Home » Money » A Big Fat Target

A Big Fat Target

Target corporation is the victim of the biggest credit card security breach to date, affecting up to 110M cards. That’s an amazing statistic by itself, but the problem is even worse – it remains unclear exactly what happened or if other companies are themselves targets of the same thieves.

But that is only to be expected in a system that is only as secure as the weakest link – and the potential gain by hacking it is nearly unlimited money. There is little doubt that even before we learn exactly what happened at Target it will happen again, on scales both large and small.

Could the Russian Mafia be involved?  It'd be more surprising if they weren't.

Could the Russian Mafia be involved? It’d be more surprising if they weren’t.

Let’s start with what we know so far:

Online credit card fraud is a very big business, and that is almost certainly the main destination of the stolen information. In 2013 it was estimated to be at $3.5B total. To put that into perspective, that’s a bit more than retail giant Target’s net profit in the same year. It accounts for nearly 1% of all online sales, a huge number when you consider that Target’s net profit margin is a shade over 4%.

It is fueled by stolen card numbers which can be entered onto a screen without producing the physical piece of plastic by just about anyone, anywhere. It represents the most important weakness in the entire system of credit card security because with only a set of numbers a thief can buy anything they want and fence it later.

Target announced that stored credit card information of up to 40M was breached on 19 December, a day after it was reported publicly and apparently more than three weeks after the breach started. It wasn’t until 10 January that they announced that 70M people had additional personal information captured in the security breach, some of them probably included in the first group. Their CEO, Gregg Steinhafel, took to MSNBC to try to calm things on 12 January, but ultimately had to admit that the company still doesn’t “know the full extent of what transpired.”

Such an easy Target (such an easy joke)

Such an easy Target (such an easy joke)

The best we can say so far is summarized by Brian Krebs, the man who first broke the story. The focus is on malware at the Point-of-Sale (POS) systems that every store uses to process cards. This is a must-read article on the theft. The current theory is that this system was infiltrated off the web by Russian or Ukrainian gangsters. And this is the end of what is known about the story so far.

There are several problems with the prevalent theory, however. Such a breach from the web would have to mean that numerous ordinary firewalls and other security systems were not in place and some of the information, such as addresses, are not stored in the POS system. Signs still point to an inside job performed by an employee or a consultant. Yet up until now no one has even suggested that this is the focus of the investigation – more than 6 weeks after the crime was first committed.

As of today we do not have a complete list of the boosted information or any reasonable theory as to how it was stolen. That seems to be a bigger problem than the credit card numbers themselves.

A Target POS system.  They really are called that.

A Target POS system. They really are called that.

Stepping back from the problems discovered by Target, we can only reasonably expect that something like this is going on constantly, every day. Without knowing what happened it’s impossible for any retailer to know how to protect themselves, or for consumers to know how to prevent their cards from being stolen. The entire system has to be considered unsafe and compromised until proven otherwise.

Nor will it be easy to fix whatever problem is uncovered, even if it turns out to be an inside job. Breaches like this occur every day and the tools to perform more and more intricate data stealing schemes are circulated in the dark corners of the ‘net. The rise of online retail only provides more opportunities to buy goods to fence with the stolen information, making it easier and more lucrative.

Whatever happened to Target has to be seen as something much bigger than even the eye-popping numbers tell us immediately. This had to happen on this scale eventually to someone, somewhere, no matter what it turns out went down. The system has been broken for a long time and the potential reward for abusing it is far too large to stop theft easily.

And we still don’t even know what happened. For that reason alone, the entire network of credit cards has to be considered insecure.

Advertisements

10 thoughts on “A Big Fat Target

  1. It totally had to be an inside job. I’m sure they are lying about the investigation to keep the target from suspecting they are on to him. They have to know what happened by now.

    • They may not know. But you are right, the internet point of attack may be a ruse. But it would be one Hell of a story if false information was put out by a company this big just to make the perp think the heat wasn’t on.

    • Yuck. I did see this coming. To answer Smithson’s question, this is the kind of thing that could really screw up the improvements in the economy. There is no quick fix for it, and if credit card usage goes way down for a few months we’re probably all in trouble.

      Thanks for the heads-up, I really appreciate it.

  2. Pingback: How to Fight a War | Barataria - The work of Erik Hare

  3. Pingback: Credit Where It’s Due | Barataria - The work of Erik Hare

  4. Pingback: The Small Stories Inside | Barataria - The work of Erik Hare

  5. Pingback: Hindsight Conspiracies | Barataria - The work of Erik Hare

  6. Pingback: Credit Card System: Fail | Barataria - The work of Erik Hare

  7. Pingback: Beyond Watergate | Barataria - The work of Erik Hare

Like this Post? Hate it? Tell us!

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s