Security Breach at Target Part 1: How and why did it happen?
By: Lan Lin, eSecurity Assistant Editor, Internet Journal
A string of large-scale data breaches hit big-name retailers such as Target and Neiman Marcus in the 2013 year-end holiday season. They highlight the public's growing concern about the security of consumers' online data and privacy, and they also underscore the risks that large companies face when they host a centralized user data system and operate vast, interconnected business systems.
In mid-December 2013, the data of an estimated up to 110 million Target shoppers were stolen, including payment card numbers, expiration dates, three-digit security codes, customer names, phone numbers, mailing addresses, and emails. It was the second largest data breach ever reported by a U.S. retailer.
When security breaches of this scale occur repeatedly, one may wonder "What are the weakest links in the transaction process?" and "How can such massive data theft be prevented?"
To answer the question of "What", it is generally believed that the point-of-sale terminal (POS machine) and the back-end server are the two weakest links in the retail chain, where cyber-attacks most often take place. Since POS systems often run on standard operating systems, they are vulnerable to rogue hackers. To compound the problem, these POS systems are often connected to other networks and systems, which makes the flow of payment data accessible to cybercriminals.
In the Target case, investigations revealed that hackers used electronic credentials stolen from a third-party vendor to breach the company's payment system. With those credentials, the attackers were able to connect to the discounter's network and place malicious software on its point-of-sale terminals, i.e. the cash registers. During business hours between 10 a.m. and 5 p.m., when the malware file was active, transaction information was copied and transferred to an internal Target server that the hackers later accessed. Since the data on payment cards are encrypted, the malware captured them during the authorization stage, while they were still sitting unencrypted in the memory of the POS system.
Despite the complexity of the whole hacking process, it is not difficult to identify some issues in Target's payment system that might have contributed to the security breach.
1. Target's Centralized Consumer Data System
With approximately 6,000 customers daily at each of over 1,700 stores nationwide, Target is no doubt one of the juiciest targets for cyber-criminals hunting for credit card information. A centralized system that stores all consumer private data gives hackers a laser-focused target for lucrative
What if we could find a way to keep private data on the consumer's local device instead of storing it on the merchant's server? That seems a good approach to alleviate the burden of securing a centralized data system for merchants while making shopping a hassle-free experience for consumers. We will dig deeper into this approach later, in part II.
2. Target's Interconnected Business Network Systems
Molly Snyder, a Target spokeswoman, confirmed that the company has "lots of different platforms" that many parties can access. The ongoing investigations raise the question: "How can a third-party vendor (a refrigeration contractor in Pittsburgh that connects to Target's systems for electronic billing, contract submission, and project management) have the electronic credentials to access Target's payment system network?"
To protect highly sensitive data such as consumer payment and personal information, the systems that process such data should be isolated from other networks to mitigate potential hacks. Corresponding regulations should be established to ensure proper compliance.
3. Weak U.S. Card Security in General
According to the Nilson Report, which tracks global payments, nearly half of all card losses in 2012 occurred in the U.S. This is in part because U.S. payment cards still rely on the old-fashioned magnetic stripe to store account information, the same technology used in tape cassettes. Using easy-to-replicate 20th century cards against highly sophisticated 21st century hackers, the result is predictable and inevitable.
Today, most of the world has switched its payment systems to "chip-and-PIN" smartcards, in which the embedded microchip stores account information and generates a unique code upon each use. Here is how the system works. A customer inserts the card into a POS terminal, which verifies that the card is authentic. Once it is verified, the customer enters a 4-digit PIN, which is submitted to the smartcard chip for comparison with the PIN information pre-stored on the chip; if the two match, the chip tells the terminal the PIN was correct and the transaction goes through. The chip makes it virtually impossible to counterfeit cards, while the personal identification number (PIN), acting as a second authentication factor, prevents card thieves from using stolen cards. The enhanced security of "chip-and-PIN" bars hackers, even the most sophisticated ones, from duplicating cards and making fraudulent purchases.
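The chip-and-PIN flow just described, as a simplified simulation added here (not code from the original article or from any card scheme): the PIN is compared on the chip, and the per-use code is modelled as an HMAC over a transaction counter, the amount and a terminal nonce, which is why a captured authorization cannot be replayed the way static magnetic-stripe data can. The card key and PIN are constructed sample values.

```python
import hashlib
import hmac
import os
# Constructed sample value, not real card data: per-card key shared by chip and issuer.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def _auth_message(atc: int, amount_cents: int, nonce: bytes) -> bytes:
    # Data the per-transaction code is bound to: counter, amount, terminal nonce.
    return atc.to_bytes(2, "big") + amount_cents.to_bytes(4, "big") + nonce

class ChipCard:
    """Simplified chip-and-PIN card: PIN checked on the chip, fresh code per use."""
    def __init__(self, key: bytes, pin: str):
        self.key = key
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.atc = 0  # application transaction counter

    def verify_pin(self, entered: str) -> bool:
        # Only a yes/no answer leaves the chip; the PIN itself is never sent.
        digest = hashlib.sha256(entered.encode()).digest()
        return hmac.compare_digest(digest, self.pin_hash)

    def cryptogram(self, amount_cents: int, nonce: bytes) -> tuple:
        self.atc += 1  # a new counter value makes every code unique
        mac = hmac.new(self.key, _auth_message(self.atc, amount_cents, nonce), hashlib.sha256)
        return self.atc, mac.digest()[:8]

class Issuer:
    """Issuer host: recomputes the MAC and rejects any counter already seen."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = 0

    def authorize(self, atc: int, amount_cents: int, nonce: bytes, cg: bytes) -> bool:
        if atc <= self.last_atc:
            return False  # replayed or stale transaction
        mac = hmac.new(self.key, _auth_message(atc, amount_cents, nonce), hashlib.sha256)
        if not hmac.compare_digest(mac.digest()[:8], cg):
            return False  # cloned card or tampered amount
        self.last_atc = atc
        return True

def purchase(card: ChipCard, issuer: Issuer, entered_pin: str, amount_cents: int):
    """Terminal flow: PIN check on the chip, then one authorization request."""
    if not card.verify_pin(entered_pin):
        return False, None
    nonce = os.urandom(4)  # terminal-generated unpredictable number
    atc, cg = card.cryptogram(amount_cents, nonce)
    record = (atc, amount_cents, nonce, cg)  # returned so a replay can be attempted
    return issuer.authorize(*record), record
```

Resubmitting a captured record fails on the counter check, and altering the amount fails on the MAC, which is the property a static stripe cannot offer.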
This raises a question: why is the U.S. lagging behind in its payment processing system? Well, Americans were once ahead of others in this arena. According to the Nilson Report, the cost of fraudulent purchases is only five cents per $100 charged. That cost is manageable and cheaper than upgrading the whole system. Therefore, it will not be an easy task to reshape the existing structure, especially when it involves multiple parties with their own interests at stake. Retailers rely on credit card companies to issue the more expensive cards. Credit card companies expect retailers to improve their security systems. Banks, meanwhile, want to keep the profits they gain from the older payment systems. As a result, it may take quite a while for change to take place in the U.S. payment system. But as hacking activity in the U.S. intensifies, as the current industry trend indicates, the parties involved will have to work something out in the near future, if not now.
About The Author
Lan Lin is the Assistant Editor of the Internet Journal http://www.intnetjournal.com. Internet Journal provides insights and analysis on Internet marketing, eCommerce, mobile communications, eSecurity, and global e-Business. If you have any comments about Internet Journal, please send email to