the blurring line between physical security and cybersecurity.
More specifically, organizations must be equally attentive to on-site vulnerabilities and remotely orchestrated campaigns, as the Target breach was the result of many individual POS systems being compromised by one carefully engineered attack. To this end, antimalware solutions will need to be paired with upgraded payment systems. Ideally, the shift from magnetic stripe to microchip technology in debit and credit cards will shore up POS security, but retailers will also need to be diligent about handling customer data and working with PCI and cybersecurity experts.
Target breach underscores rise in attacks on POS systems
POS systems have become a favorite target for cybercriminals in recent years. During a 2009 breach at Heartland Payment Systems, attackers broke into the organization’s private network and stole data on 130 million payment cards. Similarly, a 2012 incident affecting 63 Barnes & Noble bookstores forced many buyers to change their PINs and/or get new cards.
In this context, the Target breach is the latest and arguably most high-profile attack on POS infrastructure. As in other incidents, perpetrators likely sought to create counterfeit cards using the stolen data, known as track data, and then sell them on the underground market. With fake debit cards, buyers could withdraw cash from ATMs.
“Typically, criminals will steal credit card information and then sell it,” explained ZScaler vice president Michael Sutton. “There’s a very elaborate economy built around this type of crime. That’s a very valuable asset that can be obtained completely through remote Internet access.”
The exact mechanics of the attack remain unclear, but its scale implies that the perpetrators deviated from traditional POS skimming tactics. Business Insider’s Jim Edwards explained that previous attempts to harvest payment card numbers and PINs required installation of a thin layer on top of card readers. However, this approach was high-risk/low-reward, since it required entering the store twice – once to install the device and again to remove it – and only netted a few hundred card numbers per day.
Instead, the Target attackers may have capitalized on employee error and/or leveraged innovative malware to breach POS terminals over the Internet. It’s possible that an insider planted malware in the system, or that a worker fell victim to a sophisticated phishing campaign. Either way, nearly 40 million Target shoppers may be at risk of identity theft, indicating that the attackers successfully scaled their tactics to harvest data from thousands of card readers.
Encrypted PINs may have been compromised
Initially, the breach appeared to affect only payment card numbers, expiration dates and CVV codes. However, PIN numbers were also compromised, raising the prospect of thieves gaining extensive access to bank accounts via debit cards.
Target stated that the PINs are strongly encrypted with Triple DES on-site and during transmission. Still, banks witnessed a high level of fraud on accounts tied to the breach, raising questions about how customer information was handled. While attackers have been looking for creative ways to attack POS systems, merchants may have been exposing customers to undue risk by storing sensitive data for too long.
Writing for Dark Reading, IOActive CTO Gunter Ollmann argued that storing PINs at all was an unsound practice with little practical reward. The theft of the Target PINs, despite their encryption, demonstrates the numerous attack surfaces on POS systems and how merchants must reconsider how they are securing data.
“If Target has been storing PIN data for third-party debit cards, then that is deeply worrying to me,” wrote Ollmann. “I can’t think of a legitimate reason why any corporation would want to retain this data – unless it has a process for managing delayed or deferred payments (e.g., reducing the amount it pays to merchant bankers for processing cards at nonpeak times). Regardless, there’s no way that kind of data should be retained for more than a few hours.”
Target breach shows needs for new payment card technology
Despite the damage of the Target breach, the PCI and cybersecurity communities have a clear route toward better protection of payment data. The Target attackers took advantage of the ongoing reliance on magnetic stripe cards in the U.S., but in other countries, this technology has already been superseded by the Europay, Mastercard and Visa standard.
The U.S. currently lags in EMV adoption, but the Target breach may spur retailers and card issuers into action. The latter group aim to shift customers to EMV by October 2015 by shifting fraud liability from themselves to merchants.
“The U.S. is one of the last markets to convert from the magnetic stripe,” stated Randy Vanderhoof, director of the EMV Migration Forum. “There’s fewer places in the world where that stolen data could be used. So the U.S. becomes more of a high-value target.”
Smart cards with EMV feature more sophisticated encryption and security measures, which have made them popular in more than 80 countries. Only about one percent of U.S. payment cards currently use EMV technology.
While better basic security practices such as keeping software up to date and controlling access to IT system will go a long way to preventing incidents like the Target breach, EMV technology will give retailers and customers a much more secure platform. The Target attack should be the impetus for renewed attention to insider threats and POS system security, ideally pushing retailers toward providing a more secure experience for customers.
