US retail giant Target has confirmed that hackers gained access to payment card data that could mean 40 million credit and debit card accounts are at risk. An official statement says that the retailer is "aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores" and is now working with law enforcement and financial institutions having "identified and resolved the issue".

The accounts in question were targeted, no excuse for the pun, between November 27th and December 15th in order to hit the increasingly busy seasonal shopping period. Gavin Millard, Technical Director at security experts Tripwire, says that the two most worrying aspects of the breach "are the time frame, because it occurred on the busiest shopping period in the US calendar year when millions flood to the big box retailers, and the fact that the “track data” was captured, enabling the attackers to create counterfeit cards."

Meanwhile, Mark Bower, vice president at Voltage Security, thinks that sadly this massive security breach is simply a reflection of the times we live in. "The size, scale and coordination required for this attack illustrates the lengths that attackers will go to steal valuable credit and debit information including card track data and CVV codes – the ultimate prize," Bower says. Typically there are two points in the retail chain where attacks take place – the POS or the payment switching back end. "POS systems are often the weak link in the chain and vulnerable," Bower continues. "They often run a standard OS and are thus subject to exploits and zero-day attacks if exposed to a malware delivery channel such as a browser, a compromised POS management system, patch system or worse, from an insider."

The problem with POS and checkout systems during the seasonal shopping rush is that they are, pretty much, in constant use and therefore less frequently patched and updated. In turn, this leaves them more vulnerable to malware compromise impacting massive amounts of cardholder data, although we don't yet know if this was the case at Target. If the breach was further up the chain, perhaps in the authorization and settlement switching systems in the retail back end, then the track data and CVV codes should never have been stored – even if encrypted. "There’s no need," Bower warns, "and it’s forbidden under PCI DSS, yet sadly still happens."
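Bower's point that track data and CVV codes must never be stored, even encrypted, is something a retailer can actually check for. The following Python script is an added example, not code from the article or from Target, Tripwire or Voltage: it scans a constructed sample of transaction log lines for Track 2 data (start sentinel, PAN, "=" separator, YYMM expiry, service code, end sentinel) and for labelled CVV values, uses a Luhn check to drop numbers that merely look like card numbers, and reports only the last four digits so the audit output does not itself become stored cardholder data. The sample lines, the 4111... test PAN and the invented non-Luhn number are all constructed for the example.

```python
import re

# Constructed sample of back-end log lines to audit. Line 2 leaks full
# Track 2 data plus a CVV; line 3 carries a number that is not a valid PAN
# (fails Luhn); lines 1 and 4 are what a compliant log should look like.
SAMPLE_DUMP = """\
txn=10001 auth=OK amt=49.99 pan_last4=1111
txn=10002 auth=OK raw=;4111111111111111=25121010000000000? cvv=123
txn=10003 auth=DECLINED raw=;1234567890123456=2512101?
txn=10004 auth=OK token=tok_8f3a2c amt=12.00
"""

# Track 2 layout: optional start sentinel ';', PAN of 13-19 digits, field
# separator '=', expiry YYMM, 3-digit service code, discretionary data,
# optional end sentinel '?'.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)
# A 3- or 4-digit value stored under a CVV/CVC/CID style field name.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_dump(text: str) -> list:
    """Scan log text for stored Track 2 data and CVV values.

    Each finding records the line number, the kind of data found and, for
    track data, only the masked PAN (last four digits) and expiry, so the
    audit report never reproduces the sensitive value it flagged.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TRACK2_RE.finditer(line):
            pan = m.group("pan")
            if not luhn_valid(pan):
                continue        # digits that are not a real PAN: skip
            findings.append({
                "line": lineno,
                "type": "track2",
                "pan_last4": pan[-4:],
                "expiry": m.group("exp"),
            })
        for m in CVV_RE.finditer(line):
            findings.append({"line": lineno, "type": "cvv", "length": len(m.group(1))})
    return findings


if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f)
```

Run against the sample, the scanner flags line 2 twice (stored track data and a stored CVV) and stays silent on the other three lines. The Luhn filter is what keeps line 3 out of the report; without it, any long digit run followed by "=" would raise a false alarm in a real log.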


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


US should switch from mag stripe to PIN and chip tech ... just like the UK's ... much better, don't you think?
