Target Corporation confirmed Thursday that cyber thieves stole credit and debit card data belonging to about 40 million customers who used those cards at its stores nationwide beginning around Thanksgiving and through mid-December.
That the thieves were able to defeat the increased cyber-security measures that a major retailer such as Target undoubtedly has in place, experts warn, is a worrying sign that cyber criminals’ sophistication is keeping them one step ahead of the retail industry and law enforcement officials.
The stolen data, which are contained on the magnetic strip on the back of the cards, include the customer’s name, the credit or debit card number, and the card’s expiration date – as well as the “CVV” or three-digit security code, the company said in a statement issued Thursday morning.
Such “track data” are often gathered and sold in black market websites. Later they can be used to create fake credit cards to charge merchandise at a store, withdraw cash from an ATM, or charge merchandise online, cyber-security experts say.
The data in question appear to have been stolen from Target’s brick-and-mortar stores without affecting the company’s online operations, reported Brian Krebs, the online security blogger who revealed the breach on his site Wednesday.
“If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs,” Mr. Krebs wrote.
The data theft began on Nov. 27 – just ahead of Thanksgiving and Black Friday, one of the nation’s busiest shopping days – and continued until Dec. 15, Target reported in its press release. An unnamed cyber-security company is investigating the incident, the company reported.
The US Secret Service, which investigates payment system breaches, is also involved, the Wall Street Journal reported.
Target says the breach was reported immediately after it was discovered. The breach has also been stopped, they said. But consumers who used cards at the stores during that period should monitor their accounts and credit reports closely for any signs of unusual activity and notify authorities promptly, they said.
“Target’s first priority is preserving the trust of our guests, and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” Gregg Steinhafel, president and chief executive officer of Target, said in a statement. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
While few details about the attack are available, the Target cyber theft follows a number of high-profile thefts of credit card data in recent years that give cyber-security experts ideas about trends and vulnerabilities that may have permitted attacks to occur.
In 2007, retailer TJX discovered that cyber thieves had infiltrated wireless networks inside its stores, using those to access its headquarters data systems that stored card, check, and other transaction data from its stores nationwide. Data from about 45 million cards were stolen in that case.
In 2009, Heartland Payment Systems revealed that cyber thieves had hacked into its internal processing network, installing software that snatched “track data” belonging to some 130 million cards.
In recent years, federal authorities have shown some signs of progress bringing at least some cyber criminals to justice. Hacker Albert Gonzalez was sentenced in 2010 to 20 years in prison for the Heartland Payment Systems hack.
In July, the FBI charged two Russian hackers with stealing millions of dollars from more than 800,000 bank accounts. One of those hackers, and several others, were also charged with the theft and sale of about 160 million credit and debit card numbers leading to the theft or loss of hundreds of millions of dollars, according to the indictment.
Losses “included $300 million in losses for just three of the corporate victims and immeasurable losses to the identity theft victims, due to the costs associated with stolen identities and fraudulent charges,” the indictment found.
But even if federal authorities appear to be gaining some ground, it’s also true that cyber thieves’ sophistication is growing in order to surmount improved cyber defenses in the retailing industry, cyber-security experts say.
Companies like Target would likely have passed a number of cyber-security audits for its systems, they said. So the thieves would have had to circumvent multiple layers of encryption and other security measures.
One way to do that is to target “point of sale” systems – the equipment that records and processes the card swipe at the register. A particularly aggressive and common type of malicious software used by cyber criminals to conduct attacks on such systems is known as “Dexter,” says Johannes Ullrich, dean of research at the SANS Technology Institute, an Internet security training company.
While there is no evidence at this point that the Target compromise is related to Dexter, it is certainly is one of the avenues that may have been used, Dr. Ulrich says.
“One of the problems that is haunting merchants right now is compromised point of sales (PoS) systems,” he says. “To fight these attacks, credit card terminal vendors try to add encryption to their terminals as close to the actual reader as possible. But not all terminals use encryption, and the data can be compromised as it passes the merchants network, or even within the cash register terminal if it is compromised by malware like Dexter.”
So-called “skimmers” are also an ongoing problem. Those devices, when attached at the register, may be modified to become credit card readers that copy magnetic stripe data – and even the PINs entered – and then transmit that data to the criminals. Skimmers, however, seem far less likely in the Target case because of the additional equipment that would have been required, Ulrich says.
Ironically, one of the effects of cyber criminals’ success in stealing credit card data for resale has been a glut of stolen data and a broad price drop for it in recent years, according to research conducted by Dell SecureWorks.
Prices today for different US credit cards remain roughly at 2011 levels, or about $4 to $8 per card data set. In 2011, stolen credit cards from mainland Europe cost approximately $21. By contrast, this year credit card data from Europe cost $18, a $3 per card drop or about 14 percent. What it indicates is that law enforcement and cyber security is still playing catch-up to the most sophisticated cyber criminals, experts say.
“Target has got to be in the top tier for cyber security, have passed all the audits,” says Jeff Williams, director of Security Strategy for Dell SecureWorks Counter Threat Unit. “What it means is that the criminals have in this case gotten just that much more sophisticated. They found a loophole. It could be from outside – or a malicious insider. One thing’s for sure, though, it’s become a kind of a cyber-crime Wild West online.”