Here's what an expert told Softpedia regarding the breach

Dec 21, 2013 09:13 GMT

Target has recently suffered a data breach in which around 40 million payment cards have been compromised. The company’s CEO, Gregg Steinhafel, has made a statement to reassure users that they will not be held financially responsible for any credit and debit card fraud.

In addition, he has finally made the announcement that the company will be offering free credit monitoring services.

Furthermore, Steinhafel has revealed that Target customers who shop in US stores on December 21 and 22 will receive a 10% discount, the same as employees do.

In the meantime, Brian Krebs has revealed that the stolen payment card data is already being sold on underground markets. The information is sold in batches of one million cards for prices between $20 (€14.6) and $100 (€7.3) per card.

Fortunately, Target says there’s no evidence that PINs have been compromised and Brian Krebs has found that CVV2 codes also haven’t been obtained. This makes it a bit more difficult to misuse the stolen data.

How the attackers obtained the data is still uncertain. In an interview with Softpedia, Mark Bell, executive vice president of operations at Digital Defense, revealed some interesting facts and theories regarding the attack.

“From the limited information that is available, it appears that the point-of-sale (POS) software running on Target’s POS terminals was hacked. Since this issue was so widespread and at this point only seems to affect Target, it appears this issue was introduced within Target’s network environment or their POS software supplier’s environment,” Bell said.

“One thing for certain is whoever was behind this attack had to have intimate knowledge of the software running on the POS devices. Knowledgeable individuals could range from a current or former Target or vendor employee to a skilled attacker who was able to obtain the software through theft or illegal purchase of a physical device or the source code itself,” he added.

“Once the malicious code was written, the attacker then had to introduce the code into the POS source code prior to it being pushed out to Target’s POS terminals.”

Similar to other experts, Bell also believes that this could be the work of an insider, such as an employee or a contractor with access to the POS software development environment.

“A second and more likely scenario would be targeted malware that was introduced into Target’s environment through a breakdown in security controls. This could have been introduced in a variety of ways, including spear-phishing attacks via e-mail or utilizing an infected mobile device, such as a USB fob,” the expert noted.

“Once access was gained, the attacker simply inserted his/her code into the existing POS software, taking great care to ensure the actual POS software continued to work as expected and that the skimming code’s actions were not detected.”

Bell highlights the fact that there’s no silver bullet when it comes to information security.

“As a merchant, Target is required to comply with the Payment Card Industry-Data Security Standard (PCI-DSS) and, particularly due to the sheer number of transactions it processes, it receives a great amount of scrutiny from internal and external auditors and security assessors in this area,” he explained.

“Even with this level of scrutiny and its own focus on information security, Target still experienced a breach.”

As for what Target should do next, Bell believes that the company will need to tighten its security controls in the areas that are found to be weak, and review all the other security controls currently in place.

“Target should share the results of their findings with other payment card merchants to ensure they share their lessons learned in order to help tighten payment card security across the industry as a whole,” he said.

“The true damage here is in consumer confidence; customers will likely be very wary in utilizing their payment cards at Target for the near future and may even take their business elsewhere until trust can be rebuilt. Target should clearly identify to their consumers the steps they are taking to protect their payment information and possibly even offer identity theft protection for those that were affected.”