How the Grinch Stole 40 Million Credit Cards
By Tim Toews, Guest Contributor
By now, we have all heard about the Target data security incident involving approximately 40 million consumer credit and debit cards.
How Bad is This?
It’s bad. A few years back, I witnessed two of the largest data security breaches in history while CIO of a major multichannel retailer. In 2007, the TJX breach affected roughly 90 million customers. A few years later, in 2009, Heartland Payment Systems had 130 million cards stolen. The Target case is right up there in scale.
Target claims that the “Issue has been identified and resolved”. It also came forward with the information fairly quickly, shortly after the incident was detected.
Let’s hope this is the true extent of the breach and Target has indeed fixed the issue. Only time will tell.
What Did the Hackers Do?
No one knows for sure what the hackers did to gain access to the card data. Target seems to have a good idea, since it claims to have resolved the issue. According to the Target corporate website, the information stolen included “customer name, credit or debit card number, and the card’s expiration date and CVV”. That is essentially the magnetic stripe data embedded on the back of the card.
Target is a Tier 1 PCI merchant, and PCI (Payment Card Industry standards) forbids retailers from storing CVV data or debit card PINs. The only time a CVV can be present in the retailer’s systems is during transaction authorization. Coupled with the fact that Target.com was not affected, the speculation is that the hackers penetrated its payment gateway or POS systems. How could this happen?
In either scenario, hackers would have needed access to key parts of Target’s infrastructure to install or exploit malware. In the TJ Maxx case, hackers cracked a WEP WiFi key to obtain an internal IP address; at Heartland, malware was dropped via a SQL injection attack on a corporate web site. Target’s attack vector could be similar or quite different, but the point is that large-scale enterprise infrastructure offers a number of soft entry points, which compliance regimes like PCI mandate be hardened. Once in, how do they get the mag stripe data?
Remember, detailed credit card track information, like CVV, can only be present in the system prior to authorization; once authorization occurs, the CVV must be discarded. As Target is PCI compliant, it must surely be in compliance with this control. The implication, therefore, is that malware on either the payment gateway or the POS grabbed stripe data prior to the authorization process, before items like CVV were discarded. Isn’t this data encrypted?
Not necessarily, though it should be. PCI does not require encryption of data in transit on an internal wired network (as opposed to any publicly accessible network, where it must be encrypted). It is a best practice, however, to always encrypt any sensitive data, even when it is transiting a network (you think) you control. If Target wasn’t encrypting credit card data in transit, there might be a number of opportunities to grab it on its way from the POS to an internal authorization service. If Target was encrypting in transit, there is still an opportunity to swipe the cleartext before encryption on, say, the POS. Additionally, some payment providers want unencrypted data during authorization, so there would be an opportunity to take credit card information as it was decrypted prior to being sent to the provider. How could the bad guys exfiltrate the data?
A popular method – but not the only one – is to use HTTP/TCP over ports 80/443 to send stolen data to off-premises controllers. These ports carry a lot of Web traffic and are often not filtered or reviewed as carefully as other ports.
All of this is speculation on my part, and when the facts are finally revealed they may turn out to be quite different. Target is in the midst of an investigation that undoubtedly includes law enforcement, internal compliance, lawyers and auditors, and it is not describing attack details yet.
Who Will Bear the Cost?
Typically, consumers are not liable for more than $50 in charges resulting from stolen credit cards. The situation with unauthorized debit card transactions is more ambiguous, and cardholders may have to work through issuer bureaucracy to recover any stolen money. Most credit- or debit-issuing banks end up bearing the cost, but this is going to cost Target a lot of money as well.
What Can We Learn from This?
Don’t shop at Target? Well, that’s neither realistic nor necessary. Chances are, Target is more secure than other retailers at this moment in time.
As a fellow retail executive, and one who has been in charge of securing many millions of credit card transactions, I can offer you the following advice on data security:
1. Make data security a priority
Security is a business leadership problem, not an IT problem. Obviously, IT has a huge end-to-end role in security execution, but senior management is accountable for asserting it as a business priority.
People in an organization respond to their leaders’ priorities, and security needs to be one of them.
2. Maintain a base set of IT security processes
These include but are not limited to:
- Encrypt any data – including data in transit – that would cause your company issues if it were exposed
- Segment your network
- Monitor security events and keep logs
- Put anti-virus software everywhere
- Create a corporate security policy and standards: publicize it, train to it and hold accountable those who violate it
- Create a Security Incident Response Team (SIRT) and plan
- Hack yourself
- Measure and review security KPIs just like you do other relevant IT and business KPIs
- Include security KPIs as a bonus goal for relevant staff
- Plan and practice for a security incident
- Don’t boast about security effectiveness
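The exfiltration path described earlier (Web ports to off-premises hosts) is exactly where the “segment your network” and “monitor security events and keep logs” items pay off. The following is an added example, not code from the original article or from Target: a small Python check over constructed firewall log lines that flags POS-segment hosts making HTTP/HTTPS connections to anything other than an assumed allow-list of payment endpoints, and hosts whose cumulative upload to a single destination is unusually large. The POS subnet, the allow-list, the byte threshold and the log format are all assumptions made for the example.

```python
# Added example (not from the article): egress monitoring for a segmented
# POS network. Subnets, hostnames and log format are constructed assumptions.
import ipaddress
from collections import defaultdict

POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")     # assumed POS VLAN
ALLOWED_WEB_DESTINATIONS = {"10.1.5.10", "10.1.5.11"}  # payment gateway, patch server
UPLOAD_BYTES_THRESHOLD = 5_000_000                     # total bytes sent per (src, dst)

def parse_line(line):
    """Parse a constructed firewall record: 'ts src_ip dst_ip dst_port bytes_sent'."""
    ts, src, dst, port, sent = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "sent": int(sent)}

def find_suspicious_egress(lines):
    """Return alerts as (rule, src, dst) tuples, one per offending host pair."""
    alerts = []
    flagged_pairs = set()
    upload_totals = defaultdict(int)
    for rec in map(parse_line, lines):
        if ipaddress.ip_address(rec["src"]) not in POS_SEGMENT:
            continue  # this rule only watches the POS segment
        pair = (rec["src"], rec["dst"])
        # Web ports to a host that is not a known payment/patch endpoint.
        if rec["port"] in (80, 443) and rec["dst"] not in ALLOWED_WEB_DESTINATIONS:
            if pair not in flagged_pairs:
                flagged_pairs.add(pair)
                alerts.append(("unexpected_web_egress",) + pair)
        upload_totals[pair] += rec["sent"]
    # A POS terminal sending megabytes to one place is unusual regardless of port.
    for pair, total in upload_totals.items():
        if total > UPLOAD_BYTES_THRESHOLD:
            alerts.append(("large_upload",) + pair)
    return alerts

# Constructed sample log: two POS terminals, one corporate host outside the
# POS segment, and one external address from the RFC 5737 documentation range.
SAMPLE_LOG = [
    "2013-12-01T10:00:01 10.20.3.7 10.1.5.10 443 2100",
    "2013-12-01T10:00:05 10.20.3.7 10.1.5.11 80 900",
    "2013-12-01T10:01:10 10.20.3.7 203.0.113.45 443 4800000",
    "2013-12-01T10:02:10 10.20.3.7 203.0.113.45 443 1400000",
    "2013-12-01T10:03:00 10.30.1.2 203.0.113.45 443 500",
    "2013-12-01T10:04:00 10.20.3.9 10.1.5.10 443 30000",
]

if __name__ == "__main__":
    for alert in find_suspicious_egress(SAMPLE_LOG):
        print(alert)
```

In the sample, the two legitimate payment and patch connections pass, the corporate host outside the POS segment is ignored, and the single POS terminal talking to the external address is reported once for the unexpected destination and once for the 6.2 MB it sent there.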
3. Be Persistent
Hacking attempts will not stop, and thus work to secure the enterprise cannot stop either. Any enterprise is vulnerable. You need the engagement of your company’s senior leadership, security as a business priority, fundamental security processes and accountability, and a persistent commitment to keeping your business secure.
With that, happy shopping, and be careful out there. Don’t let the Grinch get you!