
TARGETED BY HACKERS: A REVIEW OF THE RECENT DATA BREACH OF TARGET CORPORATION

Kehinde Adelusi
Cameron University

ABSTRACT

In this paper, the author discusses how the issue of stolen data in this age of technology has continued to grow as more and more organizations store information about their customers on computers attached to the Internet. The customer data kept by big stores, financial firms, hospitals, etc., are often the target. This paper elaborates on this problem by dissecting the recent data breach of the Target Corporation and some other corporations, how the network was compromised, and how the incident could have been prevented.

Keywords: Network, cyber security, cyber-attack, data breach.

INTRODUCTION

It is very important that customer information is kept securely by the companies that hold it. The issue discussed in this paper is the loss of customer data in the data breach of Target Corporation and other companies like Neiman Marcus. Payment card security has many loopholes. The two biggest credit card companies, Visa and MasterCard, have failed to tackle the growing problems of card security. They are happy to leave the merchants and customers to suffer the consequences of the security flaws, as Target and its many customers have since the data breach incident. Of course, the merchants have to take some blame themselves, but the card issuers should be doing more to strive towards having a well-rounded card security standard in place. These big companies, to their credit, have been trying their best, as we will see later in this paper, but they have to work very closely with merchants if their efforts are to yield any fruit. Some of the items discussed include a background on data breaches, how the Target network was compromised, and how the incident could have been prevented.

BACKGROUND

About 664 million records have been breached since 2005 (Privacy Rights Clearinghouse [PRC], 2013). These numbers show that data breach incidents are not getting any better. In December 2006, TJX Companies Incorporated, which runs companies like TJ Maxx and Marshalls, was also a victim of a data breach, as Target and Neiman Marcus were later. The Target Corporation discovered that its network had been intruded upon on December 15, 2013. Chapman and Hollingsworth (2013) said that Target, the nation’s second-largest discounter, acknowledged that data connected to about 40 million credit and debit card accounts was stolen as part of a breach that began on November 27, 2013. The theft marks the second-largest credit card breach in U.S. history, exceeded only by the data breach of TJX Companies that affected 45.7 million card users (Chapman and Hollingsworth, 2013).


HOW TARGET’S NETWORK WAS COMPROMISED

There are many stories about how the network was compromised. Target’s chairman and CEO, Gregg Steinhafel, said the full extent of what transpired is not yet known, but what Target does know is that malware was installed on the company’s point-of-sale registers (Quick, 2014). The CEO did not say what type of malware it was or how it was used. However, another story claimed that one of the pieces of malware the attackers used was something known as a RAM scraper, or memory-parsing software, which enables cybercriminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text (Finkle and Hosenball, 2013). When the Target Corporation was summoned by the Senate, it had a much improved account of what happened. Target’s Executive Vice President and Chief Financial Officer testified that they now know that the intruders stole a vendor’s credentials to access their system and place malware on the point-of-sale registers (Reid, 2014). The malware captured payment card data from magnetic stripes on credit and debit cards before they were encrypted. Figure 1 shows an approximate timeline of events in the Target data breach.

Figure 1. Timeline of Target’s data breach

(Source: Dell SecureWorks)

Who exactly was the vendor? KrebsonSecurity (2013) reported that investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning, and refrigeration firm in Sharpsburg, Pennsylvania. The credentials were then stolen in an e-mail malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers. The firm acknowledged that, like Target, it had been a victim of a sophisticated cyber-attack operation (Fazio, 2014). However, this incident could have been avoided if the companies involved had been fully compliant with industry standards.

HOW THE INCIDENT COULD HAVE BEEN AVOIDED

This incident could have been avoided if the Payment Card Industry Data Security Standard (PCI DSS) had been followed. True, it is well known that the war against cyber-attacks is an ongoing war and that the process of tackling this problem is changing every day. Nevertheless, this incident could have been effectively avoided if EMV (Europay MasterCard Visa) chips were used in cards. This technology is spreading widely in Europe and other parts of the world, but the United States has been slow in accepting and implementing it. Rash (2013) said he was in a line on his first day at CeBIT in Hannover, Germany, to buy lunch in the press building cafeteria. He handed his credit card to the cashier, and the cashier looked at his card and asked if he had another one. The card he had was the regular magnetic stripe card that most Target victims used. It turned out that the point-of-sale terminals in the cafeteria used EMV chips rather than the magnetic stripe on the back of the card. Eventually, they found a cash register with a magnetic stripe reader, and he was able to pay for his Wiener schnitzel. As soon as he got back to the United States, he called his card issuer and was sent a new card with the EMV chip (Rash, 2013). Rash was able to get the new card because they were available for travelers. Figure 2 shows the regions of the world where EMV technology is in use. Noticeably, the United States is not yet part of the EMV revolution.

Figure 2

EMV in the United States

What is EMV?

EMV stands for Europay MasterCard Visa. EMVCo (2014) said EMV is a trademark dating back to 1999, created after Europay, MasterCard, and Visa founded EMVCo with the purpose of developing specifications for secure payment transactions. Some other card companies have joined EMVCo, such as American Express, Discover, JCB, and UnionPay of China. The EMV specifications and related testing processes aim to facilitate worldwide interoperability and acceptance of secure payment transactions. Some of the EMV specifications that are managed by EMVCo include:

- EMV Contact
- EMV Contactless
- EMV Next Generation
- EMV Common Payment Application (CPA)
- EMV Card Personalization Specification (CPS)
- EMV Tokenization Specification, which is the newest undertaking of EMVCo

Figure 3 below shows how to identify a contactless card. The four little arcs on the card tell the cardholder that the card is a contactless card and can be used on a contactless reader.

Figure 3. Contactless sign on a card

Figure 4 shows how to identify a contactless reader. The same sign on the card is used to identify a contactless reader. The noticeable difference is the inclusion of a hand near the four arcs.

Figure 4. Contactless sign on a reader

This is a little background on EMVCo and what the company has been doing with the EMV trademark. The EMV contact and contactless specifications are the ones that are related to chip-based payment cards. Some of the advantages of the EMV chip are what make it unique and are what make it the right direction to follow when it comes to card payment security. These advantages include:

- Providing added security against certain types of fraud through the use of features such as data authentication, PIN entry, and cryptographic technology.
- Providing a transaction-unique digital seal or signature in the chip that authenticates the card in an offline environment and prevents criminals from using fraudulent payment cards.
- Providing a transaction-unique online cryptogram that is used to secure online payment transactions and protect cardholders, merchants, and issuers against fraud.
- Supporting enhanced cardholder verification methods.
- Storing more information than the magnetic stripe cards (EMVCo, 2014).
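The "transaction-unique online cryptogram" listed above can be illustrated with a toy model. This is an added example, not code from the paper or from EMVCo: it assumes HMAC-SHA256 over the transaction fields as a stand-in for the real EMV cryptogram algorithm, and the class names, card number, and stripe contents are hypothetical placeholders. It shows why a copy of static stripe data is indistinguishable from the original, while a copied or altered chip transaction is refused by the issuer.

```python
import hashlib
import hmac
import os

def _mac(key: bytes, pan: str, amount: int, nonce: bytes, atc: int) -> str:
    # Simplified stand-in for the chip cryptogram: HMAC over the transaction fields.
    msg = b"|".join([pan.encode(), str(amount).encode(), nonce, str(atc).encode()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ToyChipCard:
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self._atc = pan, key, 0  # key never leaves the chip

    def sign(self, amount: int, nonce: bytes) -> dict:
        self._atc += 1  # transaction counter makes every cryptogram unique
        return {"pan": self.pan, "amount": amount, "nonce": nonce, "atc": self._atc,
                "cryptogram": _mac(self._key, self.pan, amount, nonce, self._atc)}

class ToyIssuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan], self._last_atc[pan] = key, 0

    def authorize_stripe(self, track: str) -> bool:
        # Static stripe data: nothing distinguishes a copy from the original.
        return track.split("=")[0] in self._keys

    def authorize_chip(self, txn: dict) -> bool:
        key = self._keys.get(txn["pan"])
        if key is None or txn["atc"] <= self._last_atc[txn["pan"]]:
            return False  # unknown card, or counter already used (replay)
        good = _mac(key, txn["pan"], txn["amount"], txn["nonce"], txn["atc"])
        if not hmac.compare_digest(good, txn["cryptogram"]):
            return False  # fields altered, or cryptogram not produced by the chip
        self._last_atc[txn["pan"]] = txn["atc"]
        return True

def demo() -> dict:
    pan, key = "0000000000000000", os.urandom(32)  # constructed placeholder values
    issuer, card = ToyIssuer(), ToyChipCard(pan, key)
    issuer.enroll(pan, key)
    track = pan + "=0000"            # constructed static stripe contents
    txn = card.sign(2599, os.urandom(4))
    copied = dict(txn)               # byte-for-byte copy of the chip transaction
    altered = dict(txn, amount=99999, atc=2)  # copy with edited fields
    return {"stripe_original": issuer.authorize_stripe(track),
            "stripe_copy": issuer.authorize_stripe(track),
            "chip_original": issuer.authorize_chip(txn),
            "chip_copy": issuer.authorize_chip(copied),
            "chip_altered": issuer.authorize_chip(altered),
            "chip_next": issuer.authorize_chip(card.sign(500, os.urandom(4)))}

if __name__ == "__main__":
    print(demo())
```
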

How does the EMV chip work?

The EMV chip that is embedded in the credit card is actually a microprocessor that holds an encrypted version of the information that is on the magnetic stripe. It establishes communication with the point of sale terminal and passes the credit card information to it while keeping the data encrypted (Rash, 2013). The specification in which the card makes contact with the point of sale terminal is the EMV contact specification. The transaction is only possible if the card with the chip in it makes contact with the point of sale terminal. The contactless EMV, as the name suggests, does not make contact with anything. It works by holding a contactless chip-based payment device, usually a smartphone or even a card, close to a contactless-capable reader. The embedded chip is energized by the reader, and data exchange takes place with the help of a radio signal. Figure 5 below shows in a nutshell how the EMV chip card works.

Figure 5. Chip card payment processing infrastructure

EMVCo (2014) said that research has shown that a contactless transaction can be approximately 53 percent faster than a traditional magnetic stripe credit card transaction and 63 percent faster than using cash. Figure 6 shows an example of a contactless transaction using a smartphone. The smartphone is placed near the reader and the transaction takes place.

Figure 6. Smartphone and Reader

The card information from the magnetic stripe is encrypted after the information is passed across to the point-of-sale registers. The attackers who gained access to Target’s network were able to get the data they needed before it was encrypted. But unlike the magnetic stripe, the EMV chip already has the information encrypted before it is passed across to the point-of-sale register. Therefore, if anyone steals it (which is very difficult), it will be more or less useless to them. Furthermore, the EMV technology supports four types of Card Verification Method (CVM). These include:

- Signature – Cardholder’s signature.
- Online PIN – Verified by the issuer.
- No CVM – Used for low risk transactions.
- Offline PIN – Verified by the card.

The EMV chip is used by very few card issuers in the United States. Rash (2013) said the problem is that for the EMV chip to be useful, the customer has to have the embedded chip and the merchant has to have a reader that can read the card. The card readers are installed in some stores in the United States, but many do not want to spend the money to upgrade to new card readers. The issuing of cards that have the embedded chip is not a big problem for the card issuers. The problem is having merchants and retailers such as Target upgrade to the card readers that are compatible with the EMV cards. Many of the card issuers like MasterCard, Visa, and Discover already have roadmaps they hope to follow in implementing the EMV technology in the United States. For instance, Visa has a readiness guide that was compiled to help merchants with the integration of the EMV technology. The guide talks about a dual-interface terminal which has the capability of processing various chip transactions from contact chips to contactless chips, mobile devices, and even magnetic stripe cards. Figure 7 below shows what the dual-interface terminal is all about.

Figure 7. Dual-interface Terminal

One big concern that most of the card issuers like Visa, MasterCard, and American Express discussed in their roadmaps is the issue of fraud liability. They all hope to institute a liability shift in 2015. This shift would hold whoever is at fault (issuer or merchant) responsible for any counterfeit fraud. They also hope to extend the liability shift to cover ATMs and fuel dispensers by 2017. Figure 8 shows the progress MasterCard has made with regard to their roadmap.

Figure 8. MasterCard roadmap progress

They have completed all they wanted to do in 2012 and 2013. In 2015, they hope to institute the liability shift.

CONCLUSION

This paper described how the Target Corporation’s network was breached and how the breach could have been prevented if the card technology standard EMV, which has been working very well in Europe and many other parts of the world, had been fully implemented in the United States. Measures are being taken to make the EMV chips fully functional in the United States, but it should have been done a long time ago. One would hope that in the wake of this data breach tragedy, the implementation of the EMV card technology that has worked so well in Europe and other parts of the world would be fast-tracked and the incidence of credit card data breaches would be substantially reduced.

REFERENCES

About EMV. (2014). EMVCo. Retrieved from https://www.emvco.com/about_emv.aspx

A First Look at the Target Intrusion, Malware. (2014). KrebsonSecurity. Retrieved from http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/

Bergert, D. (2011, February 10). International merchants with EMV no longer need to have PCI compliance validated. [Web log post]. Retrieved from http://www.paymentsystemsblog.com/2011/02/10/international-merchants-with-emv-no-longer-need-to-have-pci-compliance-validated/

Chapman, M., & Hollingsworth, H. (2013, December 19). Target security breach affects up to 40M cards. Journal Sentinel. Retrieved from http://www.jsonline.com/business/national/target-40m-accounts-may-be-involved-in-breach648fde78ab7a4e838a2eced0da89b9bra5-236530941.html

Chronology of Data Breaches. (2013). Retrieved from https://www.privacyrights.org/data-breach

Fazio, F. E. (2014). Statement on Target data breach. Fazio Mechanical Services. Retrieved from http://faziomechanical.com/Target-Breach-Statement.pdf

Finkle, J., & Hosenball, M. (2014, January 12). More well-known U.S. retailers victims of cyber attacks. Reuters. Retrieved from http://www.reuters.com/article/2014/01/12/us-target-databreach-retailers-idUSBREA0B01720140112

How do you know if you have a Contactless credit card? (2011, June 13). Kubera. Retrieved from http://www.kubera.cc/tag/technology/

Jarvis, K., & Milletary, J. (2014, January 24). Inside a Targeted Point-of-Sale data breach. KrebsonSecurity. Retrieved from http://krebsonsecurity.com/wp-content/uploads/2014/01/Inside-a-Targeted-Point-of-Sale-Data-Breach.pdf

Progress Against Roadmap. (2013). Mastercard.us. Retrieved from http://www.mastercard.us/_assets/docs/MasterCard_EMV_Timeline.pdf

Rash, W. (2013). How Target's Credit Card Security Breach Could Have Been Avoided. Eweek, 4.

Reid, P. (2014, February 4). Target executive apologizes to congress for data breach. CBSNews. Retrieved from http://www.cbsnews.com/news/target-executive-apologizes-to-congress-for-data-breach/

Quick, B. (2014, January 12). Target CEO defends 4-day wait to disclose massive data attack. Consumer News and Business Channel. Retrieved from http://www.cnbc.com/id/101329300

Visa U.S. Merchant EMV Chip Acceptance Readiness Guide. (2013). Visa.com. Retrieved from https://usa.visa.com/download/merchants/visa-merchant-chip-acceptance-readiness-guide.pdf

What are chip-enabled EMV payments cards? (2012). Smart Card Alliance. Retrieved from http://www.smartcardalliance.org/pages/slideshows-20120409?template=slides


About the Author:

Kehinde Adelusi is a student of Cameron University in Lawton, Oklahoma. He is studying Information Technology with a concentration in Cyber Security and Information Assurance. He has received numerous awards during his time at Cameron University. Among them are: Freshman Writer’s Award, Phi Eta Sigma, Phi Kappa Phi, Who’s Who Among Students in American Colleges and Universities, and Cameron University’s top 20.