Target corporation is the victim of the biggest credit card security breach to date, affecting up to 110M cards. That’s an amazing statistic by itself, but the problem is even worse – it remains unclear exactly what happened or if other companies are themselves targets of the same thieves.
But that is only to be expected in a system that is only as secure as the weakest link – and the potential gain by hacking it is nearly unlimited money. There is little doubt that even before we learn exactly what happened at Target it will happen again, on scales both large and small.
Could the Russian Mafia be involved? It’d be more surprising if they weren’t.
Let’s start with what we know so far:
Online credit card fraud is a very big business, and that is almost certainly the main destination of the stolen information. In 2013 it was estimated to be at $3.5B total. To put that into perspective, that’s a bit more than retail giant Target’s net profit in the same year. It accounts for nearly 1% of all online sales, a huge number when you consider that Target’s net profit margin is a shade over 4%.
It is fueled by stolen card numbers which can be entered onto a screen without producing the physical piece of plastic by just about anyone, anywhere. It represents the most important weakness in the entire system of credit card security because with only a set of numbers a thief can buy anything they want and fence it later.
Target announced that stored credit card information of up to 40M was breached on 19 December, a day after it was reported publicly and apparently more than three weeks after the breach started. It wasn’t until 10 January that they announced that 70M people had additional personal information captured in the security breach, some of them probably included in the first group. Their CEO, Gregg Steinhafel, took to MSNBC to try to calm things on 12 January, but ultimately had to admit that the company still doesn’t “know the full extent of what transpired.”
Such an easy Target (such an easy joke)
The best we can say so far is summarized by Brian Krebs, the man who first broke the story. The focus is on malware at the Point-of-Sale (POS) systems that every store uses to process cards. This is a must-read article on the theft. The current theory is that this system was infiltrated off the web by Russian or Ukrainian gangsters. And this is the end of what is known about the story so far.
There are several problems with the prevalent theory, however. Such a breach from the web would have to mean that numerous ordinary firewalls and other security systems were not in place and some of the information, such as addresses, are not stored in the POS system. Signs still point to an inside job performed by an employee or a consultant. Yet up until now no one has even suggested that this is the focus of the investigation – more than 6 weeks after the crime was first committed.
As of today we do not have a complete list of the boosted information or any reasonable theory as to how it was stolen. That seems to be a bigger problem than the credit card numbers themselves.
A Target POS system. They really are called that.
Stepping back from the problems discovered by Target, we can only reasonably expect that something like this is going on constantly, every day. Without knowing what happened it’s impossible for any retailer to know how to protect themselves, or for consumers to know how to prevent their cards from being stolen. The entire system has to be considered unsafe and compromised until proven otherwise.
Nor will it be easy to fix whatever problem is uncovered, even if it turns out to be an inside job. Breaches like this occur every day and the tools to perform more and more intricate data stealing schemes are circulated in the dark corners of the ‘net. The rise of online retail only provides more opportunities to buy goods to fence with the stolen information, making it easier and more lucrative.
Whatever happened to Target has to be seen as something much bigger than even the eye-popping numbers tell us immediately. This had to happen on this scale eventually to someone, somewhere, no matter what it turns out went down. The system has been broken for a long time and the potential reward for abusing it is far too large to stop theft easily.
And we still don’t even know what happened. For that reason alone, the entire network of credit cards has to be considered insecure.
Barataria - The work of Erik Hare 
It totally had to be an inside job. I’m sure they are lying about the investigation to keep the target from suspecting they are on to him. They have to know what happened by now.
They may not know. But you are right, the internet point of attack may be a ruse. But it would be one Hell of a story if false information was put out by a company this big just to make the perp think the heat wasn’t on.
Did you see this? http://www.cbc.ca/news/technology/target-data-breach-is-tip-of-the-iceberg-cybercrime-watchdog-warns-1.2500959
The cyber security firm IntelCrawler said on Friday it has uncovered at least six ongoing attacks at merchants across the United States whose credit card processing systems are infected with the same type of malicious software used to steal data from some 40 million credit cards at Target Inc.
Yuck. I did see this coming. To answer Smithson’s question, this is the kind of thing that could really screw up the improvements in the economy. There is no quick fix for it, and if credit card usage goes way down for a few months we’re probably all in trouble.
Thanks for the heads-up, I really appreciate it.
Pingback: How to Fight a War | Barataria - The work of Erik Hare
Pingback: Credit Where It’s Due | Barataria - The work of Erik Hare
Pingback: The Small Stories Inside | Barataria - The work of Erik Hare
Pingback: Hindsight Conspiracies | Barataria - The work of Erik Hare
Pingback: Credit Card System: Fail | Barataria - The work of Erik Hare
Pingback: Beyond Watergate | Barataria - The work of Erik Hare
Pingback: Conspiracy in Hindsight | Barataria - The work of Erik Hare