Today’s retail environment has become increasingly more complex and sophisticated. Recently, it has been reported that more consumers in Singapore are willing to use Visa PayWave, of which usage has more than tripled since its introduction to supermarket cash registers last year. This trend has created the demand for more businesses to embrace new technologies quickly, and IT demands continue to increase due to growing risk management concerns and regulatory compliance requirements. Distributed retail environments are particularly challenging. Each endpoint (store) is an attack vector waiting to be exploited.
As real life examples of this, at the end of Year 2013, a security breach on USA-based retailer Target Corporation has discovered the vulnerabilities retailers will have with their Point of Sale (PoS) system if they are not secured correctly. As a result of the breach, Target’s CIO Beth Jacob has since claimed responsibility and resigned, leaving industry watchers questioning if companies allocate sufficient security funding and resources to prevent such breaches – or would they be better off outsourcing to third party security experts?
These are alarming concerns for the retail industry, however most retail business owners are lacking in expertise as to how they should protect their systems; most believe that a good Anti-Virus is sufficient to mitigate threats. We can learn from history if we pay close enough attention to what it tells us. With that in mind, we shall take a closer look at what the industry knows so far about the Target data breach, so we can try to learn from someone else’s painful experience.
What was stolen and how does it affect the common retailer?
As we know, Target Corporation is an American retailing company, founded in 1902 and headquartered in Minneapolis, Minnesota. The company is ranked 36th on the Fortune 500 as of 2013 and is a component of the Standard & Poor’s 500 index. The first Target store was opened in 1962 in Roseville, Minnesota. Target grew and eventually became the largest division of Dayton Hudson Corporation, culminating in the company being renamed as Target Corporation in August 2000. In early 2013, Target expanded into Canada and now operates over 100 locations through its Canadian subsidiary.
On Dec. 18th, 2013, Brian Krebs (krebsonsecurity.com) reported that sources had informed him Target was investigating a potentially big data breach. Target confirmed the news a day later. Fast forward to 2014, and we now understand that hackers infiltrated Target’s computer systems through a third-party vendor, making its way to store registers across its 1,000 stores. During the breach, attackers stole two distinctly different types of information, both of which serve different purposes to attackers:
1. Credit card magnetic stripe data – They can use this to create fake credit cards for physical purchases, or physical ATM withdrawals (if they can decode the PINs, which is unlikely).
2. Personally Identifying Information (PII) – They have 70 million customer names, numbers, addresses, and emails, which they can start to use for identity theft (though they’d probably have to first get your social security number, too), or they can use the email addresses in future phishing attacks.
As far as the PII is concerned, frankly things like your name, address, phone number, and email are probably already out there. The additional risk on this info due to the Target breach isn’t zero, but it is probably relatively negligible.
The credit card data leak has more severe repercussions though. While the good news is most experts believe the attackers do not have enough information to make unattended purchases, they do have enough data to make a clone copy of your card, which they can try to use to make fraudulent, in-person purchases. Finally, if they do crack the supposedly protected PINs, they could also make ATM withdrawals, like in the big $45 million dollar ATM heist of last year.
What Can Businesses and Retailers Learn from the Target Attack?
Over the past few years, experts in the Infosec field have noticed the steady increase in malware that specifically targets point-of-sale (PoS) systems, and this Target breach illustrates just how popular it’s become with cyber criminals. Since many PoS systems are just Windows or Linux computers, PoS malware looks and acts, for the most part, very much like normal malware… with two distinct differences.
First, it was designed to search the victim computer’s active memory, rather than just searching its file storage system (a technique security folks call RAM scraping). Second, PoS malware is designed specifically to sniff our credit card magnetic stripe data. In other words, it specifically looks for the data PoS systems handle. So, how do you prepare for PoS malware? Here are some of my takeaway and tips:
- Segment your trusted network – In every organization, there are people or assets that have different levels of privilege or sensitivity than others. For instance, there is no reason that someone in your HR department should have network access to your engineers’ source code repositories. By the same token, there is no reason that the computers your employees use to browse the Internet in the break room should be on the same network as the ones your PoS registers are on (and this doesn’t even get into wireless networks).
