Target’s massive security hole was ripped open in spite of warnings from the retailer’s security people about potential vulnerabilities in its payment system.
In essence, bad timing led to a perfect security storm, former Target employees and others familiar with the breach investigation told the Wall Street Journal.
In the months leading up to December 2013, when Target disclosed the breach, these are some of the conditions that paved the way for thieves to steal more than 100 million customer records:
- Bad luck with timing of staff departures. Target lost several members of its cybersecurity team months before the 2013 holiday shopping season – the time when hackers siphoned off the customer records. The WSJ reports that people familiar with the matter, plus a search of social media profiles, show that many left for “more prestigious jobs” with other employers.
- Bad luck with timing a system upgrade. At least two months prior to the attack, at least one analyst suggested thoroughly reviewing the security of Target’s point-of-sale (PoS) terminals prior to the retailer updating the terminals – an update that could potentially create new security vulnerabilities.
- Bad timing in the retail calendar. The PoS system upgrade came ahead of the high-pressure, highly competitive retail event that can make or break a business: Black Friday.
The WSJ quoted one former employee:
It is everyone's worst-case scenario. As an intelligence analyst, there is only so much you can do.
Neither the specific nature of the security holes that prompted the warning nor whether Target carried out the requested review is clear at this point.
What is known is that it concerned the PoS systems – the terminals that customers see when they swipe their bank or credit cards, the WSJ reports.
In January 2014, Target said that the hackers got into its network by using a vendor’s credentials.
As discussed in a recent Chet Chat podcast, once the crooks were inside Target’s network, Naked Security thinks they used a shabbily coded service process with a hardwired password (if you have a listen, the Target piece starts at 08:49).
Security blogger Brian Krebs earlier this month reported that the thieves used the credentials of Fazio Mechanical Services, an HVAC and refrigeration services business, to break through the network’s hard shell and get to the gooey good stuff inside.
The WSJ reports that during recent congressional hearings about the breach, Target Chief Financial Officer John Mulligan said that his company had in September 2013 passed an audit that certified its compliance with payment industry requirements for protecting card data.
As Naked Security’s Chester Wisniewski pointed out in Chet Chat No. 133, however, Payment Card Industry (PCI) standards [PDF] prohibit having service accounts with default or static passwords – hence, Target may well not have been PCI compliant.
At this point, the WSJ reports, it’s looking like Target might not have done enough to segment its vast network – a shortcoming the company claims it has since rectified.
Without the necessary walls between Target’s platforms and networks, the hackers were able to move laterally until they got to the system that handled payments at cash registers.
That route never should have been open. The WSJ mentions a recent memo sent by the FBI to retailers, warning about a cash register crimewave.
Target wasn’t named in the memo.
But the FBI described the situation that Target apparently had in place: i.e., connecting credit and debit card readers to remote management software, then topping it off with weak passwords.
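The segmentation failure described above can be checked rather than assumed. The following is an added example, not code from the article or from Target: it models zone-to-zone firewall allow rules as a graph and asks whether a foothold obtained with vendor credentials can chain rules all the way to the card-reader zone. The zone names and both rule sets are constructed assumptions, not Target’s real topology.

```python
from collections import deque

# Constructed rule sets (assumed zone names, not a real network). Each tuple
# is a firewall "allow" from one zone to another.
FLAT_RULES = {
    ("internet", "vendor_portal"),
    ("vendor_portal", "corp_lan"),       # vendor portal sits on the corporate LAN
    ("corp_lan", "pos_management"),      # remote management of card readers
    ("pos_management", "pos_terminals"),
    ("corp_lan", "pos_terminals"),
}

SEGMENTED_RULES = {
    ("internet", "vendor_portal"),
    ("vendor_portal", "vendor_dmz"),     # vendor traffic terminates in its own DMZ
    ("corp_lan", "pos_management"),
    ("pos_management", "pos_terminals"),
}

def reachable_zones(rules, start):
    """Zones reachable from `start` by chaining allow rules (breadth-first)."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in rules:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def lateral_paths(rules, start, target, _path=None):
    """Every simple zone path from `start` to `target`; each is a lateral-movement route."""
    path = (_path or []) + [start]
    if start == target:
        return [path]
    paths = []
    for src, dst in sorted(rules):
        if src == start and dst not in path:
            paths.extend(lateral_paths(rules, dst, target, path))
    return paths

def segmentation_violations(rules, untrusted, cde_zones):
    """Untrusted zones that can transitively reach any cardholder-data zone."""
    return {z for z in untrusted if reachable_zones(rules, z) & set(cde_zones)}

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, segmentation_violations(rules, {"vendor_portal"}, {"pos_terminals"}))
        for p in lateral_paths(rules, "vendor_portal", "pos_terminals"):
            print("  ", " -> ".join(p))
```

Run against a real rule export, the same walk lists every route an auditor would expect a segmented network to have cut.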
Given hackers’ recent success in targeting PoS systems, it’s a dangerous time to be either a retailer or somebody who pulls out plastic to make a purchase.
As SophosLabs researcher Numaan Huq describes in this Naked Security article, one particular type of card fraud – called RAM scraping – lets card data be plucked from a PoS system the moment a card is swiped.
In fact, “Buy candy, lose your credit card” is the name of the RSA security conference session in which Numaan and Chester Wisniewski will be presenting a paper on the industrialization of this type of card fraud, on 26 February 2014.
What’s really interesting about all this is, in fact, relevant to those same PCI standards that Target was reportedly found to be compliant with in September 2013.
As you’ll learn if you read Huq’s paper or if you attend the presentation at RSA, contrary to what you’d imagine, data isn’t encrypted end-to-end in PoS systems, in spite of their being compliant with PCI-DSS.
Being standards-compliant and being secure are, unfortunately, two different things entirely.
One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags (mystufflostandfound.com) let someone who finds your lost stuff contact you directly without exposing your private information. I use them on almost everything I take when I travel, like my phone, passport and luggage, after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.
The problem is in the architecture of the processing system, which is designed to make it easy to do phone and mail and internet charges. Since the merchant gets charged back by the credit card companies, and they actually add a fee, why do they care?
The credit card processors protect their own stand-alone machines from the time data leaves the machine. For a variety of self-serving reasons, they have designed a system that requires merchants to be at risk inside their network, even though stand-alone machines are not at risk inside the same network. You will have to get a new college degree and study for 5 years to understand it, but it’s NOT the merchants’ doing. It is the credit card companies, who are going around acting innocent and above it all. “Hey, if the merchant can’t defend an impossible situation, it must be the merchant’s fault”.
They have published one of the worst technical documents in the history of mankind in the “PCI DSS”. It is more like gossip and homilies than any precise specification. The worst part is that they are so incompetent they don’t realize it, so they run around spouting off their puffed up condescension to journalists who dutifully print it as fact. Not our job, not our fault, we told you so, if you would just repair all the design errors we made, it would all work safely.
Another huge part of the problem is Microsoft and its philosophy to make everything “easy.” Windows silently and automatically connects machines and servers without human authentication. It is hugely complex, disorganized, and error prone from top to bottom. No human can set it up securely, expert or not. All registers should be Unix, but POS vendors like Windows. That’s the lowest common denominator.
With so many self-styled “experts” running around crying the sky is falling, you can be sure that whenever anything happens, someone somewhere told them so. How many security concerns have been expressed at companies where no breach followed? That’s the question you need to know.
When the credit card companies have to eat some of the fraud costs instead of charging it back to merchants, adding a fee, and creating a new revenue stream, the problem will vanish so fast we will all wonder what it ever was in the first place.
Merchants will leap on cardless electronic settlement from Google, Apple, eBay, Amazon or whoever so fast it will make V and MC look like Sears and Montgomery Ward.
And then there’s the good old administration, spending more on deportation than all other enforcement combined, spending most of the rest on the War on …, and leaving cyber criminals to do as they wish.
I’ll just add I’ve been trying to get end-to-end encryption for almost 5 years. The credit card companies and processors talk about it, but they just won’t do it.
You hit the nail squarely on the head there.
I almost built out our own. A single board computer between the swipe and the register, one Mac mini locked in a vault, and a bit of software could solve the problem. But once again, they suckered me into waiting on the credit card industry with marketing blitzes that it was all just around the corner. That was 18 months ago now.
The current stall is by the issuers. The move to end-to-end has been allowed to be tangled with the move to chips on the cards. They aren’t actually related at all.
And the issuers are balking at the $1 per card and stalling the schedule.
I defy you to find one end-to-end solution out there. You can find plenty who say they have it, but try ordering one. They won’t have the processing quite ready, or the device won’t quite be interfaced, or supplies will be too short or something.
And V and MC sitting at the top of the heap just aren’t committed to it. As I said, they are making money on this.
And the “experts” are making millions pontificating after their protracted post mortems, from which they release no hard useful information, citing security concerns.
Contrast with airlines, the NTSB and the totally transparent accident investigation process. When it starts to cost the companies in control of the industry process, it will miraculously change overnight.