Target Malware Revealed

Since we first reported that hackers had stolen credit card data from Target, the news has grown worse for the retailer.  Now they say that the original estimate of 40 million credit and debit card stolen was short.  The new number is 100 million debit and credit cards, including the pins, plus the news that the theft included mailing addresses, phone numbers, and email addresses.  How is it possible they had all that data, if all that is needed to make a purchase is the card number and pin?

Target says they learned that the data was lost in December 2013.  Looking at my online bank statements, the last time I used shopped at Target was June 6, 2011.  So that would suggest the mechanism to steal this data has been churning away in Target’s computers undetected for at least 2 ½ years, since I rarely use cash.

Today’s news is that NBC news (and perhaps other media firms) has obtained a copy of the secret report that the computer firm iSight filed with the Secret Service.  The Secret Service had asked Target not the reveal the details while the investigation was underway.  NBC explained that the hackers stole this data by planting malware in the “store’s point-of-sale systems,” and that it read the data in clear text from the memory of the cash registers.  They do not know explain what they mean by the “point-of-sale systems,” but given the logistically difficultly of installing a virus physically into each individual cash register, one would have to assume that the virus was sent to the physical cash register from the POS server located in the store, perhaps when it sent pricing or credit card approval or verified the barcode.

The hack works by reading the data in clear text as the card was authorized, illustrated the point that encryption does not work if the hacker taps into the data at the right point. Retailers who use MasterCard, Visa, American Express, and other credit and debit cards are supposed to follow the PCI security standards published here.  Those standards call for strong encryption for data-at-rest and data-at-transit, but say nothing about data-as-it-is-processed.

Google’s Digital wallet has not taken off in the USA, because of various reasons, including push back from cellular service providers and other businesses who want to profit from whatever system that emerges to replace credit and debit cards in the future.  The digital wallet proposed a Secure Element chip that would have encrypted credit card data end-to-end as the card was authorized using the NFC (near field communication) radio communication that is used to read data from digital wallets.  But cell phone manufacturers have not added these chips to many phones, because of the battle for market share mentioned above.

But Google had the right idea.  In order to protect credit cards and debit cards from theft, the data sent to the card processor for authorization needs to be protected by PKI encryption that would send the public key and the encrypted card data to the processor.  That way it could not be read at the point of sale terminal and stolen.  The card’s private key would have to be held by the credit card processor so they can decrypt and read the data.

So far, there is no effort to do this.  Target is only offering Experian fraud detection for its customers for a year, which seems like a minimum gesture.  The costs of overhauling POS systems across the country must still exceed the money that is lost to thieves, not the mention the millions that Target is going to have to pay for all these lawsuits filed against them, thus making it cheaper to do nothing.  One would hope that the banks, credit card companies, and retailers would come together at some point to create something that hackers cannot defeat.  Such an effort would also help other businesses figure out how to defeat thieves and protect data.