If you’ve ever parented a teen, you might have noticed that the human species sometimes only learns hard lessons after suffering—firsthand—through the negative consequences of an experience. As much as we try to warn our kids of the potential risks of certain decisions (usually based on mistakes we’ve already made ourselves), it seems they occasionally have to get “burned” before learning themselves.
Unfortunately, evangelizing information security (InfoSec) best practices sometimes seems like giving advice to teens. Everyone understands what you are saying, and might even see some logic behind your advice, but still secretly thinks, “That horrible network breach won’t happen to me; I’m fine with just my [insert some legacy defense here].”
Nonetheless, I still sincerely believe we can learn from history if we pay close enough attention to what it tells us. With that in mind, let’s take a closer look at what the industry knows so far about the Target data breach, so we can try to learn from someone else’s painful experience.
In this article, I will describe:
There’s a lot to cover, so I’ll jump right in, but feel free to skip to whatever section most interests you.
Let’s Start with the Facts So Far
Though you’d have to live with an undiscovered, indigenous tribe in Papa New Guinea to not have heard about it, let me share a few facts about the Target breach, as we know them so far.
- On Dec. 18th, 2013, Brian Krebs reports that sources had informed him Target was investigating a potentially big data breach.
- Dec. 19th, Target officially confirms and discloses the first real information about the breach, sharing the following:
- Between Nov. 27 and Dec. 15, unknown attackers breached Target’s network and stole the debit and credit card data of 40 million account holders.
- The stolen data included the card’s magnetic track information (track 1 and track 2 data), which includes the cardholder’s name, card expiration data, and CVV number (but not CVV2 number).
- Target also noted that the breach did NOT affect their online shoppers, which suggests it was not due to a web application vulnerability in their e-commerce site.
- Dec. 20th, Target’s CEO apologizes to customers for the data breach.
- Dec. 27th, Target warns the attackers also stole the PIN information associated with the cards, contrary to their original report. However, the PINs were scrambled with Triple-DES encryption (and probably salted); thus, likely unrecoverable by the attackers.
- Jan. 10th, Target disclosed that the attackers had also stolen 70 million other accounts, unrelated to the cardholder data. These accounts contained a lot of personally identifying information (PII), including names, addresses, phone numbers, and email accounts. Though there is likely customer overlap between the 40 million cardholder records and the 70 million account records, the total account loss jumps to 110 million.
- Jan. 10th, Krebs also reports that Neiman Marcus and three other unnamed small retailers are also investigating a network infiltration and card data breach. Despite the parallel timeline, this breach seems unrelated so far, though similar.
- Jan. 13th, we learn the first technical detail about the breach. In a video interview with CNBC, Target’s CEO shares that Point-of-Sale (PoS) malware was found on Target PoS register systems (more likely, it was found on the central servers responsible for processing the register transactions)
- Jan. 15th, Krebs claims that the PoS malware associated with the breach is BlackPoS, a malware variant I talked about early last year.
- Jan. 16th, iSIGHT Partners claim that the Target malware was not directly BlackPoS, rather a derivative variant called Trojan.POSRAM . They call the attack campaign KAPTOXA. The Wall Street Journal also leaks a 16-page report by iSIGHT and the US government, detailing the malware and some “indicators of compromise,” intended for private distribution to big retailers and security companies.
- Jan. 17th, a security research firm called Intercrawler allegedly ties the BlackPoS malware to a 17-year-old hacker from Russia, along with another Russian “bad actor.” However, it’s still unclear if these actors are really associated directly with the Target breach, or just created and sold the malware.
- Jan 20th, Texan authorities arrest two credit card fraudsters that used fraudulent cards allegedly associated with the Target breach, and may (or may not) be associated with the breach.
- Jan 23th, Neiman Marcus finally shares some details about their breach. They say attackers stole 1.1 million credit cards and that the breach occured between July 16 and Oct. 30.
- Jan 23th, FBI warns retailers to expect more PoS system attacks. Be on the lookout for retail cyber attackers.
- Jan 25th, Michaels craft stores also report they suffered from a payment system breach. It’s still unclear whether it’s related to the Target breach.
- Jan 29th, Brian Krebs released a story identifying a popular IT management server product that may have played a role in the target breach.
So now you know all that’s publicly disclosed about the attacks so far. However, I think it’s just as important to recognize what we don’t know about this attack yet.
- We don’t know how attackers got the PoS malware into Target’s network and onto PoS systems (It could be spear phishing, watering hole attacks, web application flaws, or an insider attack).
- We don’t know if Target made any sort of security mistake or wrongdoing. In fact, I’d argue that so far it sounds like they are handling this horrible situation pretty responsibly. Signs point toward them following basic security and encryption best practices so far, and having invested in at least some security (though we still don’t know all the details). At the very least, they had been PCI compliant.
Hey, I Shop at Target! What Should I Do?
Before I move on to what other retailers, businesses, and security practitioners might learn from this breach, let’s first talk about what to do if you are a normal Target shopper yourself.
If you shopped at Target between Nov. 25 and Dec. 15, like my wife did, you likely have already received a letter or email from Target warning you about the breach, and you’re wondering what to do as a consumer. Well, my advice all comes down to remain vigilant!
