Millions of shoppers who visited Target between November 27 and December 18, 2013, received notices that their payment card data had potentially been compromised. In what has turned out to be one of the largest cyber breaches in U.S. history, hackers infiltrated Target’s payment network and obtained the credit or debit card information of 40 million shoppers, as well as the personal information of approximately 70 million customers.
The Minneapolis-based Target Corporation went public about the breach on December 19, and has been faced with more questions than answers ever since. What tools did the hackers use to siphon off the credit card information unnoticed? Was Target doing enough to protect its customers? Could a breach like this have been prevented?
The attack. Investigators have found that random access memory (RAM) scraping malware was used to infect the point-of-sale (POS) terminals where customers swipe their credit or debit cards. Levi Gundert, lead analyst for Cisco’s threat research analysis and communications team, says that the malware works because payment card industry security standards require that payment card data be encrypted at the POS terminal and transmitted across the network in an encrypted state. That data becomes vulnerable at one single point: when it is decrypted to be read by the machine.
“The [payment] process, as it runs, basically has to move the data from the magnetic stripe into memory on the computer workstation or terminal,” Gundert says. “Whenever it resides in memory for even a split second, it’s very simple to write some code, write a program…that basically strips out any data residing in memory even momentarily.” He says the program accesses RAM on the infected machines constantly, looking for patterns of digits that match the information contained on a payment card’s magnetic stripe.
To install the RAM scraping malware on POS terminals, hackers needed to gain initial entry into Target’s network. In late January, investigators announced that this was achieved through stolen access credentials from a third-party vendor. The press later found that the login credentials were stolen from Fazio Mechanical Services, a refrigeration and HVAC services provider based in Sharpsburg, Pennsylvania. Once the hackers were inside Target’s network, they had the ability to move throughout all of the retailer’s systems, allowing them to steal the names, mailing addresses, phone numbers, and e-mail addresses of millions of customers.
“They were able to breach an outside system and get to multiple areas within Target, which suggests things weren’t compartmentalized,” says Chester Wisniewski, senior security adviser at Sophos. He adds that a best practice for companies to prevent such a breach is network segmentation, which would include, for example, having one set of access credentials and directory restrictions for a payment system and another set for a Web site.
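The two defensive points in this section, segmentation between vendor, Web and payment systems and separate credentials for each, can be expressed as a policy and checked against authentication logs. The following Python is an added illustration written for this page, not code from Target, Sophos or Cisco; the zone names, subnets, account groups, log format and log lines are all constructed assumptions. It flags any authentication event that crosses a zone boundary the policy does not permit, or that uses an account outside the zone its credentials were issued for, which is the pattern of a third-party login reaching a payment host.

```python
import ipaddress
import re

# Hypothetical network zones and their subnets (constructed for this example).
ZONES = {
    "vendor":  [ipaddress.ip_network("10.50.0.0/16")],
    "web":     [ipaddress.ip_network("10.20.0.0/16")],
    "corp":    [ipaddress.ip_network("10.10.0.0/16")],
    "payment": [ipaddress.ip_network("10.99.0.0/16")],
}

# Zone-to-zone flows that the segmentation policy permits; anything else is denied.
ALLOWED_FLOWS = {
    ("vendor", "vendor"), ("web", "web"), ("corp", "corp"),
    ("corp", "web"), ("payment", "payment"),
}

# Account groups and the only zones their credentials are valid for
# (one credential set per system, as the text recommends).
ACCOUNT_SCOPE = {
    "vendor-hvac": {"vendor"},
    "web-admin":   {"web"},
    "pos-admin":   {"payment"},
}


def zone_of(ip: str) -> str:
    """Map an IP address to its zone name, or 'unknown' if it matches no subnet."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def flow_allowed(src_ip: str, dst_ip: str) -> bool:
    """True if the segmentation policy permits traffic from src_ip to dst_ip."""
    return (zone_of(src_ip), zone_of(dst_ip)) in ALLOWED_FLOWS


# Constructed log format (assumption): one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) group=(?P<group>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

# Constructed sample events: a vendor account working inside its own zone,
# the same account reaching a payment host, a failed Web-admin attempt on
# that host, and a legitimate POS admin login.
SAMPLE_LOG = [
    "2013-11-27T02:14:05Z auth user=hvac-monitor group=vendor-hvac src=10.50.3.7 dst=10.50.1.20 result=success",
    "2013-11-27T02:15:41Z auth user=hvac-monitor group=vendor-hvac src=10.50.3.7 dst=10.99.8.15 result=success",
    "2013-11-27T02:16:02Z auth user=web-deploy group=web-admin src=10.20.4.9 dst=10.99.8.15 result=failure",
    "2013-11-27T02:17:30Z auth user=pos-ops group=pos-admin src=10.99.0.5 dst=10.99.8.15 result=success",
]


def review_auth_log(lines):
    """Return one finding per event that violates segmentation or credential scope."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not auth events
        ev = m.groupdict()
        src_zone, dst_zone = zone_of(ev["src"]), zone_of(ev["dst"])
        reasons = []
        if (src_zone, dst_zone) not in ALLOWED_FLOWS:
            reasons.append("zone-crossing")
        if dst_zone not in ACCOUNT_SCOPE.get(ev["group"], set()):
            reasons.append("account-out-of-scope")
        if reasons:
            findings.append({
                "user": ev["user"], "src_zone": src_zone, "dst_zone": dst_zone,
                "result": ev["result"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in review_auth_log(SAMPLE_LOG):
        print(finding)
```

A successful event that carries both reasons, as the second sample line does, is the one to alert on first: a credential issued for one zone has authenticated to a host in another, which is exactly what compartmentalization is meant to make impossible. The failed attempt is still worth recording, since it shows the boundary being probed even though it held.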