On December 18th, the well-known American retailer Target Corp announced that hackers had stolen the data of 40 million credit cards belonging to customers who had shopped in its stores during the first days of the Christmas shopping season, from November 27th to December 15th. These cards are now being sold on the black market to be cloned and used for fraudulent purchases or cash withdrawals.
The company has not yet specified how the hackers carried out the attack; it is currently investigating it together with the US Secret Service, although its point-of-sale terminals are believed to have been compromised. This kind of attack has been on the rise lately and has become a great concern for authorities worldwide.
The largest known data theft to date, of 130 million credit cards, was perpetrated against a payment processing company, Heartland, in 2009. The next largest was the one suffered by the discount retailer TJ Maxx, from which the data of 94 million customers was stolen. A similar and more recent case is that of Barnes&Noble, which had its POS terminals compromised in October of last year. Data theft is becoming more common, and many large companies are being attacked, such as Sony Online Entertainment (PSN), Ubisoft, Facebook, LinkedIn and eHarmony.
One hypothesis circulating about the Target theft is that the cyber criminals infected the software installed on the POS terminals in its physical stores. To date, the attack has not affected the online store. Another hypothesis is the installation of data-recording devices on the terminals, although it is very unlikely that an attack of this sort could steal the data of so many millions of cards from almost 1800 stores across the US. Installing a physical device in several dozen stores at the same time would imply an unheard-of logistical capability on the part of these cyber criminals.
A more plausible theory, at least for us, is that this attack was perpetrated by installing malicious software that stole the data of the credit cards swiped through the stores' terminals. This is similar to the attack on Barnes&Noble, where one of the keypads in each of 63 stores was compromised to capture the card information and PIN number entered by customers. The company was forced to dismantle and analyze 7000 of the keypads in its stores.
It is also believed that the attack could have been carried out from the inside, since some knowledge of Target's internal network and terminals is needed to perform such a breach. A first terminal would have been infected by someone inside the company, or by an employee deceived through social engineering techniques. Once that terminal had been infected, the malware would have propagated across the store network.
It is also possible that the malicious software, once inside the stores' internal network, exploited some vulnerability in order to gain access to the servers where card or transaction data is stored. This would be similar to the Heartland case, where 130 million records were stolen. That attack was carried out by installing sniffing programs on the corporate networks of Fortune 500 companies; those programs intercepted credit card transactions and transferred the information to servers in different countries. The attack ran undetected from 2006 until the beginning of 2008.
To prevent this kind of attack and data theft, it is essential to have complete protection against malware, active and updated in real time, properly installed on all of the company's terminals and endpoints.