Sunday, February 2, 2014

Target Hacker

The article, Target Hackers Used Stolen Vendor Credentials[1], provides an update as to the circumstances surrounding the cyber attack on Target’s POS that compromised the credit & debit card information.  The current findings indicate that Target’s security was breached through the use of a vendor’s stolen electronic credentials.

The initial finding was that malware was introduced into Target’s systems that allowed it to store and later transmit the account numbers and security codes of the various credit cards and debit cards used over a period of time.  It was originally speculated that the malware was introduced by enticing an employee to download a file or open a link that provided a gateway into Target’s secure system.  However, this latest information introduces another source of vulnerability where secured systems are made available to outside vendors.  Although outside vendor access may be limited to select databases or tables within a given database, the ability to remotely access a secure system may be sufficient to introduce a malware and allow the malware to navigate itself to various areas of the system, and allow it to locate and transmit sensitive data.

The malware found in Target’s system have been traced to a generic malware that is being sold on the open market for approximately $2,000 per copy[2].  The source code is then modified by the buyer to customize it for their specific needs and introduced in the target system.  This generic malware has been linked with other cyber attacks in various other companies within the United States.  It seems that the U.S. is being targeted primarily due to the use of the archaic magnetic strips that retain the account number and security codes that are revealed during the swiping/authorization process.  European and Asian countries utilize embedded chips that provide a higher degree of encryption that makes it more difficult to acquire.

It seems that credit card/debit card companies such as Visa and MasterCard, along with the various vendors such as supermarkets and other stores, are placing costs ahead of security, since the technology does exists and has been proven to be a more viable secured system than the magnetic strip technology.  However, the capital cost necessary to convert all the existing credit cards and debit cards to the embedded chip technology, along with the need to either retrofit or replace the existing card readers within the various stores that accepts these cards will be a major tasks that will likely cost the industry millions of dollars, if not billions.  It is unlikely that Visa and MasterCard will be willing to forego profits to ensure that better security becomes available to its users.  The likelihood for change will occur only if there will be a greater cost to the industry through liability lawsuits or if there is legislative changes that will require these changes to be effected in the short run.

[1] Danny Yadron, Paul Ziobro and Charles Levinson, Wall Street Journal, January 29, 2014.
[2] Version of Target Malware Linked to Young Russian, Danny Yadron, Charles Levinson and Paul Sonne, Wall Street Journal, January 22, 2014.

No comments:

Post a Comment