
Target breach shows need to create more secure payment systems.

  • Posted on: January 4, 2014
  • Posted in: Compliance & Regulations, Cybercrime
  • Posted by: Trend Micro

An attack on the point-of-sale systems at retail giant Target over the holidays may have exposed sensitive data, including PINs, from tens of millions of payment cards. The breach coincided with Black Friday, the traditional kickoff to the holiday shopping season, and may have extended to mid-December. Ultimately, this incident may rank as one of the largest and most costly in retail history, with banks already taking decisive action to protect cardholders from fraud.

The Target breach was confined to POS terminals at the retailer’s locations in the U.S. and Canada and did not affect its website. Malware distributed throughout these brick-and-mortar stores may have facilitated the mass skimming of card data, and this line of attack may demonstrate the blurring line between physical security and cybersecurity.

More specifically, organizations must be equally attentive to on-site vulnerabilities and remotely orchestrated campaigns, as the Target breach was the result of many individual POS systems being compromised by one carefully engineered attack. To this end, antimalware solutions will need to be paired with upgraded payment systems. Ideally, the shift from magnetic stripe to microchip technology in debit and credit cards will shore up POS security, but retailers will also need to be diligent about handling customer data and working with PCI and cybersecurity experts.

Target breach underscores rise in attacks on POS systems
POS systems have become a favorite target for cybercriminals in recent years. During a 2009 breach at Heartland Payment Systems, attackers broke into the organization’s private network and stole data on 130 million payment cards. Similarly, a 2012 incident affecting 63 Barnes & Noble bookstores forced many buyers to change their PINs and/or get new cards.

In this context, the Target breach is the latest and arguably most high-profile attack on POS infrastructure. As in other incidents, perpetrators likely sought to create counterfeit cards using the stolen data, known as track data, and then sell them on the underground market. With fake debit cards, buyers could withdraw cash from ATMs.

“Typically, criminals will steal credit card information and then sell it,” explained Zscaler vice president Michael Sutton. “There’s a very elaborate economy built around this type of crime. That’s a very valuable asset that can be obtained completely through remote Internet access.”

The exact mechanics of the attack remain unclear, but its scale implies that the perpetrators deviated from traditional POS skimming tactics. Business Insider’s Jim Edwards explained that previous attempts to harvest payment card numbers and PINs required installation of a thin layer on top of card readers. However, this approach was high-risk/low-reward, since it required entering the store twice – once to install the device and again to remove it – and only netted a few hundred card numbers per day.

Instead, the Target attackers may have capitalized on employee error and/or leveraged innovative malware to breach POS terminals over the Internet. It’s possible that an insider planted malware in the system, or that a worker fell victim to a sophisticated phishing campaign. Either way, nearly 40 million Target shoppers may be at risk of identity theft, indicating that the attackers successfully scaled their tactics to harvest data from thousands of card readers.

Encrypted PINs may have been compromised
Initially, the breach appeared to affect only payment card numbers, expiration dates and CVV codes. However, PINs were also compromised, raising the prospect of thieves gaining extensive access to bank accounts via debit cards.

Target stated that the PINs are strongly encrypted with Triple DES on-site and during transmission. Still, banks witnessed a high level of fraud on accounts tied to the breach, raising questions about how customer information was handled. While attackers have been looking for creative ways to attack POS systems, merchants may have been exposing customers to undue risk by storing sensitive data for too long.

Writing for Dark Reading, IOActive CTO Gunter Ollmann argued that storing PINs at all was an unsound practice with little practical reward. The theft of the Target PINs, despite their encryption, demonstrates the numerous attack surfaces on POS systems and how merchants must reconsider how they are securing data.

“If Target has been storing PIN data for third-party debit cards, then that is deeply worrying to me,” wrote Ollmann. “I can’t think of a legitimate reason why any corporation would want to retain this data – unless it has a process for managing delayed or deferred payments (e.g., reducing the amount it pays to merchant bankers for processing cards at nonpeak times). Regardless, there’s no way that kind of data should be retained for more than a few hours.”

Target breach shows need for new payment card technology
Despite the damage of the Target breach, the PCI and cybersecurity communities have a clear route toward better protection of payment data. The Target attackers took advantage of the ongoing reliance on magnetic stripe cards in the U.S., but in other countries, this technology has already been superseded by the Europay, Mastercard and Visa (EMV) standard.

The U.S. currently lags in EMV adoption, but the Target breach may spur retailers and card issuers into action. The latter group aims to move customers to EMV by October 2015 by shifting fraud liability from themselves to merchants.

“The U.S. is one of the last markets to convert from the magnetic stripe,” stated Randy Vanderhoof, director of the EMV Migration Forum. “There’s fewer places in the world where that stolen data could be used. So the U.S. becomes more of a high-value target.”

Smart cards with EMV feature more sophisticated encryption and security measures, which have made them popular in more than 80 countries. Only about one percent of U.S. payment cards currently use EMV technology.

While better basic security practices such as keeping software up to date and controlling access to IT systems will go a long way toward preventing incidents like the Target breach, EMV technology will give retailers and customers a much more secure platform. The Target attack should be the impetus for renewed attention to insider threats and POS system security, ideally pushing retailers toward providing a more secure experience for customers.
