Target Hack Increases from 70-110 Million

bobloblaw Member Posts: 228

Comments

  • Ukimokia Member Posts: 91
    Our local radio DJ was talking about it this morning: last night he caught someone using his card. It had been compromised from this. I do feel really bad for their entire security department. Good thing I haven't shopped at Target in a long time.
  • JeanM Member Posts: 1,117
    Ouch! Time to change card numbers just in case.
    2015 goals - ccna voice / vmware vcp.
  • MSP-IT Member Posts: 752
    They got my card number. Luckily for me my was on top of it.
  • bobloblaw Member Posts: 228
    "The company said it 'began investigating the incident as soon as we learned of it through a leading third-party forensics firm.'"

    Hmmm... Is it not common practice for a multi-billion dollar company to have a CIRT with well-trained computer forensics personnel? Of course, after having a breach that big you'd probably prefer a third party that isn't trying to cover their own respective butts.
  • lsud00d Member Posts: 1,571
    For clarification, there were two sets of pilfered data from the same breach.

    ~40m cards
    ~70m personal information
  • antielvis Member Posts: 285
    What is more scary is that these types of incidents are no longer that rare. Where is the responsibility of the business in protecting the data of its customers? What's really scary is not so much that this is public or that hacker groups (anon, lulzsec, etc.) are dumping the data. It's the stuff that gets stolen we never hear about OR that the client doesn't even know about.
  • tpatt100 Member Posts: 2,991
    Wait they updated the 40 million originally to 70 million? Now it is 110 million? Wow, Chase emailed me and said my new card was on the way.
  • lsud00d Member Posts: 1,571
    No, @tpatt100 read my post 2 above yours ;)
  • fredrikjj Member Posts: 879
    Once a payment has been validated, why do the stores need to store the credit card number? It seems flawed on a fundamental level.
  • YFZblu Member Posts: 1,462
    tpatt100 wrote: »
    Wait they updated the 40 million originally to 70 million? Now it is 110 million? Wow, Chase emailed me and said my new card was on the way.

    As posted earlier, the number of credit cards stolen hasn't increased. It was a separate data store of customers that was accessed, and as of now I don't think there's any evidence that it contained credit card information.
  • --chris-- Member Posts: 1,518
    fredrikjj wrote: »
    Once a payment has been validated, why do the stores need to store the credit card number? It seems flawed on a fundamental level.
    This ^^^

    Could someone explain why the numbers are stored?
  • YFZblu Member Posts: 1,462
    Answer to that very question on /r/netsec:
    It depends, primarily on the manner in which they process transactions. If they're clearing transactions in near real-time then the card number and expiration date should only be needed briefly, and may not even need to be committed to disk. If they are doing batch processing, they may need to hold on to them a bit longer. That's perfectly fine, but there need to be proper protections on that data while they are holding it, and there should be processes in place to ensure they do not hold it longer than necessary. Protections would include encrypting the data (and all the issues of key management entailed therein) on disk and within any kind of long-term memory cache. Part of the job process in cleaning up after clearing should include deletion of the card records, and ideally there should be a cron job that checks for stale card records in the database just in case something went wonky with the batch job.

    In a standard POS use model there is no good reason to keep card data around after clearing. The transaction and approval numbers should be all that is needed to reference the transaction later if, for instance, reversal is needed.
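    The retention rule in the quoted answer, as an added example that is not code from this thread or from /r/netsec: card data is held sealed only until the batch clears, deleted on clearing, and a sweep job purges anything the batch job left behind. The store names, the 24-hour holding window and the HMAC-SHA256 counter-mode keystream (a standard-library stand-in for AES-GCM, confidentiality only, no integrity) are assumptions.

```python
import hashlib
import hmac
import os

HOLD_SECONDS = 24 * 3600   # assumed maximum time a pending record may exist
KEY = os.urandom(32)       # key management (HSM, rotation, access control) is out of scope


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # PRF in counter mode: HMAC(key, nonce || counter) blocks concatenated.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(plain: bytes) -> bytes:
    """Encrypt with a fresh random nonce; stand-in for a real AEAD cipher."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plain, _keystream(KEY, nonce, len(plain))))


def open_(blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(KEY, nonce, len(ct))))


class CardStore:
    def __init__(self):
        self.pending = {}   # txn_id -> (sealed "PAN|expiry", stored_at); exists only until clearing
        self.ledger = {}    # txn_id -> approval code and last four; enough for later reversal

    def authorize(self, txn_id: str, pan: str, expiry: str, approval: str, now: int):
        self.pending[txn_id] = (seal(f"{pan}|{expiry}".encode()), now)
        self.ledger[txn_id] = {"approval": approval, "last4": pan[-4:]}

    def clear_batch(self) -> list:
        """Settle every pending transaction, then delete its card data."""
        cleared = []
        for txn_id in sorted(self.pending):
            pan, expiry = open_(self.pending[txn_id][0]).decode().split("|")
            # ... submit (pan, expiry) to the processor here ...
            del self.pending[txn_id]          # cleanup is part of the clearing job itself
            cleared.append(txn_id)
        return cleared

    def sweep_stale(self, now: int) -> list:
        """Safety net (the 'cron job'): purge records older than the holding window."""
        stale = sorted(t for t, (_, at) in self.pending.items() if now - at > HOLD_SECONDS)
        for t in stale:
            del self.pending[t]
        return stale
```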
  • wes allen Member Posts: 540
    bobloblaw wrote: »
    "The company said it 'began investigating the incident as soon as we learned of it through a leading third-party forensics firm.'"

    Hmmm... Is it not common practice for a multi-billion dollar company to have a CIRT with well-trained computer forensics personnel? Of course, after having a breach that big you'd probably prefer a third party that isn't trying to cover their own respective butts.

    Read the DBIR - only a small percent of major breaches are discovered in house, it is usually 3rd party that does the notifying.

    2013 Data Breach Investigations Report | Verizon Enterprise Solutions
  • --chris-- Member Posts: 1,518
    YFZblu wrote: »
    Answer to that very question on /r/netsec:

    Going further off the OP, maybe I should start a thread...

    Why would anyone run cards in batches if real-time is more secure?
  • MentholMoose Member Posts: 1,525
    antielvis wrote: »
    What is more scary is that these types of incidents are no longer that rare. Where is the responsibility of the business in protecting the data of its customers?
    Even if a business has the most advanced security and does everything right, they can still get hacked by someone determined enough. Just look at what happened to Lockheed Martin. Someone wanted to hack them but apparently couldn't get in, probably due to high security (as you might expect). So what did they do? They hacked one of their security vendors (RSA) and stole the info needed to break into Lockheed. That was in 2011 and things have only gotten worse since, and will probably continue to worsen for the foreseeable future.

    RSA confirms its tokens used in attack on Lockheed Martin -- GCN

    It may turn out that Target really dropped the ball, but I would be surprised if they really did anything egregious. I think the TJ Maxx hack in 2007 was probably a wakeup call for major retailers to improve their security. Kind of like how many video game companies started taking security seriously after Valve got hacked in 2003.
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
  • YFZblu Member Posts: 1,462
    --chris-- wrote: »
    Going further off the OP, maybe I should start a thread...

    Why would anyone run cards in batches if real-time is more secure?

    My understanding is cost savings - Running batches in off-peak hours or something of that nature. Hardly sounds like a problem Target would be dealing with though.
  • tpatt100 Member Posts: 2,991
    lsud00d wrote: »
    No, @tpatt100 read my post 2 above yours ;)

    Ok so they got my card and know where I live.....
  • W Stewart Member Posts: 794
    Back when I was working with point of sales systems we had some stores that processed credit cards in batches and some in real time. It depends on which merchant service provider you process your credit cards through. We only had like two of them and the one that did real time processing had a bad rep for their systems being down too frequently so I guess it depends on the situation. It's also probably cheaper to batch the credit cards at the end of the day than to pay per transaction.
  • instant000 Member Posts: 1,745
    From the article:
    the encryption algorithm Target used to protect that data — a standard known as triple DES, or 3DES — is vulnerable in some cases to so-called brute force attacks
    On Friday, a Target spokeswoman would not comment on whether the second batch of information stolen from its 70 million customers was encrypted.
    the point-of-sale systems customers use to swipe their credit cards are connected to the corporate network like everything else. There is lots of opportunity to compromise individuals through point-of-sale machines and then pivot to the corporate network
    Neiman Marcus, confirmed on Friday that it, too, had been breached


    #################

    A couple of interesting things here:
    1. Network segmentation
    2. Strong cryptography
    3. Compliant is not secure
    #####

    1. PCI DSS doesn't require network segmentation, according to their version 3.0 (November 2013):
    Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is not a PCI DSS
    requirement.

    2. PCI DSS's definition of strong cryptography might not be as strong as it should be:

    PCI DSS's definition of strong cryptography, from its Glossary v2.0 (October 2010):
    Cryptography based on industry-tested and accepted algorithms, along with
    strong key lengths and proper key-management practices. Cryptography is a
    method to protect data and includes both encryption (which is reversible) and
    hashing (which is not reversible, or “one way”). Examples of industry-tested
    and accepted standards and algorithms for encryption include AES (128 bits
    and higher), TDES (minimum double-length keys), RSA (1024 bits and higher),
    ECC (160 bits and higher), and ElGamal (1024 bits and higher).
    See NIST Special Publication 800-57 (NIST Computer Security Publications - Home) for
    more information.

    TDES with double-length keys is referring to 2TDEA:

    According to NIST SP 800-57 Part 1, Rev 3, 2TDEA provides only 80 bits of security.

    According to NIST SP 800-131A, the transition away from 2TDEA should have started at the end of 2010.

    I can't locate a more recent PCI DSS Glossary than the v2.0 from Oct 2010, but I would hope that their definition of "strong cryptography" be updated.

    3. Compliant is not secure.

    Target may have successfully passed a PCI-DSS audit, but still not have been as secure as they could have been, and thus more susceptible to a breach.

    ###

    Hope this helps.

    P.S.: I realize that I didn't address the complaint made in this thread about having the data stored for so long, but need to go eat breakfast, and we pretty much have already made some speculation as to why this is so:
    W Stewart wrote:
    probably cheaper to batch the credit cards at the end of the day than to pay per transaction.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • cyberguypr Mod Posts: 6,928
    Great update of the whole Target incident. Definitely worth a read.

    Target Missed Alarms in Epic Hack of Credit Card Data - Businessweek

    A few things worth highlighting:
    - FireEye alerted; it got ignored.
    - After LEO alert, it took TGT 3 days to confirm something actually happened
    - Reconnaissance is key. Bad guys did their homework before going to town and it paid off
    - Having the exfil happen between 10am-6pm to make it get lost in regular business hours traffic
    - Attacker's credentials embedded in malware's code. They also left clues as to their cyber identity.

    Take away: both sides made mistakes. One side doesn't care as they are not accountable to anyone. One side is the big loser.

    TGT definitely missed the bus big time.
  • the_Grinch Member Posts: 4,165
    I got an email from my bank today saying due to the hack they were issuing a new debit card. No money was missing, but I'll take it.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff