Everyone's heard about the Target breach at the end of last year; some of you may have been affected. One way to understand this breach - to borrow a phrase from Deep Throat talking about the Watergate Scandal in "All The President's Men" - is to follow the money.
This webinar will do that. It will detail what we know about the Target breach and how it happened. But it will place particular emphasis on the money trail - not only in terms of how the bad guys turn the data into cash, but also who ends up footing the bill, the role insurance can play, the likelihood of lawsuits, and so on. As such, this webinar represents a powerful opportunity to learn what really goes down as a breach unwinds from a respected professional who has been in the trenches for decades.
Our featured speakers for this webinar will be:
- Ted Julian, Chief Marketing Officer, Co3 Systems
- Mark Rasch, Chief Privacy Officer, SAIC
6. Intro
• When a cardholder uses a credit card to purchase merchandise, the transaction moves through a process that involves authorization, clearing and settlement.
• Each step of the process involves an exchange of transaction data and money that must be settled and balanced.
• This process ends when the cardholder pays for the merchandise listed on his/her monthly statement.
7. Dramatis Personae
• Cardholder – The consumer who owns the card.
• Merchant – An entity that contracts with an Acquiring Processor to originate transactions.
• Acquiring Processor – An entity that communicates to Visa to gain approvals to complete cardholder transactions. Processor is an acquiring processor.
• Visa – The largest association member. Visa is the largest payment system, enabling 14,000 financial institutions to process over $1 trillion in annual transaction volume.
• Issuing Bank – The financial institution that issues the credit card. For example, CapitalOne, Chase, Wells Fargo.
8. Other Parties (who can I blame?)
• Software vendor – creates and/or maintains general software
• CRM vendors and contractors – hired by merchant to maintain Customer Relations Management (CRM) data which feeds into POS terminal
• POS Terminal Vendor – supplier of POS terminals, related software, maintenance and support
• PCI/DSS-PA/DSS Assessor – assesses and certifies compliance with PCI DSS standards
• IT Security Staff/Consultants – conducted pen tests, other assessments
• IT Audit (internal/external)
• Third party vendors with access to Target network (HVAC)
• Don’t forget insurers!
9. The Credit Card Transaction Process – Where does the data go?
• Step 1 - Authorization
Cardholder makes a purchase using a credit card. The merchant must obtain authorization for the purchase from the bank who issued the card.
• Step 2 - Clearing
If the transaction is approved, the next step is clearing. In this phase, the Issuing Bank obtains basic transaction data from the merchant such as the amount, date and location of the purchase. This data is then sent to the credit card issuer for posting to the monthly credit card statement.
• Step 3 - Settlement
In the final step, settlement, the funds are collected from the Issuing Bank and transmitted to the merchant. When a consumer uses a credit card, the merchant does not receive payment at the time of purchase. The bank credits the merchant’s bank account. The bank then sends payment to the processor who sends the payment to Visa. The cardholder receives a monthly statement and settles with Visa for purchases made using the credit card.
10. The Four Party Model (Debit Card)
[Diagram: four parties – Cardholder, Merchant, Issuer, Acquirer. Labelled flows: purchase goods / services using card payment instrument; convenience & payment instrument; card payment facility; settlement & payment services; transaction fees; merchant service charge; settlement & risk bearing; interchange fee.]
2/6/2014
12. Fraud Flow
[Flow diagram, reconstructed as a sequence:]
• Issuer issues credit card to consumer – not secure because of cost
• Consumer fails to protect credit card because of zero liability
• Consumer uses credit card at Target store – consumer swipes card at POS
• Hacker steals number and sells it
• Hackers post stolen credit cards on multiple “carder” forums around the world. The card numbers are purchased and sold within minutes/hours of their having been stolen
• Carders use machines to create new “bogus” credit cards
• Carders distribute these bogus cards worldwide
• Carder “mules” use the bogus cards at ATMs or stores worldwide; mules purchase goods (or services) online or offline
• The purloined products are sold on online auction sites
• $ – some of the proceeds are used to finance new hacks
13. Losers
• Issuer – reissue millions of cards, call centers 24/7 at Christmas
• Consumer – loss of confidence, anxiety, monitoring, inconvenience – possible $50 loss
• Target – massive dollar loss, cost of investigation, PCI DSS “fines,” AG investigations, loss of reputation, loss of confidence
• Target Stockholders – loss of share price (short and long term)
• POS Vendor/Processor – possible liability (but look at contracts)
• Third party merchants – out sales, cardmember “present” vs. cardmember “not present” transactions
• Manufacturers – lost sales because of fraudulent purchases
• Insurers – indemnify each of these parties
• Web/E-commerce merchants – fraudulent sales
• PCI DSS Certification entity
14. SEC Disclosure
[Charts: Target stock price (6 month); TJX (5 year); Heartland Payment (5 year)]
Item 1A. Risk Factors
There have been no material changes to the risk factors described in our Annual Report on Form 10-K for the fiscal year ended February 2, 2013.
20. Finger Pointing – Target vs. Issuers
• Target – it’s the credit card issuer’s fault for having insecure “magstripe” credit cards (to save infrastructure costs). Target tried to push “Chip & PIN” cards but had resistance from banks. Upgrade Target alone to Chip & PIN = $100 million.
• Banks – it’s the merchant’s fault because of faulty security and trust models – PCI DSS violations.
• In 2012 banks bore 63% of fraudulent losses; merchants 37%*
• Bank losses from counterfeit cards; merchant losses from card-not-present (CNP) transactions on the Web, at a call center or through mail order.
• BUT – goal is NOT to prevent/reduce fraud! Goal is to enhance consumer confidence.
* (Source: Nilson Report, August 2013)
23. Threat model
• Attacker types
  • Class I: Clever outsiders – intelligent, but lack information, exploit known attacks
  • Class II: Knowledgeable insiders – have inside information on protocols/design, can use sophisticated tools
  • Class III: Funded organizations – have information, resources, equipment, and incentives; can employ class II attackers in teams
24. Attacker Goals
• To get the crypto keys stored in RAM or ROM
• To learn the secret crypto algorithm used
• To obtain other information stored in the chip (e.g. PINs)
• To modify information on the card (e.g. calling card balance)
25. Methodology
• Obtain access – likely SQL injection
• Obtain data – likely RAM scraper (inter-process communications hook)
• Aggregate data – create internal shared drive / use vendor hard-coded credentials (BMC)
• Store data – create password-protected root access remote file server with additional services
• Exfiltration – FTP or other access to remote file share (Cuckoo’s Egg)
26. PIN Processing
Transaction PIN Flow Diagram, reconstructed as a sequence:
• Card holder uses debit card (ATM/POS) and enters PIN.
• PED or payment terminal encrypts the PIN using the PIN Encryption Key already injected within the device.
• Acquirer/Acquirer Processor: PIN is decrypted using the same key … and then encrypted by the Acquirer/Working Key, which may be shared with VisaNet or other network.
• VisaNet or other network: PIN is decrypted using the Acquirer/Working Key … and then encrypted by the Issuer Working Key, which is shared with the Card Issuer.
• Issuer: PIN is decrypted using the Issuer Key … and then validates the PIN.
• When PIN is validated, final transaction occurs.
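The PIN path on this slide, worked as an added example that is not from the webinar: an ISO 9564 format-0 PIN block is built at the PED, encrypted under the injected PEK, translated inside each HSM to the next zone key, and finally decrypted by the issuer. The three key values are constructed for the example; the hop sequence follows the slide.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// pinBlockFormat0 builds an ISO 9564 format-0 PIN block: "0" + PIN length + PIN + 'F'
// padding, XORed with "0000" + the rightmost 12 PAN digits excluding the check digit.
func pinBlockFormat0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 || strings.Trim(pin+pan, "0123456789") != "" {
		return nil, fmt.Errorf("bad PIN/PAN")
	}
	field := fmt.Sprintf("0%X%s", len(pin), pin)
	pb, _ := hex.DecodeString(field + "FFFFFFFFFFFFFFFF"[len(field):])
	pf, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	for i := range pb {
		pb[i] ^= pf[i]
	}
	return pb, nil
}

// tdes: one 3DES-ECB block operation under a 2-key (K1|K2|K1) 16-byte key, the form used for PEKs and zone PIN keys; dec selects decryption.
func tdes(key16, src []byte, dec bool) []byte {
	c, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	dst, op := make([]byte, 8), c.Encrypt
	if dec {
		op = c.Decrypt
	}
	op(dst, src)
	return dst
}

// pinFlow walks one PIN from the PED to the issuer across the three keys on the slide. Each
// HSM hop decrypts under the inbound key and re-encrypts under the outbound key, so the clear
// block exists only inside an HSM, never on the wire. Keys are constructed test values.
func pinFlow(pin, pan string) (bool, error) {
	pek, zpk, iwk := []byte("PED-injected-KEY"), []byte("acquirer-zone-KY"), []byte("issuer-workingKY")
	block, err := pinBlockFormat0(pin, pan)
	if err != nil {
		return false, err
	}
	wire := tdes(pek, block, false)                       // PED: encrypt under the injected PEK
	wire = tdes(zpk, tdes(pek, wire, true), false)        // acquirer HSM: PEK -> acquirer working key
	wire = tdes(iwk, tdes(zpk, wire, true), false)        // VisaNet HSM: acquirer -> issuer working key
	return bytes.Equal(tdes(iwk, wire, true), block), nil // issuer HSM: decrypt, validate against reference
}
```

Note that every intermediate `wire` value differs from `block`; a RAM scraper on the terminal sees the clear PIN block only if it can hook the PED before encryption.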
27. PIN Weaknesses
• 4 digit PIN = 10k+ possible combinations (good)
• But > 10% of random PINs = 1234. Expanding a bit, 1234, 0000, and 1111 = 20%
• 26.83% of passwords can be cracked using the top 20 combinations.
• Birthday years are big. The 1900s PINs – 1986, 1960, 1991, and so on – are extremely popular, with PINs from later in the century used the most.
• 17.8% = couplets, such as 7878, 8181
• And don’t forget 2580
28. Skimmers
• Other way to get data – physical attack
• Collects, stores and transmits
  • Magstripe data
  • Unencrypted PIN data
• Easy to install but needs physical access to device
• Can transmit data by Bluetooth, TCP/IP or store and dump
• New devices look exactly like regular PIN pads, card slots
30. Target Timeline
[Timeline diagram, reconstructed as a sequence:]
• Hackers break in using credentials from PA HVAC contractor
• DOJ contacts Target to inform them of the breach
• Target meets with DOJ and USSS
• Target retains investigators
• Target notifies payment processors and card brands – begins malware removal
• Public breach notification
• More malware removed from 25 disconnected terminals
31. What We THINK We Know
• Attack included POS Malware
• "Kaptoxa" ("potato" in Russian slang), renamed "DUMP MEMORY GRABBER by Ree[4]"
• "BlackPOS" ("ree4") has sold more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit card shops such as ".rescator", "Track2.name", "Privateservices.biz" and many others.
• BlackPOS/Kartoxa versions and mods sold on black market in source code
35. The Weakest Link
• Hackers broke into Target’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
• Why did HVAC contractor have/need network credentials?
• Why was this linked to CRM/Payment database?
• What vulnerability let hackers in to Fazio’s computers?
36. Timeline
• Nov. 15 (Thanksgiving) and Nov. 28 (day before Black Friday), hackers upload RAM scraping software to small number of POS terminals at Target.
• Hackers test POS hack to make sure it works.
• Nov. 30 – expand to majority of POS devices.
• Nov. 30 – collect from live transactions.
• Nov. 30 – December 15 – collect and dump –
  • FTP from Russia?
  • Dump to hacked computer in Miami
  • Hacked drop server in Brazil.
37. Anatomy of a Carder Network
• Multiple Parts – Multiple Actors
  • Trojan/Malware design
  • Access/Hack
  • Malware injection – social network?
  • Exploitation/harvesting
  • Acquisition of data and selling of data
  • Conversion of data to cards/goods/services
  • Conversion of goods/services to money
  • Distribution of money
38. Curiosities of Target Hack
• Obtained PIN – suggests hack at POS
• BUT – obtained e-mail addresses – suggests hack at CRM
• Hacked tens of millions – suggests aggregated data
• BUT attack profile suggests individual POS attacked
• Targeted to Target’s software BUT
• Multiple entities compromised
39. Breach Aftermath
• Breach affected two types of data:
  • payment card data of 40 million who shopped at Target US Stores from November 27 through December 18
  • personal data (name, mailing address, phone number or email address) of 70 million people.
• Hacker stole a vendor’s credentials to access Target system
• Placed malware on POS terminals.
  • Designed to capture payment card data from the magnetic strip of credit and debit cards prior to encryption within Target system.
  • Malware also captured encrypted PIN data.
40. Target Responses
1. End-to-end review of security of network.
2. Increased fraud detection for Target REDcard customers.
3. Reissuing new Target credit or debit cards to any customer who requests one.
4. Offering one year of free credit monitoring and identity theft protection to anyone who has ever shopped at our U.S. Target stores. Includes free credit report, daily credit monitoring, identity theft insurance and unlimited access to personalized assistance from fraud resolution agent.
5. Told customers to monitor accounts, and that there is zero liability.
6. Adding PIN and Chip for Target REDcards and POS.
7. $5MM for BBB and National Cyber Security Alliance and the National Cyber-Forensics & Training Alliance to advance public education around cybersecurity and the dangers of consumer scams.
8. Launch a retail industry Cybersecurity and Data Privacy Initiative that will be focused on informing public dialogue and enhancing practices related to cybersecurity, improved payment security and consumer privacy.
43. It ain’t over
• Neiman Marcus, Michaels, and others
• FBI January 17 report: "Recent Cyber Intrusion Events Directed Toward Retail Firms."
  • "We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it”
  • "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors," the FBI said.
• Malware was being sold online for over a year for about $2,000
• 1/30/2014 – millions of Yahoo! passwords stolen
44. Enforcement Actions
• Federal Trade Commission – Section 5 of FTC Act
  • Enforce privacy policies and challenge data security practices that cause substantial consumer injury
• State Attorney General – State Notification Statutes
  • Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
  • Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages”.
• Litigation in federal or state courts
45. Litigation
Unusual Court Rulings
• Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121 (N.D. Cal. 2008).
  • Laptop computer stolen, which contained approximately 800,000 Gap job applications (including name and social security no.)
  • Court denied defendant’s motion for summary judgment and held that plaintiff “has alleged injury in fact” to establish standing
  • “Increased risk of identity theft” constituted sufficient “injury in fact”
46. Litigation
Unusual Court Rulings
• Caudle v. Towers, Perrin, Forster & Crosby, 580 F. Supp. 2d 273 (S.D.N.Y. 2008).
  • Laptop computer stolen from employer’s pension consultant, which contained personal information (including name and social security no.)
  • Court granted defendant’s motion for summary judgment and dismissed claims for negligence and breach of fiduciary duty
  • Court denied motion with respect to claim that plaintiff was third-party beneficiary between defendant and plaintiff’s employer
47. Send In the Insurers
• Target self-insured for the first $10 million
• $15 million of excess coverage with Ace Ltd.;
• $15 million layer with American International Group Inc.;
• $10 million layer with Bermuda-based Axis Capital Holdings Ltd.;
• Another $10 million coverage layer with AIG;
• Quota share for the next $40 million of cyber insurance divided among four unidentified insurers.
• Executive liability = $10 million self-insured retention; then $25 million in primary D&O coverage with AIG; then $15 million of coverage with Ace; and then $15 million of coverage with the Hartford, Conn.-based Travelers Cos. Inc.
Target could be facing losses of up to $420 million
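Following the money through the cyber tower on this slide, as an added example that is not from the webinar: each layer absorbs what it can in order, and anything above the top of the tower stays with Target. The slide does not name the four quota-share insurers or their shares, so the even 25% split used here is an assumption.

```go
package main

import "fmt"

// Layer is one slice of the tower: its limit in $ millions and how the carriers on that
// layer split it (a quota share is several carriers on one layer, fractions summing to 1).
type Layer struct {
	Limit  float64
	Shares map[string]float64
}

func sole(carrier string) map[string]float64 { return map[string]float64{carrier: 1} }

// cyberTower is the cyber coverage listed on the slide, bottom-up. The four quota-share
// insurers and their shares are not given on the slide; equal 25% shares are assumed here.
var cyberTower = []Layer{
	{10, sole("Target self-insured retention")},
	{15, sole("Ace Ltd.")},
	{15, sole("AIG")},
	{10, sole("Axis Capital Holdings")},
	{10, sole("AIG")},
	{40, map[string]float64{"QS insurer A": .25, "QS insurer B": .25, "QS insurer C": .25, "QS insurer D": .25}},
}

// allocate walks a loss up the tower: each layer absorbs min(limit, what is left), split
// among its carriers by share, and any loss above the top of the tower stays with the
// insured. Returns $ millions paid per carrier and the uninsured remainder.
func allocate(tower []Layer, loss float64) (map[string]float64, float64) {
	paid := make(map[string]float64)
	if loss < 0 {
		loss = 0
	}
	for _, l := range tower {
		absorbed := l.Limit
		if loss < absorbed {
			absorbed = loss
		}
		for carrier, share := range l.Shares {
			paid[carrier] += absorbed * share
		}
		loss -= absorbed
	}
	return paid, loss
}

func main() {
	paid, uninsured := allocate(cyberTower, 420) // the slide's worst-case figure
	fmt.Printf("paid ($M): %v\nuninsured, back to Target: $%.0fM\n", paid, uninsured)
}
```

At the slide’s $420 million figure the $100 million cyber tower is exhausted and $320 million comes back to Target; the D&O tower responds to a different class of claim and is not stacked here.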
49. “Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013
“Co3…defines what software packages for privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
One Alewife Center, Suite 450, Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
Mark D. Rasch, Esq.
Mark.D.Rasch@saic.com
(301) 547-6925