January 10, 2014
Target: 70 million cards compromised. Payday for Hackers? Billions.
Written by David Kennedy
Categories: Penetration Testing, Security Testing & Analysis
Target initially reported that _only_ 40 million credit cards and encrypted PINs had been stolen. This has since changed, and it is now being reported that not only was the number much higher (70 million) but the stolen data also contained email addresses, home addresses, names, and phone numbers. This is a pretty damaging blow to consumers who shopped at the store. TrustedSec isn't here to point blame at Target or to find fault in how the incident or security was handled. Breaches can happen to anyone, but based on the large volume of cards taken, we are confident that a new trend will emerge, and 2014 will be the year of retail breaches. The payday for these hackers could be multiple billions of dollars. If we take a current card on the market as going for anywhere between $10 and $100, and average the going rate at roughly $80 per card, the hackers could have as much as 5.6 billion dollars from the Target breach alone.
Target will go down as the largest credit card breach in U.S. history, and one that happened with a PCI compliance stamp of approval in place prior to the incident. As hackers on the good side, thinking like a hacker, we believe this type of breach will set a precedent for the retail industry in 2014 and beyond. If hackers can make multiple billions, or even hundreds of millions, of dollars from one compromise of a retail store, they will invest all their time and effort in such targets. This breach shows it's possible, and on a much larger scale than originally perceived.
In addition, it was initially reported that the point-of-sale (PoS) systems were compromised. TrustedSec believes that this report isn't accurate. The actual PoS may have been compromised, but in order to get access to the additional information, access would need to have been maintained to the server infrastructure at Target. In traditional retail, the PoS systems integrate into a server, mostly located in stores or back in the segmented PoS environment within the corporate infrastructure. It's TrustedSec's opinion, based on the information available today, that the attackers had maintained access to multiple points of the environment, including the server and core infrastructure.
This was a heavily coordinated and sophisticated attack with long-term maintained access. There are a number of methods that could have caused the initial breach and the further exploitation of the rest of the network. One thing is clear: if you are in the retail industry, other hackers have put you on notice.
Tips for the consumer:
Cancel your card now: We mentioned this on multiple news agencies: cancel your credit card now. There are reports all over that the banks are finally admitting defeat and re-issuing cards as a preventative measure. TrustedSec had recommended canceling your credit card on the first day the breach was reported, while others said to hold and wait. Whenever something like this happens, you need to cancel your credit card immediately. Fraud prevention from the banks is a valuable service if you don't know your card has been compromised. We know that if you used your card at Target, it is compromised and is actively being sold on the underground carder market.
Beware of phishing schemes: Also reported as being breached were email addresses, names, and home addresses. If we were a malicious attacker and your stolen credit card no longer worked, we would simply send you an email containing the full card number we already had, claim something had been reported against your new credit card, and ask you to send us the new number to confirm it, all made to look as if it originated from your bank. The hackers now have a ton of valuable information about how to phish and target you.
Monitor your credit: This part is the worst of them all because it requires active monitoring. Perform a quarterly credit check just to make sure everything is good on your credit and nothing new has been opened in your name. This is a good practice in general, regardless of the Target breach.
This breach is bad, and as Target finds out more about what actually occurred, it's going to get worse. The underground community will be focusing heavily on mass paydays like Target and expanding the attacks to multiple other retailers from here on out. Last year, the financial sector was a heavy focus; now the larger focus will be on the retail industry.
TrustedSec stays away from using companies as case studies of problems with INFOSEC as a general practice. However, based on the information given today, this will be the worst breach we've seen in the history books.
Mark this day, January 10, 2014. This will be the year of large-scale retail breaches. - TrustedSec
Update 10:47AM EST: This affects ANY credit card used at Target, not just the "Target card".
Update 1/15/14: It appears to be personal information, not specifically cardholder data. The number of credit cards that were compromised hasn't been fully communicated.