DrayTek

28th January 2015

Blog: The Target Hack - What we can all learn

[Image: Target checkouts]

Over a year ago, at the end of 2013, the breach of Target's payment system was the largest retail hack ever experienced. For anyone not familiar with Target, they are one of the US's largest retailers. Their stores sell houseware, food, toys, sports goods, clothing - it seems like pretty much everything; it's a great store!

Even over a year after the Target hack, lessons are being learnt, information is coming out and lawsuits continue. Some 40 million customers' credit/debit card details and encrypted PINs were stolen. Target is an American store with 1800 locations with a turnover of up to $100Bn per annum.


The Hack Methodology

The attack itself was the result of malware being installed onto Target's EPOS (Electronic Point of Sale) systems - the computers that operate the stores' registers. It is currently unclear how the malware got onto the servers; there are suggestions that the hackers had inside help, either to load it, or in providing working knowledge of the Target systems.

Once operational, every time a customer inserted their credit card into the register and paid for their goods, the malware slurped that card data and stored it on a Target server which the hackers had control of.

The fallout was huge and costly. Banks cancelled and re-issued new cards to millions of consumers as a precautionary measure and as we type, some 90 lawsuits are pending in the US against Target.

American Payment Systems - It's so 80s

Despite the USA's leadership in so many technological areas, in respect of credit and debit card handling, the USA is curiously way behind Europe. Chip-and-PIN is being introduced, as is contactless, but both are still relatively rare, so magnetic stripes are still predominant (and easy to clone). PINs are only used at some retailers, and mostly for debit cards; the mag-stripe and signature is still the most common method (when was the last time you, as a European, signed a credit card transaction?). There are even retailers still using carbon-copy manual impressions (yes, really - the author used one in Florida last year).

The reason why the largest consuming country in the world has the, apparently, least sophisticated payment methodology seems to be a cost/benefit judgement - with so many retail outlets in the USA, upgrading the technology in stores is a huge and costly task, so retailers will resist it. Offset that cost against the cost of fraud, and who pays for it, and it's a calculated risk. Also, with so much card fraud now being online, chip-and-PIN wouldn't help (until such a time when card readers (either chip or contactless) are integrated into PCs, phones and tablets).

However, all of these methods would not have actually prevented the Target hack because ultimately, if you have a card number, expiry date and PIN, you can steal.

The lack of universal chip-and-PIN (eliminating all other single-factor authentication) will always make this possible.

So, was the hack inevitable?

Put simply, no. According to what we know, two serious failings made the hack possible. Target had already identified the risk of hacking and had, responsibly, put systems in place; systems which, if they had been used properly, would have prevented the hacking, or at least reduced its effect.

Target, only 6 months earlier, had installed an anti-malware tool - software which cost a reported $1.6M and which would detect any new or unauthorised code or executables on their servers. This software DID detect the malware - the malicious code put onto the servers by the thieves. However, upon being alerted to the breach (30th November), it is alleged that Target did nothing about it. It was only when the American Department of Justice alerted Target that Target reacted to the problem.

It's unclear whether this was a command-chain management issue, a nonchalant attitude to warnings or something more sinister like an insider within Target, but what it does highlight is that spending $1.6M on a security system and then either ignoring its warnings or not having systems in place to alert and react to its warnings is clearly such an obvious error that it's surprising that an enterprise as large as Target could have allowed it to happen. Of course, much information may be sensitive and not disclosed, there may be other factors at play, and maybe there was no specific failure on Target's part. Humans are often the biggest weakness in any organisation, especially if they are reckless, sloppy or dishonest.

As time passes, investigations continue and lawsuits fly around, we'll learn more about what really happened, but for those of us with more modest concerns, we'll hopefully never put another alert or warning system in place without also putting in a plan for receiving and reacting to those warnings.
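The point above - that an alert is worthless unless someone is obliged to act on it - can be made concrete with a small acknowledgement-and-escalation tracker. The following is an added example, not code from the original article or from Target or DrayTek; the tier names, the four-hour deadline, the alert descriptions and the timestamps are all constructed for illustration.

```python
"""Alert-acknowledgement tracker (illustrative, constructed example).

Every alert has an owner tier. If nobody acknowledges it within the
deadline, it is escalated to the next tier; if it runs out of tiers it is
reported as unhandled so that it cannot simply sit unread.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical escalation path: who is paged next when a tier does not respond.
ESCALATION_TIERS = ["soc-analyst", "soc-lead", "security-director"]
ACK_DEADLINE = timedelta(hours=4)  # constructed response deadline per tier


@dataclass
class Alert:
    alert_id: str
    raised_at: datetime
    description: str
    tier_index: int = 0                 # tier that currently owns the alert
    last_escalated_at: datetime = None  # start of the current tier's deadline
    acknowledged_by: str = None
    history: list = field(default_factory=list)

    def __post_init__(self):
        if self.last_escalated_at is None:
            self.last_escalated_at = self.raised_at

    @property
    def owner(self):
        return ESCALATION_TIERS[self.tier_index]


def acknowledge(alert, who, when):
    """Record that a named person has taken ownership of the alert."""
    if alert.acknowledged_by is None:
        alert.acknowledged_by = who
        alert.history.append((when, f"acknowledged by {who}"))
    return alert


def escalate_overdue(alerts, now):
    """Escalate every unacknowledged alert whose deadline has passed.

    A long-ignored alert may hop several tiers in one call, because each
    tier's deadline is measured from the end of the previous one.
    Returns the alerts that have exhausted all tiers and still have no owner.
    """
    exhausted = []
    for a in alerts:
        if a.acknowledged_by is not None:
            continue
        while now - a.last_escalated_at >= ACK_DEADLINE:
            if a.tier_index + 1 >= len(ESCALATION_TIERS):
                exhausted.append(a)  # nobody left to escalate to
                break
            a.tier_index += 1
            a.last_escalated_at += ACK_DEADLINE
            a.history.append((a.last_escalated_at, f"escalated to {a.owner}"))
    return exhausted


def run_scenario():
    """Constructed timeline: one alert nobody picks up, one handled promptly.

    Returns (owner of the ignored alert after each check, ids of alerts
    that exhausted every tier, who acknowledged the handled alert).
    """
    t0 = datetime(2013, 11, 30, 9, 0)  # constructed timestamp
    ignored = Alert("ALERT-1", t0, "new executable seen on POS host (constructed)")
    handled = Alert("ALERT-2", t0, "new executable seen on POS host (constructed)")
    acknowledge(handled, "analyst-a", t0 + timedelta(minutes=20))

    owners, exhausted_ids = [], []
    for hours in (5, 9, 13):  # periodic checks by the on-call scheduler
        exhausted = escalate_overdue([ignored, handled], t0 + timedelta(hours=hours))
        owners.append(ignored.owner)
        exhausted_ids.extend(a.alert_id for a in exhausted)
    return owners, exhausted_ids, handled.acknowledged_by


if __name__ == "__main__":
    print(run_scenario())
```

The escalation step runs from a scheduler rather than from the detection tool itself, so the question "did anyone actually look at this?" is asked by something independent of the product that raised the alarm; the `history` list on each alert is the audit trail that would show who was paged and when.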


Further Reading : Business Week wrote a detailed article about the Target hack here.



Note : This article is an editorial piece and does not necessarily reflect the views of DrayTek Corp, its staff or any associated person or company. The information is provided in good faith based on publicly available information however has not been independently verified. As such, no reliance, commercial or otherwise should be placed on the information which is provided for discussion or interest only.