US retail giant Target has confirmed that hackers gained access to payment card data that could mean 40 million credit and debit card accounts are at risk. An official statement says that the retailer is "aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores" and is now working with law enforcement and financial institutions having "identified and resolved the issue".
The accounts in question were targeted (pun intended) between November 27th and December 15th, timed to coincide with the busiest seasonal shopping period. Gavin Millard, Technical Director at security firm Tripwire, says that the two most worrying aspects of the breach "are the time frame, because it occurred on the busiest shopping period in the US calendar year when millions flood to the big box retailers, and the fact that the “track data” was captured, enabling the attackers to create counterfeit cards."
Meanwhile, Mark Bower, vice president at Voltage Security, thinks that sadly this massive security breach is simply a reflection of the times we live in. "The size, scale and coordination required for this attack illustrates the lengths that attackers will go to steal valuable credit and debit information including card track data and CVV codes – the ultimate prize," Bower says. Typically there are two points in the retail chain where attacks take place: the POS or the payment switching back end. "POS systems are often the weak link in the chain and vulnerable," Bower continues. "They often run a standard OS and are thus subject to exploits and zero-day attacks if exposed to a malware delivery channel such as a browser, a compromised POS management system, patch system or worse, from an insider."
The problem with POS and checkout systems during the seasonal shopping rush is that they are in near-constant use and are therefore patched and updated less frequently. In turn, this leaves them more vulnerable to malware compromise affecting massive amounts of cardholder data, although we don't yet know whether this was the case at Target. If the breach was further up the chain, perhaps in the authorization and settlement switching systems in the retail back end, then the track data and CVV codes should never have been stored – even if encrypted. "There’s no need," Bower warns, "and it’s forbidden under PCI DSS, yet sadly still happens."
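Bower's last point, that track data and CVV codes must never be stored after authorization, is something a retailer can check for rather than take on trust. The following is an added example written for this page; it is not code from the article, from Target, or from Tripwire or Voltage. It scans stored text records (for example back-end settlement or debug logs) for the two magnetic-stripe track layouts defined in ISO/IEC 7813 and for explicitly labelled CVV/CVC fields, applies a Luhn check to cut down false positives, and reports each hit with the card number masked so the scanner itself does not spread the data it is looking for. The regular expressions are simplified forms of the track layouts, and the sample log lines are constructed for this example.

```python
import re
from dataclasses import dataclass

# Simplified patterns for the two magnetic-stripe track layouts (ISO/IEC 7813).
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})[^?]*\?")
# An explicitly labelled card verification value, as a careless log line might emit it.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; the report must not itself leak card data."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Finding:
    line_no: int     # 1-based line number in the scanned record set
    kind: str        # "track1", "track2" or "cvv"
    masked_pan: str  # masked PAN for track hits, empty for a bare CVV field


def scan(lines):
    """Scan text records for stored sensitive authentication data.

    Returns one Finding per track-data or CVV occurrence. Track matches whose
    PAN fails the Luhn check are ignored to reduce false positives on
    look-alike numeric data.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in TRACK1_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(Finding(n, "track1", mask_pan(m.group(1))))
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(Finding(n, "track2", mask_pan(m.group(1))))
        if CVV_RE.search(line):
            findings.append(Finding(n, "cvv", ""))
    return findings


def report(findings):
    """Render findings as one line each, suitable for a compliance ticket."""
    return [f"line {f.line_no}: stored {f.kind} data {f.masked_pan}".rstrip()
            for f in findings]


# Constructed sample records. Line 1 is what a compliant log should look like
# (PAN masked, no track data); lines 2-4 are the kind of debug output that
# violates the PCI DSS prohibition on storing sensitive authentication data.
# The card numbers are the well-known Visa and Mastercard test numbers.
SAMPLE_LOG = [
    "2013-12-01 10:02:11 AUTH ok terminal=T17 pan=************1111 amount=49.99",
    "2013-12-01 10:02:12 DEBUG raw=;4111111111111111=15121011000012345678?",
    "2013-12-01 10:02:13 DEBUG raw=%B5500000000000004^DOE/JOHN^1512101123400000?",
    "2013-12-01 10:02:14 DEBUG cvv=123 pan=************0004",
]

if __name__ == "__main__":
    for line in report(scan(SAMPLE_LOG)):
        print(line)
```

Run against the constructed records the scanner flags lines 2, 3 and 4 and leaves the properly masked authorization line alone. In practice this kind of check belongs in the log pipeline and in periodic scans of back-end storage, so that a debug flag left on during the holiday rush is caught before the data accumulates.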