- The good news is many security appliances– be it the legacy firewalls, Unified Threat Management (UTM) devices or Next Generation Firewalls (NGFW) – have many physical interfaces, and even VLAN tagging capabilities, which allow you to segment your internal, trusted network more granularly, based on the roles difference users and assets play in your organization. This additional network segmentation allows you to have a “roadblock” where you can enforce explicit policies for what is and isn’t allowed. If you place your PoS systems on a separate network, you can create policies that only allow the specific PoS traffic to these systems. This means any PoS malware trying to ex-filtrate data from your network will have more hurdles to get the data out. For instance, in the Target attack the hackers used good old FTP, which you may decide to block on your PoS network.
- Keeping up to date with more proactive malware detection – Antivirus (AV) technology still relies very heavily on reactive, signature-based detection. However, AV vendors have started implementing more proactive detection technologies, which use techniques like behavior analysis or code emulation to help detect new malware without signatures. Recently, newer malware detection controls have surfaced that use something called virtual execution to run unknown binaries in a fully virtualized Windows environment, in real-time. These solutions are much better at proactively finding previously undiscovered malware by monitoring for suspicious behaviors. If you’re concerned with advanced attacks, like the one Target just went through, you should consider these types of advanced malware detection solutions in the future (and keep an eye on WatchGuard this year).
- Focus your defenses on data – Most of our preventative security controls are focused on protecting machines and devices, and not necessarily on protecting data directly. While we do need to protect the container of data, I also believe we need to spend a bit more time monitoring and protecting our data directly; one being investing in data loss prevention (DLP) technologies that can see sensitive data as it passes your borders. For instance, the DLP service WatchGuard offers can monitor for credit card numbers and magnetic stripe information. In fact, we specifically monitor for this type of data when sent over FTP, which happens to be how Target’s attackers got their loot out the door. DLP is not fool proof—smart attackers might encrypt things to get it past sensors—but it does pose another roadblock, making things harder for the attacker.
- Invest in detection and analytics –The technology that protects us today will eventually get bypassed tomorrow, and even if we had the perfect technological solution, there is still a human element to the security problem, and criminals would still prey on our social weaknesses to infiltrate our networks. If a motivated, persistent, and well-financed attacker wants into your network, he or she will probably find a way over time. That is why you should focus some of your security efforts on security visibility and analytics solutions this year, such as WatchGuard Dimension™. They can help you quickly identify anomalies or security events on your network, so that your incident response team can immediately research them, and hopefully cut off any attacks in progress, before the thieves make off with the keys to your kingdom.
- Review credit card standards – Countries should update its credit and debit card standards – In his video interview with CNBC, Target’s CEO mentioned an industry-wide problem that I think might be the crux of many of the US’s credit and debit card fraud issues; our continued use of magnetic stripe cards as opposed to the newer, and more secure EMV or “chip and pin” cards. Most of the data stored on magstripe cards are stored in clear text, and you can easily recover or clone the data with a cheap reader. EMV cards actually have small microprocessors on them. They include cryptographic keys that prove the card is the original, and follow a dynamic authentication process that confirms the validity of both the card and the card reader. In short, EMV makes it much harder for attackers to clone cards and use them for in-person, fraudulent purchases.
The fact of the matter is, any one of us can suffer a breach like Target did. Even if you do all the right things, and implement all the right defenses, everyone is human. A simple mistake can be the hole that lets that persistent advanced attacker in. Rather than blame the victim, we need to find and prosecute the attackers, but also learn from these unfortunate events so that we can make it a little harder for the criminals to succeed next time.
Scott Robertson is the Vice President Asia Pacific for WatchGuard Technologies, Inc.