Security Breach at Target Part 1: How and why did it happen?
By: Lan Lin, eSecurity Assistant Editor, Internet Journal
02/03/2014

A string of large-scale data breaches hit big-name retailers such as Target and Neiman Marcus in the 2013 year-end holiday season. They highlight the public's growing concern about the security of consumers' online data and privacy, and also underscore the risks large companies face when they host a centralized user data system and operate vast, interconnected business systems.

In mid-December 2013, the records of up to an estimated 110 million Target shoppers were stolen, including payment card numbers, expiration dates, three-digit security codes, customer names, phone numbers, mailing addresses, and email addresses. It was the second largest data breach ever reported by a U.S. retailer.

When security breaches of this scale occur repeatedly, one may wonder: "What are the weakest links in the transaction process?" and "How can such massive data theft be prevented?"

To answer the "what" question: it is generally believed that the point-of-sale terminal (POS machine) and the back-end server are the two weakest links in the retail chain, and the places where cyber-attacks most often take place. Since POS systems often run on a standard OS, they are exposed to the same attackers as any other general-purpose computer. To compound the problem, these POS systems are often connected to other networks and systems, which makes the payment data flow accessible to cybercriminals.

In Target's case, investigations revealed that hackers used electronic credentials stolen from a third-party vendor to breach the company's payment system. With those credentials, the attackers were able to connect to the discounter's network and place malicious software in its point-of-sale cash registers. During business hours between 10 a.m. and 5 p.m., when the malware was active, transaction information was copied and transferred to an internal Target server that the hackers later attacked. Because card data is encrypted once it is stored or sent onward, the malware worked by capturing it during the authorization stage, while the data was still in the POS system's memory, unencrypted.

Despite the complexity of the whole attack, it is not difficult to identify some issues in Target's payment system that might have contributed to the breach.

    1. Target's Centralized Consumer Data System

    With approximately 6,000 customers daily at each of over 1,700 stores nationwide, Target is no doubt one of the juiciest targets for cybercriminals hunting for credit card information. A centralized system that stores all consumer private data gives hackers a laser-focused target with a lucrative return.

    What if we could find a way to keep private data on the consumer's local device instead of storing it on the merchant's server? That seems a good approach to relieve merchants of the burden of securing a centralized data system while making shopping a hassle-free experience for consumers. We will dig deeper into this approach in Part II.

    2. Target's Interconnected Business Network Systems

    Molly Snyder, a Target spokeswoman, confirmed that the company has "lots of different platforms" that many parties can access. The ongoing investigations give rise to the question: "How can a third-party vendor (a refrigeration contractor in Pittsburgh that connects to Target's systems for electronic billing, contract submission, and project management) have electronic credentials that reach Target's payment system network?"

    To protect high-sensitivity data such as consumer payment and personal information, the systems that process such data should be isolated from other networks to limit the reach of a potential intrusion. Corresponding regulations should be set up to ensure proper compliance.

    3. Weak U.S. Card Security in General

    According to the Nilson Report, which tracks global payments, nearly half of all card losses in 2012 occurred in the U.S. This is in part because U.S. payment cards still rely on the old-fashioned magnetic stripe to store account information, the same technology used in tape cassettes. Pitting easy-to-replicate 20th-century cards against highly sophisticated 21st-century hackers gives a predictable and inevitable result.

    Today, most of the world has switched its payment systems to "chip-and-PIN" smartcards, in which an embedded microchip stores the account information and generates a unique code on each use. Here is how the system works. A customer places the card into a POS terminal, which verifies that the card is authentic. Once it is verified, the customer enters a 4-digit PIN, which is submitted to the chip for comparison with the PIN information stored on the chip; if the two match, the chip tells the terminal the PIN was correct and the transaction goes through. The chip makes it virtually impossible to counterfeit cards, while the PIN, acting as a second authentication factor, prevents thieves from using stolen cards. The enhanced security of chip-and-PIN bars hackers, even the most sophisticated ones, from duplicating cards and making fraudulent purchases.
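    The flow just described can be made concrete with a small simulation. The following is an added example, not code from the article or from any card scheme: it models the two properties the text relies on, that the PIN is compared on the chip rather than in the terminal, and that every transaction carries a unique code the issuer can check. The card's "unique code" is modelled as an HMAC over a transaction counter, the amount and a terminal nonce (a simplification of a real EMV cryptogram), the PAN and PIN are constructed test values, and the class and function names are this example's own.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass


def _pin_digest(pin: str, salt: bytes) -> bytes:
    # Salted, slow hash so the chip never stores the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def _mac(key: bytes, pan: str, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    # The per-transaction "unique code": binds counter, amount and terminal nonce.
    msg = f"{pan}|{atc}|{amount_cents}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class ChipCard:
    """Simulated chip. Key and PIN hash never leave this object; the terminal
    only ever sees a yes/no PIN answer and a cryptogram."""
    pan: str
    _pin_salt: bytes
    _pin_hash: bytes
    _mac_key: bytes
    atc: int = 0              # application transaction counter, +1 per use
    pin_tries_left: int = 3   # chip locks itself after repeated wrong PINs

    @classmethod
    def personalise(cls, pan: str, pin: str, mac_key: bytes) -> ChipCard:
        salt = os.urandom(16)
        return cls(pan, salt, _pin_digest(pin, salt), mac_key)

    def verify_pin(self, pin: str) -> bool:
        """Offline PIN check performed on the chip, in constant time."""
        if self.pin_tries_left == 0:
            return False
        ok = hmac.compare_digest(_pin_digest(pin, self._pin_salt), self._pin_hash)
        self.pin_tries_left = 3 if ok else self.pin_tries_left - 1
        return ok

    def generate_cryptogram(self, amount_cents: int, nonce: bytes) -> tuple[int, bytes]:
        self.atc += 1
        return self.atc, _mac(self._mac_key, self.pan, self.atc, amount_cents, nonce)


class Issuer:
    """Issuer host: holds each card's key and the highest counter seen per PAN."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}

    def register(self, card: ChipCard) -> None:
        self._keys[card.pan] = card._mac_key   # provisioned at issuance in reality
        self._last_atc[card.pan] = 0

    def authorise(self, pan: str, atc: int, amount_cents: int, nonce: bytes, cryptogram: bytes) -> str:
        key = self._keys.get(pan)
        if key is None:
            return "DECLINED: unknown card"
        if atc <= self._last_atc[pan]:
            return "DECLINED: replayed or stale cryptogram"
        if not hmac.compare_digest(_mac(key, pan, atc, amount_cents, nonce), cryptogram):
            return "DECLINED: cryptogram does not match transaction data"
        self._last_atc[pan] = atc
        return "APPROVED"


def run_transaction(card: ChipCard, pin: str, amount_cents: int, issuer: Issuer) -> str:
    """Terminal side: ask the chip whether the PIN is right, then forward the cryptogram."""
    if not card.verify_pin(pin):
        return "DECLINED: PIN"
    nonce = os.urandom(8)
    atc, cryptogram = card.generate_cryptogram(amount_cents, nonce)
    return issuer.authorise(card.pan, atc, amount_cents, nonce, cryptogram)


def demo() -> dict[str, str]:
    """Constructed scenario: a good purchase, a wrong PIN, then a captured
    cryptogram replayed as-is and with the amount altered."""
    issuer = Issuer()
    card = ChipCard.personalise("4111111111111111", "1234", os.urandom(16))  # test PAN/PIN
    issuer.register(card)
    out = {"good": run_transaction(card, "1234", 2599, issuer),
           "wrong_pin": run_transaction(card, "0000", 2599, issuer)}
    card.verify_pin("1234")
    nonce = os.urandom(8)
    atc, crypt = card.generate_cryptogram(999, nonce)
    out["first_use"] = issuer.authorise(card.pan, atc, 999, nonce, crypt)
    out["replay"] = issuer.authorise(card.pan, atc, 999, nonce, crypt)
    out["tampered"] = issuer.authorise(card.pan, atc + 1, 99999, nonce, crypt)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

    Run it and the contrast with a magnetic stripe is visible in the last two results: a copied cryptogram is rejected on reuse because the issuer tracks the counter, and the same cryptogram cannot be attached to a different amount because the MAC covers it. A copied stripe, by contrast, carries static data that works every time.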

    You may now ask why the U.S. is lagging behind in payment processing. Well, Americans were once ahead of others in this arena. According to the Nilson Report, the cost of fraudulent purchases is only five cents per $100 charged. That cost is manageable and cheaper than upgrading the whole system. Therefore, reshaping the existing structure will not be an easy task, especially when it involves multiple parties with their own interests at stake. Retailers rely on credit card companies to issue the more expensive cards. Credit card companies expect retailers to improve their security systems. Banks, meanwhile, want to keep the profits they gain from older payment systems. As a result, it may take quite a while for change to take place in the U.S. payment system. But as hacking activity in the U.S. intensifies, as the current industry trend indicates, the parties involved will have to work something out in the near future, if not now.

    About the Author

    Lan Lin is the Assistant Editor of the Internet Journal (http://www.intnetjournal.com). Internet Journal provides insights and analysis on Internet marketing, eCommerce, mobile communications, eSecurity, and global e-Business. If you have any comments about Internet Journal, please send email to editor@intnetjournal.com.
