Target: What Do We Know, What Have We Learned

What a mess!  Every day it seems some new fresh hell emerges from the Target Christmas attack story.

  • Brian Krebs, a security consultant and blogger, releases a story first describing the exploit.
  • 40 million credit card transaction sessions, including card numbers, expiration dates and PINs, are stolen straight off the point-of-sale (POS) systems used at the store checkout lanes.
  • These cards are sold on the Dark Net, the Internet underground where cyber-criminals exchange this sort of information for cash.  Cloned cards are created and cause fraudulent charges to show up on affected Target customers’ credit card statements.
  • JP Morgan Chase bank is the first to notice and report fraudulent activity.  It puts limits on affected accounts while replacing the cards of card holders.
  • Another 70 million customer records are pilfered from another Target server with customer names, addresses, email accounts, and other personal information.
  • Target issues an apology email, which many victims are worried might just be a phishing scam by the cyber-crooks.
  • Target advises customers that they do not necessarily need to change their card numbers.  This is bad advice.  If your credit card is affected, call your card issuer and get it replaced!
  • Target suffered an attack on the POS terminals that turned all the check-out systems into a huge bot-net.  The information gathered at the POS systems was transferred to a compromised Target server and downloaded daily to a remote command and control server operated by the cyber-criminals.
  • The software writer for the POS malware, BlackPOS, turns out to be a 17-year-old Russian super-hacker.  While not part of the gang that orchestrated the attack, he did create the software that made it possible.
  • Neiman Marcus stores suffered a similar security breach, which was active on their systems since July 2013.  It appears that Neiman may have been a test site for the bigger Target exploit.
  • There may be more retailers who have fallen victim to this attack.  At least three more unnamed retailers were thought to have been involved.

Here is the most disturbing fact.  A simple change from the credit cards used in America to the system that has been in use for ten years or more in Europe would have made this type of attack almost impossible.  These EMV cards use a chip instead of a magnetic stripe to store user information.  The data is encrypted on the card, and the card number information changes after every transaction, so even if a cyber-criminal could decrypt the card number, it cannot be used a second time for another illicit purchase.  The US is not scheduled to have these cards fully implemented until 2015-2016!  If you have been directly affected by the Target attack, you might want to write your Senator and Congressman (sure, maybe they can actually get something done…) and ask them to get this conversion accelerated.  You might also check with your credit card provider and see if they can send you an EMV card.  These cards won’t help you everywhere, but at least if you are shopping at some forward-thinking, ahead-of-the-curve retailer, you can get the added security for those transactions.

If you want to read more deeply into this sad story, each of the links above will take you to a longer article that covers each part of the story.

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com