By Evan Francen, President FRSecure
The story broke this week on Brian Krebs’ blog, “Sources: Target Investigating Data Breach”. My first thought was (just like it was mentioned on KARE11’s 10 o’clock news last night) OH CRAP! This thought is justified by the fact that Brian is a very credible investigator and he relies on very credible sources. I have a lot of respect for Brian; his investigations, his writings, and his logic.
Brian broke the story yesterday afternoon. What do we know so far?
- The breach appears to affect people who shopped in Target stores between November 27th, 2013 and December 15th, 2013.
- Compromised information includes “customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code)” – We are going to assume that Target is referring to the CVV1 code and not the CVV2 code. The CVV1 code is encoded within the magnetic stripe, and the CVV2 code is printed on the back of your card. This is an important distinction because without the CVV2 code, a bad guy can’t make “card not present” and online purchases, which means that a bad guy has to create a new physical card and present it to a merchant.
- The number of cards that are affected is believed to be “about 40 million”.
- The breach appears to affect stores nationwide; Target has 1,797 stores in the U.S.
- Target has confirmed that it has identified and resolved the issue (as of December 15th).
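The CVV1/CVV2 distinction above comes down to what is actually encoded on the magnetic stripe. The following is an added example, not code from the original post: a small DLP-style scanner that finds Track 2 data (ISO/IEC 7813 layout, assumed here: `;PAN=YYMM` + service code + discretionary data + `?`) in a constructed text blob, filters false positives with a Luhn check, and reports which fields are present. The discretionary data is where issuers place CVV1; CVV2 exists only on the printed card, so it can never show up in this kind of finding. The sample blob, card number (a well-known test PAN) and discretionary digits are constructed.

```python
import re

# Track 2 layout per ISO/IEC 7813 (assumption): start ';', PAN, '=' separator,
# expiry YYMM, 3-digit service code, issuer discretionary data, end '?'.
TRACK2_RE = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check (cuts false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4, mask the rest, as a report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(blob: str) -> list:
    """Find Luhn-valid Track 2 records in text and describe the fields they carry."""
    findings = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue                       # random digit runs that merely look like a track
        findings.append({
            "pan_masked": mask_pan(pan),
            "expiry_yymm": m.group("exp"),
            "service_code": m.group("svc"),
            # CVV1 lives somewhere in the discretionary field; CVV2 is never on the stripe.
            "discretionary_len": len(m.group("disc")),
            "fields_present": ["pan", "expiry", "service_code", "discretionary(CVV1)"],
        })
    return findings


# Constructed sample: one valid track, one with a bad check digit, one plain log line.
SAMPLE = (
    "pos-log: sale ok ;4111111111111111=15121011234567890? tender=card\n"
    "pos-log: noise ;4111111111111112=15121011234567890? \n"
    "pos-log: refund ref=123456 amount=19.99\n"
)

if __name__ == "__main__":
    for f in scan_for_track2(SAMPLE):
        print(f)
```

Run against a memory dump or outbound capture, the same logic tells an analyst whether stripe data is leaving, and what the stripe does and does not contain.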
What we don’t know with any certainty is how the breach happened, and who might be affected. You (who are reading this) might be wondering if YOU are affected.
How did the breach happen?
We can speculate, but at this point there hasn’t been enough information made public yet. This is a very active investigation at this point. Eventually we will know, but for now we wait.
This was an attack against Target’s point-of-sale system, and it required inside access. There are some (including the Chicago Tribune) who are claiming that it was software installed on the point-of-sale terminals. This is feasible.
I believe that the attack was made against end point systems, either at the terminals or at one or more core server systems. The question is, how did an attacker gain access to the terminals and/or core server systems?
Most likely through malicious code that an employee inadvertently installed on one or more systems inside Target’s network. The typical attack scenario:
1. Identify the system (target) – No pun intended, but Target is the target.
2. Identify a vulnerability in the system – The easiest vulnerabilities are usually people-related.
3. Compromise the vulnerability, getting a foothold into the system – How about sending one or more people an email with a malicious file attached; one that has been tested to get past your anti-virus. The malicious file might give an attacker access to a single user system.
4. Elevate privileges, thus gaining administrator (or privileged user account) access – Now the fun begins in identifying other internal systems to compromise and gathering authentication data inside the network. This is tedious work because the attacker doesn’t want to set off any alarms.
5. Install a backdoor or method to come back later – Once an administrator/privileged account has been compromised, the attacker might plant a back door that he/she can use to come back later. Maybe at this point, the attacker plants the code to obtain credit/debit card data.
6. Remove evidence that you were ever there (if possible) – Delete logs and trace evidence. Unless getting caught is part of the game.
Obviously, an actual attack wouldn’t be this simple. You get the point (I hope). Bottom line is the attack consisted of a compromise of the terminals and/or core processing systems (again, my guess).
Should you worry?
More on this in another forthcoming article: “I’d rather live with risk than in fear”.
Quick answer: Not much more than you always should.
As consumers, we have little or no power to control what retailers do with the information that they collect. We should always remain vigilant and expect a breach to happen sooner or later. Knowing that we cannot prevent a breach from happening, what are the next best things? Detection and Response.
You should always be looking through your account statements. If you see a transaction that you don’t recognize, respond to it.
Honestly, banks and card issuers do a pretty good job of monitoring our accounts and detecting fraud.
It might be a good idea to find a security news outlet or two, and subscribe to their news feeds. Brian Krebs’ blog is obviously a good source, but so are SANS Newsbytes and others.
Every good response requires preparation. Are you prepared for a breach?
Here are two things that you should do in order to prepare for a breach, without panic.
1. Write down your own personal incident response plan. The plan should contain contact information for your bank(s), contact information for the Federal Trade Commission, contact information for the credit reporting agencies (Equifax, Experian, and TransUnion), good websites for advice (Privacy Rights Clearinghouse might be one), and contact information for someone you trust. The incident response plan should contain step-by-step instructions for the important possible scenarios: compromise of a credit card, compromise of a debit card, compromise of a Social Security Number (Ugh!), compromise of medical record(s), etc.
I don’t include account numbers in my own incident response plan!
Store your incident response plan in a place where you can easily get to it and won’t forget it. I store mine in the glove box of my car.
2. Keep 7 – 10 days’ worth of cash on hand in a safe place. It may take 10 days (or so) for your bank to conduct their own investigation and restore access to your money. You should have a stash of cash to get you through.
The Target breach is an unfortunate event, but it’s not anything more than it is. Don’t let it take away from your holiday season.
Author: Evan Francen, FRSecure (www.frsecure.com)