I woke up to an email from my husband: “I suppose you heard about the Target breach. I checked our credit card statement, and it looks like we’re okay for now. But I wouldn’t be surprised if we got a credit card replacement soon.”
Wait, what? Target was breached?
If you haven’t heard yet, Target suffered a retailer’s worst nightmare and at the worst possible time of the year. According to Brian Krebs, the breach is believed to have begun on or just before Black Friday and the latest reports say it continued until December 15, affecting millions of credit and debit cards. And who knows if December 15 really is the end. As Krebs wrote:
“The breach window is definitely expanding,” said one anti-fraud analyst at a top ten U.S. bank card issuer who asked to remain anonymous. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”
This was no fly-by-night breach, either, as HBGary's research director, Matt Standart, explained to me in an email:
To be successful, the adversary would have performed detailed reconnaissance and other activities in preparation of their primary mission objective. This would have required infrastructure compromise, entrenchment, command and control, and privileged access, all of which take time and effort to do. Black Friday was the date to execute their primary mission objective most likely due to two factors. The first is the increase volume of transaction data (i.e., credit card information) that was available, and the second is the increase load on IT systems and security personnel due to the high volume of transactions (making for a distraction to give more operational security to the adversary).
Standart provided another thought regarding this breach: It is time to discuss the topic of the outdated magnetic stripe credit card technology. Aaron Titus, CPO and general counsel at Identity Finder, agreed with this assessment, telling me exactly why the time has come to change the way we swipe our cards at checkout:
‘Track data’ is extra sensitive data physically stored on a credit card magnetic stripe, in addition to the card number, expiration date and verification code. Although skimmers (physical devices that steal track data from point-of-sale machines in stores) can collect track data, it is extremely unlikely that hackers could have installed skimmers in Target stores across the country. At this point it seems most likely that Target’s centralized card processing network was compromised with some sort of malware that stole track data, much like the 2009 Heartland Payment Systems breach.
As the bad guys get smarter, retailers and any business that relies on credit card or debit card transactions need to improve the security on their technology. Card readers that automatically encrypt customer data are one logical way to go.
The Target breach raises another concern. Two of the worst breaches of the year have happened (or were at least announced) since Thanksgiving. Is this simply a trend that happens at the end of the year or when most of us are busy with other activities, or is this a bad omen for 2014?