We all read about the Target security breach that compromised tens of million of customers. Target is back in the news today.
(LA Times) Target Corp. is hiring an IT expert from General Motors Co. to beef up its data security following a massive breach that continues to weigh on its reputation.
Brad Maiorino will head up technology risk and information strategy, a newly created position.
It’s the latest move by Target to tighten security over its huge amount of shopper data. The Minneapolis company has increased monitoring of accounts and implemented new safeguards at its point-of-sale systems.
Target, the nation’s third-largest retailer, has been struggling with the fallout from its disclosure in December that hackers stole credit and debit card information from tens of millions of customers.
Its revenue dropped 5% in the crucial fourth quarter and its chief executive, Gregg Steinhafel, stepped down last month. That followed the exit of Beth Jacob, the retailer’s former chief information officer.
You may recall that the breaches, they were big news this past December, but how exactly did the theft take place?
(Bloomberg Business) The biggest retail hack in U.S. history wasn’t particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in Target’s (TGT) security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.
It’s a measure of how common these crimes have become, and how conventional the hackers’ approach in this case, that Target was prepared for such an attack. Six months earlier the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye (FEYE), whose customers also include the CIA and the Pentagon. Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.
On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route. As they uploaded exfiltration malware to move stolen credit card numbers—first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …
OK, so Target blew it.
Their focus being directed at realizing sales during the year’s biggest shopping weekend, the company’s security team missed the theft of millions of credit card numbers.
How much was stolen?
Estimates has those numbers at 40 million credit card numbers, along with 70 million addresses, phone numbers and an unknown amount of card holder’s personal information simply flying out of a hacked Target server.
These were not Target credit cards.
The hackers stole every card number swiped in a Target store during 2013’s Black Friday weekend. So if you shopped at any Target store on or about last Thanksgiving, your information was very likely stolen.
Bloomberg Business goes on.
In testimony before Congress, Target has said that it was only after the U.S. Department of Justice notified the retailer about the breach in mid-December that company investigators went back to figure out what happened. What it hasn’t publicly revealed: Poring over computer logs, Target found FireEye’s alerts from Nov. 30 and more from Dec. 2, when hackers installed yet another version of the malware. Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn’t begun transmitting the stolen card data out of Target’s network. Had the company’s security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happened at all.
They missed it not once, but twice.
Here’s a visual to help you along.
Security guru Brian Krebs (first to report the Target breach) reported that the HVAC vendor whose credentials were used by the hackers to breach the Target network was Fazio Mechanical Services, located in Western Pennsylvania. According to Fazio Mechanical’s response to the revelation of their part in the hack, their data connection to Target was used for billing, contract submissions and project management. The hackers obviously exploited weaknesses in Target’s firewalls and introduced a cloaked bad code (they used the name of a legitimate piece of software used by companies to protect card user’s information) on November 30th.
OK, so that’s the part we all may have heard about with perhaps a little more fill and color, but (as Paul Harvey may ask) what’s the rest of the story?
What do hackers do with 40 million stolen credit card numbers with billions of dollars of purchasing power?
What does McDonald’s have to do with any of this?
Here is… the rest of the story.
Welcome to the world of carding.
Krebs is now reporting on the industry behind the business of stolen credit card information.
Hang on to your socks.
Peek Inside a Professional Carding Shop
(Krebs on Security) Over the past year, I’ve spent a great deal of time trolling a variety of underground stores that sell “dumps” — street slang for stolen credit card data that buyers can use to counterfeit new cards and go shopping in big-box stores for high-dollar merchandise that can be resold quickly for cash. By way of explaining this bizarro world, this post takes the reader on a tour of a rather exclusive and professional dumps shop that caters to professional thieves, high-volume buyers and organized crime gangs.
The subject of this post is “McDumpals,” a leading dumps shop that first went online in late April 2013. Featuring the familiar golden arches and the bastardized logo, “i’m swipin’ it,” the site’s mascot is a gangstered-up Ronald McDonald pointing a handgun at the viewer.
Nevermind that this shop is violating a ridiculous number of McDonald’s trademarks in one fell swoop: It’s currently selling cards stolen from data breaches at main street stores in nearly every U.S. state.
Like many other dumps shops, McDumpals recently began requiring potential new customers to pay a deposit (~$100) via Bitcoin before being allowed to view the goods for sale. Also typical of most card shops, this store’s home page features the latest news about new batches of stolen cards that have just been added, as well as price reductions on older batches of cards that are less reliable as instruments of fraud.
These guys are brazen!
Krebs goes on.
I’ve put together a slideshow (below) that steps through many of the updates that have been added to this shop since its inception. One big takeaway from this slideshow is that many shops are now categorizing their goods for sale by the state or region of the victim company.
This was a major innovation that we saw prominently on display in the card shop that was principally responsible for selling cards stolen in the Target and Sally Beauty retail breaches: In those cases, buyers were offered the ability to search for cards by the city, state and ZIP of the Target and Sally Beauty stores from which those cards were stolen. Experienced carders (as buyers are called) know that banks will often flag transactions as suspicious if they take place outside of the legitimate cardholder’s regular geographic purchasing patterns, and so carders tend to favor cards stolen from consumers who live nearby.
This “Business” has its own unique terminology, as detailed by Krebs in the article linked.
I strongly recommend that you follow the article’s link, read the terminology, and watch the slide show.
It’s not only fascinating, but frightening as well.
Technological companies are hard at work looking for ways to secure the sensitive nature of electronic payments in a world that long ago decided that cash was a secondary mode of payment, and new software is being developed both for securing the buyer’s information at the store level, and for making payments in a more secure manner.
The past week’s launch of The Wocket, a smart wallet with a re-programmable single credit card device that operates under a secured system using biometrics, may in fact herald the dawn of a new age in personal financial transactions, as well as the beginning of the end for that ugly bulge on the seat of men’s pants where an overstuffed wallet normally resides.
That’s all good and dandy, but I keep reverting back to that old saying… crime doesn’t pay, and secured technology is only secured until it is hacked, so criminals will always find ways to not pay for stuff, or rather, to have us pay for their stuff.
I just don’t think that those boys at McDumpals, and their suppliers will simply give up on the easy money, no matter how secure we try to make our electronic money.
And that’s the last wire for Saturday, June 14, 2014.
Everything that was news before this moment, is now history.