During the breach, attackers stole two distinctly different types of information, both of which serve different purposes to attackers:
- Credit card magnetic stripe data – They can use this to create fake credit cards for physical purchases, or physical ATM withdrawals (if they can decode the PINs, which is unlikely).
- Personally Identifying Information (PII) – They have 70 million customer names, numbers, addresses, and emails, which they can start to use for identity theft (though they’d probably have to first get your social security number, too), or they can use the email addresses in future phishing attacks.
As far as the PII is concerned… Frankly things like your name, address, phone number, and email are probably already out there. The additional risk on this info due to the Target breach isn’t zero, but it’s probably relatively negligible. Furthermore, without other information, like your social security number (or your national ID number if you’re outside the US), attackers don’t have enough info to totally steal your identity. Nonetheless, you should monitor your credit to make sure fraudsters aren’t registering new accounts as you, and be on the lookout for scam emails that seem to come from Target.
The credit card data leak has more severe repercussions though. The good news is most experts believe the attackers do not have enough information to make unattended, online (sometimes called card-not-present) purchases with this stolen card data. For instance, even though a credit card stores a CVV number on its magnetic stripe (magstripe), it doesn’t store the CVV2 number there. The CVV2 is the physically written number on your card, which you use to confirm online purchases. That said, attackers do have enough data to make a clone copy of your card, which they can try to use to make fraudulent, in-person purchases. Finally, if they do crack the supposedly protected PINs, they could also make ATM withdrawals, like in the big $45 million dollar ATM heist of last year.
With that in mind, here are four things you can do to protect yourself from the Target credit card data theft. The tips are in order of importance.
- Monitor your credit – Pay attention to your credit card statements regularly and look for unexpected purchases. You should also sign up for Target’s free year of credit monitoring and identity theft protection (details here). The good news here is Target has made a promise of “zero liability,” meaning if you find fraudulent charges on a card due to this breach, Target or your bank will pay for them.
As an aside, these credit-monitoring agencies will likely ask you for personal information, like your social security number, when you sign up. While it might seem ironic to be sharing such sensitive information again, do know the agencies already have your information (since you have a credit card), they are just asking for it to verify who you are. There really is no additional harm in giving it to them again. Also, you really ought to always monitor your credit, as a general rule, and Lifehacker shares a great article with tips on how you can do so for free.
- Change your card’s PIN – Though Target is still fairly adamant that they don’t believe the attackers can decrypt the PIN data they stole; I recommend you change your card’s PIN anyway (for any cards you used at Target during the breach period). Changing a card’s PIN is a relatively easy and painless process, and it’s better to be safe than sorry.
- Get a new credit card – So far Target is not actively pushing customers to get replacement credit cards. Their logic is that criminals cannot use this stolen data in online purchases, and that so far fraudulent activity from this theft has been low. However, I worry that they just don’t want to absorb the cost of all the replacements.
In the end it’s up to you. Do you think the future chance of fraudulent activity is so low that it’s not worth your time and the hassle of changing your card, or would you rather just change the card now so you don’t have to worry about it at all? Personally, I don’t see the down side to replacing your card, unless you happen to use it for many automatic payments, in which case you’d have to update all those as well. Note: At least one card issuer, Citi, has already decided to replace all their users’ cards on their own.
- Close unused accounts – I don’t know about you, but sometimes in the past I’ve opened a credit account I don’t really need, simply to take advantage of some promotion. For instance, you go to a store and learn you can get 30% off on your first purchase if you apply for free, in-store credit. Maybe you open the account for that one time deal, and then never use it again? Perhaps Target’s REDcard was that unused account for you?
The problem with these unused accounts is you often forget about them. Since you forgot about them, you probably won’t even notice when bad guys use them fraudulently. While this advice doesn’t necessarily pertain directly to the Target breach, I recommend you use this opportunity to review your credit accounts, and close any that you never use (Granted, be aware closing too many accounts can affect your credit score).
If you follow at least the first two or three tips above, the Target breach shouldn’t cost you anything, other than a bit of time.
What Can Businesses and Retailers Learn from the Target Attack?
Now that we know the facts around the breach, let’s get to the true point of this article—trying to figure out what we can learn from Target’s misfortune. Based on what we know about the attack so far, here are some of my take-aways and tips:
So far, we’ve only scratched the surface of what we may eventually know about the Target breach, and how the attackers infiltrated what many think was a relatively well-protected network. Yet already, there’s a lot we can learn from this unfortunate incident, if we’re willing to look closer.
As an industry, I feel like security professionals are often quick to lambast the victims of network breaches. We’re always looking for that one big mistake some company made that allowed an attacker in… “See, I told you so!”
However, in my opinion, Target has actually handled this breach quite responsibly so far. They have apologized, been as transparent about the incident as they can, and even taken accountability, offering zero liability to their customers. It also looks like they had many industry-approved security practices and controls in place. Perhaps I’m naive, but I believe Target is sincere in their promise to find the culprit and improve their security.
The truth is, any one of us can suffer a breach like Target did. Even if you do all the right things, and implement all the right defenses, everyone is human. A simple mistake can be the hole that lets that persistent advanced attacker in. Rather than blame the victim, we need to find and prosecute the attackers, but also learn from these unfortunate events so that we can make it a little harder for the criminals to succeed next time. Consider implementing some of my tips and take-aways above, and perhaps you can avoid the next big credit card data breach.
— Corey Nachreiner, CISSP (@SecAdept)