Target told to carry out security review just months before breach

Target was warned of payment system vulnerabilities before data breach

Computer Target, image courtesy of iStockTarget’s massive security hole was ripped open in spite of warnings from the retailer’s security people about potential vulnerabilities in its payment system.

In essence, bad timing led to a perfect security storm, former Target employees and others familiar with the breach investigation told the Wall Street Journal.

In the months leading up to December 2013, when Target disclosed the breach, these are some of the conditions that paved the way for thieves to steal more than 100 million customer records:

  • Bad luck with timing of staff departures. Target lost several members of its cybersecurity team months before the 2013 holiday shopping season – the time when hackers siphoned off the customer records. The WSJ reports that people familiar with the matter, plus a search of social media profiles, shows that many left for “more prestigious jobs” with other employers.
  • Bad luck with timing a system upgrade. At least two months prior to the attack, at least one analyst suggested thoroughly reviewing the security of Target’s point-of-sale (PoS) terminals prior to the retailer updating the terminals – an update that could potentially create new security vulnerabilities.
  • Bad timing in the retail calendar. The PoS system upgrade came ahead of the high-pressure, highly competitive retail event that can make or break a business: Black Friday.

The WSJ quoted one former employee:

It is everyone's worst-case scenario. As an intelligence analyst, there is only so much you can do.

Neither the specific nature of the security holes that prompted the warning nor whether Target carried out the requested review is clear at this point.

What is known is that it concerned the PoS systems – the terminals that customers see when they swipe their bank or credit cards, the WSJ reports.

In January 2014, Target said that the hackers got into its network by using a vendor’s credentials.

As discussed in a recent Chet Chat podcast, once the crooks were inside Target’s network, Naked Security thinks they used a shabbily coded service process with a hardwired password (if you have a listen, the Target piece starts at 08:49).

Security blogger Brian Krebs earlier this month reported that the thieves used the credentials of Fazio Mechanical Services, an HVAC and refrigeration services business to break through the network’s hard shell to get to the gooey good stuff inside.

The WSJ reports that during recent congressional hearings about the breach, Target Chief Financial Officer John Mulligan said that his company had in September 2013 passed an audit that certified its compliance with payment industry requirements for protecting card data.

As Naked Security’s Chester Wisniewski pointed out in Chet Chat No. 133, however, Payment Card Industry (PCI) standards [PDF] prohibit having service accounts with default or static passwords – hence, Target may well not have been PCI compliant.

At this point, the WSJ reports, it’s looking like Target might not have done enough to segment its vast network – a shortcoming the company claims it has since rectified.

Without the necessary walls between Target’s platforms and networks, the hackers were able to move laterally until they got to the system that handled payments at cash registers.

That route never should have been open. The WSJ mentions a recent memo sent by the FBI to retailers, warning about a cash register crimewave.

Target wasn’t named in the memo.

But the FBI described the situation that Target apparently had in place: i.e., connecting credit and debit card readers to remote management software, then topping it off with weak passwords.

Given hackers’ recent success in targeting PoS systems, it’s a dangerous time to be either a retailer or somebody who pulls out plastic to make a purchase.

As SophosLabs researcher Numaan Huq describes in this Naked Security article, one particular type of card fraud – called RAM scraping – is ripe for setting us up to get card data plucked from our hands and sucked into a card swiper.

In fact, “Buy candy, lose your credit card” is the name of the RSA security conference session in which Numaan and Chester Wisniewski will be presenting a paper on the industrialization of this type of card fraud, on 26 February 2014.

What’s really interesting about all this is, in fact, relevant to those same PCI standards that Target was reportedly found to be compliant with in September 2013.

As you’ll learn if you read Huq’s paper or if you attend the presentation at RSA, contrary to what you’d imagine, data isn’t encrypted end-to-end in PoS systems, in spite of their being compliant with PCI-DSS.

Being standards-compliant and being secure are, unfortunately, two different things entirely.