How retailer Target blew it: Missed alarms and 40 million stolen credit cards

“The biggest retail hack in U.S. history wasn’t particularly inventive, nor did it appear destined for success,” Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack report for Businessweek. “In the days prior to Thanksgiving 2013, someone installed malware in Target’s (TGT) security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.”

“It’s a measure of how common these crimes have become, and how conventional the hackers’ approach in this case, that Target was prepared for such an attack. Six months earlier the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye (FEYE), whose customers also include the CIA and the Pentagon,” Riley, Elgin, Lawrence, and Matlack report. “Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.”

“On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route. As they uploaded exfiltration malware to move stolen credit card numbers—first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis,” Riley, Elgin, Lawrence, and Matlack report. “And then… Nothing happened. For some reason, Minneapolis didn’t react to the sirens… Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.”

Read more in the full article here.

MacDailyNews Take: O-rings fail below 40 °F.

Related articles:
Massive data breach: Target’s Windows-based PoS terminals were infected with malware – January 13, 2014
Target debacle: Retailer now says 70 million people hit in massive data breach – January 10, 2014
NY Apple thefts eyed in Target’s nationwide credit breach – December 20, 2013
Target hit by massive credit-card breach – December 19, 2013

19 Comments

  1. Earlier this month I gave a talk about the Target et al. attack system and history. From my research, here is some relevant information for those interested:

    – The original hacking tools, used to create the POS (point of sale) devices were finished and began distribution in March of 2013. They were created by a 23 year old in St. Petersburg Russia. (Rumors about a 17 year old were wrong). The developer either sold his tools for $2000 each or for a share of the take from resulting hacks.
    – Neiman Marcus began being hacked in June of 2013.
    – The first identified hack was discovered in Ukraine October 27, 2013. IOW: The hack became public knowledge.
    – Target began being hacked around November 25th, although it was discovered that hackers had been testing and preparing to hack Target for nearly two months previous to that date.
    – Target didn’t figure out they were hacked until December 15th.
    – Target’s IT security staff had WARNED management in October, after the Ukraine incident, that they were likely to be attacked. Target’s IT executives IGNORED the warning. IOW: The hack never had to happen if Target was security competent, which they are not.
    – 110 million (NOT ’40 million’) Target accounts were stolen.
    – In early February it was estimated at least 42 companies had been similarly hacked by a variety of revisions of what was then called the ‘BlackPOS’ malware.
    – Since February the proliferation of ‘BlackPOS’ has been vast, extending into Java drive-by Internet infections thanks to Oracle’s worst-in-class security protection of Java on the Internet. Taxi cabs and gas stations have been known to be infected and stealing card accounts.
    – NFC (Near Field Communication) ‘chip and pin’ cards would NOT have prevented the attacks. NFC has ben used as a red herring in an attempt to divert blame away from incompetent Target and other companies.

    The core problem exploited by BlackPOS is placing card data in-the-clear in RAM on POS devices. BlackPOS directly extracts account data out of RAM then ships it over the Internet to node servers, from which the accounts are then sold to crooks.

    Until end-to-end encryption is used everywhere, such hacks will continue.

    My Conclusion: Corporations around the world are essentially security illiterate. They’re either going to wake up and get serious about security or they will continue to be taken down by hackers. Seeing as ‘the spirit of the age’ in modern business continues to be ‘screw thy customer’, I don’t much hope in companies protecting themselves, and therefore their customers, from identity theft and credit account hacking.

    1. I understand that they entered the Target network using the password access that the air conditioning / heating service supplier used. If you do not keep your accounting and personal data off the same network that the janitor and service people use, you are looking for trouble. They would not give that group the keys to the front door or their bank account information.

      Separate network wires and networks without a bridge across and then your in house network is safer.

      1. Absolutely.

        Brian Krebs stated, after he’d discovered this connection:

        It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.

        http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

        Kind of cuckoo.

    2. They will fix it when it significantly affects THEIR bottom-line. In the meantime they are apathetic to the individual victims (and the credit card companies). Yes, yes I know they apologized — big deal, that cost them nothing. Hopefully someone will start lawsuits for gross negligence that will motivate these companies to do the right thing and protect their customers. Absolutely shameful business practices.

      1. Target has expenses associated with this fiasco – replacing all of their customer credit cards with new cards and account numbers didn’t come free, nor is the no-charge 12 month credit monitoring they’re offering to all of their customers (whether they were impacted by this or now) $0 cost to them. The question becomes though – do those cost end up impacting the bottom line significantly enough for them to make changes? Or is it just a line item write off that doesn’t amount to a pimple on a flea’s a$$ to them.

  2. Ok, that is funny MDN. “O-rings fail below 40 °F.” I have been in the rubber industry for almost 40 years now. Where did you get that information from. Even the Fluorocarbon o-rings that failed and destroyed the space shuttle could go below 40°F. They were stiffening up that morning in the 20’s because the rubber they chose had a brittle point of -15°F. They should have used the -40°F or -62°F type of Fluorocarbon rubber. Some types of rubber like Natural rubber and Silicone rubber go much lower. We have to drop the cryogenically tumbled de-flashing down to -60°F and -80°F all the time to get the rubber material stiff enough to break the flash off.

    e-mail me and I will forward you some basic rubber properties if you want them.

    1. Really? Do you really have no clue in comparing the article to MDN’s comment? It has nothing to do about rubber! It’s mismanagement…Target to NASA, they both “dropped the ball”. Put Target in NASA’s place in this paragraph, then go back to MDN’s comment…both end in disaster…. “The Rogers Commission found NASA’s organizational culture and decision making process flawed. NASA managers had known contractor Morton Thiokol’s design of the SRBs contained a potentially catastrophic flaw in the O-rings since 1977, but failed to address it properly. They also disregarded warnings from engineers about the dangers of launching posed by the low temperatures of that morning and had failed in adequately reporting these technical concerns to their superiors.
      What Rogers did not highlight was that the vehicle was never certified to operate in temperatures that low. The O-rings, as well as many other critical components, had no test data to support any expectation of a successful launch in such conditions. Bob Ebeling from Thiokol delivered a biting analysis: “[W]e’re only qualified to 40 degrees …’what business does anyone even have thinking about 18 degrees, we’re in no man’s land.'” THINK BEFORE YOU TYPE!…Someone of your age should be able to put two and two together and not have to be corrected by someone half your age…

      1. Let’s fill in the blanks, shall we…“Consumers found Targets organizational culture and decision making process flawed. Target managers had known contractor Microsofts design of the POS (point of sale) system contained a potentially catastrophic flaw in Windows since 1977, but failed to address it properly. They also disregarded warnings from engineers about the dangers of launching posed by the low temperatures of that morning and had failed in adequately reporting these technical concerns to their superiors.
        What Comsumers did not highlight was that the systems was never certified to operate in temperatures that low. The POS, as well as many other critical components, had no test data to support any expectation of a successful launch in such conditions. Computer security firm FireEye delivered a biting analysis: “[W]e’re only qualified to 40 degrees …’what business does anyone even have thinking about 18 degrees, we’re in no man’s land.’”

  3. Security is like insurance, unfortunately Target spent $M on detection and left the response process to manual labor. Think of it this way, Target probably saw 1000s if not 10s of thousands of alerts each day, and they know it. They probably detect more than they can process effectively, and the result is that malware gets through.

    They should have also spent at least 10% of that budget on process and technology to automatically investigate, prioritize, and lock down/contain their detected threats. You would think that they could have asked FireEye who they recommend for automated incident response. The tech is out there and available, and all this craziness and costs could be avoided.

Add Your Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.