Target Security Breach

© 2014 Pointe Solutions, Inc. | PO Box 41, Exton, PA 19341 USA | +1 610 524 1230 | www.pointesolutionsinc.com


Background

In the aftermath of the Target breach, which affected 40 million debit and credit card accounts as well as the names, home addresses, email addresses and phone numbers of about 70 million people, it is clear that the financial and reputational impact on Target is massive. According to information released by the Consumer Bankers Association and the Credit Union National Association, the breach has cost banks and credit unions more than US $200 million so far [1]. Various sources have estimated that fines from the data breach could exceed $1 billion. In addition, shares of Target stock dropped from 63.55 on December 18, 2013, when the news of the breach was first reported, to a 52-week low of 54.66 on February 5, 2014. This accounted for a 16% drop in Target’s share price before it rebounded slightly the following week.

Since the breach, Target has been working with federal officials on the investigation. The investigation disclosed that the attackers, operating from Russia, used the logon credentials of an HVAC vendor to access the system remotely and install malware on Target’s POS registers. The malware captured credit card numbers and other magnetic stripe information before the data was encrypted. The breach yields a number of lessons from both a retail and a consumer perspective, which are outlined below.

Retailers and PCI Compliance

The Payment Card Industry (PCI) Council was formed in 2006 by the major card brands to enforce a level of security standards on service providers and merchants that process and store credit card data. In the first several years of PCI, card brands concentrated PCI enforcement on the large transaction acquirers that handle millions of credit card transactions on behalf of retailers and other merchants. The compliance enforcement efforts around these acquirers took several years. As the acquirers worked through PCI compliance they realized that they were also responsible for the compliance of all the retailers and other merchants connected to their processing environment.

Merchants (retail, hospitality, financial services, etc.) that connect to transaction acquirers are far more numerous than the acquirers themselves, so PCI compliance for merchants involves a much greater effort. As a result, PCI compliance enforcement at the merchant level is still in its infancy and many retailers remain non-compliant with the PCI standards.

Most card brands require independent PCI Qualified Security Assessor (QSA) companies to assess retailers and other merchants that process a certain annual volume of credit card transactions. If transaction volumes are not significant (as defined by each card brand), retailers may “self-assess” their compliance. A Self-Assessment Questionnaire (SAQ) involves a less stringent testing process than a PCI QSA company’s Report on Compliance (ROC) would entail. The SAQ is often completed inaccurately, and little or no supporting documentation of the testing performed is required.

[1] http://www.nextgov.com/cybersecurity/2014/02/target-data-hack-cost-banks-more-200-million/78965/?oref=ng-channeltopstory

What Should Retailers Do?

PCI compliance is assessed over a period of time, and the compliance report is as of a specific date. After that report date, it is up to the retailer to ensure that ongoing compliance is maintained until the next assessment, which occurs annually. If the retailer does not implement a formal practice of ongoing compliance that is embedded in its day-to-day business processes, breakdowns in compliance are inevitable. Looking at the Target breach, there are some short-term PCI compliance requirements that can reduce exposure to this type of security breach.

1. Vendor credentials should be enabled only while the vendor performs maintenance. During maintenance, vendor access should be monitored for unusual activity. Upon completion of vendor maintenance, vendor credentials should be disabled.

2. Remote access to the POS environment should always require two-factor authentication. Two-factor authentication requires that two of the following three authentication methods be used to access the system:

- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric

3. POS networks should be segregated from other application servers (e.g., HVAC monitoring applications), and firewall rules should strictly limit traffic to and from PCI “zones” to approved servers and devices on a limited set of ports.

4. Top-level commercial antivirus and anti-malware products must be used. This software must be capable of performing on-demand scans and must update its signature files at least daily.
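As an added example of the monitoring that requirement 1 calls for (not code from the original paper), the following Python checks a remote-access gateway log against a per-vendor access policy; the log format, the hvac-vendor account, the addresses and the maintenance window are all constructed assumptions.

```python
# Added example (not from the Pointe Solutions paper): flag vendor remote-access
# logins that violate the vendor-access policy. Log format, account names,
# addresses and the maintenance window are constructed for the demo.
from datetime import datetime

# Per-vendor policy (constructed): the approved maintenance window, during which
# the credentials are enabled, and the vendor's known source addresses.
VENDOR_POLICY = {
    "hvac-vendor": {
        "windows": [(datetime(2014, 3, 10, 9, 0), datetime(2014, 3, 10, 12, 0))],
        "sources": {"203.0.113.10"},
    },
}

# Constructed remote-access gateway log: "<ISO time> <account> <source IP> <result>"
SAMPLE_LOG = """\
2014-03-10T09:12:03 hvac-vendor 203.0.113.10 success
2014-03-10T11:40:51 hvac-vendor 198.51.100.7 success
2014-03-18T02:17:44 hvac-vendor 198.51.100.7 success
2014-03-18T02:18:09 hvac-vendor 198.51.100.7 success
2014-03-19T03:02:30 hvac-vendor 198.51.100.7 failure
"""

def parse_log(text):
    """Turn each non-empty log line into (timestamp, account, source, result)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, src, result = line.split()
            events.append((datetime.fromisoformat(ts), account, src, result))
    return events

def find_vendor_anomalies(events, policy=VENDOR_POLICY):
    """Return (time, account, source, reason) for successful vendor logins that
    break the policy: outside every approved window (credentials left enabled,
    or used by someone else) or from an address the vendor never uses."""
    findings = []
    for ts, acct, src, result in events:
        if acct not in policy or result != "success":
            continue                      # untracked account, or the login was denied
        rule = policy[acct]
        if not any(start <= ts <= end for start, end in rule["windows"]):
            findings.append((ts.isoformat(), acct, src, "outside maintenance window"))
        elif src not in rule["sources"]:
            findings.append((ts.isoformat(), acct, src, "unexpected source address"))
    return findings

if __name__ == "__main__":
    for when, acct, src, why in find_vendor_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT {when} {acct} from {src}: {why}")
```

A vendor account whose credentials were actually disabled after maintenance cannot produce the out-of-window hits at all, so any such alert points at a process breakdown or at misuse of the vendor's credentials.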

Longer-term goals that will provide a more concrete solution to ongoing PCI compliance start at the very top of the organization. In evaluating sustainable compliance, retailers and other merchants should consider the following:

1. top level executive sponsorship and adequate budgeting to support PCI compliance activities;

2. limiting exposure by segmenting the corporate network from the POS processing environment through the use of strong firewall rules that deny all access by default and grant access only for authorized business purposes;

3. implementing detective controls such as intrusion detection, file integrity monitoring, and audit logging to identify and shut down unauthorized access to the POS environment as soon as it is identified; and
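An added illustration of the file integrity monitoring named in item 3 (not from the paper): a SHA-256 baseline of a POS register's software directory, re-checked for added, modified or removed files. The directory layout, file names and contents are constructed for the demo.

```python
# Added example (not from the Pointe Solutions paper): file integrity monitoring
# for a POS register's software directory. A SHA-256 baseline is taken while the
# register is known-good and re-checked on a schedule; a new, changed or missing
# file is how malware dropped onto a register, or a tampered POS binary, shows up.
# The directory layout and file names used below are constructed for the demo.
import hashlib
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries don't fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            digest.update(block)
    return digest.hexdigest()

def build_baseline(root):
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_integrity(root, baseline):
    """Compare the current tree with the baseline and return the deviations.

    added    -> files not in the baseline (e.g. malware dropped on the register)
    modified -> files whose hash changed (e.g. a tampered POS executable)
    removed  -> baseline files that have disappeared (e.g. a disabled agent)
    """
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as register:   # stands in for the POS directory
        Path(register, "pos.exe").write_bytes(b"known-good register software")
        baseline = build_baseline(register)
        Path(register, "pos.exe").write_bytes(b"tampered register software")
        Path(register, "unknown.exe").write_bytes(b"file that was never deployed")
        print(check_integrity(register, baseline))
```

In practice the baseline is stored off the register (or signed) so that whoever tampers with the files cannot also rewrite the hashes they are compared against.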


What Can the Consumer Do?

Consumers should first understand the difference between a credit card and a debit card. Credit cards have been used for years in the POS environment. Consumers who pay with a credit card receive a statement with all their transactions each month and pay the bill directly to the bank that issued the card. Debit cards withdraw money directly from the consumer’s bank account and have traditionally been used to withdraw money from an ATM. Debit cards have moved into the POS environment over the past several years, and that move has brought additional exposures.

Many years ago there were no debit cards other than what was used to withdraw cash from an ATM. These ATM cards always required the use of a personal identification number (PIN) and could not be used for POS transactions. Only credit cards were used for “swiped” POS transactions.

ATM networks realized the importance of securing the PIN, since the PIN along with the magnetic stripe information could be used to create fraudulent ATM cards and withdraw cash from consumer bank accounts. The ATM networks established rules around the encryption of the PIN to help protect the consumer. The rules around the encryption of the PIN were, and still are, extremely stringent and secure.

Whenever you withdraw cash from an ATM, the PIN is encrypted within secured hardware attached to the PIN entry device. As long as the PIN entry device is compliant with applicable standards, the PIN is never exposed unencrypted in software at any time or on the magnetic stripe. At the time, the networks were not worried about the security of the remaining magnetic stripe information, including the card number, since the magnetic stripe information was useless on its own without the PIN. Therefore, the protection of unencrypted card numbers and the remaining information on the magnetic stripe was not deemed as important as the PIN itself.

Several years ago, financial institutions, along with the card brands, offered “branded” debit cards. These debit cards carry the card brand (e.g., Visa, MasterCard) logos. The branded cards can be used for POS purchases that result in a withdrawal from the consumer’s bank account. There are two types of debit cards: an “on-line” card that requires a PIN, and an “off-line” card where no PIN is required. Most branded debit cards allow off-line transactions where the PIN is bypassed. As a result, the PIN is no longer required for POS transactions, and hackers can use the magnetic stripe information alone to duplicate these cards and use them for POS transactions. Moreover, the money comes directly out of the consumer’s bank account.

Under federal law, consumers are limited to a $50 exposure on fraudulent transactions. However, it is much more difficult to get money back once it has already been withdrawn from an account. Additionally, the longer a consumer waits to notify the institution of the fraudulent charge, the greater the chance that the consumer will be liable for all the money the hacker charged. When a credit card is used, money is never withdrawn from your account, and you have the ability to review your statement and dispute charges before the bill is paid.


Most banks automatically provide the consumer with a branded debit card. A consumer who is concerned about fraudulent charges hitting their bank account directly can ask the bank for an “unbranded” debit card, which carries no card brand logo. With these cards, the consumer is required to enter the PIN on every transaction. Most retailers accept non-branded debit transactions through national ATM networks such as Star, Pulse, and NYCE.

When these unbranded cards are used at POS devices, the PIN is not only required but is also encrypted in the same way as at an ATM: within a secured module attached to the POS PIN entry device. These POS devices use a strong encryption method (Triple DES). Some POS devices provide an additional level of security called Derived Unique Key Per Transaction (DUKPT), where the encryption key changes with every transaction. The use of an unbranded card reduces the exposure from a compromised card since, even if the magnetic stripe information is stolen, a fraudulent card would be declined without a valid PIN.

Consumers should also inspect the POS devices where they use their credit or debit cards. Skimming devices can be installed on the POS device to obtain credit and debit card information before it is ever entered into the POS device. If the consumer inspects the POS device for such skimming devices prior to swiping the card and shields the POS device when entering the PIN, it is highly unlikely that a PIN can ever be obtained in conjunction with the other magnetic stripe information.

Magnetic Stripe, Chip Card, and Point-to-Point (P2P) Technology

Although chip card technology was developed and available in the U.S. back in the early 1990s, the investment needed to retrofit existing POS and ATM terminals, along with the lack of standards around the use of this technology, stalled any proposed implementation. As such, the legacy magnetic stripe card technology remained in the U.S. while, more recently, other countries such as the United Kingdom invested in chip technology. Additionally, formal standards for chip card technology were recently adopted through EMV (Europay, MasterCard, and Visa). The EMV standards define the interaction at the physical, electrical, data and application levels between chip cards and the processing systems for financial transactions.

Chip technology does not rely solely on the magnetic stripe. Chip card readers authenticate the chip on the card, which is much more difficult to replicate. Therefore, if the card information is stolen, the transaction would be rejected without the corresponding chip. Even if the chip is somehow duplicated, there is a PIN that is required at the POS device, which further reduces the risk of compromise.

With the legacy magnetic stripe, a hacker needs only the information on the stripe itself to create a fraudulent credit card, unless, of course, it is an unbranded debit card as described previously. Since only the PIN used for debit transactions and ATM withdrawals is encrypted within the POS or ATM terminal, the magnetic stripe information remains unencrypted until it is encrypted outside the device. Any brief exposure of the unencrypted magnetic stripe information allows an attacker with sufficient access to intercept it and create fraudulent cards.


Point-to-Point (P2P) encryption is a way to further secure magnetic stripe technology. If the entire magnetic stripe is encrypted within the hardware of the POS device, the fraud exposure would be much lower. Hardware-based encryption never exposes the unencrypted data in the memory of a POS application. Assuming the encryption keys are managed in a compliant manner, the risk of decrypting this data is extremely low. P2P encryption still requires infrastructure changes that may require POS devices to be replaced.

Conclusion

Merchants and consumers must be educated on the risks that exist with credit and debit POS transactions. Merchants should implement adequate security measures as defined within the PCI Data Security Standards to limit their exposure. PCI compliance must be embedded within the day-to-day processes of the organization, not just a check box at a moment in time.

Consumers should understand the risks of debit vs. credit cards and determine whether they will accept the level of risk associated with branded debit cards used at POS locations. Additionally, the consumer should always be aware of the environment in which they use their debit or credit cards. This includes inspecting the POS devices for potential tampering and shielding the entry of the PIN to avoid potential disclosure to unauthorized individuals. Credit card statements should always be reviewed for potential fraudulent transactions and, if appropriate, disputed before providing payment.

The current infrastructure to support POS transactions in the U.S. has security flaws that can only be improved through major infrastructure investments. An infrastructure that supports Chip technology and/or hardware-based P2P encryption will provide stronger security measures and should minimize the risk of a security breach similar to the case of Target.
