(Update: Jesper Jurcenoks has posted more useful advice at Critical Watch.)
Just to give a summary of the incident that happened about two weeks ago (before I went offline for a while), it’s claimed that somewhere in the region of 40 million card details were stolen from shoppers at around 1,800 Target stores across the United States, and this reportedly happened between 27th November and 15th December. One commenter on Brian Krebs’ blog reckons it started as early as 18th November. We could suppose the criminals timed the attack for the period in which they knew Target would see its highest volume of transactions: the window opens on the eve of Thanksgiving and covers the Black Friday weekend.
The experts commenting on this mostly reckon the data was captured at the POS terminals (or at the card readers attached to them), but the information that’s available so far suggests otherwise.
I scanned Target’s Wikipedia page, and it turns out the company does have roughly 1,800 stores across the United States, and Krebs’ research suggests the crims were reading the data from multiple stores simultaneously. From this we could infer that the crims compromised something that enabled the capture of card details across every store, and that something would be a central management system for all the POS terminals, perhaps an Active Directory domain or a third-party SaaS service. Given that the cards affected were all used within a definite period, we could also infer that the criminals hadn’t dumped a database (a dump would have included cards used long before the window) but instead used a Remote Access Tool (RAT) to capture the transactions in real time (Target officially stated that malware was involved).
This certainly doesn’t mean the company was negligent, that it failed to provide basic security, or that the attack was sophisticated in any way. Any system handling that many transactions over the Internet is a target for the most skilled and determined malicious hackers out there, and it only takes a minor screw-up for a security breach to happen.
What the crims did next
Another question is what happened to the card details that were stolen from Target? Obviously they’d be sold, but for what ends? The only information we have on this so far is what Brian Krebs dug up, and I haven’t been on the Onion (yet) to verify it.
Apparently the smaller banks weren’t privy to the intelligence gathered by the police or the major card issuers, so the only thing they could determine for themselves was which of their accounts had been used at Target during the reported period. Fraud analysts working for one of these (un-named) small banks purchased a few batches of their own cards from a carder site, checked where and when those cards had been used, and concluded the theft likely happened between 27th November and 15th December. With the help of Krebs, one of the players was identified as someone going by the name ‘Rescator’, a well-established character on the Russian crime forum Lampeduza. Rescator him/herself was most likely reselling the card details rather than running the intrusion.
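The bank’s method in the paragraph above is what the card industry calls common-point-of-purchase (CPP) analysis: take the cards that turned up in the carder batch, look up where the bank’s own records say they were used, and find the one merchant that nearly all of them have in common, then read the breach window off the earliest and latest dates of those transactions. The script below is an added example of that analysis and is not code from the original post or from the bank in question; the transaction log, the merchant names (with a ‘ #store’ suffix convention), the card tokens and the carder batch are all constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: the bank's card-present transaction log as
# (card token, merchant, date). Merchant names and dates are assumptions.
TRANSACTIONS = [
    ("card-001", "Target #1123", date(2013, 11, 28)),
    ("card-001", "Grocer A",     date(2013, 11, 30)),
    ("card-002", "Target #0455", date(2013, 12, 2)),
    ("card-002", "Fuel B",       date(2013, 12, 3)),
    ("card-003", "Target #1123", date(2013, 12, 10)),
    ("card-004", "Grocer A",     date(2013, 12, 1)),
    ("card-004", "Target #0991", date(2013, 12, 14)),
    ("card-005", "Grocer A",     date(2013, 12, 5)),   # never used at Target
    ("card-006", "Target #0455", date(2013, 11, 20)),  # used at Target, but outside the window
    ("card-006", "Target #0455", date(2013, 12, 20)),
]

# Constructed sample: tokens of the bank's own cards that turned up in a
# batch bought from the carder site.
CARDER_BATCH = {"card-001", "card-002", "card-003", "card-004"}


def chain(merchant):
    """Collapse a per-store merchant name ('Target #1123') to its chain ('Target').
    The ' #<store>' suffix is a convention of this sample data, not a real format."""
    return merchant.split(" #")[0]


def merchant_coverage(transactions, stolen):
    """For every chain: (share of stolen cards used there, share of other cards used there).
    The common point of purchase is the chain that covers (nearly) all of the stolen
    cards while covering only an ordinary share of the cards that were not stolen."""
    cards_at = defaultdict(set)
    for card, merchant, _ in transactions:
        cards_at[chain(merchant)].add(card)
    clean = {card for card, _, _ in transactions} - stolen
    coverage = {}
    for name, cards in cards_at.items():
        stolen_share = len(cards & stolen) / len(stolen)
        clean_share = len(cards & clean) / len(clean) if clean else 0.0
        coverage[name] = (stolen_share, clean_share)
    return coverage


def likely_cpp(transactions, stolen):
    """Chain with the highest stolen-card coverage; ties go to the lower clean-card share."""
    coverage = merchant_coverage(transactions, stolen)
    return max(coverage, key=lambda name: (coverage[name][0], -coverage[name][1]))


def breach_window(transactions, stolen, chain_name):
    """Earliest and latest date on which a card from the batch was used at the chain:
    the narrowest window consistent with all of them having been read there."""
    dates = [d for card, m, d in transactions if card in stolen and chain(m) == chain_name]
    return min(dates), max(dates)


def cards_to_reissue(transactions, chain_name, start, end):
    """Every card of the bank's used at the chain inside the window, stolen or not:
    without the issuers' intelligence this is the best list the bank can act on."""
    return {card for card, m, d in transactions
            if chain(m) == chain_name and start <= d <= end}


if __name__ == "__main__":
    cpp = likely_cpp(TRANSACTIONS, CARDER_BATCH)
    start, end = breach_window(TRANSACTIONS, CARDER_BATCH, cpp)
    print("common point of purchase:", cpp, merchant_coverage(TRANSACTIONS, CARDER_BATCH)[cpp])
    print("window:", start, "to", end)
    print("reissue:", sorted(cards_to_reissue(TRANSACTIONS, cpp, start, end)))
```

Two points worth noticing in the sample output: the card that was used at Target only outside the window does not appear in the batch, which is what lets the window be narrowed to 28th November to 14th December rather than the whole log, and the reissue list is built from the bank’s own records only, exactly the limitation the paragraph describes.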
It turns out Rescator had his own domain, rescator[.]la, with DNS and SSL services bought from CloudFlare, which was used for the purpose of ‘aggressively marketing’ the stolen data. That marketing push does hint that the theft was opportunistic rather than stolen to order.
The other problem
I don’t know the politics, the business case or the reasoning behind the failure to make Chip-and-PIN standard in the United States. Maybe it’s cheaper to deal with the fallout from card fraud than a mass upgrade, but it’s rather pointless for the government to complain about economic espionage until this is addressed properly – this problem affects people directly and it’s more widespread.
Unfortunately it’s not a purely economic problem either, with stolen card details being common currency across a range of other crimes, especially where they’re used to buy hosting for C&C servers, malware, etc. If identity theft were nailed, a lot of these problems would disappear overnight.
What could the individual do? For a start, be paranoid and guard your financial details with your life – bank accounts are critical assets most of us can’t function without. The following shouldn’t be taken as expert advice, but here’s how I see it:
I personally avoid getting into the bad habit of paying by card, as the risk increases the more it’s done. That’s just my own reasoning. Assuming that one in every x card readers and ATMs has been compromised in some way, the ‘attack surface’, and with it the chance of having card details skimmed, grows with the number of distinct machines a person uses. Consider using a fixed set of ATMs, preferably ones installed where tampering and thefts are harder to pull off without drawing attention, and pay with cash wherever possible. With this strategy there’s a much better chance of noticing anything that’s out of place (a familiar machine with an unfamiliar fascia or keypad overlay), and hopefully the bank’s fraud detection system will also play its part.
Target is one of those companies big enough to survive the aftermath, but I don’t think the issue is resolved for its customers by a long shot.